From firewalls-owner Tue Oct 1 01:26:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA17916 for firewalls-outgoing; Tue, 1 Oct 1996 00:49:37 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id AAA17905 for firewalls@greatcircle.com; Tue, 1 Oct 1996 00:49:30 -0700 (PDT)
Received: from ren.netconnect.com.au (ren.netconnect.com.au [203.7.198.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA02419 for ; Mon, 30 Sep 1996 21:24:27 -0700 (PDT)
Received: (from kaw@localhost) by ren.netconnect.com.au (8.7.6/8.7.6) id OAA23029; Tue, 1 Oct 1996 14:24:46 +1000
Date: Tue, 1 Oct 1996 14:24:46 +1000 (EST)
From: Kylie Winnell
To: firewalls@greatcircle.com
Subject: Help with ipfwadm
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I'm trying to implement a firewall using ipfwadm and desperately require some help. Are there any examples/documentation for ipfwadm anywhere? Or could someone who has managed to get a firewall working please contact me?

Thanks in advance for any help!

Regards,
Kylie

From firewalls-owner Tue Oct 1 01:41:37 1996
Message-Id: <1.5.4.32.19961001083157.0090cad8@mail.lcn.nl>
Date: Tue, 01 Oct 1996 10:31:57 +0200
To: firewalls@greatcircle.com
From: "Ge' Weijers"
Subject: Re: SOLARIS x86 as firewall platform? - summary so far.

As ever it's a case of 'you get what you pay for'. I've got an NT server sitting here built by Intel Ireland, Pentium 166 with 64Mb, pipeline burst cache and 12.5 GB net RAID 5 disk configuration. It's quite a bit faster than our SS5, but then it cost more, about $15K. A SS5 that has a similar disk configuration would be a lot more expensive, though.

Ge'
----------------------------------------------------
Ge' Weijers            E-mail: g.weijers@lcn.nl
LCN                    Tel. +31-24-3238130
P.O. Box 1408          Fax. +31-24-3238074
6501 BK Nijmegen
the Netherlands

From firewalls-owner Tue Oct 1 02:27:28 1996
From: "Marius Groenewald"
To: "firewalls@greatcircle.com"
Date: Tue, 01 Oct 96 11:14:09
Reply-To: "Marius Groenewald"
Subject: Mailing list
Message-ID: <15366E50B9@ing1.rau.ac.za>

Could someone please remove mlg@ing1.rau.ac.za and mlg@eng.rau.ac.za from the mailing list. I don't want to receive any more news from firewalls@greatcircle.com.

Thanks

From firewalls-owner Tue Oct 1 03:25:43 1996
Message-Id: <2.2.32.19961001102234.00693350@lexicon.ins.com>
Date: Tue, 01 Oct 1996 06:22:34 -0400
To: Kogulapalan
From: Darwin Martinez
Subject: Re: Checkpoint
Cc: firewalls@greatcircle.com

Earlier versions of FW-1 were not VPN/DES compatible. Later versions (2.0c and later) are available with VPN/DES. From at least 2.0, NAT is available.

At 10:01 AM 10/1/96 -0800, you wrote:
>Folks,
>
> A quick question ;) Hope to get answers :)
>
> 1) Does the Checkpoint Firewall-1 that comes with SUN have the
>capabilities of doing VPN ???
>
> 2) Does the Checkpoint Firewall-1 that comes with SUN have the
>capabilities of doing NAT ???
>
> That's all. Thanks.
>
>Regards,
>PaLaN
>palan@mailhost.net
>
>" Hack From The Rich and Download To The Poor "
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Darwin L. Martinez, NSE                 Email: darwin_martinez@ins.com
Atlanta Office                          Client: 404-843-5954
International Network Services          Pager: 1-800-INS-1-INS
"Providing the power of operable networks"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

From firewalls-owner Tue Oct 1 03:56:08 1996
From: dehtpnmk@ibmmail.com
Message-Id: <199610011040.DAA05537@miles.greatcircle.com>
Date: Tue, 01 Oct 1996 05:07:22 EDT
To: FIREWALLS@GREATCIRCLE.COM
From: Amadeus Forums AT MUCVM1
Organization: AMADEUS Global travel - Erding - DE
Subject: FW-1 accounting.

Amadeus FORUMS for DAVID BLACK : private replies to:

We wish to install the NETSCAPE proxy server with FW-1, both for caching and accounting. We also want to use CLIENT AUTHENTICATION and NAT. Will our accounting data be able to give us records showing complete connections, i.e. can we account from a user's PC all the way to an INTERNET host, or does NAT interfere with the IP packets in such a way as to disable this??

Thanks,
Dave Black
System Programmer, Amadeus Global Travel, Munich, Germany
osg023@mucvm1, dehtpz79@ibmmail.com, (49) 8122-43-5795 fax(3260)

From firewalls-owner Tue Oct 1 04:11:08 1996
Message-Id: <2.2.32.19961001104224.007629f0@lint.cisco.com>
Date: Tue, 01 Oct 1996 06:42:24 -0400
To: Kim Sung Ro
From: Paul Ferguson
Subject: Re: Subnetting Class C Network
Cc: firewalls@GreatCircle.COM

Actually, point your web browser instead at:

http://cio.cisco.com/warp/public/105/11.html

You can use IP subnet 0 if you use the global command 'ip subnet zero' within a cisco router. Use of the all-1's subnet has always been permissible.

- paul

At 02:11 PM 10/1/96 +0900, Kim Sung Ro wrote:
>
>In http://cio.cisco.com/warp/public/701/3.html, All 0's or 1's in
>network part can't be used.
>So if you subnet C class with 255.255.255.192, the number of effective
>network is 2 I think.
>In default network, we can't use 0 and 255 number as network number.
>For example for A class, the first byte of IP address can't be 0 or 255.
>So if you subnet C class with 255.255.255.192 (use 2 bits), 00 and 11
>can't be used for subnetting bits.
>

--
Paul Ferguson                       ||        ||
Consulting Engineering              ||        ||
Reston, Virginia USA               ||||      ||||
tel: +1.703.716.9538          ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com     c i s c o  S y s t e m s

From firewalls-owner Tue Oct 1 04:25:41 1996
Date: Tue, 1 Oct 1996 07:05:54 -0400 (EDT)
From: Darryl Wagoner
To: Kim Sung Ro
cc: Harry Feltsadas, firewalls@GreatCircle.COM
Subject: Re: Subnetting Class C Network
In-Reply-To: <3250A81A.58E8@164.124.1.108>

On Tue, 1 Oct 1996, Kim Sung Ro wrote:

> Harry Feltsadas wrote:
> >
> >
> In http://cio.cisco.com/warp/public/701/3.html, All 0's or 1's in
> network part can't be used.
> So if you subnet C class with 255.255.255.192, the number of effective
> network is 2 I think.
> In default network, we can't use 0 and 255 number as network number.
> For example for A class, the first byte of IP address can't be 0 or 255.
> So if you subnet C class with 255.255.255.192 (use 2 bits), 00 and 11
> can't be used for subnetting bits.

That is the way that I understood it myself, but I have seen providers use all the networks. It really surprised me.

--
Darryl Wagoner                 darryl@sai.com
http://www.sai.com/
Office: 603.672.0736           Fax: 603-672-4846

Beware of self-styled experts: an ex is a has-been, and a spurt is a drip under pressure.
From firewalls-owner Tue Oct 1 04:56:05 1996
Date: 1 Oct 1996 07:35:37 -0400
From: "Jerry Edmiston"
Subject: FTP and TELNET Authenticati
To: "firewalls greatcircle"

OFFICE MEMO   FTP and TELNET Authentication   Time: 7:13 AM   Date: 10/1/96

I have a CyberGuard firewall. I run Telnet and FTP proxies that authenticate the request at the firewall and then pass it through. My Sun station has no problem, but our FTP/TELNET clients on our Macs and PCs do not support this authentication, i.e. multiple passwords to reach its destination (a password at the f/w and again at the server in question).

Does anyone have any suggestions for a Telnet/FTP client on Macs and PCs that will support authentication through our f/w... thanks in advance... Jerry... jle9@eci-esyst.com

From firewalls-owner Tue Oct 1 05:27:23 1996
From: Brad VanOrden
Date: Tue, 1 Oct 1996 08:11:15 -0400 (EDT)
Message-Id: <199610011211.IAA07614@rapid.rssi.com>
To: firewalls@GreatCircle.COM
Subject: RE: NT Security

I think you are missing the point of C2. It is not meant that if a box is rated C2 that it is invulnerable. Rather, it is a philosophy of how you are going to administer the system. The main points of C2 are that there are not any group logins allowed and that all transactions are logged.

No group logins means you do not share your password. The system can't enforce that. It's a people thing. Will your users abide by it?

The fact that all transactions are logged allows an administrator to find out who did what to the system (again, assuming the users aren't sharing their passwords).

C2 is simply an accountability measure. It does not prevent anything. I would rather have a system that has been certified C2 compliant because it gives me better assurance I can find out what happened on my system (if something does happen).

My $0.02 worth.

Brad Van Orden
Rapid Systems Solutions, a BSG company

>C2 security seems basically worthless. You can't have any network, and if
>a perpetrator has physical access to the machine, he/she can just boot
>off a floppy to read your files.
>
>So, if you can't use it with a network as a file server, and if it's
>easily compromised with physical access to the machine, what is a
>practical example of where C2 is actually useful?
>
>Keith McCammon
>Asymetrix Corp
>*Opinions my own*
>
>
>On Wed, 25 Sep 1996, Joseph S. D. Yao wrote:
>
>> Much has been made of NT's "C2" certification. I've heard that it was
>> certified without the standard NT file system; and with that file
>> system, it can't be certified. Beware.
>
> It will only comply with C2 standards if you are using the NTFS file
>system (not FAT or HPFS) and, of course, as a stand-alone machine after
>service pack X (7?) is applied with some other holes closed.

From firewalls-owner Tue Oct 1 05:41:23 1996
Message-Id: <3.0b28.32.19961001082525.006e77d8@trex.netrex.com>
Date: Tue, 01 Oct 1996 08:25:27 -0400
To: Greg Whalin
From: Richard Stiennon
Subject: Re: 'secure' intranet mailreading?
Cc: firewalls@GreatCircle.COM

At 10:05 AM 9/27/96 -0500, Greg Whalin wrote:
>I have been looking for the same exact thing. Netscape does offer a mail
>server, but it does not use SSL in any way. It does use a little less
>secure encryption scheme. I would assume that you have to use Netscape
>Navigator's mail reader. Has anyone seen anything a little more secure?
>Greg

My understanding is that Netscape *does* use SSL with its mail server.

----------------------------------------------------------------------------
Richard Stiennon                       richards@netrex.com
Director, Business Development         http://www.netrex.com
Netrex, Inc.                           Voice: 810-352-9643
Southfield, Michigan                   Fax: 810-352-2375
-----------------------------------------------------------------------------
Providing businesses and organizations with secure Internet solutions.

From firewalls-owner Tue Oct 1 05:56:17 1996
Message-Id: <3.0b28.32.19961001082022.0070e39c@trex.netrex.com>
Date: Tue, 01 Oct 1996 08:20:27 -0400
To: Kogulapalan
From: Richard Stiennon
Subject: Re: Checkpoint
Cc: firewalls@GreatCircle.COM

At 10:01 AM 10/1/96 -0800, Kogulapalan doth say:
>Folks,
>
> A quick question ;) Hope to get answers :)
>
> 1) Does the Checkpoint Firewall-1 that comes with SUN have the
>capabilities of doing VPN ???

Yes.

>
> 2) Does the Checkpoint Firewall-1 that comes with SUN have the
>capabilities of doing NAT ???
>

No problem. The only drawback to Sun's version is that it takes 3-6 months to come out with the new revisions for the Solarized FireWall-1.

----------------------------------------------------------------------------
Richard Stiennon                       richards@netrex.com
Director, Business Development         http://www.netrex.com
Netrex, Inc.                           Voice: 810-352-9643
Southfield, Michigan                   Fax: 810-352-2375
-----------------------------------------------------------------------------
Providing businesses and organizations with secure Internet solutions.

From firewalls-owner Tue Oct 1 06:10:55 1996
Message-ID: <32513AF7.269E@syr.edu>
Date: Tue, 01 Oct 1996 08:38:31 -0700
From: Peter Morrissey
Organization: Syracuse University
To: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM
Subject: Policy Templates

I recently found a place that sold security templates, but have forgotten the URL. Anybody know the URL?

_Pete Morrissey
_Syracuse University

From firewalls-owner Tue Oct 1 06:27:10 1996
From: jegan@iai.com (James P. Egan)
Message-Id: <9610010033.AA29812@milford.iai.com>
Subject: Re: Subnetting Class C Network
To: jfjohnm@ca-online.com (John McColley @ J F Engineering)
Date: Mon, 30 Sep 1996 20:33:13 -2800 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9609301308.aa12861@cktassy.ca-online.com> from "John McColley @ J F Engineering" at Sep 30, 96 01:08:09 pm
Reply-To: jegan@iai.com
Organization: Integrated Architectures, Inc.
Pgp-Fingerprint: 64 47 DC 51 D9 11 1D FF 31 43 9C 4C E2 A1 FC 04
Pgp-Public-Key: public-key-server@martigny.ai.mit.edu (subject: GET jegan)

What I would do is ask my ISP to give me 1 address from his range for the outside interface on my firewall and keep all of my Class C for inside.

John McColley @ J F Engineering recently wrote:
>
> Let's see if I understand subnetting correctly.
> If I want to split a class C network to setup a firewall I would
> take the existing network, say a.b.c.0 with a netmask of
> 255.255.255.0 and instead I would end up with 2 usable networks
> if I use a netmask of 255.255.255.192. I would end up with
> network a.b.c.64 with a netmask of 255.255.255.192 and network
> a.b.c.128 with a netmask of 255.255.255.192. Therefore, I would
> have available addresses of a.b.c.65 (netmask 255.255.255.192)
> through a.b.c.126, broadcast address would be a.b.c.127 and
> a.b.c.129 (netmask 255.255.255.192) through a.b.c.191, broadcast
> address would be a.b.c.192.
> I can't use a.b.c.0 through a.b.c.63 and a.b.c.193 through
> a.b.c.255.
> Does this sound right?

/Jim/
--
James P. Egan                        | jegan@iai.com
Integrated Architectures, Inc.       | http://www.iai.com
300 East Main Street, Suite 207      | Tel: 508-634-3200 x209
Milford, MA 01757                    | Fax: 508-634-8381
Use PGP for more secure email

From firewalls-owner Tue Oct 1 06:54:08 1996
Date: Tue, 1 Oct 1996 06:03:07 -0700
From: sjones@Aptech.com (Samuel D. Jones)
Message-Id: <199610011303.GAA03789@amos.Aptech.com>
To: Charles_Ragan@INS.COM, pferguso@cisco.com
Subject: Re: Subnetting Class C Network
Cc: harry@ns.fdc.nl, jfjohnm@ca-online.com, firewalls@GreatCircle.COM

I find the little C program included at the end useful.

Sam

> From firewalls-owner@GreatCircle.COM Mon Sep 30 22:03 PDT 1996
> X-Sender: pferguso@lint.cisco.com
> Mime-Version: 1.0
> Date: Tue, 01 Oct 1996 00:29:49 -0400
> To: "Charles_Ragan@ins.com"
> From: Paul Ferguson
> Subject: Re: Subnetting Class C Network
> Cc: "Harry Feltsadas" ,
>     jfjohnm@ca-online.com (John McColley @ J F Engineering),
>     firewalls@GreatCircle.COM
>
> Also, it goes without saying that classful routing protocols have outlived
> their usefulness, and should be abandoned at one's earliest convenience.
>
> In fact, RIPv1 has been declared historical (or, rather, hysterical).
>
> - paul
>
> At 08:53 PM 9/30/96 -0500, Charles_Ragan@ins.com wrote:
>
> >One other note, rfc 1878's recommendation allows for the usage of the first
> >and last subnet. Routing protocols that carry subnet information in its
> >updates allow for this. Ones that don't (igrp, static, ripv1, etc.). The
> >practice I follow is to use them last, if needed.
> >
> >Charles
> >
>
> --
> Paul Ferguson                       ||        ||
> Consulting Engineering              ||        ||
> Reston, Virginia USA               ||||      ||||
> tel: +1.703.716.9538          ..:||||||:..:||||||:..
> e-mail: pferguso@cisco.com     c i s c o  S y s t e m s
>
>

#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>

#define A 1
#define B 2
#define C 3

/* NOTE: Only class C is currently supported */

/* Print the usable subnets of the class C network b1.b2.b3.b4 when sb bits
   are borrowed from the host octet.  Subnet zero, the all-ones subnet and
   the all-zeros/all-ones host addresses are skipped (classful rules). */
void dump_class_C(int b1, int b2, int b3, int b4, int sb)
{
    int s, h, sd, hd;

    sd = 1 << sb;          /* number of subnets */
    hd = 1 << (8 - sb);    /* addresses per subnet */

    printf("Network: %d.%d.%d.%d/%d\n", b1, b2, b3, b4, 24 + sb);
    printf("Netmask: %d.%d.%d.%d\n", 255, 255, 255, (sd - 1) << (8 - sb));

    for (s = 1; s < sd - 1; s++) {
        printf("\fSubnet: %d", s);
        printf("\nNetwork: %d.%d.%d.%d/%d", b1, b2, b3, s << (8 - sb), 24 + sb);
        printf("\nBroadcast: %d.%d.%d.%d\n\n", b1, b2, b3,
               (s << (8 - sb)) + (hd - 1));
        for (h = 1; h < hd - 1; h++) {
            printf("    %d.%d.%d.%d\n", b1, b2, b3, (s << (8 - sb)) + h);
        }
    }
}

int main(int argc, char *argv[])
{
    const char *cp;
    int class, sb, b1, b2, b3, b4;

    if (argc != 3) {
        printf("Usage: subnet address subnet_bits\n\n");
        printf("Example: subnet 197.34.16.0 3\n");
        return 1;
    }

    /* Parse the dotted quad in place.  The posted version copied argv[1]
       into a fixed 256-byte buffer with strcpy, which overflows on a long
       argument; walking the argument directly avoids the copy altogether. */
    cp = argv[1];
    b1 = atoi(cp);
    while (isdigit((unsigned char)*cp)) ++cp;
    if (*cp == '.') ++cp;
    else { printf("Bad address: %s\n", argv[1]); return 1; }
    b2 = atoi(cp);
    while (isdigit((unsigned char)*cp)) ++cp;
    if (*cp == '.') ++cp;
    else { printf("Bad address: %s\n", argv[1]); return 1; }
    b3 = atoi(cp);
    while (isdigit((unsigned char)*cp)) ++cp;
    if (*cp == '.') ++cp;
    else { printf("Bad address: %s\n", argv[1]); return 1; }
    b4 = atoi(cp);
    sb = atoi(argv[2]);

    /* Each octet must fit in a byte and the bit count cannot be negative. */
    if (b1 < 0 || b1 > 255 || b2 < 0 || b2 > 255 ||
        b3 < 0 || b3 > 255 || b4 < 0 || b4 > 255 || sb < 0) {
        printf("Bad address or subnet bits: %s %s\n", argv[1], argv[2]);
        return 1;
    }

    /* Classful ranges: A = 0-127, B = 128-191, C = 192-223 */
    if (b1 < 128) class = A;
    else if (b1 < 192) class = B;
    else if (b1 < 224) class = C;
    else {
        printf("Bad address (class out of range): %s\n", argv[1]);
        return 1;
    }

    switch (class) {
    case A:
        if (sb > 24) { printf("Too many subnet bits\n"); return 1; }
        break;
    case B:
        if (sb > 16) { printf("Too many subnet bits\n"); return 1; }
        break;
    case C:
        if (sb > 8) { printf("Too many subnet bits\n"); return 1; }
        dump_class_C(b1, b2, b3, b4, sb);
        break;
    }
    return 0;
}

From firewalls-owner Tue Oct 1 07:33:46 1996
From: Steve Uurtamo
Message-Id: <199610011332.IAA01114@insync.net>
Subject: CyberGuard. (fwd)
To: firewalls@greatcircle.com
Date: Tue, 1 Oct 1996 08:32:13 -0500 (CDT)

Having some joy with the CyberGuard. In particular, I need to proxy a service that, after making its first connection through the firewall, will need to establish connections through exactly 2 future ports for the remainder of the service. These ports are in the "free zone" (>1024). I have to do NAT on all of the packets as the internal machine has a non-routable address (10.x.x.x).

Given that I can parse the packets well enough to figure out what those future ports are going to be (yes, this is a proprietary service), what is a good place to start as far as writing my own proxy using the proxy source code on the CyberGuard? Should I be looking at the way FTP handles future connections for data? Or maybe I'm doing this all wrong.

Thanks for any help anyone can give in advance.
Steve Uurtamo From firewalls-owner Tue Oct 1 07:41:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA21897 for firewalls-outgoing; Tue, 1 Oct 1996 06:37:05 -0700 (PDT) Received: from mail.comm.hq.af.mil (mail.comm.hq.af.mil [134.205.80.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA21887 for ; Tue, 1 Oct 1996 06:36:57 -0700 (PDT) Received: from MSSMTPOUT.COMM.HQ.AF.MIL (mssmtpout.comm.hq.af.mil [134.205.80.21]) by mail.comm.hq.af.mil (8.6.5/8.6.5) with SMTP id JAA23421 for < Firewalls@GreatCircle.COM>; Tue, 1 Oct 1996 09:01:08 -0400 Received: by MSSMTPOUT.COMM.HQ.AF.MIL with Microsoft Mail id <325149EB@MSSMTPOUT.COMM.HQ.AF.MIL>; Tue, 01 Oct 96 09:42:19 PDT From: "Bouchard, Alexis, 2Lt,SAM/GNCP" To: Firewall Discussion Subject: Gauntlet vs. Sidewinder Date: Tue, 01 Oct 96 09:34:00 PDT Message-ID: <325149EB@MSSMTPOUT.COMM.HQ.AF.MIL> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have to choose between Gauntlet and Sidewinder as a Firewall solution. Both products meet my laundry list requirements. Both can do the job of securing my network, but which one is better? What I'm looking for is which one is better then the other as far as easy of use, overall security and support from the vender. I have all the general vender info, but I'm looking for strong technical reasons why I should go with one or the other. I'm a new kid on the block. This is my first Firewall experience. I haven't had the luxury of seeing many Firewalls in use, or being able to play and fiddle with them. I'm open to all input and all advise. I need to take advantage of someone else's experiences. 
Alexis Bouchard From firewalls-owner Tue Oct 1 07:45:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA24211 for firewalls-outgoing; Tue, 1 Oct 1996 06:46:56 -0700 (PDT) Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA23988 for ; Tue, 1 Oct 1996 06:46:02 -0700 (PDT) Received: by relay.ashton.csc.com; id JAA15354; Tue, 1 Oct 1996 09:46:54 -0400 Received: from mccoy.ashton.csc.com(20.2.51.2) by relay.ashton.csc.com via smap (g3.0.1) id sma015348; Tue, 1 Oct 96 09:46:25 -0400 Received: (from jhkerr@localhost) by mccoy.ashton.csc.com (8.6.12/8.6.9) id JAA26971; Tue, 1 Oct 1996 09:54:05 -0400 Date: Tue, 1 Oct 1996 09:54:04 -0400 (EDT) From: "John H. Kerr" To: Kogulapalan cc: firewalls@GreatCircle.COM Subject: Re: Checkpoint In-Reply-To: <199610011801.KAA28685@snet> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The encryption module must be purchased seperately. The NAT does come with some if not all of there versions of the Firewall. I believe that if you go to their home page at WWW.Checkpoint.com you could find a listing of all their products. On Tue, 1 Oct 1996, Kogulapalan wrote: > Folks, > > A quick questions ;) Hope to get answers :) > > 1) Does the Checkpoint Firewall-1 that comes with SUN has the > capabilies of doing VPN ??? > > 2) Does the Checkpoint Firewall-1 that comes with SUN has the > capabilies of doing NAT ??? > > Thats all. Thanks. 
> > Regards, > PaLaN > palan@mailhost.net > > " Hack From The Rich and Download To The Poor " > From firewalls-owner Tue Oct 1 08:10:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA27182 for firewalls-outgoing; Tue, 1 Oct 1996 07:02:14 -0700 (PDT) Received: from ic.net (falcon.ic.net [152.160.101.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA27168 for ; Tue, 1 Oct 1996 07:02:08 -0700 (PDT) Received: from CimInc.com by ic.net with smtp (Smail3.1.28.1 #6) id m0v85OF-003Ib4C; Tue, 1 Oct 96 10:01 WET DST Received: by CimInc.com from localhost (router,SLmail95 V1.2,beta 1); Tue, 01 Oct 1996 10:05:50 Received: by CimInc.com from bill (152.160.211.243::mail daemon; unverified,SLmail95 V1.2,beta 1); Tue, 01 Oct 1996 10:05:49 Message-ID: <3251259B.65C9@ciminc.com> Date: Tue, 01 Oct 1996 10:07:23 -0400 From: "bill" Organization: Center for Information Management X-Mailer: Mozilla 2.01 (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.com Subject: Checkpoint's Firewall-1 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please let me know about your experiences with Checkpoint's Firewall-1 product. Does anyone know if you can run this product on the machine you are trying to protect? 
From firewalls-owner Tue Oct 1 08:26:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA27513 for firewalls-outgoing; Tue, 1 Oct 1996 07:04:50 -0700 (PDT) Received: from ic.net (falcon.ic.net [152.160.101.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA27479 for ; Tue, 1 Oct 1996 07:04:29 -0700 (PDT) Received: from CimInc.com by ic.net with smtp (Smail3.1.28.1 #6) id m0v85QV-003Ib5C; Tue, 1 Oct 96 10:03 WET DST Received: by CimInc.com from localhost (router,SLmail95 V1.2,beta 1); Tue, 01 Oct 1996 10:08:10 Received: by CimInc.com from bill (152.160.211.243::mail daemon; unverified,SLmail95 V1.2,beta 1); Tue, 01 Oct 1996 10:08:09 Message-ID: <32512627.284E@ciminc.com> Date: Tue, 01 Oct 1996 10:09:43 -0400 From: "bill" Organization: Center for Information Management X-Mailer: Mozilla 2.01 (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.com Subject: TIS Gauntlet Firewall product Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Please let me know about your experiences with TIS' Gauntlet Firewall product. Also, does anyone know if you can run this product on the machine you are trying to protect?

From firewalls-owner Tue Oct 1 08:27:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA29011 for firewalls-outgoing; Tue, 1 Oct 1996 07:20:07 -0700 (PDT) Received: from garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA28994 for ; Tue, 1 Oct 1996 07:19:59 -0700 (PDT) Received: by garrison.com; id DAA15676; Mon, 30 Sep 1996 03:37:22 -0500 Received: from unknown(10.0.0.2) by gw.garrison.com via smap (V3.1.1) id xma015654; Mon, 30 Sep 96 03:37:12 -0500 Received: by ukn0.garrison.com.
(4.1/Nutered Mailer) id AA03250; Tue, 1 Oct 96 09:12:53 CDT Date: Tue, 1 Oct 96 09:12:53 CDT From: jeromie@garrison.com (Hmm) Message-Id: <9610011412.AA03250@ukn0.garrison.com.> To: smith@sctc.com, msmith@quix.robins.af.mil Subject: Re: Newbie question Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > At 3:25 PM 9/17/96, Chris Garrigues wrote about Mark's picture
> > of a "triple homed" firewall:
> >
> > >I see maps like yours all the time, but I'm uneasy about real
> > >routing happening on my firewall. It just seems to me like
> > >there's potential risk in running routing software on a firewall.
> >
> > Quite so. Correct packet flow must be enforced by something more than IP
> > level routing. The picture only makes sense if you've set up a firewall
> > proxy to enforce the flow. All web server accesses should be sent to the
> > isolated subnet containing the Web server and no incoming Internet
> > connections should be allowed to flow directly into the database server's
> > net. The "routing" in this case isn't handled by the IP layer, it's handled
> > by socket layer proxies.
> >
> > Rick.
>

Also, in the above-mentioned configuration, if the web server is compromised, it doesn't automatically give it the ability to go into promiscuous mode and read all traffic passing between the firewall & the outside. It also gives you the ability to use the firewall audit utilities in order to log data. Centralization, and potentially better reporting mechanisms than you would have elsewhere.
Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Tue Oct 1 08:47:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA05429 for firewalls-outgoing; Tue, 1 Oct 1996 08:17:37 -0700 (PDT) Received: from franklin.seas.gwu.edu (franklin.seas.gwu.edu [128.164.9.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA05413 for ; Tue, 1 Oct 1996 08:17:24 -0700 (PDT) Received: from seas.gwu.edu (root@felix.seas.gwu.edu [128.164.9.3]) by franklin.seas.gwu.edu (8.7.1/8.7.1) with ESMTP id LAA23683 for ; Tue, 1 Oct 1996 11:16:34 -0400 (EDT) Received: from reto.seas.gwu.edu (reto@felix [128.164.9.3]) by seas.gwu.edu (8.7.1/8.7.1) with SMTP id LAA17878 for ; Tue, 1 Oct 1996 11:16:29 -0400 (EDT) Message-Id: <199610011516.LAA17878@seas.gwu.edu> X-Sender: reto@seas.gwu.edu X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 01 Oct 1996 11:17:16 -0400 To: firewalls@greatcircle.com From: Reto Haeni Subject: Introduction Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I recently joined this group and would like to briefly introduce myself. My name is Reto Haeni and I have been at The George Washington University in Washington DC for a year, where I plan to get my MSc in Telecommunications and Computers in December. Before I came to the US, I was working in R&D at Swiss Telecom (I am from Switzerland) in the communications group. Besides my studies, I am a Teaching Assistant in Computer Security and a Research Assistant at the Cyberspace Policy Institute. My knowledge of firewalls is somewhat limited (to the theory), but I am writing a paper on testing/penetration of firewalls and hope to get some inside knowledge out of it.

Greetings, and I am looking forward to an interesting participation.

Reto Haeni
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ Reto E.
Haeni Cyberspace Policy Institute The George Washington University 2033 K Str. NW Suite 340N School of Engineering and Applied Science Washington DC 20006 ph (202) 994-5512 (We, Th) http://www.cpi.seas.gwu.edu/ reto@seas.gwu.edu http://www.seas.gwu.edu/student/reto/ _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ From firewalls-owner Tue Oct 1 08:58:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA07484 for firewalls-outgoing; Tue, 1 Oct 1996 08:34:36 -0700 (PDT) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA07459 for ; Tue, 1 Oct 1996 08:34:28 -0700 (PDT) From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id LAA16547; Tue, 1 Oct 1996 11:33:50 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id LAA09888; Tue, 1 Oct 1996 11:33:47 -0400 (EDT) Date: Tue, 1 Oct 1996 11:33:47 -0400 (EDT) Message-Id: <199610011533.LAA09888@SPARKY.CF.CS.YALE.EDU> To: pferguso@cisco.com Subject: Re: Subnetting Class C Network Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Paul Ferguson >You can use IP subnet 0 if you use the global command 'ip subnet zero' >within a cisco router. Use of the all-1's subnet has always been >permissible. Yes. We use a subnet with all zeros (128.36.0.0, where our subnet mask is 255.255.255.0) for legacy reasons. Whenever we bring up a new CISCO router on the 128.36.0 subnet we run the router through the EZ config with a terminal --- and then after it refuses to talk to the zero subnet we enter the advanced configuration command 'service subnet-zero' or 'ip subnet-zero' (depending on the CISCO IOS release). 
- Morrow From firewalls-owner Tue Oct 1 09:12:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA09579 for firewalls-outgoing; Tue, 1 Oct 1996 08:47:00 -0700 (PDT) Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA09541 for ; Tue, 1 Oct 1996 08:46:46 -0700 (PDT) Received: by gauntlet-1.trusted.com; id LAA17119; Tue, 1 Oct 1996 11:50:21 -0400 Received: from hilo.trusted.com(10.0.1.126) by gauntlet-1.trusted.com via smap (V3.1.1) id xma017116; Tue, 1 Oct 96 11:49:59 -0400 Received: from metro.trusted.com by hilo.trusted.com with SMTP (1.37.109.4/16.2) id AA16362; Tue, 1 Oct 96 11:48:24 -0400 Message-Id: <32513C32.13728473@tis.com> Date: Tue, 01 Oct 1996 11:43:46 -0400 From: John J McMahon Organization: Trusted Information Systems - Rockville, MD X-Mailer: Mozilla 3.0 (X11; I; BSD/OS 2.0 i386) Mime-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: ATM Firewalls References: <26860.20243.1996Sep24@tis.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dr. Bill Hancock wrote: > (edited) > FYI, there were two refereed papers on high-speed firewalls > delivered at the April 1996 InterOP show in Las Vegas... FYI - The Firewall in the NOC at Interop Las Vegas and Atlanta this year was partially on ATM. I can't speak for the Las Vegas design (I didn't build it), but the Atlanta design was a three interface system consisting of: - 10 Mbps Ethernet - Inside Interface 1 - 155 Mbps ATM (LANE) - Inside Interface 2 - 100 Mbps FDDI - Outside Interface The base system was a Sun SparcStation 20, running SunOS 4.1.4 and TIS Gauntlet 3.1.1. The FDDI and ATM boards came from Interphase. 
Cheers,
John
--
John "FuzzFace" McMahon Gauntlet Internet Firewall Technical Support Support: gauntlet-support@trusted.com, 301-527-9555, 301-527-0482 (fax) Pennsic XXV: Cry Havoc... And let slip the golf carts of War...

From firewalls-owner Tue Oct 1 09:46:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA16825 for firewalls-outgoing; Tue, 1 Oct 1996 09:33:37 -0700 (PDT) Received: from pa0016c1.kpmg.com (pa0016c1.kpmg.com [199.207.255.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA16789 for ; Tue, 1 Oct 1996 09:33:26 -0700 (PDT) Received: by pa0016c1.kpmg.com; id MAA26341; Tue, 1 Oct 1996 12:32:58 -0400 Received: from unknown(199.207.255.5) by pa0016c1.kpmg.com via smap (V3.1) id xmai26186; Tue, 1 Oct 96 12:32:33 -0400 Received: from ccMail by mailgate2.kpmg.com (IMA Internet Exchange 2.01 Enterprise) id 25146C00; Tue, 1 Oct 96 12:28:48 -0400 Mime-Version: 1.0 Date: Tue, 1 Oct 1996 11:28:35 -0400 Message-ID: <25146C00.@kpmg.com> From: kenng@kpmg.com (Ken Ng) Subject: Gauntlet FW in big environments. To: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Does anyone here have any experience with running Gauntlet Firewalls in a "large" environment? By large, I mean about 500 ip sites a day, 1.2 gig of http traffic a day, 100 meg of email, and 200 meg of ftp traffic a day. I've got the TIS HP Vectra pc running BSD 2.0 with TIS 3.1. The machine has 48 meg of ram.

The problem I'm having is that the machine typically either reboots itself or it crashes until I reboot it manually. I thought I fixed it by having it reboot from cron once a week in the early morning. But now it's starting to crash on day 6. Will more memory help this thing? Are other people having similar problems? What's everyone else using?
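The triple-homed, proxy-enforced design discussed in the "Newbie question" reply above (Internet clients reach the web server only through a proxy, nothing flows directly into the database net, and the IP layer does no routing between the three networks) is easiest to reason about as a set of first-match rule chains of the kind ipfwadm applies, one each for packets delivered to the firewall, packets it originates, and packets it would forward, each with a default policy. The model below is an added example written for this archive; it is not code from any list post, from ipfwadm, or from any firewall product. The addresses, interface names, the chain labels and the database port (1521) are assumptions made for the illustration.

```python
"""First-match packet-filter model for the triple-homed, proxy-enforced design.
Added illustration (not code from the list, ipfwadm, or any product); the
addresses, interface names and database port below are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed topology (documentation ranges, constructed for this example).
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_DMZ = ipaddress.ip_network("192.0.2.0/24")       # isolated web-server subnet
DB_NET = ipaddress.ip_network("198.51.100.0/24")     # database-server subnet
FW_ADDRS = {                                         # the firewall's own addresses
    "eth0": ipaddress.ip_address("203.0.113.1"),      # outside
    "eth1": ipaddress.ip_address("192.0.2.1"),        # web DMZ
    "eth2": ipaddress.ip_address("198.51.100.1"),     # database net
}
DB_PORT = 1521                                       # assumed database listener port


def host(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{addr}/32")


FW_EXT, FW_DMZ, FW_DB = (host(FW_ADDRS[i]) for i in ("eth0", "eth1", "eth2"))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str            # interface the packet arrives on, or leaves by
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None matches any port
    iface: Optional[str] = None       # None matches any interface
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or p.dport == self.dport)
                and (self.iface is None or p.iface == self.iface))


# Each chain: (default policy, ordered rules).  The first matching rule decides.
CHAINS = {
    # No rule ever accepts a transit packet: the IP layer does not relay between
    # the three networks, so every cross-network flow must go through a proxy.
    "forward": ("deny", []),
    # Packets addressed to the firewall itself: only the proxy listeners, and
    # only on the interface the client is supposed to arrive on.
    "input": ("deny", [
        Rule("accept", ANY, FW_EXT, 80, iface="eth0"),           # HTTP proxy, outside only
        Rule("accept", WEB_DMZ, FW_DMZ, DB_PORT, iface="eth1"),  # DB relay, web tier only
    ]),
    # Packets the proxies originate toward the protected subnets.
    "output": ("deny", [
        Rule("accept", FW_DMZ, WEB_DMZ, 80, iface="eth1"),
        Rule("accept", FW_DB, DB_NET, DB_PORT, iface="eth2"),
    ]),
}


def chain_for(p: Packet) -> str:
    """Pick the chain the way the kernel would: local delivery, local origin, or transit."""
    own = set(FW_ADDRS.values())
    if ipaddress.ip_address(p.dst) in own:
        return "input"
    if ipaddress.ip_address(p.src) in own:
        return "output"
    return "forward"


def evaluate(p: Packet) -> Tuple[str, str, int]:
    """Return (chain, action, index of the matching rule; -1 when the default policy applied)."""
    chain = chain_for(p)
    policy, rules = CHAINS[chain]
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return chain, rule.action, i
    return chain, policy, -1


def demo() -> List[Tuple[str, str, str, int]]:
    """Constructed sample packets for the flows discussed in the thread."""
    cases = {
        "client -> http proxy":          Packet("198.18.0.5", "203.0.113.1", 80, "eth0"),
        "client -> web server directly": Packet("198.18.0.5", "192.0.2.10", 80, "eth0"),
        "client -> db server directly":  Packet("198.18.0.5", "198.51.100.10", DB_PORT, "eth0"),
        "proxy -> web server":           Packet("192.0.2.1", "192.0.2.10", 80, "eth1"),
        "web server -> db relay":        Packet("192.0.2.10", "192.0.2.1", DB_PORT, "eth1"),
        "web server -> db directly":     Packet("192.0.2.10", "198.51.100.10", DB_PORT, "eth1"),
        "web server -> http proxy":      Packet("192.0.2.10", "192.0.2.1", 80, "eth1"),
        "spoofed DMZ src on outside":    Packet("192.0.2.10", "192.0.2.1", DB_PORT, "eth0"),
    }
    return [(name,) + evaluate(p) for name, p in cases.items()]


if __name__ == "__main__":
    for name, chain, action, idx in demo():
        print(f"{name:32s} {chain:8s} {action:7s} rule {idx}")
```

Two details of the ruleset carry the point of the thread: the forward chain has no accept rules, so even a compromised web server cannot reach the database subnet or the outside except through a proxy listener on the firewall, and each accept rule is tied to the arriving interface, so a packet carrying a DMZ source address that shows up on the outside interface is dropped instead of being treated as if it came from the web tier.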
From firewalls-owner Tue Oct 1 09:58:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA19047 for firewalls-outgoing; Tue, 1 Oct 1996 09:51:47 -0700 (PDT) Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA19023 for ; Tue, 1 Oct 1996 09:51:38 -0700 (PDT) Received: from Barbara's HP.us.checkpoint.com (barbara-pc) by us.checkpoint.com (5.x/SMI-SVR4) id AA19375; Tue, 1 Oct 1996 09:51:48 -0700 Message-Id: <32514C1F.1BD3@us.checkpoint.com> Date: Tue, 01 Oct 1996 09:51:43 -0700 From: "Barbara W. Jaarsma" Reply-To: barbara@us.checkpoint.com Organization: Checkpoint US Technical Support X-Mailer: Mozilla 3.0 (Win95; I) Mime-Version: 1.0 To: "Bouchard, Alexis, 2Lt,SAM/GNCP" Cc: Firewall Discussion Subject: Re: Gauntlet vs. Sidewinder References: <325149EB@MSSMTPOUT.COMM.HQ.AF.MIL> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bouchard, Alexis, 2Lt,SAM/GNCP wrote: > > I have to choose between Gauntlet and Sidewinder as a Firewall solution. Personally, I'd go with FireWall-1... 
:-)
-Barb

From firewalls-owner Tue Oct 1 10:31:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA21123 for firewalls-outgoing; Tue, 1 Oct 1996 10:07:39 -0700 (PDT) Received: from tango.lightech.com.ar (spy.lightech.com.ar [200.0.253.134]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA21108 for ; Tue, 1 Oct 1996 10:07:31 -0700 (PDT) Received: from salsa (router1-p14.pccp.com.ar [200.0.253.30]) by tango.lightech.com.ar (8.6.8.1/SCA-6.6) with SMTP id RAA02098 for ; Tue, 1 Oct 1996 17:02:37 GMT Message-ID: <32514D90.7B61@lightech.com.ar> Date: Tue, 01 Oct 1996 13:57:52 -0300 From: Adrian Setton Reply-To: asetton@lightech.com.ar Organization: LighTech X-Mailer: Mozilla 3.0 (Win95; I) MIME-Version: 1.0 To: Firewalls@greatcircle.com Subject: Firewall-1 Light Restrictions Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Does anybody know what the restrictions of Firewall-1 Light are? In the Qualix FAQ it says 50 internal nodes and 50 concurrent sessions. I've seen in a Sun White Paper that it is 50 outbound sessions. At our customer we expect to have more than 50 inbound connections, but no more than 10 outbound connections, so this is really important. Thanks in advance.

--
Adrian F. Setton LighTech Voice: (54-1) 420-4110 Ayacucho 563.
Piso 13 Dto "A" FAX: (54-1) 315-1343 Buenos Aires e-mail: asetton@lightech.com.ar Argentina URL: http://www.lightech.com.ar From firewalls-owner Tue Oct 1 10:41:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA24451 for firewalls-outgoing; Tue, 1 Oct 1996 10:28:06 -0700 (PDT) Received: from ncar.UCAR.EDU (ncar.ucar.edu [192.52.106.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA24379 for ; Tue, 1 Oct 1996 10:27:49 -0700 (PDT) Message-Id: <199610011726.LAA23872@ncar.ucar.EDU> Received: by ncar.ucar.EDU (NCAR Local/ NCAR Central Post Office 03/11/93) id LAA23872; Tue, 1 Oct 1996 11:26:58 -0600 (MDT) Subject: Re: ATM Firewalls To: firewalls@GreatCircle.COM Date: Tue, 1 Oct 96 11:26:57 MDT In-Reply-To: <32513C32.13728473@tis.com>; from "John J McMahon" at Oct 1, 96 11:43 am From: woods@ucar.edu (Greg Woods) X-Mailer: ELM [version 2.3 PL11] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > a three interface system consisting of: > > - 10 Mbps Ethernet - Inside Interface 1 > - 155 Mbps ATM (LANE) - Inside Interface 2 > - 100 Mbps FDDI - Outside Interface For most of us that I've heard use the term, this is not an "ATM firewall". Although I cannot speak for anyone else, I think that to call something like this an ATM firewall is deceptive. What *I* mean when I use that term is something that can act as a firewall while passing packets *at ATM speed*. While I would agree that something that can at least pass packets at or close to FDDI speed is worthy of note, this is not an "ATM firewall" by any reasonable definition. 
--Greg From firewalls-owner Tue Oct 1 11:12:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA22123 for firewalls-outgoing; Tue, 1 Oct 1996 10:13:19 -0700 (PDT) Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA22058 for ; Tue, 1 Oct 1996 10:13:00 -0700 (PDT) Received: (from smap@localhost) by ereapp.erenj.com (8.7.4/8.7.3) id NAA09426 for ; Tue, 1 Oct 1996 13:12:29 -0400 Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma009419; Tue Oct 1 13:12:09 1996 Received: from stargate.erenj.com (stargate.erenj.com [159.70.1.8]) by eredns.erenj.com (8.7.4/8.7.3) with SMTP id NAA27401 for ; Tue, 1 Oct 1996 13:12:06 -0400 Message-ID: <325150E6.52BF@erenj.com> Date: Tue, 01 Oct 1996 13:12:06 -0400 From: "Bryan D. Boyle" Organization: Exxon Research and Engineering Co. X-Mailer: Mozilla 3.0 (X11; I; OSF1 V4.0 alpha) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Re: Gauntlet vs. Sidewinder References: <325149EB@MSSMTPOUT.COMM.HQ.AF.MIL> <32514C1F.1BD3@us.checkpoint.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Barbara W. Jaarsma wrote: > > Bouchard, Alexis, 2Lt,SAM/GNCP wrote: > > > > I have to choose between Gauntlet and Sidewinder as a Firewall solution. > > Personally, I'd go with FireWall-1... :-) > -Barb Not an unbiased opinion, from your return address. -- Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338 #include | http://www.access.digex.net/~bdboyle/index.html "They that can give up liberty to obtain a little temporary safety deserve neither liberty nor safety." 
- Benjamin Franklin, Historical Review of Pennsylvania

From firewalls-owner Tue Oct 1 11:16:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA27318 for firewalls-outgoing; Tue, 1 Oct 1996 10:48:20 -0700 (PDT) Received: from dorian.cybersmith.net (dorian.cybersmith.net [198.164.20.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA27301 for ; Tue, 1 Oct 1996 10:48:13 -0700 (PDT) Received: from localhost (agrant@localhost) by dorian.cybersmith.net (8.7.5/8.7.3) with SMTP id OAA00278 for ; Tue, 1 Oct 1996 14:47:42 -0300 Date: Tue, 1 Oct 1996 14:47:42 -0300 (ADT) From: Andrew Grant To: Firewalls@GreatCircle.COM Subject: TIS Toolkit (plug-gw) In-Reply-To: <32512627.284E@ciminc.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

How does one use the plug-gw program, once you've got it compiled? There doesn't seem to be any information on this. Also, can someone explain the logic behind "ipfwadm"? I've read the HOWTO, but I'm still in the dark. I'm also running socks5; would ipfwadm (once set up right) take over its job?

Thanks,
--Andrew

From firewalls-owner Tue Oct 1 11:22:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA21945 for firewalls-outgoing; Tue, 1 Oct 1996 10:12:01 -0700 (PDT) Received: from anka.mindvision.com (anka.mindvision.com [198.247.220.254]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA21902 for ; Tue, 1 Oct 1996 10:11:44 -0700 (PDT) Received: (from alan@localhost) by anka.mindvision.com (8.6.11/8.6.9) id LAA12291; Tue, 1 Oct 1996 11:58:00 -0500 Message-Id: <199610011658.LAA12291@anka.mindvision.com> Subject: Re: Gauntlet FW in big environments.
To: kenng@kpmg.com (Ken Ng) Date: Tue, 1 Oct 1996 11:57:59 -0500 (CDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <25146C00.@kpmg.com> from "Ken Ng" at Oct 1, 96 11:28:35 am From: alan@mindvision.com (Alan Hannan) Reply-To: alan@mindvision.com (Alan Hannan) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have worked with systems larger than the one you describe. By upgrading to the current blessed set of patches, and going to Gauntlet 1.1.1 with the appropriate patches, I was consistently able to create a working system. Good luck!

-alan

>
> Does anyone here have any experience with running Gauntlet Firewalls
> in a "large" environment? By large, I mean about 500 ip sites a day,
> 1.2 gig of http traffic a day, 100 meg of email, and 200 meg of ftp
> traffic a day. I've got the TIS HP Vectra pc running BSD 2.0 with TIS
> 3.1. The machine has 48 meg of ram.
>
> The problem I'm having is that the machine typically either reboots
> itself or it crashes until I reboot it manually. I thought I fixed it
> by having it reboot from cron once a week in the early morning. But
> now it's starting to crash on day 6. Will more memory help this thing?
> Are other people having similar problems? What's everyone else using?
>

--
Alan Hannan Not Employed Networking, Ltd. email: alan@mindvision.com.
phone: 402/488-0238

From firewalls-owner Tue Oct 1 11:26:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA28523 for firewalls-outgoing; Tue, 1 Oct 1996 10:55:02 -0700 (PDT) Received: from maddie.atlantic.com (maddie.atlantic.com [198.252.200.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA28466 for ; Tue, 1 Oct 1996 10:54:44 -0700 (PDT) Received: (from pokey@localhost) by maddie.atlantic.com (8.7.6/8.7.3) id NAA22325; Tue, 1 Oct 1996 13:38:42 -0400 From: Rick Romkey Message-Id: <199610011738.NAA22325@maddie.atlantic.com> Subject: Re: Firewall-1 Light Restrictions To: asetton@lightech.com.ar Date: Tue, 1 Oct 1996 13:38:42 -0400 (EDT) Cc: Firewalls@GreatCircle.COM In-Reply-To: <32514D90.7B61@lightech.com.ar> from "Adrian Setton" at Oct 1, 96 01:57:52 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
> Does anybody know what the restrictions of Firewall-1 Light are?
> In the Qualix FAQ it says 50 internal nodes and 50 concurrent sessions.
> I've seen in a Sun White Paper that it is 50 outbound sessions.
> At our customer we expect to have more than 50 inbound connections,
> but no more than 10 outbound connections, so this is really important.

Firewall-1 maintains a flat file of the IP addresses of internal hosts it detects. Concurrent usage was dropped as a licensing criterion and it is strictly host based now.
-Rick ---------------------------------------------------------------------------- Rick E Romkey | A T L A N T I C | Internet pokey@atlantic.com | Computing Technology Corporation | Specialists (860) 667-9596 | http://www.atlantic.com/ | ----------------------------------------------------------------------------- From firewalls-owner Tue Oct 1 12:00:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA00365 for firewalls-outgoing; Tue, 1 Oct 1996 11:05:03 -0700 (PDT) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA00324 for ; Tue, 1 Oct 1996 11:04:51 -0700 (PDT) Received: from pferguso-pc.cisco.com (dhcp-restontel-84.cisco.com [171.68.52.84]) by diablo.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id LAA20495; Tue, 1 Oct 1996 11:03:46 -0700 Message-Id: <2.2.32.19961001180346.00677a14@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 01 Oct 1996 14:03:46 -0400 To: long-morrow@CS.YALE.EDU From: Paul Ferguson Subject: Re: Subnetting Class C Network Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:33 AM 10/1/96 -0400, long-morrow@CS.YALE.EDU wrote: > >Yes. We use a subnet with all zeros (128.36.0.0, where our subnet mask >is 255.255.255.0) for legacy reasons. > >Whenever we bring up a new CISCO router on the 128.36.0 subnet we run the >router through the EZ config with a terminal --- and then after it refuses >to talk to the zero subnet we enter the advanced configuration command >'service subnet-zero' or 'ip subnet-zero' (depending on the CISCO IOS >release). > >- Morrow > It also depends on the routing protocol; classful routing protocols cannot distinguish IP subnet 0 from a network address. 
Subnetting with a subnet address of zero generally is not allowed with classful routing protocols because of the confusion inherent in having a network and a subnet with indistinguishable addresses. For example, if network 128.36.0.0 is subnetted as 255.255.255.0, subnet zero would be written as 128.36.0.0 -- which is identical to the network address.

- paul

--
Paul Ferguson || || Consulting Engineering || || Reston, Virginia USA |||| |||| tel: +1.703.716.9538 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s

From firewalls-owner Tue Oct 1 12:01:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA04511 for firewalls-outgoing; Tue, 1 Oct 1996 11:33:28 -0700 (PDT) Received: from litle.net ([205.139.20.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA04222 for ; Tue, 1 Oct 1996 11:32:10 -0700 (PDT) Received: from s_khan.litle.net by litle.net (SMI-8.6/SMI-SVR4) id OAA12276; Tue, 1 Oct 1996 14:33:54 -0400 Message-Id: <2.2.32.19961001183426.00ab0e9c@litle.net> X-Sender: s_khan@litle.net X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 01 Oct 1996 14:34:26 -0400 To: kenng@kpmg.com (Ken Ng) From: "Saqib A. Khan" Subject: Re: Gauntlet FW in big environments. Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Definitely more memory, like 128 Mb RAM. If you have control over the OS then also check your swap space; try to double it as compared to the memory or more (i.e. swap should be >= 256 Mb). BTW, what does TIS say about this issue?

At 11:28 AM 10/1/96 -0400, you wrote:
> Does anyone here have any experience with running Gauntlet Firewalls
> in a "large" environment? By large, I mean about 500 ip sites a day,
> 1.2 gig of http traffic a day, 100 meg of email, and 200 meg of ftp
> traffic a day. I've got the TIS HP Vectra pc running BSD 2.0 with TIS
> 3.1.
> The machine has 48 meg of ram.
>
> The problem I'm having is that the machine typically either reboots
> itself or it crashes until I reboot it manually. I thought I fixed it
> by having it reboot from cron once a week in the early morning. But
> now it's starting to crash on day 6. Will more memory help this thing?
> Are other people having similar problems? What's everyone else using?
>
>

PS: Pls CC all mail to me @ - Saqib.A.Khan@worldnet.att.net

---------------------------------------------------
Saqib A. Khan, Principal Architect, Information Security Strategic Network Consulting Voice: 617.433.7117 Saqib.A.Khan@worldnet.att.net
---------------------------------------------------
"Sed quis custodiet ipsos custodes?" -Juvenal, c. 100 C.E.

From firewalls-owner Tue Oct 1 12:14:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA01335 for firewalls-outgoing; Tue, 1 Oct 1996 11:11:53 -0700 (PDT) Received: from mm1 (mm1.sprynet.com [165.121.2.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA01317 for ; Tue, 1 Oct 1996 11:11:43 -0700 (PDT) Received: from stoico ([204.146.159.225]) by mm1.sprynet.com with SMTP id <148107-3174>; Tue, 1 Oct 1996 11:05:15 -0700 Message-Id: <3.0b19.32.19961001140637.009f6da0@hqmail.metlife.com> X-Sender: mstoico%hqmail.metlife.com@hqmail.metlife.com X-Mailer: Windows Eudora Pro Version 3.0b19 (32) Date: Tue, 01 Oct 1996 14:06:39 -0400 To: firewalls@Greatcircle.com From: Mike Stoico Subject: msn and firewalls Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Are there any specific ports that need to be authorized through a firewall to allow a user to connect to MSN?
========================================================================= Mike Stoico, I/S Security Consultant * Phone: (518)285-2567 MetLife * Fax: (518)285-2542 500 Jordan Rd * E-Mail: mstoico@metlife.com Troy, NY 12180 * URL: www.metlife.com ========================================================================= The opinions expressed here are my own and may not be those of my employer. ========================================================================= From firewalls-owner Tue Oct 1 12:36:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA10325 for firewalls-outgoing; Tue, 1 Oct 1996 12:03:07 -0700 (PDT) Received: from abraham.cs.berkeley.edu (abraham.CS.Berkeley.EDU [128.32.37.121]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA10115 for ; Tue, 1 Oct 1996 12:02:23 -0700 (PDT) Received: (from daemon@localhost) by abraham.cs.berkeley.edu (8.7.5/local) id LAA00292 for firewalls@greatcircle.com; Tue, 1 Oct 1996 11:50:24 -0700 Date: Tue, 1 Oct 1996 11:50:24 -0700 Message-Id: <199610011850.LAA00292@abraham.cs.berkeley.edu> Content-Type: text/plain; charset="us-ascii" Subject: Information Seeking To: firewalls@greatcircle.com From: nobody@cypherpunks.ca (John Anonymous MacDonald) Comments: There is no way to determine the originator of this message. If you wish to be blocked from receiving all anonymous mail, send your request to the mailing list. The operator of this particular remailer can be reached at . Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello: Can anyone on this list recommend a reputable and professional group that can perform security (both network and host; Internet related) audits at a medium sized company located in the United States? My interest is in the background of these organizations; who to stay away from; who to take a look at; etc. 
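The ambiguity Paul Ferguson describes in the "Subnetting Class C Network" thread above (subnet zero of 128.36.0.0 under a 255.255.255.0 mask is written 128.36.0.0, the same as the classful network address, so a classful routing update cannot say which one it means) can be checked mechanically: derive the classful network from the first octet, derive the subnet from the explicit mask, and compare the two. The script below is an added example written for this archive, not code from any list post or from IOS; the sample addresses are constructed. The symmetric check for the all-ones subnet (its directed broadcast address equals the classful network's broadcast address) is included so the reader can see both ends of the range.

```python
"""Classful vs. subnetted addressing: detect subnet zero and the all-ones subnet.
Added illustration (not from the list or any vendor); sample addresses constructed."""
import ipaddress
from typing import Dict, Tuple

IPv4Net = ipaddress.IPv4Network


def classful_network(addr: str) -> IPv4Net:
    """Network implied by the address class alone: A -> /8, B -> /16, C -> /24."""
    a = ipaddress.IPv4Address(addr)
    first = int(a) >> 24
    if first < 128:
        prefix = 8
    elif first < 192:
        prefix = 16
    elif first < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr}: class D/E addresses have no classful network")
    return ipaddress.ip_network(f"{a}/{prefix}", strict=False)


def subnet(addr: str, mask: str) -> IPv4Net:
    """Subnet the address falls in under an explicit (classless) mask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def subnet_number(addr: str, mask: str) -> Tuple[int, int]:
    """Return (subnet number, number of subnet bits): the bits that sit between
    the classful prefix and the mask."""
    net, sub = classful_network(addr), subnet(addr, mask)
    bits = sub.prefixlen - net.prefixlen
    if bits <= 0:
        raise ValueError(f"mask {mask} does not subnet the class network {net}")
    host_bits = 32 - sub.prefixlen
    number = (int(sub.network_address) >> host_bits) & ((1 << bits) - 1)
    return number, bits


def analyse(addr: str, mask: str) -> Dict[str, object]:
    """Flag the two subnets whose addresses coincide with the classful network's own."""
    net, sub = classful_network(addr), subnet(addr, mask)
    number, bits = subnet_number(addr, mask)
    return {
        "classful_network": str(net),
        "subnet": str(sub),
        "subnet_number": number,
        # Subnet zero: the subnet address is the classful network address, so a
        # classful routing update for "128.36.0.0" cannot say which one it means.
        "is_subnet_zero": number == 0,
        "zero_collides": sub.network_address == net.network_address,
        # All-ones subnet: its directed broadcast is the classful network broadcast.
        "is_all_ones": number == (1 << bits) - 1,
        "ones_collides": sub.broadcast_address == net.broadcast_address,
    }


if __name__ == "__main__":
    for addr, mask in [("128.36.0.5", "255.255.255.0"),      # subnet zero (constructed)
                       ("128.36.9.1", "255.255.255.0"),      # an unambiguous subnet
                       ("128.36.255.7", "255.255.255.0"),    # all-ones subnet
                       ("192.0.2.7", "255.255.255.192")]:    # class C cut into four /26s
        r = analyse(addr, mask)
        print(f"{addr}/{mask}: {r['subnet']} in {r['classful_network']} "
              f"subnet #{r['subnet_number']} zero={r['is_subnet_zero']} ones={r['is_all_ones']}")
```

The collision is purely a property of classful interpretation: once a routing protocol carries the mask with each prefix, 128.36.0.0/24 and 128.36.0.0/16 are distinct routes, which is why the IOS knob in the thread only matters for the router's own address validation and for classful protocols.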
From firewalls-owner Tue Oct 1 12:58:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA16887 for firewalls-outgoing; Tue, 1 Oct 1996 12:52:14 -0700 (PDT) Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA16763 for ; Tue, 1 Oct 1996 12:51:48 -0700 (PDT) Received: by gauntlet-1.trusted.com; id PAA22478; Tue, 1 Oct 1996 15:55:22 -0400 Received: from dhcp7.hq.tis.com(192.94.214.127) by gauntlet-1.trusted.com via smap (V3.1.1) id xmad22445; Tue, 1 Oct 96 15:55:00 -0400 Message-Id: <2.2.32.19961001194913.00af840c@pop.trusted.com> X-Sender: avolio@pop.trusted.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 01 Oct 1996 15:49:13 -0400 To: kenng@kpmg.com (Ken Ng), firewalls@GreatCircle.COM From: Frederick M Avolio Subject: Re: Gauntlet FW in big environments. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ken: We'd be happy to put you in touch with customers who are running Gauntlet Internet Firewalls in environments such as you describe here, and in even larger environments. I suppose you've worked with customer support, but it certainly sounds like a disk or memory hardware problem. More memory should not fix this because lack of memory should not cause system crashes on any UNIX machine. Fred At 11:28 AM 10/1/96 -0400, Ken Ng wrote: > Does anyone here have any experience with running Gauntlet Firewalls > in a "large" environment? By large, I mean about 500 ip sites a day, > 1.2 gig of http traffic a day, 100 meg of email, and 200 meg of ftp > traffic a day. I've got the TIS HP Vectra pc running BSD 2.0 with TIS > 3.1. The machine has 48 meg of ram. > > The problem I'm having is that the machine typically either reboots > itself or it crashes until I reboot it manually. 
> I thought I fixed it
> by having it reboot from cron once a week in the early morning. But
> now it's starting to crash on day 6. Will more memory help this thing?
> Are other people having similar problems? What's everyone else using?
>
>

From firewalls-owner Tue Oct 1 13:14:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA18590 for firewalls-outgoing; Tue, 1 Oct 1996 13:01:29 -0700 (PDT) Received: from mail2.webspan.net (mail2.webspan.net [206.154.70.7]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA18461 for ; Tue, 1 Oct 1996 13:00:56 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.18]) by mail2.webspan.net (8.7.5/8.7.3) with ESMTP id PAA29878; Tue, 1 Oct 1996 15:48:54 -0400 (EDT) Received: (from jmb@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA19812; Tue, 1 Oct 1996 12:48:49 -0700 (PDT) From: "Jonathan M. Bresler" Message-Id: <199610011948.MAA19812@freefall.freebsd.org> Subject: Re: Gauntlet FW in big environments. To: kenng@kpmg.com (Ken Ng) Date: Tue, 1 Oct 1996 12:48:49 -0700 (PDT) Cc: "Saqib A. Khan"@freefall.freebsd.org, , firewalls@greatcircle.com X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

we use a Gauntlet (at work not at FreeBSD.org) to support telnet, ftp, and http for ~1500 people. it's a 586-90 w/ 64MB

yesterday's usage:
ftp inbound 188MB
httpd inbound 854MB
nntp inbound 3176MB (not a typo)

the box is busy. it does *not* swap. swapping will kill you

outbound usage is not significant.

jmb
--
Jonathan M. Bresler FreeBSD Postmaster jmb@FreeBSD.ORG FreeBSD--4.4BSD Unix for PC clones, source included.
http://www.freebsd.org/
PGP 2.6.2 Fingerprint: 31 57 41 56 06 C1 40 13 C5 1C E3 E5 DC 62 0E FB

From firewalls-owner Tue Oct 1 13:34:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA19033 for firewalls-outgoing; Tue, 1 Oct 1996 13:04:27 -0700 (PDT)
Received: from anchorsteam (anchorsteam.unifiedtech.com [38.251.136.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA19004 for ; Tue, 1 Oct 1996 13:04:12 -0700 (PDT)
Received: from bass.com. by anchorsteam (SMI-8.6/SMI-SVR4) id QAA01039; Tue, 1 Oct 1996 16:04:32 -0400
Received: by bass.com. (SMI-8.6/SMI-SVR4) id QAA16337; Tue, 1 Oct 1996 16:01:47 -0400
Date: Tue, 1 Oct 1996 16:01:47 -0400
From: jonesmd@unifiedtech.com (Mike Jones)
Message-Id: <199610012001.QAA16337@bass.com.>
To: Firewalls@GreatCircle.COM, klynn@cyberspace.com
Subject: Re: SOLARIS x86 as firewall platform
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: ypZuzpa3ij+O++mJvUNftg==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I believe your options in this aspect are either Sun Microsystems
> Firewall-1 (which they're really just licensing from checkpoint), or from
> what I understand Trusted Information Systems (TIS) is working on a
> Solaris version of Gauntlet.

I have run FW-1 on a Solaris X86 system (P90, no less) with one DMZ network and have had no problems (except with unreliable cheap PC hardware).

> In my experience I'd favor gauntlet as it is a true application level
> proxy gateway. Firewall-1 which is supposed to perform as the fastest
> firewall around is unfortunately a hybrid packet filtering firewall
> therefore it is somewhat less secure (depending on how you set up your
> site of course).

Therefore? Could you point out a couple of specific ways FW-1 is less secure? I understand that basic packet filtering (such as is found in most routers) has some shortcomings, particularly in lack of flexibility, but I've never been clear on exactly what sort of attacks a FW-1 would be susceptible to that, say, Gauntlet wouldn't.

Mike Jones
Sr. Network Computing Advisor
UNIFIED Technologies

From firewalls-owner Tue Oct 1 13:56:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA20087 for firewalls-outgoing; Tue, 1 Oct 1996 13:11:36 -0700 (PDT)
Received: from news.be.innet.net (news.be.innet.net [194.7.1.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA20068 for ; Tue, 1 Oct 1996 13:11:23 -0700 (PDT)
Received: from pool011-7.innet.be (pool011-7.innet.be [194.7.12.38]) by news.be.innet.net (8.7.6/8.7.3) with SMTP id WAA18500; Tue, 1 Oct 1996 22:09:49 +0200 (MET DST)
Message-Id: <199610012009.WAA18500@news.be.innet.net>
X-Sender: fdehert@pophost.innet.be
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 01 Oct 1996 22:20:47 -0100
To: keithm@asymetrix.com
From: fdehert@innet.be (Frank J.J. De Hert)
Subject: RE: NT Security
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 30 Sep 96 , Keith McCammon wrote:
>
>C2 security seems basically worthless. You can't have any network, and if
>a perpetrator has physical access to the machine, he/she can just boot
>off a floppy to read your files.
>
>So, if you can't use it with a network as a file server, and if it's
>easily compromised with physical access to the machine, what is a
>practical example of where C2 is actually useful?
>

The issue is how the developer/vendor interprets the C2 requirements. If he/she's fishing for the certificate to fill a segment of the market, chances are that he/she will comply to the letter of the requirements (it shall be possible to...)
In many respects Win NT complies to the C2 requirements (probably to all of them), but once you try to implement them to set up a secure system, nothing works anymore. It's all very well to be able to protect system executables from the users, but if you have to give RWXD permissions to Everybody to allow the user(s) to actually use the system, there goes any confidence in such a certificate.

It is true that in the C2 requirements there is no mention of networking, and that, to my knowledge, no networked system has been granted any certificates (yet). There are, on the other hand, a few operating systems around that have been written more to the idea behind the requirements than to the letter. But, you already guessed it, they're in a somewhat higher price range than WinNT.

A while back there was mention of recipes to set up permissions on NT 3.51 in a more or less decent way. Could someone point me in the right direction where I can find those? It would be much appreciated.

Thx in advance,
Frank De Hert
System/Security Manager
NATO Programming Centre

From firewalls-owner Tue Oct 1 14:11:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA26099 for firewalls-outgoing; Tue, 1 Oct 1996 13:56:45 -0700 (PDT)
Received: from intfw.bear.com (intfw.bear.com [206.25.172.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA26071 for ; Tue, 1 Oct 1996 13:56:27 -0700 (PDT)
Received: by intfw.bear.com (4.1/SMI-4.1) id AA08871; Tue, 1 Oct 96 16:55:39 EDT
Received: from fastbear(165.168.74.3) by intfw via smap (V1.3) id sma007817; Tue Oct 1 16:51:01 1996
Received: from ursa2.bear.com by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) id AA27776; Tue, 1 Oct 96 16:55:29 EDT
Received: from whip_xfr.bear.com (whip-xfr) by ursa2.bear.com (4.1/SMI-4.1/AMR+DJMS(2)) id AA22581; Tue, 1 Oct 96 16:52:04 EDT
Received: from wizard.bsnet by whip_xfr.bear.com (SMI-8.6/SMI-SVR4) id QAA04378; Tue, 1 Oct 1996 16:51:05 -0400
Received: from neptune by wizard.bsnet (SMI-8.6/SMI-SVR4) id QAA15978; Tue, 1 Oct 1996 16:51:04 -0400
Message-Id: <32518438.1CA5@bear.com>
Date: Tue, 01 Oct 1996 16:51:04 -0400
From: Shahryar Jahangir
Organization: Bear Stearns
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m)
Mime-Version: 1.0
To: John Anonymous MacDonald
Cc: firewalls@greatcircle.com, tcrimenti@iconnet.com, smassaro@iconnet.com
Subject: Re: Information Seeking
References: <199610011850.LAA00292@abraham.cs.berkeley.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John,

I highly recommend Integration Consortium CMT. They are located in Weehawken NJ. Tele# 1800 572-4266. You can check out their website: www.iconnet.net and one of their online mags: www.word.com.

If you would like any further information, please contact me.

luck
sj

John Anonymous MacDonald wrote:
>
> Hello:
>
> Can anyone on this list recommend a reputable and professional group that
> can perform security (both network and host; Internet related) audits at a
> medium sized company located in the United States?
>
> My interest is in the background of these organizations; who to stay away
> from; who to take a look at; etc.

--
...........................................
" Is there a God ? I don't know, the computer is down !"
Shahryar Jahangir
Information Services
Bear Stearns & Co. Inc.
245 Park Avenue
New York, NY 10167
email: sj@bear.com
Tel: 212 272 7764
Fax : 212 499 6977
...........................................
--
*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************

From firewalls-owner Tue Oct 1 14:26:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA27022 for firewalls-outgoing; Tue, 1 Oct 1996 14:06:35 -0700 (PDT)
Received: from cedar.cic.net ([192.131.22.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA27006 for ; Tue, 1 Oct 1996 14:06:27 -0700 (PDT)
Received: from 170.217.20.154 (i11gate3.ca.us.advantis.net [198.133.30.42]) by cedar.cic.net (8.8.0/8.6.9) with SMTP id RAA02684 for ; Tue, 1 Oct 1996 17:05:51 -0400 (EDT)
Message-ID: <3251871E.1ECF@novusnet.com>
Date: Tue, 01 Oct 1996 16:03:26 -0500
From: Brad Shively
Reply-To: bshive1@novusnet.com
Organization: Novus Services
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: SSL Browsers
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know this is the wrong group to ask this but,

Does anyone know how to tell if a browser is SSL enabled? I am checking the http_user_agent for Mozilla 2.0 and above. I checked the Internet Explorer and Netscape 2.0+ and they both have Mozilla in this field. Is there a better way to check other than this? I know I can check if they are coming in on the secure port but I want to send them to a page if their browser is not compliant.

Thanks,
Brad Shively

From firewalls-owner Tue Oct 1 14:40:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA27438 for firewalls-outgoing; Tue, 1 Oct 1996 14:10:37 -0700 (PDT)
Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA27407 for ; Tue, 1 Oct 1996 14:10:12 -0700 (PDT)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com (EMWAC SMTPRS 0.81) with SMTP id ; Tue, 01 Oct 1996 15:15:52 -0600
Received: by juneau.steldyn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBAFAA.B0CAC340@juneau.steldyn.com>; Tue, 1 Oct 1996 15:10:32 -0600
Message-ID:
From: Chris Pugrud
To: "'Stewart Shinewald'" , "'Leonard Miyata'"
Cc: Firewalls Mailing list
Subject: RE: NT Security
Date: Tue, 1 Oct 1996 15:10:30 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This can be done fairly simply from an administrative workstation, across the network. Every NT machine automatically shares all of its drives under \\computername\c$ or d$ etc. These shares can only be accessed by an administrator (possibly a backup operator). This will allow you to scan the machine across the network without the user's knowledge. I use it regularly to do virus scans on users' machines across the network.

Chris

>-----Original Message-----
From: Stewart Shinewald [SMTP:stewarts@cul.ca]
Sent: Thursday, September 26, 1996 5:38 PM
To: Leonard Miyata
Cc: Firewalls Mailing list
Subject: Re: NT Security
>
>Our company is just moving to NT. In the past, when we audited workstations, it was relatively easy to review the user's hard drive for unsupported software or non-company use of resources by using DOS utilities such as PC TOOLS or NORTON.
Now that a workstation can be secured with a password and NTFS I had presumed that booting from a floppy and using DOS utilities to scan the hard drive would not work. Occasionally, we would audit a pc without the knowledge of the user, thus we would not know the password.

What utility programs would permit an auditor to scan and view in text format an entire hard drive including NT File Systems? Will these also permit the restoration and viewing of deleted files? If files are password protected or NT encrypted, are you aware of any utilities that will permit the viewing of the contents of these files?

Stewart Shinewald

From firewalls-owner Tue Oct 1 14:58:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA27107 for firewalls-outgoing; Tue, 1 Oct 1996 14:07:17 -0700 (PDT)
Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA27068 for ; Tue, 1 Oct 1996 14:06:57 -0700 (PDT)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com (EMWAC SMTPRS 0.81) with SMTP id ; Tue, 01 Oct 1996 15:12:33 -0600
Received: by juneau.steldyn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBAFAA.3A207F50@juneau.steldyn.com>; Tue, 1 Oct 1996 15:07:13 -0600
Message-ID:
From: Chris Pugrud
To: "'Per-Henning Valderhaug'" , Firewalls Mailing list
Subject: RE: Firewall for NT networks with transparent authentication
Date: Tue, 1 Oct 1996 15:07:11 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To my knowledge Microsoft Proxy Server (formerly Catapult) is the only package that does this. MSP is not a firewall in and of itself, but can be a major part of a complete firewall. Raptor's EagleNT is supposed to have NT Domain authentication added, although I am not aware of how it is implemented or if it is transparent.

MSP is only transparent for users of MSIE 3.0 or greater.

Chris

>-----Original Message-----
From: Per-Henning Valderhaug [SMTP:valper@nodeca.mil.no]
Sent: Thursday, September 26, 1996 11:54 AM
To: Firewalls Mailing list
Subject: Firewall for NT networks with transparent authentication

Hi all!

I need a firewall that is able to transparently authenticate the users placed at the inside of the firewall (in the LAN). Inside users should be granted access to specific external hosts based upon their username in the Windows NT network.

Any such products out there? What would you recommend?

Best regards
Per-Henning
__________________________________
Per-Henning Valderhaug
Forsvarets Tele- og Datatjeneste
Oslo mil/Akershus
N-0015 OSLO
NORWAY

Phone: +47 22 40 24 00
Direct line: +47 22 40 26 88
Telefax: +47 22 40 29 97
e-mail: valper@nodeca.mil.no
__________________________________

From firewalls-owner Tue Oct 1 15:19:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA27918 for firewalls-outgoing; Tue, 1 Oct 1996 14:14:16 -0700 (PDT)
Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA27847 for ; Tue, 1 Oct 1996 14:13:40 -0700 (PDT)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com (EMWAC SMTPRS 0.81) with SMTP id ; Tue, 01 Oct 1996 15:19:14 -0600
Received: by juneau.steldyn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBAFAB.28BD65B0@juneau.steldyn.com>; Tue, 1 Oct 1996 15:13:54 -0600
Message-ID:
From: Chris Pugrud
To: "'fdehert@innet.be'" , "'Anthony D.
Thomas'"
Cc: Firewalls Mailing list
Subject: RE: netbeui & tcp
Date: Tue, 1 Oct 1996 15:13:52 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

NetBEUI and TCP/IP are network protocols. There is no need to run one with the other (other than interesting security-based decisions involving the non-routability of NetBEUI). I believe what was in question is NetBIOS, which is essential for all Windows networking. NetBIOS can run over NetBEUI, TCP/IP, or even IPX/SPX.

Chris

>-----Original Message-----
From: fdehert@innet.be [SMTP:fdehert@innet.be]
Sent: Friday, September 27, 1996 6:29 PM
To: Anthony D. Thomas
Cc: Firewalls Mailing list
Subject: RE: netbeui & tcp

>Yep... that is what it is for..... For many reasons you might
>not want to run NetBEUI without TCP/IP....
>
Could you elaborate on that? Somehow I was convinced that NetBEUI and TCP/IP were two separate stacks/protocols that don't need each other to run.

>--------------------------------------------------
>Anthony Thomas, Network Engineer, TASC Inc
>E-mail: adthomas@tasc.com
>http://www.tasc.com
>Phone : 617 - 942 - 2000
>Fax : 617 - 942 - 7100
>--------------------------------------------------
>
>----------
>From: Andy Watts[SMTP:andywatt@loxinfo.co.th]
>Sent: Tuesday, September 24, 1996 6:58 AM
>To: firewalls@greatcircle.com
>Subject: netbeui & tcp
>
>Hi,
>
>While playing with FW-1 on NT I saw that it can allow the service NetBEUI.
>
>What is this for?
>
>Does this allow people to connect and become part of a Microsoft network
>across TCP/IP?
>
>Is there any way users can share MS network files & directories
>across TCP/IP?
>
>Thanks
>
>Andy
>

--
While re-installing the newest version of The Operating System for the umpteenth time, it struck me that I would spend the better part of my active life sitting around, staring at a computer screen, waiting for The System to show some sign of life...
Aaaaahhhhhh

From firewalls-owner Tue Oct 1 15:26:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA04839 for firewalls-outgoing; Tue, 1 Oct 1996 14:57:00 -0700 (PDT)
Received: from inroma.roma.it (srv.caspur.it [193.204.5.75]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA04709 for ; Tue, 1 Oct 1996 14:56:34 -0700 (PDT)
Received: from esquilino13.inroma.roma.it by inroma.roma.it (AIX 4.1/UCB 5.64/4.03) id AA29024; Tue, 1 Oct 1996 23:19:35 +0100
Date: Tue, 1 Oct 1996 23:19:35 +0100
Message-Id: <9610012219.AA29024@inroma.roma.it>
X-Sender: anfus@inroma.roma.it (Unverified)
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: anfus@inroma.roma.it (Franco Pizzuto)
Subject: info
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm writing for University of Rome a thesis about Net security (firewalls ...)
I'm looking for some documents to begin my research (I've just seen firewalls FAQ)
Can anybody help me to find books or Net documents introducing the argument "security + firewalls + ....." ?
Thanks in advance
Franco Pizzuto

From firewalls-owner Tue Oct 1 15:56:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA06635 for firewalls-outgoing; Tue, 1 Oct 1996 15:07:37 -0700 (PDT)
Received: from home.nexus.net.mx ([167.114.25.165]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA06612 for ; Tue, 1 Oct 1996 15:07:27 -0700 (PDT)
Received: (from jdelgado@localhost) by home.nexus.net.mx (8.7/8.7.2) id RAA12398; Tue, 1 Oct 1996 17:12:09 -0500 (CDT)
Date: Tue, 1 Oct 1996 17:12:08 -0500 (CDT)
From: Jose Luis Delgado
To: firewalls@GreatCircle.COM
Subject: Netscape & Firewall help!!
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi everybody!!!!

I have a question: I work in two distinct companies. The first has no firewall... but the second has a firewall (Eagle Raptor). In the Intranet I have an Oracle Web Server 2.0 for AIX 3.2.5... and in the other part, I have an OWS 1.0 in NT...

My question is: How can I, WITH NETSCAPE, access the OWS and the database inside the firewall from an external machine?

I hope somebody can help me.

Thanks.

AT LESS... TRY!
Jose Luis Delgado Solano (Databases)
jdelgado@nexus.net.mx

From firewalls-owner Tue Oct 1 16:11:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA15356 for firewalls-outgoing; Tue, 1 Oct 1996 15:57:19 -0700 (PDT)
Received: from intfw.bear.com (intfw.bear.com [206.25.172.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA15293 for ; Tue, 1 Oct 1996 15:56:53 -0700 (PDT)
Received: by intfw.bear.com (4.1/SMI-4.1) id AA19427; Tue, 1 Oct 96 18:55:36 EDT
Received: from fastbear(165.168.74.3) by intfw via smap (V1.3) id sma018702; Tue Oct 1 18:54:40 1996
Received: from ursa2.bear.com by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) id AA29140; Tue, 1 Oct 96 18:59:09 EDT
Received: from whip_xfr.bear.com (whip-xfr) by ursa2.bear.com (4.1/SMI-4.1/AMR+DJMS(2)) id AA23217; Tue, 1 Oct 96 18:55:44 EDT
Received: from wizard.bsnet by whip_xfr.bear.com (SMI-8.6/SMI-SVR4) id SAA16916; Tue, 1 Oct 1996 18:54:46 -0400
Received: from neptune by wizard.bsnet (SMI-8.6/SMI-SVR4) id SAA19244; Tue, 1 Oct 1996 18:54:45 -0400
Message-Id: <3251A135.48FB@bear.com>
Date: Tue, 01 Oct 1996 18:54:45 -0400
From: Shahryar Jahangir
Organization: Bear Stearns
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m)
Mime-Version: 1.0
To: Mike Jones
Cc: Firewalls@GreatCircle.COM, klynn@cyberspace.com
Subject: Re: SOLARIS x86 as firewall platform
References: <199610012001.QAA16337@bass.com.>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I should add to all that I have gone through heaven and earth to set up an x86 machine w. Sol 2.4 & FW-1 w/ an Ethernet NIC and a token ring NIC. The result: It didn't work !!
Contacted SUN /Checkpoint/ Compaq - nothing !

luck
sj

Mike Jones wrote:
>
> > I believe your options in this aspect are either Sun Microsystems
> > Firewall-1 (which they're really just licensing from checkpoint), or from
> > what I understand Trusted Information Systems (TIS) is working on a
> > Solaris version of Gauntlet.
>
> I have run FW-1 on a Solaris X86 system (P90, no less) with one DMZ
> network and have had no problems (except with unreliable cheap PC
> hardware).
>
> > In my experience I'd favor gauntlet as it is a true application level
> > proxy gateway. Firewall-1 which is supposed to perform as the fastest
> > firewall around is unfortunately a hybrid packet filtering firewall
> > therefore it is somewhat less secure (depending on how you set up your
> > site of course).
>
> Therefore? Could you point out a couple of specific ways FW-1 is less
> secure? I understand that basic packet filtering (such as is found in
> most routers) has some shortcomings, particularly in lack of flexibility,
> but I've never been clear on exactly what sort of attacks a FW-1 would
> be susceptible to that, say, Gauntlet wouldn't.
>
> Mike Jones
> Sr. Network Computing Advisor
> UNIFIED Technologies

--
...........................................
" Is there a God ? I don't know, the computer is down !"
Shahryar Jahangir
Information Services
Bear Stearns & Co. Inc.
245 Park Avenue
New York, NY 10167
email: sj@bear.com
Tel: 212 272 7764
Fax : 212 499 6977
...........................................

From firewalls-owner Tue Oct 1 17:28:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA23615 for firewalls-outgoing; Tue, 1 Oct 1996 17:13:23 -0700 (PDT)
Received: from snet (dataprep.com.my [202.190.57.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA23580 for ; Tue, 1 Oct 1996 17:13:12 -0700 (PDT)
Received: from palan-net by snet (SMI-8.6/SMI-SVR4) id IAA01408; Wed, 2 Oct 1996 08:18:56 -0800
Date: Wed, 2 Oct 1996 08:18:56 -0800
Message-Id: <199610021618.IAA01408@snet>
X-Sender: palan@dataprep.com.my
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Kogulapalan
Subject: Re: info
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:19 PM 10/1/96 +0100, you wrote:
>I'm writing for University of Rome a thesis about Net security (firewalls ...)
>I'm looking for some documents to begin my research (I've just seen
>firewalls FAQ)
>Can anybody help me to find books or Net documents introducing the argument
>"security + firewalls + ....." ?

Check out Internet Security - Building Internet FIREWALLS by D. Brent Chapman & Elizabeth D. Zwicky (O'Reilly & Associates, Inc)

>Thanks in advance
>Franco Pizzuto
>
>

From firewalls-owner Tue Oct 1 17:40:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA25237 for firewalls-outgoing; Tue, 1 Oct 1996 17:35:51 -0700 (PDT)
Received: from sparky. (sparky.flashpoint.com [205.214.59.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA25220 for ; Tue, 1 Oct 1996 17:35:44 -0700 (PDT)
Received: from cktassy.ca-online.com by sparky.
(SMI-8.6/SMI-SVR4) id RAA08979; Tue, 1 Oct 1996 17:38:30 -0700
From: "John McColley @ J F Engineering"
To: firewalls@greatcircle.com
Subject: Class C Subnetting
X-Mailer: SCO Portfolio 2.0
Date: Tue, 1 Oct 1996 17:19:14 -0700 (PDT)
Message-ID: <9610011719.aa22417@cktassy.ca-online.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks for all the information on Class C Subnetting. It answered all of my questions.

John

From firewalls-owner Tue Oct 1 17:55:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA24445 for firewalls-outgoing; Tue, 1 Oct 1996 17:22:57 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA24405 for ; Tue, 1 Oct 1996 17:22:43 -0700 (PDT)
Received: by mercury.Sun.COM (Sun.COM) id RAA03871; Tue, 1 Oct 1996 17:21:36 -0700
Received: from topsun.West.Sun.COM by West.Sun.COM (5.0/SMI-5.3) id AA06074; Tue, 1 Oct 1996 17:21:34 -0700
Received: from plato.West.Sun.COM by topsun.West.Sun.COM (SMI-8.6/SMI-SVR4) id RAA16607; Tue, 1 Oct 1996 17:20:20 -0700
Received: by plato.West.Sun.COM (SMI-8.6/SMI-SVR4) id RAA01541; Tue, 1 Oct 1996 17:22:57 -0700
Date: Tue, 1 Oct 1996 17:22:57 -0700
From: Matthew.Archibald@West.Sun.COM (Matthew Archibald)
Message-Id: <199610020022.RAA01541@plato.West.Sun.COM>
To: nobody@cypherpunks.ca, sj@bear.com
Subject: Re: Information Seeking
Cc: firewalls@greatcircle.com, tcrimenti@iconnet.com, smassaro@iconnet.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sun Professional Services provides all of this as well.... You can contact Brad.Powell@Sun.COM or myself...

----- Begin Included Message -----

From sj@bear.com Tue Oct 1 15:31:49 1996
Date: Tue, 01 Oct 1996 16:51:04 -0400
From: Shahryar Jahangir
Mime-Version: 1.0
To: John Anonymous MacDonald
Cc: firewalls@greatcircle.com, tcrimenti@iconnet.com, smassaro@iconnet.com
Subject: Re: Information Seeking
Content-Transfer-Encoding: 7bit

John,

I highly recommend Integration Consortium CMT. They are located in Weehawken NJ. Tele# 1800 572-4266. You can check out their website: www.iconnet.net and one of their online mags: www.word.com.

If you would like any further information, please contact me.

luck
sj

John Anonymous MacDonald wrote:
>
> Hello:
>
> Can anyone on this list recommend a reputable and professional group that
> can perform security (both network and host; Internet related) audits at a
> medium sized company located in the United States?
>
> My interest is in the background of these organizations; who to stay away
> from; who to take a look at; etc.

--
...........................................
" Is there a God ? I don't know, the computer is down !"
Shahryar Jahangir
Information Services
Bear Stearns & Co. Inc.
245 Park Avenue
New York, NY 10167
email: sj@bear.com
Tel: 212 272 7764
Fax : 212 499 6977
...........................................

----- End Included Message -----

From firewalls-owner Tue Oct 1 18:27:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA29653 for firewalls-outgoing; Tue, 1 Oct 1996 18:20:40 -0700 (PDT)
Received: from snet (dataprep.com.my [202.190.57.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA29591 for ; Tue, 1 Oct 1996 18:20:21 -0700 (PDT)
Received: from palan-net by snet (SMI-8.6/SMI-SVR4) id JAA01537; Wed, 2 Oct 1996 09:24:56 -0800
Date: Wed, 2 Oct 1996 09:24:56 -0800
Message-Id: <199610021724.JAA01537@snet>
X-Sender: palan@dataprep.com.my
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: bshive1@novusnet.com
From: Kogulapalan
Subject: Re: SSL Browsers
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:03 PM 10/1/96 -0500, you wrote:
>I know this is the wrong group to ask this but,
>
>Does anyone know how to tell if a browser is SSL enabled? I am checking
>the http_user_agent for Mozilla 2.0 and above. I checked the Internet
>Explorer and Netscape 2.0+ and they both have Mozilla in this field. Is
>there a better way to check other than this? I know I can check if they
>are coming in on the secure port but I want to send them to a page if
>their browser is not compliant.

If your browser can support https:// then yours is SSL enabled.
>
>Thanks,

no problem :)

>Brad Shively
>

From firewalls-owner Tue Oct 1 18:41:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA29409 for firewalls-outgoing; Tue, 1 Oct 1996 18:19:04 -0700 (PDT)
Received: from esperosun.chungnam.ac.kr (esperosun.chungnam.ac.kr [168.188.66.84]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA29380 for ; Tue, 1 Oct 1996 18:18:52 -0700 (PDT)
Received: from esperosun.chungnam.ac.kr (espero.chungnam.ac.kr [168.188.66.89]) by esperosun.chungnam.ac.kr (8.6.12h2/8.6.9) with SMTP id KAA04043 for ; Wed, 2 Oct 1996 10:17:33 +0900
Message-ID: <3251C259.5A73@esperosun.chungnam.ac.kr>
Date: Wed, 02 Oct 1996 10:16:09 +0900
From: jcryou
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: info
References: <9610012219.AA29024@inroma.roma.it>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anybody help me to find documents introducing security requirements or evaluation criteria for firewalls ?

So far, I have found the following two documents:

 1. "Security requirements for MISSI-Compliant Firewalls Protecting Sensitive But Unclassified Environments", ver1.0, March 1996.

 2. "Common Criteria for Information Technology Security Evaluation- Part4 Predefined Protection Profiles for Network/Transport Layer Packet Filter Firewall", CCEB-96/014

Thanks in advance.

Jae-Cheol Ryou
Department of Computer Science
Chungnam National University
Daejeon, South Korea 305-764

From firewalls-owner Tue Oct 1 20:41:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA10634 for firewalls-outgoing; Tue, 1 Oct 1996 20:35:16 -0700 (PDT)
Received: from cohiba.predictive.com (cohiba.predictive.com [204.243.240.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA10627 for ; Tue, 1 Oct 1996 20:35:07 -0700 (PDT)
Received: from starfury.shadow.net (ip55.indianapolis.in.interramp.com [38.11.127.55]) by cohiba.predictive.com (8.6.11/8.6.12) with SMTP id WAA11981 for ; Tue, 1 Oct 1996 22:47:26 -0400
Message-Id: <3.0b24.32.19961001233423.0067b8b0@204.243.240.5>
X-Sender: starfury@204.243.240.5
X-Mailer: Windows Eudora Pro Version 3.0b24 (32)
Date: Tue, 01 Oct 1996 23:34:30 -0400
To: firewalls@greatcircle.com
From: PCA
Subject: Compuserve and AOL ports
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FW's,

I hate to ask this, but the ports for Compuserve and AOL, can someone repost them...

Thanks...
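Returning to the "SSL Browsers" exchange earlier in this digest, where Brad Shively tests HTTP_USER_AGENT for "Mozilla 2.0 and above" and Kogulapalan answers that a browser is SSL-enabled exactly when it can speak https://: the following is an added example, not code from either poster. It parses the leading Mozilla/ version token, shows that Internet Explorer presents the same token (so the heuristic cannot tell the two browsers apart and is only a claim the client makes), and prefers the server-side evidence that the request really arrived over SSL before falling back to the User-Agent guess. The CGI variable names HTTP_USER_AGENT and SERVER_PORT, the HTTPS=on convention, the 2.0 version floor and the sample User-Agent strings are all assumptions made for this example.

```python
"""
Decide which page to serve a web client based on whether it can use SSL.

Added example for this list digest, not code from any poster. Assumes a
CGI-style environment: HTTP_USER_AGENT, SERVER_PORT (standard CGI) and
HTTPS=on (the convention used by SSL-capable servers of the period).
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int]

# Constructed sample User-Agent strings in the style of 1996 browsers.
# They are illustrative inputs only, not values captured from the posts.
SAMPLE_AGENTS: Dict[str, str] = {
    "netscape_2": "Mozilla/2.02 (Win95; I)",
    "netscape_3": "Mozilla/3.0Gold (X11; I; SunOS 5.5 sun4m)",
    "msie_3": "Mozilla/2.0 (compatible; MSIE 3.0; Windows 95)",
    "old_netscape": "Mozilla/1.1N (Windows; I; 16bit)",
    "lynx": "Lynx/2.5 libwww-FM/2.14",
}

_MOZILLA = re.compile(r"^Mozilla/(\d+)\.(\d+)")
_MSIE = re.compile(r"compatible;\s*MSIE\s+(\d+)\.(\d+)")


def mozilla_version(user_agent: str) -> Optional[Version]:
    """Return (major, minor) of the leading Mozilla/ token, or None."""
    m = _MOZILLA.match(user_agent.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def msie_version(user_agent: str) -> Optional[Version]:
    """Return the MSIE version when IE is wearing a Mozilla/ token, else None."""
    m = _MSIE.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def claims_ssl_capable(user_agent: str, floor: Version = (2, 0)) -> bool:
    """The thread's heuristic: treat 'Mozilla/2.0 and above' as SSL capable.

    Netscape 2.x+ and Internet Explorer both send a Mozilla/ token, so this
    cannot distinguish them; it is a claim made by the client, not proof.
    """
    v = mozilla_version(user_agent)
    return v is not None and v >= floor


def negotiated_ssl(environ: Dict[str, str]) -> bool:
    """Server-side truth: did this request actually arrive over SSL?"""
    if environ.get("HTTPS", "").lower() in ("on", "1"):
        return True
    return environ.get("SERVER_PORT") == "443"


def choose_page(environ: Dict[str, str]) -> str:
    """Return 'secure', 'redirect-https' or 'no-ssl-browser' for a request."""
    if negotiated_ssl(environ):
        return "secure"            # proven capable; no User-Agent guessing needed
    ua = environ.get("HTTP_USER_AGENT", "")
    if claims_ssl_capable(ua):
        return "redirect-https"    # plain-HTTP hit from a browser claiming SSL
    return "no-ssl-browser"        # the explanatory page Brad wanted to serve


if __name__ == "__main__":
    for name, ua in SAMPLE_AGENTS.items():
        env = {"SERVER_PORT": "80", "HTTP_USER_AGENT": ua}
        print(f"{name:13} mozilla={mozilla_version(ua)} msie={msie_version(ua)}"
              f" -> {choose_page(env)}")
```

The order of checks is the point: the environment tells the server with certainty that SSL was negotiated, while the User-Agent only tells it what the client says about itself, so the heuristic is used solely to pick between a redirect to https:// and the "your browser cannot do SSL" page for plain-HTTP visitors.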
From firewalls-owner Tue Oct 1 21:55:49 1996
Date: Tue, 01 Oct 1996 23:33:03 -0700
From: Chris Lonvick
To: jcryou, firewalls@GreatCircle.COM
Subject: Re: info
Message-Id: <2.2.32.19961002063303.006b06f0@diablo.cisco.com>

Hello Jae-Cheol Ryou,

Could you please post the URLs to those documents if they're on the Web?

You may also want to look at the firewall evaluation from the National Computer Security Association at http://www.ncsa.com They list their criteria for "passing" a firewall. Beyond this, they have a large listing of books about computer security.

Hope this helps,

Chris Lonvick
Cisco Systems Consulting Engineering
Houston, TX, USA
+1-713-778-5663

At 10:16 AM 10/2/96 +0900, jcryou wrote:
>Can anybody help me to find documents introducing security
>requirements or evaluation criteria for firewalls ?
>
>So far, I have found the following two documents:
>
> 1. "Security requirements for MISSI-Compliant Firewalls Protecting
> Sensitive But Unclassified Environments", ver1.0, March 1996.
>
> 2. "Common Criteria for Information Technology Security Evaluation-
> Part4 Predefined Protection Profiles for Network/Transport Layer
> Packet Filter Firewall", CCEB-96/014
>
>Thanks in advance.
>
>Jae-Cheol Ryou
>Department of Computer Science
>Chungnam National University
>Daejeon, South Korea 305-764
>

From firewalls-owner Tue Oct 1 23:55:54 1996
Date: Wed, 02 Oct 1996 08:33:30 +0000
From: Krauss.SiemensAG@t-online.de (Dietmar Krauss)
Organization: Siemens AG
To: Franco Pizzuto
CC: firewalls@greatcircle.com
Subject: Re: info
Message-ID: <325228DA.57FF@t-online.de>
References: <9610012219.AA29024@inroma.roma.it>

Franco Pizzuto wrote:
>
> I'm writing for University of Rome a thesis about Net security (firewalls ...)
> I'm looking for some documents to begin my research (I've just seen
> firewalls FAQ)
> Can anybody help me to find books or Net documents introducing the argument
> "security + firewalls + ....." ?
> Thanks in advance
> Franco Pizzuto

I don't know if you've already checked out THE book on Internet and firewall security. It is considered to be a handbook for both sysadmins and hackers.

'Firewalls & Internet Security: Repelling the Wily Hacker'
by William R. Cheswick and Steven M.
Bellovin
Addison-Wesley Professional Computing Series
0-201-63357-4 * Paperback * 320 pages * ©1994
http://www.aw.com/cp/Ches.html

Good luck,
Dietmar

--
+-------------------------------------------------------------------+
| Krauss.SiemensAG@t-online.de                                      |
| Dietmar Krauss                                                    |
| Consulting Communication                                          |
| Siemens AG, Germany (www.siemens.de/pn)                           |
+-------------------------------------------------------------------+

From firewalls-owner Wed Oct 2 00:42:36 1996
Date: Tue, 01 Oct 1996 10:12:27 +0200
From: g6amsib@1ADTFREAR.1AD.ARMY.MIL (G6 CPT Bates)
Organization: 1AD G6 Automation
To: Firewalls@GreatCircle.COM (Firewalls)
Subject: RE: NT Security
Message-ID: <1996Oct01.095200.1851.32442@1ADTFREAR.1AD.ARMY.MIL>

>On Wed, 25 Sep 1996, Joseph S. D. Yao wrote:
> Much has been made of NT's "C2" certification. I've heard that it was
> certified without the standard NT file system; and with that file
> system, it can't be certified. Beware.
> It will only comply with C2 standards if you are using the NTFS file
>system (not FAT or HPFS) and, of course, as a stand-alone machine after
>service pack X (7?) is applied with some other holes closed

Greetings, fellow automators. First post to Firewalls from here in the Balkans. The U.S. Army (1st Armored Division) in Bosnia has come out of the Iron Age (no pun intended) and into the information age. We are currently utilizing Windows NT networks, and have introduced unclassified data connectivity to the field soldier primarily to support automated logistics data requirements. However, it appears more and more users have discovered the convenience and utility of email, networks, and shared files to conduct effective coordination and staffing. We use two physically separate LAN/WANs, one classified, and one unclassified. Problem is, everyone wants to use their unclassified workstations, and no one uses the classified, for obvious reasons: they like Web access, emailing loved ones back home, and coordinating with government contractors who do not have access to the secret LAN/WAN.

However, we have run into speed bumps with individuals processing classified information on unclassified PCs, and virus problems, mostly those that affect the boot sector. Converting from WFW 3.11 and WIN 95 to NT Workstation with no FAT partitions, strictly NTFS partitions, seems to be the optimal solution.

We do not have the budget nor training to install expensive firewalls at the Division level. We think fewer, but more robust, machines running NT Workstation on both the class and unclass LAN/WANs would offer what we require in terms of processing power and NT's excellent auditing/security. However, it is very expensive, both in terms of equipment and personnel, to maintain these two NT LANs. While I have yet to see someone hack an NTFS partition with permissions and other holes plugged up (watched a couple of DISA's best guys try), the security goons still have conniption fits about placing classified data on an unclassified NTFS partition. Any word on when NT will be network certified?? We are also starting to use Iomega's Zip drive to store/archive/use large amounts of data. Merely attempting to find a solution that meets our needs, from a function, security, and fiscal perspective. Thanks much in advance.

Regards,
Stephen E. Bates
CPT, SC
G6 Systems Integration
g6amsib@1adtfrear.1ad.army.mil
DSN 370-7179
MSE 551-3562
----------

From firewalls-owner Wed Oct 2 01:41:31 1996
Date: Wed, 2 Oct 1996 09:29:56 +0100
From: cgt@ecmwf.int (Tony Bakker)
Organization: ECMWF (European Weather Centre)
Reply-To: Tony.Bakker@ecmwf.int
To: sdadmin@jabberwocky.bbnplanet.com, Firewalls@greatcircle.com
Subject: Gauntlet 3.1 on SGI IRIX and SecurID
Message-Id: <9610020929.ZM28386@barant>

Hi,

I just received version 3.1 of Gauntlet for SGI IRIX and am having problems getting SecurID to work.
I get the following message in the SYSLOG:

    authsrv[23191]: ACM Error: Unable to locate ACE/Server host ; error Error 0

and the TELNET gateway says:

    TELNET Gateway. Authorized access only.
    Username: cgt
    Enter PASSCODE: ######
    Cannot talk to ACE server
    Username:

I know for sure that the firewall host can talk to the ACE server as I have verified this by running sdshell. Also traceroute and ping to the ACE server are successful.

In the netperm-table I have got the line:

    authsrv: securidhost isis

I have monitored the ethernet and do not see any packets from the firewall host for the ACE server from the Gauntlet software.

Any help would be appreciated.

Thanks

Tony Bakker
--
------------------------------------------------------------------
T O N Y   B A K K E R
European Centre for Medium-Range Weather Forecasts
Shinfield Park, Reading
Berkshire RG2 9AX
United Kingdom
http://www.ecmwf.int/
System Software Section        tel: +44 118 9499378
WAN Group leader               fax: +44 118 9869450
Email: Tony.Bakker@ecmwf.int   tlx: +44 118 9847908
------------------------------------------------------------------

From firewalls-owner Wed Oct 2 03:12:25 1996
Date: Wed, 02 Oct 1996 11:51:01 +0200
From: jbarnes@oldmutual.com (Jay Barnes)
Organization: Old Mutual
To: firewalls@greatcircle.com
Subject: DHCP and Firewalls
Message-Id: <32523B05.3FAE@oldmutual.com>

This subject was raised a while ago, but didn't really come to any conclusions, IMHO, so I'd like to try again.

My problem is as follows. We have several thousand workstations, which need to be moved quite frequently (because of building, etc.) and our PC people want (need) to use DHCP to allocate IP addresses. They have a problem with locking down addresses (permanent lease) because all that does is move the administration problem somewhere else. We are using Gauntlet as our firewall, and thus (apparently) need fixed IP addresses - either that or permit all addresses access to the Internet and manage the end user, which I am told we can't do yet and anyway is against our policy.

So, how do I integrate the very real need for DHCP with the very real need to operate and manage a secure (firewalled) connection to the Internet? We are going to look at Microsoft's Catapult - we use Microsoft products extensively - but I am uncomfortable with what I hear about the product on this list. Are there any other products around that can help us?

PS - please don't turn this into another "MS vs Unix" debate. The product set is not the issue, the technology is.

--
Jay Barnes
WebMaster at "http://www.oldmutual.com"
Email jbarnes@oldmutual.com
Phone +27 21 509 5464
Cell 082 452 5939
Fax +27 21 509 5619

From firewalls-owner Wed Oct 2 03:44:59 1996
Date: Wed, 02 Oct 1996 06:26:58 -0400
From: Darwin Martinez
To: PCA
Cc: firewalls@greatcircle.com
Subject: Re: Compuserve and AOL ports
Message-Id: <2.2.32.19961002102658.006a5460@lexicon.ins.com>

AOL = 5190 (tcp/udp), Compuserve = 4144 (tcp) :)

At 11:34 PM 10/1/96 -0400, you wrote:
>FW's,
>
> I hate to ask this, but the ports for Compuserve and AOL, can someone
>repost them... Thanks...
>
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Darwin L.
Martinez, NSE                      Email: darwin_martinez@ins.com
Atlanta Office                     Client: 404-843-5954
International Network Services     Pager: 1-800-INS-1-INS
"Providing the power of operable networks"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

From firewalls-owner Wed Oct 2 04:41:39 1996
Date: Wed, 2 Oct 1996 07:42:43 -0500 (EST)
From: Adam Shostack
To: Tony.Bakker@ecmwf.int
Cc: sdadmin@jabberwocky.bbnplanet.com, Firewalls@GreatCircle.COM
Subject: Re: Gauntlet 3.1 on SGI IRIX and SecurID
Message-Id: <199610021242.HAA25388@homeport.org>
In-Reply-To: <9610020929.ZM28386@barant> from "Tony Bakker" at Oct 2, 96 09:29:56 am

What Ace/Server are you using? The Authserv was written long before v2 came out, and may be expecting version 1 files, message formats, etc.

Adam

Tony Bakker wrote:
| I just received version 3.1 of Gauntlet for SGI IRIX and am having problems
| getting SecurID to work. I get the following message in the SYSLOG:
|
| authsrv[23191]: ACM Error: Unable to locate ACE/Server host
| ; error Error 0
| I know for sure that the firewall host can talk to the ACE server as I have
| verified this with running sdshell. Also traceroute and ping to the
| ACE server are successful.
|
| In the netperm-table I have got the line:
|
| authsrv: securidhost isis
|
| I have monitored the ethernet and do not see any packets from the firewall host
| for the ACE server from the Gauntlet software.
|
| Any help would be appreciated.
|
| Thanks
|
| Tony Bakker
|
| --
| European Centre for Medium-Range Weather Forecasts
| Shinfield Park, Reading, Berkshire RG2 9AX, United Kingdom
| http://www.ecmwf.int/
| System Software Section        tel: +44 118 9499378
| WAN Group leader               fax: +44 118 9869450
| Email: Tony.Bakker@ecmwf.int   tlx: +44 118 9847908
|

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Wed Oct 2 06:12:47 1996
Date: Wed, 2 Oct 1996 14:04:42 +0100
From: cgt@ecmwf.int (Tony Bakker)
Organization: ECMWF (European Weather Centre)
Reply-To: Tony.Bakker@ecmwf.int
To: Mikael Kuisma
Cc: sdadmin@jabberwocky.bbnplanet.com, Firewalls@greatcircle.com
Subject: Re: Gauntlet 3.1 on SGI IRIX and SecurID
Message-Id: <9610021404.ZM29469@barant>
In-Reply-To: Mikael Kuisma "Re: Gauntlet 3.1 on SGI IRIX and SecurID" (Oct 2, 10:40)
References: <9610020929.ZM28386@barant> <32524675.480D@Nexus.SE>

On Oct 2, 10:40, Mikael Kuisma wrote:
> Subject: Re: Gauntlet
> 3.1 on SGI IRIX and SecurID
> Tony Bakker wrote:
> > In the netperm-table I have got the line:
> >
> > authsrv: securidhost isis
>
> isis should be the name/address of the inside
> interface on the Gauntlet, i.e. the host
> that acts as the securid client. It should
> not be the name of the ACE server.
>

Done that, but it still does not work!

    # grep secur /usr/gauntlet/config/netperm-table
    authsrv: securidhost 136.156.112.128
    # ifconfig ec0
    ec0: flags=c63
            inet 136.156.112.128 netmask 0xfffffc00 broadcast 136.156.115.255

    authsrv[24258]: ACM Error: Unable to locate ACE/Server host ; error Error 0

Tony

From firewalls-owner Wed Oct 2 06:26:50 1996
Date: Wed, 02 Oct 1996 07:56:22 -0500 (CDT)
From: Joav Kohn
To: firewalls-owner, firewalls
Subject: Re: DHCP and Firewalls
In-reply-to: <32523B05.3FAE@oldmutual.com>
Message-id: <5322560702101996/A00649/PFMSV1/11AA11F81500*@MHS.us.landisgyr.com>

> My problem is as follows. We have several thousand workstations, which
> need to be moved quite frequently (because of building, etc.) and our PC
> people want (need) to use DHCP to allocate IP addresses. They have a
> problem with locking down addresses (permanent lease) because all that
> that does is move the administration problem somewhere else. We are
> using Gauntlet as our firewall, and thus (apparently) need fixed IP
> addresses - either that or permit all addresses access to the Internet
> and manage the end user, which I am told we can't do yet and anyway is
> against our policy.

We had the same exact problem here. The solution I came up with was this:

In the DHCP situation, you can never guarantee that an IP will be unique, but a NETBIOS name always will be. This meant that the main issue was how to map NETBIOS names to the IP that they were currently using. We were already running an internal DNS server; now we needed one that could do forward & reverse WINS lookups (for NETBIOS names). I looked at several NT DNS products, including Metainfo's DNS & NT4.0's, and Microsoft's proved to have the most stability (though the GUI is slightly buggy).

This being done, the next trick was to get the firewall to look for reverse lookups on our internal machine, while allowing all other reverse and forward lookups to take place on the outside. If you've gotten your IP's from InterNIC, just have the in-addr.arpa domain for your addresses point to your internal name server. If you're on a public scheme, or lease your IP's from Sprint, MCI, CompuServe, etc... (I had a mix of both), then you're going to have to dance through some extra hoops.

I set the firewall's DNS as a primary server for the (.) domain. In the dB file for root, I left out an SOA record for . and listed the other primary root servers that would normally be in the cache file as secondary NS servers for (.). I then listed our internal name server as the primary NS for our in-addr.arpa domains.

Once this was done, along with a restart of named, all that needed to be done was edit the netperm table in Gauntlet. I simply deny everyone, and add NETBIOS names to the table for the services we allow those users to have.

It's been working relatively problem-free for several months now; if you have any more questions, feel free to ask.

-joav

From firewalls-owner Wed Oct 2 06:46:03 1996
Date: Wed, 02 Oct 1996 09:18:29 -0400
From: Jim Richey
To: barbara@us.checkpoint.com
CC: Firewall Discussion
Subject: Re: Gauntlet vs. Sidewinder
Message-ID: <32526BA5.4A9D7C0@pabs.com>
References: <325149EB@MSSMTPOUT.COMM.HQ.AF.MIL> <32514C1F.1BD3@us.checkpoint.com>

What do you base this on?
We are currently running Sidewinder and are pleased with its operation. Are there advantages to running FireWall-1 as opposed to Sidewinder?

Barbara W. Jaarsma wrote:
>
> Bouchard, Alexis, 2Lt,SAM/GNCP wrote:
> >
> > I have to choose between Gauntlet and Sidewinder as a Firewall solution.
>
> Personally, I'd go with FireWall-1... :-)
> -Barb

--
Jim Richey
jrichey@pabs.com
http://www.cmagic.com/Pub/JLR/home.html

From firewalls-owner Wed Oct 2 06:56:13 1996
Date: Wed, 2 Oct 1996 08:44:25 -0400
From: "Rob M. VanHooren"
Subject: Opinions/Experiences re: Sidewinder?
Message-Id: <199610021349.JAA02760@mailhost.linkd.net>

Greetings, all...

Am evaluating high-end firewall implementations currently on the market for deployment in large, complex WAN environments.

Secure Computing's Sidewinder seems to be what I'm after, but if there are any "gotchas" with their package, I'd sure like to know about them.

Additionally, if there's a f/w out there other than Sidewinder that happens to have a special place in your heart (or in your WAN :-), I'd be grateful if you would share your opinions and experiences.

Look forward to hearing your varied kudos or gripes.

w/thanks
--Rob.

~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-.._..-*~
Rob M. VanHooren                  Tel: +1 519 679-1155 x28
Network Engineering Services      171 Queens Avenue, Suite 320
Linkdata Communications, Inc.     London, Ontario CANADA N6A5J7

From firewalls-owner Wed Oct 2 07:11:24 1996
Date: Wed, 02 Oct 1996 09:54:05 -0400
From: Emmanuel Korkodilos
To: PCA, firewalls@GreatCircle.COM
Subject: Re: Compuserve and AOL ports
Message-Id: <2.2.32.19961002135405.006b04b8@mailhub.bostonherald.com>

At 11:34 PM 10/1/96 -0400, you wrote:
>FW's,
>
> I hate to ask this, but the ports for Compuserve and AOL, can someone
>repost them... Thanks...
>

These are the values that I use for our plug-gw's in Gauntlet.

Service      Port#   Host
-------      -----   ----
AOL          5190    americaonline.aol.com
Compuserve   4144    gateway.compuserve.com
MSN          569     gateway.moswest.msn.net

--------------------------------------------------------
Emmanuel Korkodilos                 Boston Herald, Inc.
manny@bostonherald.com              One Herald Square
1.617.426.3000 X354 (Voice)         Boston, MA 02106-2096
1.617.338.4964 (Fax)
--------------------------------------------------------

From firewalls-owner Wed Oct 2 07:26:38 1996
Date: Wed, 02 Oct 1996 10:09:35 -0400
From: Emmanuel Korkodilos
To: Skarban, firewalls@GreatCircle.COM
Subject: Re: ifconfig
Message-Id: <2.2.32.19961002140935.006956c4@mailhub.bostonherald.com>

At 06:10 AM 10/1/96 +0100, you wrote:
>Hi,
>I am building a virtual www server and I need to define multiple IP addresses
>over one physical interface of my SGI Challenge - S (Irix 5.3).
>I am looking for the parameter of the Ifconfig command of SGI IRIX 5.3
>Hope to your kindly response.
>
>M. Skarban NH a.s.
>Czech
>mskarban@novahut.cz
>

Go to www.sgi.com and search for the IP Aliases solution. This will allow one physical net interface such as ec0 to respond to multiple IP addresses. Alternately you could do a man page on "ipaliases" and try to figure it out yourself. It's much easier with the step by step SGI provides.

-Manny

--------------------------------------------------------
Emmanuel Korkodilos                 Boston Herald, Inc.
manny@bostonherald.com              One Herald Square
1.617.426.3000 X354 (Voice)         Boston, MA 02106-2096
1.617.338.4964 (Fax)
--------------------------------------------------------

From firewalls-owner Wed Oct 2 08:11:43 1996
Date: Wed, 02 Oct 1996 10:03:49 -0400
From: Emmanuel Korkodilos
To: "Jerry Edmiston", firewalls@GreatCircle.COM
Subject: Re: FTP and TELNET Authenticati
Message-Id: <2.2.32.19961002140349.006c1ce8@mailhub.bostonherald.com>

At 07:35 AM 10/1/96 -0400, you wrote:
> Subject:                                         Time: 7:13 AM
> OFFICE MEMO   FTP and TELNET Authentication      Date: 10/1/96
>
>I have a CyberGuard firewall. I run Telnet and FTP proxies that authenticate the request at the firewall and then pass it through. My Sun station has no problem, but our FTP/TELNET clients on our MACs and PCs do not support this authentication, i.e. multiple passwords to reach its destination (a password at the f/w and again at the server in question).
> Does anyone have any suggestions for a Telnet/FTP client on MACs and PCs that will support authentication through our f/w... thanks in advance... Jerry... jle9@eci-esyst.com
>
>

Gauntlet uses the following method. Try it; it may work for CyberGuard.

GUI FTP Tools

1. For the hostname supply the name of the firewall, i.e. firewall.abc.com

2. For the user name, supply the firewall authentication username, the FTP host username, and the name of the FTP host, in the form:

       firewall-authentication-username@ftp-host-username@ftp-host

   i.e. johndoe@jdoe@server1.abc.com

3. For the password, supply the firewall authentication password and the FTP host password:

       firewall-authentication-password@ftp-host-password

   i.e. for S/Key: STAY GOLF LOGO MAN BOX TALL@myftphostpassword

--------------------------------------------------------
Emmanuel Korkodilos                 Boston Herald, Inc.
manny@bostonherald.com              One Herald Square
1.617.426.3000 X354 (Voice)         Boston, MA 02106-2096
1.617.338.4964 (Fax)
--------------------------------------------------------

From firewalls-owner Wed Oct 2 08:13:20 1996
Date: Wed, 2 Oct 96 09:30:54 CDT
From: amolitor@anubis.network.com (Andrew Molitor)
To: firewalls@greatcircle.com
Subject: Re: Information Seeking
Message-Id: <9610021430.AA04097@anubis.network.com>

We've got this service thing called, err, NetVestigator. It's something morally similar to the following:

- a network audit from Wheel Group (wheelgroup.com, I think)
- a physical security audit from Guidry Group
- big ol' reports on what's wrong
- presumably some sort of litany of things you could buy to help you fix what's wrong.
I think it's quite a good deal, but it is intended as the high-end, fully-featured, big-ticket deal. Whether you want the full deal, and whether we offer any scaled-back products which match customers who don't want the full deal, I don't know.

If you only want the network audit, you could get in touch with Wheel Group; they might be willing and able to put together just what you want. I don't work for them, so I know even less about what they offer.

Andrew
Network Systems Corp.
evil vendor slime

From firewalls-owner Wed Oct 2 08:27:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA23365 for firewalls-outgoing; Wed, 2 Oct 1996 07:31:22 -0700 (PDT)
Received: from m.bani.COM (m.bani.com [192.204.32.215]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA23314 for ; Wed, 2 Oct 1996 07:31:06 -0700 (PDT)
Received: from bani.com (banigw2.bani.COM [192.204.32.210]) by m.bani.COM (8.7.1/8.7.1) with ESMTP id KAA09466; Wed, 2 Oct 1996 10:52:46 -0400 (EDT)
Received: from crash (crash [204.170.160.143]) by bani.com (8.7.1/8.7.1) with SMTP id KAA23821; Wed, 2 Oct 1996 10:28:25 -0400 (EDT)
Message-ID: <32527B2E.C92@bani.com>
Date: Wed, 02 Oct 1996 10:24:46 -0400
From: Hani Bandi
Organization: Bell Atlantic Network Integration
X-Mailer: Mozilla 3.0b7Gold (X11; I; SunOS 5.5.1 sun4m)
MIME-Version: 1.0
To: Jose Luis Delgado
CC: firewalls@GreatCircle.COM
Subject: Re: Netscape & Firewall help!!
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jose Luis Delgado wrote:
>
> Hi everybody!!!!
>
> I have a question:
> I work in two distinct companies; the first has no firewall...
> but the second... has a firewall (Eagle Raptor).
>
> Then I have in the Intranet an Oracle Web Server 2.0 for AIX 3.2.5...
> and in the other part, I have an OWS 1.0 on NT...
> My question is:
>
> How can I, WITH NETSCAPE, access the OWS and the database inside the
> firewall from an external machine?
>

Jose,

What you would do is create a rule in the Eagle firewall making your external system a trusted host. If you have Eagle Remote installed on your external system you could also create a VPN tunnel; this would give you added security if you're accessing the OWS from the Internet.

--
Hani Bandi
Technical Research Center
Bell Atlantic Network Integration
52 East Swedesford Road
Frazer PA, 19355
Voice: 610-407-2029
Or use Pagenet's WWW site to send an alphanumeric message: http://www.pagenet.net/pagenet/page_inp.hmt; ID 0827858
Email: hani@bani.com
WWW: http://www.bani.com

From firewalls-owner Wed Oct 2 08:49:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA25280 for firewalls-outgoing; Wed, 2 Oct 1996 07:46:48 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA25246 for ; Wed, 2 Oct 1996 07:46:38 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id HAA19696; Wed, 2 Oct 1996 07:44:54 -0700
Received: from lighthouse.homeport.org(205.136.65.198) by mycroft via smap (V1.3mjr) id sma019686; Wed Oct 2 07:44:34 1996
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id KAA25767; Wed, 2 Oct 1996 10:05:42 -0500
From: Adam Shostack
Message-Id: <199610021505.KAA25767@homeport.org>
Subject: Re: CyberGuard. (fwd)
To: uurtamo@insync.net (Steve Uurtamo)
Date: Wed, 2 Oct 1996 10:05:42 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199610011332.IAA01114@insync.net> from "Steve Uurtamo" at Oct 1, 96 08:32:13 am
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

First off, there's clearly programming work to be done. You need to write code to handle this protocol.
My first question would be: can you move some of that complexity off the firewall by modifying the proprietary protocol? I'd still suggest using a real proxy to ensure that all the packets look right.

As far as what code to base it on, you could consider using plug (modulo licensing requirements). There are also a couple of tcp redirectors in the hacker world which are small & modular. Also, Freestone has bsrelay.

Adam

Steve Uurtamo wrote:
| In particular, I need to proxy a service that after
| making its first connection through the firewall will
| need to establish connections through exactly 2 future
| ports for the remainder of the service. These ports
| are in the "free zone" (>1024).
| Given that I can parse the packets well enough to figure out
| what those future ports are going to be (yes this is a proprietary
| service), what is a good place to start as far as writing my own
| proxy using the proxy source code on the CyberGuard. Should I
| be looking at the way FTP handles future connections for data?

--
"Every year the Republicans campaign like Libertarians, and then go to Washington and spend like Democrats." Vote Harry Browne for President. http://www.harrybrowne96.org

From firewalls-owner Wed Oct 2 09:00:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA25691 for firewalls-outgoing; Wed, 2 Oct 1996 07:51:40 -0700 (PDT)
Received: from quix.robins.af.mil (quix.robins.af.mil [137.244.193.103]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA25651 for ; Wed, 2 Oct 1996 07:51:17 -0700 (PDT)
Received: by quix.robins.af.mil; (5.65v3.2/1.1.8.2/01Nov95-0110PM) id AA07335; Wed, 2 Oct 1996 10:50:05 -0400
From: "Mr. Jolt Cola"
Message-Id: <9610021450.AA07335@quix.robins.af.mil>
Subject: Re: SSL Browsers
To: palan@dataprep.com.my (Kogulapalan)
Date: Wed, 2 Oct 1996 10:50:04 -0400 (EDT)
Cc: bshive1@novusnet.com, firewalls@greatcircle.com
In-Reply-To: <199610021724.JAA01537@snet> from "Kogulapalan" at Oct 2, 96 09:24:56 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >I know this is the wrong group to ask this but,
> >
> >Does anyone know how to tell if a browser is SSL enabled? I am checking
> >the http_user_agent for Mozilla 2.0 and above. It checked the Internet
> >Explorer and Netscape 2.0+ and they both have Mozilla in this field. Is
> >there a better way to check other than this? I know I can check if they
> >are coming in on the secure port but I want to send them to a page if
> >their browser is not compliant.
>
> If your browser can support https:// then yours is SSL enabled.

One thing to consider for browser choice in Intranet environments is the fact that Netscape allows you to add RSA keys from an unknown authority, whereas M$ Explorer just refuses to connect. Then again, the cost of your browsers may outweigh the cost of paying Verisign their $290. We signed our own digital key and used Netscape for SSL, but now clients are complaining that Explorer won't connect, so we have requested a key from the Verisign CA. It's a racket. :P

Melvin

From firewalls-owner Wed Oct 2 09:13:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA25954 for firewalls-outgoing; Wed, 2 Oct 1996 07:54:36 -0700 (PDT)
Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA25884 for ; Wed, 2 Oct 1996 07:54:19 -0700 (PDT)
Received: from Barbara's HP.us.checkpoint.com (barbara-pc) by us.checkpoint.com (5.x/SMI-SVR4) id AA27561; Wed, 2 Oct 1996 07:54:59 -0700
Message-Id: <3252823E.7D53@us.checkpoint.com>
Date: Wed, 02 Oct 1996 07:54:54 -0700
From: "Barbara W. Jaarsma"
Reply-To: barbara@us.checkpoint.com
Organization: Checkpoint US Technical Support
X-Mailer: Mozilla 3.0 (Win95; I)
Mime-Version: 1.0
To: "Bryan D. Boyle"
Cc: firewalls@greatcircle.com
Subject: Re: Gauntlet vs. Sidewinder
References: <325149EB@MSSMTPOUT.COMM.HQ.AF.MIL> <32514C1F.1BD3@us.checkpoint.com> <325150E6.52BF@erenj.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bryan -

You're right - it's not an unbiased opinion. But after 25 years in the business, first as a programmer, and then as a consultant specializing in multi-protocol, multi-vendor, multi-application environments & security, and having worked for numerous firewall vendors, I can pick my own jobs and name my own price. And I'm here at Checkpoint. Think about it...

-Barb

P.S. Note the free SYNDefender upgrade on our web site (http://www.checkpoint.com). Know anyone else who has one?

Bryan D. Boyle wrote:
>
> Barbara W. Jaarsma wrote:
> >
> > Bouchard, Alexis, 2Lt,SAM/GNCP wrote:
> > >
> > > I have to choose between Gauntlet and Sidewinder as a Firewall solution.
> >
> > Personally, I'd go with FireWall-1... :-)
> > -Barb
>
> Not an unbiased opinion, from your return address.
>
> --
> Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
> #include | http://www.access.digex.net/~bdboyle/index.html
> "They that can give up liberty to obtain a little temporary safety
> deserve neither liberty nor safety." - Benjamin Franklin,
> Historical Review of Pennsylvania

From firewalls-owner Wed Oct 2 09:30:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA28669 for firewalls-outgoing; Wed, 2 Oct 1996 08:15:50 -0700 (PDT)
Received: from loki.asymetrix.com (loki.asymetrix.com [192.147.176.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA28595 for ; Wed, 2 Oct 1996 08:15:24 -0700 (PDT)
Received: from mailgate.asymetrix.com (mailgate.asymetrix.com [192.220.170.13]) by loki.asymetrix.com (8.7.3/8.7.1) with SMTP id IAA20456 for ; Wed, 2 Oct 1996 08:00:27 -0700 (PDT)
Received: by mailgate.asymetrix.com with Microsoft Mail id <32528762@mailgate.asymetrix.com>; Wed, 02 Oct 96 08:16:50 PDT
From: Keith McCammon
To: "'Firewalls'"
Subject: RE: NT Security
Date: Wed, 02 Oct 96 08:20:00 PDT
Message-ID: <32528762@mailgate.asymetrix.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

----------
> ... the Division level. We think less, but more robust machines running NT workstation on both the class and unclass LAN/WAN's, would offer what we require in terms of processing power and NT's excellent auditing/security.

Excuse me, but NT does NOT have excellent auditing/security. Internet hackers are just starting to wade into NT, and the more I talk to them the more gaping holes I find.

> However, it is very expensive, both in terms of equipment, and personnel, to maintain these two NT LAN's. While I have yet to see someone hack an NTFS partition with permissions and other holes plugged up (watched a couple of DISA's best guys try), the security

What??? NTFS is not encrypted! NTFS is not a secure file system! You can directly edit NTFS disk sectors from WITHIN NT!
You can also boot to DOS and, using the NTFS4DOS driver, read any file regardless of encryption. You can also reinstall NT and Take Ownership of entire volumes! And if you physically transfer the hard disk to another NT box you can also take ownership, negating all file security!

> goons still have conniption fits about placing classified data on an unclassified NTFS partition. Any word on when NT will be network certified??

Probably in a year or so.

Keith McCammon
MIS Analyst
Asymetrix Corp
*Opinions Are My Own*

From firewalls-owner Wed Oct 2 10:08:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA00750 for firewalls-outgoing; Wed, 2 Oct 1996 08:29:25 -0700 (PDT)
Received: from litle.net (wizard.litle.com [205.139.20.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA00722 for ; Wed, 2 Oct 1996 08:29:07 -0700 (PDT)
Received: from s_khan.litle.net by litle.net (SMI-8.6/SMI-SVR4) id LAA06374; Wed, 2 Oct 1996 11:30:57 -0400
Message-Id: <2.2.32.19961002153127.0075ef98@litle.net>
X-Sender: s_khan@litle.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Priority: 2 (High)
Date: Wed, 02 Oct 1996 11:31:27 -0400
To: firewalls@greatcircle.com
From: "Saqib A. Khan"
Subject: TCP SYN attack possible SOLUTION: FW-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Here's a blurb from Checkpoint suggesting that Firewall-1 can prevent TCP SYN attacks; I haven't personally verified it but it looks good. Surf to http://www.checkpoint.com/fw21/syndefender/index.html for the following page-

CheckPoint SYNDefender

Check Point's SYNDefender software is the industry's first and only firewall to provide protection against this denial of service attack, which has crippled several Internet Service Providers (ISPs) in recent weeks. Integrated into existing FireWall-1 installations, SYNDefender protects against the TCP SYN (requests for connection establishment) flood attacks by intercepting all SYN packets and mediating the connection attempts before they reach the operating system. This prevents the target host from becoming flooded by these unresolved connection attempts, which causes the operating system, and the host, to stop receiving new connections. As a result, the host system is effectively insulated from the SYN flood attack and the denial of service condition that results.

The SYNDefender white paper: TCP SYN Flooding Attack and the FireWall-1 SYNDefender
Also available in [MsWord DOC format].
CheckPoint's Press Release Announcing SYNDefender
Download SYNDefender NOW!

PS: Pls CC all mail to me @ - Saqib.A.Khan@worldnet.att.net

---------------------------------------------------
Saqib A. Khan, Principal Architect, Information Security
Strategic Network Consulting
Voice: 617.433.7117
Saqib.A.Khan@worldnet.att.net
---------------------------------------------------
"Sed quis custodiet ipsos custodes?" -Juvenal, c. 100 C.E.
From firewalls-owner Wed Oct 2 10:11:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA08325 for firewalls-outgoing; Wed, 2 Oct 1996 09:21:06 -0700 (PDT)
Received: from loki.asymetrix.com (loki.asymetrix.com [192.147.176.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA08288 for ; Wed, 2 Oct 1996 09:20:54 -0700 (PDT)
Received: from mailgate.asymetrix.com (mailgate.asymetrix.com [192.220.170.13]) by loki.asymetrix.com (8.7.3/8.7.1) with SMTP id JAA21209 for ; Wed, 2 Oct 1996 09:05:58 -0700 (PDT)
Received: by mailgate.asymetrix.com with Microsoft Mail id <325296BD@mailgate.asymetrix.com>; Wed, 02 Oct 96 09:22:21 PDT
From: Keith McCammon
To: "'Firewalls'"
Subject: RE: NT Security
Date: Wed, 02 Oct 96 09:26:00 PDT
Message-ID: <325296BD@mailgate.asymetrix.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Following along the lines of C2 orangebook being absolutely useless, there is an alleged security flaw with NT4 and possibly 3.5x that allows a remote user to change the administrator password with no authentication whatsoever. I don't have the details for this so don't ask, but you might want to look at RPC and the Win32 api... I am puzzled as to why Microsoft is keeping mum about this, but if you do find the problem and call them to confirm it, they will.
Keith McCammon
MIS Analyst
Asymetrix Corp
*Opinions Are My Own*

From firewalls-owner Wed Oct 2 10:16:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA05339 for firewalls-outgoing; Wed, 2 Oct 1996 09:00:10 -0700 (PDT)
Received: from dns.ottawa.net (dns.ottawa.net [205.211.4.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA05054 for ; Wed, 2 Oct 1996 08:59:04 -0700 (PDT)
Received: from slip-ppp3.ottawa.net (slip-ppp3.ottawa.net [205.211.5.3]) by dns.ottawa.net (8.7.5/1.2) with SMTP id LAA23345; Wed, 2 Oct 1996 11:57:45 -0400 (EDT)
Date: Wed, 2 Oct 1996 11:57:45 -0400 (EDT)
Message-Id: <199610021557.LAA23345@dns.ottawa.net>
X-Sender: bjm@ottawa.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: bdboyle@erenj.com, firewalls@GreatCircle.COM
From: bjm@ottawa.net (Brian McIntosh)
Subject: Re: Gauntlet vs. Sidewinder
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Geez Bryan, lighten up a little. Of course she has a biased opinion - that's why she followed the comment with a smiley face. Her personal opinion notwithstanding, it was (obviously) meant as a little bit of humor.

At 01:12 PM 96/10/1 -0400, Bryan D. Boyle wrote:
>Barbara W. Jaarsma wrote:
>>
>> Bouchard, Alexis, 2Lt,SAM/GNCP wrote:
>> >
>> > I have to choose between Gauntlet and Sidewinder as a Firewall solution.
>>
>> Personally, I'd go with FireWall-1... :-)
>> -Barb
>
>
>Not an unbiased opinion, from your return address.
>
>--
>Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
>#include | http://www.access.digex.net/~bdboyle/index.html
>"They that can give up liberty to obtain a little temporary safety
>deserve neither liberty nor safety." - Benjamin Franklin,
> Historical Review of Pennsylvania
>
>

========================================================
Brian J. McIntosh                UniSol Inc.
53 Courtney Road                 Tel: 613 831 6373
Kanata, Ontario                  Fax: 613 831 4739
Canada, K2L 1M1                  Email: bjm@ottawa.net
========================================================

From firewalls-owner Wed Oct 2 11:06:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA20995 for firewalls-outgoing; Wed, 2 Oct 1996 10:40:14 -0700 (PDT)
Received: from twinds.com (eagle.twinds.com [206.153.22.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA20959 for ; Wed, 2 Oct 1996 10:40:04 -0700 (PDT)
Received: by twinds.com; id NAA10159; Wed, 2 Oct 1996 13:37:39 -0400 (EDT)
Received: from hawk.twinds.com(206.153.22.3) by eagle.twinds.com via smap (V3.1.1) id xma010157; Wed, 2 Oct 96 13:37:27 -0400
Date: Wed, 2 Oct 1996 13:44:07 -0400 (EDT)
From: Arley Carter
X-Sender: ac@hawk.twinds.com
To: "Barbara W. Jaarsma"
cc: "Bryan D. Boyle" , firewalls@GreatCircle.COM
Subject: Re: Gauntlet vs. Sidewinder
In-Reply-To: <3252823E.7D53@us.checkpoint.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 2 Oct 1996, Barbara W. Jaarsma wrote:

[Propaganda]

Barbara,

Give it a rest. Less is more. :-)

Arley Carter
Tradewinds Technologies, Inc.
email: ac@twinds.com
www: http://www.twinds.com

"Life is a journey to adventure and discovery, not a problem to be solved."
-me

From firewalls-owner Wed Oct 2 11:38:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA24407 for firewalls-outgoing; Wed, 2 Oct 1996 11:05:09 -0700 (PDT)
Received: from h003.bostonherald.com (h003.bostonherald.com [204.96.59.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA24349 for ; Wed, 2 Oct 1996 11:04:49 -0700 (PDT)
Received: by h003.bostonherald.com (951211.SGI.8.6.12.PATCH1042/940406.SGI.AUTO) for id NAA16505; Wed, 2 Oct 1996 13:55:54 -0400
Received: from unknown(198.99.20.188) by h003 via smap (3.1) id xma016501; Wed, 2 Oct 96 13:55:51 -0400
Message-Id: <2.2.32.19961002180509.00699854@mailhub.bostonherald.com>
X-Sender: manny@mailhub.bostonherald.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 02 Oct 1996 14:05:09 -0400
To: firewalls@GreatCircle.COM
From: Emmanuel Korkodilos
Subject: Re: Compuserve and AOL ports
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:34 PM 10/1/96 -0400, you wrote:
>FW's,
>
> I hate to ask this, but the ports for Compuserve and AOL, can someone
>repost them... Thanks...
>

These are the values that I use for our plug-gw's in Gauntlet.

Service      Port#   Host
-------      -----   ----
AOL          5190    americaonline.aol.com
Compuserve   4144    gateway.compuserve.com
MSN          569     gateway.moswest.msn.net

--------------------------------------------------------
Emmanuel Korkodilos          Boston Herald, Inc.
manny@bostonherald.com       One Herald Square        1.617.426.3000 X354 (Voice)
                             Boston, MA 02106-2096    1.617.338.4964 (Fax)
--------------------------------------------------------

From firewalls-owner Wed Oct 2 11:41:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA28982 for firewalls-outgoing; Wed, 2 Oct 1996 11:34:50 -0700 (PDT)
Received: from news.be.innet.net (news.be.innet.net [194.7.1.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA28935 for ; Wed, 2 Oct 1996 11:34:33 -0700 (PDT)
Received: from pool011-73.innet.be (pool011-73.innet.be [194.7.12.73]) by news.be.innet.net (8.7.6/8.7.3) with SMTP id UAA09340; Wed, 2 Oct 1996 20:33:40 +0200 (MET DST)
Message-Id: <199610021833.UAA09340@news.be.innet.net>
X-Sender: fdehert@pophost.innet.be
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 02 Oct 1996 20:44:45 -0100
To: ChrisP@steldyn.com
From: fdehert@innet.be (Frank J.J. De Hert)
Subject: RE: NT Security
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 1 Oct 1996, Chris Pugrud wrote:
>This can be done fairly simply from an administrative workstation,
>across the network. Every NT machine automatically shares all of its
>drives under \\computername\c$ or d$ etc. These shares can only be
>accessed by an administrator (possibly a backup operator). This will
>allow you to scan the machine across the network without the user's
>knowledge.

This is true if the user hasn't taken ownership of certain directories and set the permissions such that only the user has access. For even an administrator to look at these files, the admin has to take ownership and set appropriate permissions (unless I missed something somewhere). This, of course, throws a spanner in the works. Any suggestions?

--
Frank De Hert
System/Security Manager
NATO Programming Centre.
From firewalls-owner Wed Oct 2 12:06:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA24252 for firewalls-outgoing; Wed, 2 Oct 1996 11:04:01 -0700 (PDT)
Received: from h003.bostonherald.com (h003.bostonherald.com [204.96.59.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA24197 for ; Wed, 2 Oct 1996 11:03:47 -0700 (PDT)
Received: by h003.bostonherald.com (951211.SGI.8.6.12.PATCH1042/940406.SGI.AUTO) for id NAA16492; Wed, 2 Oct 1996 13:54:53 -0400
Received: from unknown(198.99.20.188) by h003 via smap (3.1) id xma016489; Wed, 2 Oct 96 13:54:35 -0400
Message-Id: <2.2.32.19961002180353.006f47ec@mailhub.bostonherald.com>
X-Sender: manny@mailhub.bostonherald.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 02 Oct 1996 14:03:53 -0400
To: firewalls@GreatCircle.COM
From: Emmanuel Korkodilos
Subject: Re: ifconfig
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 06:10 AM 10/1/96 +0100, you wrote:
>Hi,
>I am building a virtual www server and I need to define multiple IP addresses
>over one physical interface of my SGI Challenge - S (Irix 5.3).
>I am looking for the parameter of the ifconfig command of SGI IRIX 5.3.
>Hoping for your kind response.
>
>M. Skarban NH a.s.
>Czech
>mskarban@novahut.cz
>

Go to www.sgi.com and search for the IP Aliases solution. This will allow one physical net interface such as ec0 to respond to multiple IP addresses. Alternately you could read the man page on "ipaliases" and try to figure it out yourself. It's much easier with the step-by-step SGI provides.

-Manny

--------------------------------------------------------
Emmanuel Korkodilos          Boston Herald, Inc.
manny@bostonherald.com       One Herald Square        1.617.426.3000 X354 (Voice)
                             Boston, MA 02106-2096    1.617.338.4964 (Fax)
--------------------------------------------------------

From firewalls-owner Wed Oct 2 12:14:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA28920 for firewalls-outgoing; Wed, 2 Oct 1996 11:34:25 -0700 (PDT)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA28904 for ; Wed, 2 Oct 1996 11:34:17 -0700 (PDT)
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id OAA02834; Wed, 2 Oct 1996 14:33:16 -0400 (EDT) sender long-morrow@CS.YALE.EDU for
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id OAA13330; Wed, 2 Oct 1996 14:33:13 -0400 (EDT)
Date: Wed, 2 Oct 1996 14:33:13 -0400 (EDT)
Message-Id: <199610021833.OAA13330@SPARKY.CF.CS.YALE.EDU>
To: barbara@us.checkpoint.com, bdboyle@erenj.com
Subject: SYN Flood defenses -- was Re: Gauntlet vs. Sidewinder
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Barbara W. Jaarsma" wrote:
>P.S. Note the free SYNDefender upgrade on our web site
>(http://www.checkpoint.com). Know anyone else who has one?

There are others:

ISS (Internet Security Systems) has an alpha software package called 'Real Secure' which goes around resetting 'waiting' half-open connections to clear them out of the backlogged queue for a port.

CISCO is mentioned in the CERT advisory on the SYN flood attack and has a page on how they have worked with ISPs on solutions ( http://www.cisco.com/warp/public/146/917_security.html ), but they appear to be intentionally vague about their solution(s) so as not to give potential attackers any inside information.

But I do think that the Checkpoint defenses regarding SYN flooding are truly clever/ingenious and made for very interesting reading.
In addition to the white paper and press release there is a download (patches and installation scripts for FW 2.0c-e, 2.1 & 2.1a) available from Checkpoint's Web page for the Firewall-1 firewall:

http://www.checkpoint.com/fw21/syndefender/index.html

There is an interesting and technical description of how the Checkpoint Firewall-1 SYNDefender defenses (Relay and Gateway) work. Obviously both approaches are only feasible because Firewall-1 is a smart/intelligent dynamic packet filter (aka "stateful inspection screening router") - the SYN flood attack is one of the strongest arguments to come around in favor of such firewalls, and there will likely be future denial-of-service attacks to recommend their use.

Basically the two SYNDefender approaches are (based on my reading of them)...

1. The Relay approach tries to make sure that incoming TCP connections are valid by holding up the initial SYN from the outside host, answering on behalf of the internal target with a SYN/ACK to the external initiator, and then only passing on the initial SYN to the internal target; Firewall-1 then absorbs (captures and eats) the SYN/ACK sent out by the internal target and responds by forging an ACK as sent by the external host. In effect, the relay works by acting as a 'man-in-the-middle' to spoof the remote end of the 3-way handshake to both the initiator and the contacted.

2. The Gateway solution works instead by allowing through the initial SYN packet from the external initiator. After Firewall-1 intercepts the SYN/ACK packet sent from the internal target, it (in a timely manner) supplies an 'ACK' to the internal target just as if the external initiator had sent it. This completes the three-way handshake for the internal target and it moves the pending connection out of the backlog queue (the limited size of which is the basis of the D-O-S attack in the first place).
The pros and cons of both approaches as a defense choice are discussed in the white paper (http://www.checkpoint.com/fw21/syndefender/syndefender-white.html).

For more information on SYN Flooding and IP spoofing I recommend:

The two excellent articles on SYN Flooding and IP Spoofing attacks (alone and in combination) in the latest Phrack ( V. 7, #48, September 1, 1996. ISSN 1068-1035 ). This description of how to, as well as the exploit code posted in this copy of Phrack, are commonly held to be at least partially (and possibly primarily) responsible for the rash of D-O-S attacks on the Internet against hosts such as PANIX and the Internet Chess servers. They can be read at URLs:

http://www.fc.net/phrack/files/p48/p48-13.html
http://www.fc.net/phrack/files/p48/p48-14.html

- Morrow

From firewalls-owner Wed Oct 2 12:25:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA24949 for firewalls-outgoing; Wed, 2 Oct 1996 11:07:23 -0700 (PDT)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA24751 for ; Wed, 2 Oct 1996 11:06:28 -0700 (PDT)
Received: from pferguso-pc.cisco.com (dhcp-restontel-84.cisco.com [171.68.52.84]) by diablo.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id LAA00294; Wed, 2 Oct 1996 11:05:33 -0700
Message-Id: <2.2.32.19961002180532.006d8888@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Priority: 2 (High)
Date: Wed, 02 Oct 1996 14:05:32 -0400
To: "Saqib A. Khan"
From: Paul Ferguson
Subject: Re: TCP SYN attack possible SOLUTION
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:31 AM 10/2/96 -0400, Saqib A. Khan wrote:
>Here's a blurb from Checkpoint suggesting that Firewall-1 can prevent TCP SYN
>attacks, I haven't personally verified it but it looks good. Surf to
>http://www.checkpoint.com/fw21/syndefender/index.html for the following page-
>

In the same vein, an I-D draft that I have submitted has been posted to the I-D drafts repository near you [below]. I would like to get some feedback prior to the *-01.txt revision; I would like for this document to be published as an RFC once the language has been polished, typos corrected, etc.

FYI.

- paul

[snip]

To: IETF-Announce:;
Sender: ietf-announce-request@ietf.org
From: Internet-Drafts@ietf.org
Reply-to: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ferguson-ingress-filtering-00.txt
Date: Wed, 02 Oct 1996 10:01:04 -0400
X-Orig-Sender: cclark@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts directories.

Title     : Network Ingress Filtering
Author(s) : P. Ferguson
Filename  : draft-ferguson-ingress-filtering-00.txt
Pages     : 6
Date      : 10/01/1996

Recent occurrences of various Denial of Service attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective and straightforward method for using ingress traffic filtering to deny attacks which use "invalid" source addresses; prefixes which are not being legitimately advertized to the Internet via a particular service provider gateway.

Internet-Drafts are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ferguson-ingress-filtering-00.txt".

A URL for the Internet-Draft is:
ftp://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-00.txt

Internet-Drafts directories are located at:

o Africa: ftp.is.co.za
o Europe: nic.nordu.net
          ftp.nis.garr.it
o Pacific Rim: munnari.oz.a
o US East Coast: ds.internic.net
o US West Coast: ftp.isi.edu

Internet-Drafts are also available by mail. Send a message to: mailserv@ds.internic.net.
In the body type: "FILE /internet-drafts/draft-ferguson-ingress-filtering-00.txt".

NOTE: The mail server at ds.internic.net can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e., documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages.

Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.

Content-Type: text/plain
Content-ID: <19961001164609.I-D@ietf.org>

ENCODING mime
FILE /internet-drafts/draft-ferguson-ingress-filtering-00.txt

Content-Type: text/plain
Content-ID: <19961001164609.I-D@ietf.org>

[snip]

--
Paul Ferguson                    ||        ||
Consulting Engineering           ||        ||
Reston, Virginia USA            ||||      ||||
tel: +1.703.716.9538        ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com    c i s c o S y s t e m s

From firewalls-owner Wed Oct 2 12:42:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA05138 for firewalls-outgoing; Wed, 2 Oct 1996 12:26:21 -0700 (PDT)
Received: from DOCKMASTER.NCSC.MIL ([198.26.55.74]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA04974 for ; Wed, 2 Oct 1996 12:25:44 -0700 (PDT)
Date: Wed, 2 Oct 96 15:21 EDT
From: Wilner@DOCKMASTER.NCSC.MIL
Subject: Re: NT Security
To: firewalls@GREATCIRCLE.COM
Message-ID: <961002192121.375426@DOCKMASTER.NCSC.MIL>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Much has been made of NT's "C2" certification. I've heard
> that it was certified without . . .

There is no need to speculate or to "have heard" about such things.
You can order the NCSC's Final Evaluation Report on the product (FER-95/003) and feast on two hundred pages of technical meat and potatoes. Such documents can be obtained, free, from the U. S. Government by calling (410)766-8729 or, if their phones haven't caught up with them since the move, (410)691-2795.

From firewalls-owner Wed Oct 2 13:07:31 1996
Date: Wed, 2 Oct 1996 15:18:49 -0400 (EDT)
To: barbara@us.checkpoint.com
From: pelicans@mindspring.com (BeachCruiser)
Subject: Re: Gauntlet vs. Sidewinder
Cc: Firewalls@GreatCircle.COM

> You're right - it's not an unbiased opinion. But after 25 years in
> the business, first as a programmer, and then as a consultant
> specializing in multi-protocol, multi-vendor, multi-application
> environments & security, and having worked for numerous firewall
> vendors, I can pick my own jobs and name my own price. And I'm here
> at Checkpoint. Think about it...

Hummmmmm. Let's see... twenty-five years in the business, and security (presumably USG INFOSEC experience?). Numerous firewall vendors huh? And you PICKED Checkpoint? Guess you're right... that indeed does make its own statement.
rmck

From firewalls-owner Wed Oct 2 13:24:05 1996
Date: Wed, 2 Oct 1996 14:50:52 -0500 (CDT)
From: "Bruce M."
To: firewalls@greatcircle.com
Subject: Re: TCP SYN attack possible SOLUTION: FW-1
In-Reply-To: <2.2.32.19961002153127.0075ef98@litle.net>

On Wed, 2 Oct 1996, Saqib A. Khan wrote:

> (ISPs) in recent weeks. Integrated into existing FireWall-1 installations,
> SYNDefender protects against the TCP SYN (requests for connection
> establishment) flood attacks by intercepting all SYN packets and mediating
> the connection attempts before they reach the operating system. This
> prevents the target host from becoming flooded by these unresolved
> connection attempts, which causes the operating system, and the host, to
> stop receiving new connections. As a result, the host system is effectively
> insulated from the SYN flood attack and denial of service condition that
> results.

That is good for when you still want to be able to use your host for internal matters during an attack, but what about the effects on the firewall and any other potential Internet users trying to get to your site?

________________________________
[ Bruce M. - Feist Systems, Inc. ]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

'DISA information shows that computer attacks on the Department of Defense are successful 65 percent of the time.
The DoD, despite its problems, probably has one of the strongest computer security programs in government.' -GAO/T-AIMD-96-108

From firewalls-owner Wed Oct 2 13:40:58 1996
Message-ID: <01BBB07F.296F0F20@belgium.bulldog.ca>
From: Dan Tshin
To: "firewalls@greatcircle.com"
Subject: RE: SYN Flood defenses -- was Re: Gauntlet vs. Sidewinder
Date: Wed, 2 Oct 1996 16:31:27 -0400

On Wednesday, October 02, 1996 10:33 AM, long-morrow@CS.YALE.EDU wrote:
>
> "Barbara W. Jaarsma" wrote:
>> P.S. Note the free SYNDefender upgrade on our web site
>> (http://www.checkpoint.com). Know anyone else who has one?
>
> There are others:
[snip]

Yes, I know that Milkyway is going to address this issue in their next release of BlackHole. Their implementation is similar to what someone else mentioned a while back. I suppose you can contact Milkyway about what their plans are.

Dan
_______________________________________________
Dan Tshin                 The Bulldog Group Inc.
Research and Development  416.594.9207:252
http://www.bulldog.ca     416.594.1473 Fax
_______________________________________________
A head is not merely a hat hangar. Just Use It.
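The ingress filtering that Paul Ferguson's draft announcement above describes (drop packets whose source address lies outside the prefixes a customer legitimately sends through the provider gateway), as an added example that is not from the archive or the draft; the interface names, prefixes and packets are constructed sample data.

```python
"""Network ingress filtering as outlined in draft-ferguson-ingress-filtering-00.

A provider's customer-facing gateway knows which prefixes it legitimately
routes for each customer link.  A packet arriving on that link with a source
address outside those prefixes is forged (or badly misconfigured) and is
dropped before it reaches the Internet, so it cannot take part in a
forged-source flood.  The filter only narrows the problem: a sender can still
forge any address inside its own permitted prefix, which is why it must be
deployed at the customer edge, where prefixes are smallest.  Written as an
illustration for this archive; interface names, prefixes and packets below
are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ingress_iface: str   # link the packet arrived on
    src: str             # claimed source address
    dst: str


class IngressFilter:
    """Per-interface source-address validation at the provider edge."""

    def __init__(self, permitted):
        # interface -> prefixes legitimately advertised through it
        self.permitted = {
            iface: [ip_network(p) for p in prefixes]
            for iface, prefixes in permitted.items()
        }
        self.log = []

    def is_valid_source(self, iface, src):
        """True only if src lies inside a prefix assigned to iface."""
        prefixes = self.permitted.get(iface)
        if prefixes is None:
            return False  # unknown link: fail closed rather than forward
        addr = ip_address(src)
        return any(addr in prefix for prefix in prefixes)

    def apply(self, packets):
        """Forward packets with valid sources; drop and log the rest."""
        forwarded = []
        for pkt in packets:
            if self.is_valid_source(pkt.ingress_iface, pkt.src):
                forwarded.append(pkt)
            else:
                self.log.append(
                    f"DROP iface={pkt.ingress_iface} src={pkt.src} "
                    f"dst={pkt.dst}: source not in advertised prefixes"
                )
        return forwarded


# Constructed topology: one customer link, serial0, routing 192.0.2.0/24.
CUSTOMER_LINKS = {"serial0": ["192.0.2.0/24"]}

# Constructed traffic: two legitimate packets, two forged, one on an unknown link.
SAMPLE_PACKETS = [
    Packet("serial0", "192.0.2.10", "198.51.100.5"),   # legitimate
    Packet("serial0", "203.0.113.7", "198.51.100.5"),  # forged: foreign prefix
    Packet("serial0", "10.9.8.7", "198.51.100.5"),     # forged: private space
    Packet("serial0", "192.0.2.200", "198.51.100.5"),  # legitimate
    Packet("serial1", "192.0.2.11", "198.51.100.5"),   # arrived on unknown link
]


def run_example():
    """Filter the sample traffic; returns (forwarded sources, drop log)."""
    flt = IngressFilter(CUSTOMER_LINKS)
    forwarded = flt.apply(SAMPLE_PACKETS)
    return [p.src for p in forwarded], flt.log


if __name__ == "__main__":
    srcs, log = run_example()
    print("forwarded:", srcs)
    print("\n".join(log))
```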
From firewalls-owner Wed Oct 2 14:11:11 1996
Message-Id: <96Oct3.091712nzst.35717@kotuku.manukau.govt.nz>
From: Matthew Thompson
To: "'Firewalls'", "'Keith McCammon'"
Subject: RE: NT Security
Date: Fri, 4 Oct 1996 08:37:41 +1200

> What??? NTFS is not encrypted! NTFS is not a secure file system! You can
> directly edit NTFS disk sectors from WITHIN NT! You can also boot to DOS
> and using the NTFS4DOS driver read any file regardless of encryption. You
> can also reinstall NT and Take Ownership of entire volumes! And if you
> physically transfer the hard disk to another NT box you can also take
> ownership, negating all file security!

The same attacks apply to Unix and Netware. What do you recommend people do to extend/replace these 3 operating systems to solve this problem?
From firewalls-owner Wed Oct 2 14:20:24 1996
From: firstcat@lsli.com
Date: Wed, 2 Oct 96 15:23:29
Subject: ANNOUNCE: Livermore Solution for SYN FLOOD

Livermore Software Labs Announces Defense against SYN Flooding Attacks: N.O.A.H. Component Lets Firewall Rise Above SYN Floods

HOUSTON, TX (October, 1996) Livermore Software Laboratories, International announced its SYN flood defense for the PORTUS firewall, N.O.A.H. PORTUS is the first application firewall to defend against the SYN flood attacks that have denied service to many systems on the Internet. The PORTUS monitor automatically detects SYN flood attacks, manages the partially completed connection queue, deletes old entries, and alerts the system administrators. PORTUS performs queue management, adjusting queue lengths and high and low water marks based on system status. PORTUS has always prevented systems behind the firewall from receiving SYN attacks. With the new enhancement PORTUS also protects itself from denial of service attacks.

Unlike other approaches taken by packet filter firewalls, PORTUS' N.O.A.H. never lets a system behind the firewall see a SYN flood attack. As a result, protected servers never see an invalid SYN and ACK. Thus the server does not have to respond by spawning a process to support a connection that will eventually time out.
This prevents the server from wasting CPU and memory resources responding to hundreds of superfluous connection requests, which could cause other system problems (such as crashes). NOAH is a standard component in the PORTUS V2.2 release, and will ship October 5th to LSLI's existing customers, and enter general distribution the following week. PORTUS is available through standard distribution channels and LSLI directly. For more information contact LSLI at 713/974-3274.

Livermore Software Labs
http://www.lsli.com

From firewalls-owner Wed Oct 2 15:11:37 1996
From: Keith McCammon
To: "'Firewalls'"
Subject: RE: NT Security
Date: Wed, 02 Oct 96 15:02:00 PDT
Message-ID: <3252E556@mailgate.asymetrix.com>

Use an encrypted filesystem.

----------
The same attacks apply to Unix and Netware. What do you recommend people do to extend/replace these 3 operating systems to solve this problem?
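The half-open connection queue management that the SYNDefender description (quoted in Bruce M.'s post) and the PORTUS N.O.A.H. announcement above both describe, as an added illustrative model that is neither Check Point nor LSLI code: SYNs create half-open entries, old entries are aged out, and crossing a high-water mark raises an alert, tightens aging and sheds the oldest entries back to a low-water mark. The marks, timeouts and traffic are constructed.

```python
"""Model of a half-open (SYN_RCVD) connection queue with aging and
high/low water marks, in the spirit of the SYN flood defenses discussed on
the list.  Illustrative code written for this archive, not any vendor's
implementation; queue sizes, timeouts and the sample traffic are constructed.
"""
from collections import OrderedDict


class HalfOpenQueue:
    def __init__(self, high_water=20, low_water=10, timeout=75.0, flood_timeout=5.0):
        self.high_water = high_water
        self.low_water = low_water
        self.normal_timeout = timeout        # patient aging in normal operation
        self.flood_timeout = flood_timeout   # aggressive aging during a flood
        self.timeout = timeout
        self.pending = OrderedDict()         # 4-tuple -> time SYN arrived, oldest first
        self.alerts = []
        self.dropped = 0
        self.under_attack = False
        self.last_overflow = None

    def expire(self, now):
        """Delete entries older than the current timeout, then leave flood mode
        once a full normal timeout has passed without the queue overflowing."""
        while self.pending:
            _, stamped = next(iter(self.pending.items()))
            if now - stamped < self.timeout:
                break
            self.pending.popitem(last=False)
            self.dropped += 1
        if self.under_attack and now - self.last_overflow >= self.normal_timeout:
            self.under_attack = False
            self.timeout = self.normal_timeout
            self.alerts.append(f"t={now:.1f}s flood subsided, normal timeout restored")

    def on_syn(self, key, now):
        """First handshake packet: record a half-open connection."""
        self.expire(now)
        self.pending.pop(key, None)          # retransmitted SYN refreshes the entry
        self.pending[key] = now
        if len(self.pending) > self.high_water:
            self._shed(now)

    def on_ack(self, key, now):
        """Third handshake packet: the connection is established and leaves the
        half-open queue.  Returns False if its SYN was never seen or aged out."""
        if self.pending.pop(key, None) is None:
            return False
        self.expire(now)
        return True

    def _shed(self, now):
        """Above the high-water mark: alert once, tighten aging, and drop the
        oldest entries until the queue is back at the low-water mark."""
        self.last_overflow = now
        if not self.under_attack:
            self.under_attack = True
            self.timeout = self.flood_timeout
            self.alerts.append(
                f"t={now:.1f}s SYN flood suspected: {len(self.pending)} half-open connections"
            )
        while len(self.pending) > self.low_water:
            self.pending.popitem(last=False)
            self.dropped += 1


def simulate_flood():
    """Constructed scenario: one real client is caught in a forged-source flood;
    a second client connects cleanly after the flood subsides."""
    q = HalfOpenQueue(high_water=20, low_water=10)
    server = ("198.51.100.10", 80)
    client1 = ("192.0.2.5", 40000) + server
    q.on_syn(client1, 0.0)
    # 40 SYNs from forged sources within 0.4 s; none of them is ever acknowledged
    for i in range(40):
        q.on_syn((f"203.0.113.{i + 1}", 1024 + i) + server, 0.01 * (i + 1))
    results = {
        "client1_completed": q.on_ack(client1, 0.5),  # its entry was shed: False
        "dropped_during_flood": q.dropped,
        "flood_alerts": [a for a in q.alerts if "suspected" in a],
    }
    client2 = ("192.0.2.6", 40001) + server
    q.on_syn(client2, 100.0)                          # stale entries age out here
    results["client2_completed"] = q.on_ack(client2, 100.2)
    results["under_attack_at_end"] = q.under_attack
    results["pending_at_end"] = len(q.pending)
    return results


if __name__ == "__main__":
    for name, value in simulate_flood().items():
        print(f"{name}: {value}")
```

The simulation also shows the side effect Bruce M. asks about: the legitimate client whose SYN arrived just before the flood is shed along with the forged entries and never completes its handshake.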
From firewalls-owner Wed Oct 2 15:25:58 1996
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9610022218.AA21250@sonic.nmti.com.nmti.com>
Subject: Re: NT Security
To: mthomps1@kiwitech.co.nz (Matthew Thompson)
Date: Wed, 2 Oct 1996 17:18:11 -0500 (CDT)
Cc: firewalls@GreatCircle.COM, keithm@asymetrix.com
In-Reply-To: <96Oct3.091712nzst.35717@kotuku.manukau.govt.nz> from "Matthew Thompson" at Oct 4, 96 08:37:41 am

> The same attacks apply to Unix and Netware. What do you recommend people do
> to extend/replace these 3 operating systems to solve this problem?

I'd install CFS on UNIX. It's a cryptographic file system that is layered on top of the existing file system. Without the key, all the file names and contents are gibberish.
From firewalls-owner Wed Oct 2 15:40:59 1996
Date: Wed, 2 Oct 1996 15:28:07 -0700
Message-Id: <9610022228.AA01348@vern.loc201.tandem.com>
To: firewalls@greatcircle.com
Subject: RE: SYN Flood defenses, Firewall-1
Cc: barbara@us.checkpoint.com
From: pat@tandem.com

> "Barbara W. Jaarsma" wrote:
>> P.S. Note the free SYNDefender upgrade on our web site
>> (http://www.checkpoint.com). Know anyone else who has one?
>

How does this protect the firewall-1 host itself (if at all)??
-pat

From firewalls-owner Wed Oct 2 15:56:06 1996
Message-ID: <01BBB077.140DB4E0@ppp-206-170-2-31.sntc01.pacbell.net>
From: muzo
To: "'Firewalls'", "'Keith McCammon'"
Subject: RE: NT Security
Date: Wed, 2 Oct 1996 15:33:29 -0700

> You can directly edit NTFS disk sectors from WITHIN NT!

Not on a properly secured system with the correct user rights. To be able to read sectors off of a partition you need certain rights which your regular users shouldn't have.

> You can also boot to DOS
> and using the NTFS4DOS driver read any file regardless of encryption.

Is there any PC OS which can prevent you from booting to DOS and doing the same?
muzo

From firewalls-owner Wed Oct 2 16:11:14 1996
Message-Id: <199610022210.RAA03967@yeager.nmh.org>
Date: Wed, 2 Oct 1996 17:22:00 -0500
From: "Davidson, Clyde"
Subject: RE: NT Security
To: Firewalls

Don't forget that the "Orange Book" that defines C2 is not for any networked system. It defines government security requirements for stand-alone systems. That means that any UNIX system that is networked would lose whatever C2 certification that it might have, just like NT.

Also remember that C2 is Discretionary Access Control. That means that "The discretionary access control mechanism shall, either by explicit user action or by default, provide that objects are protected from unauthorized access. These access controls shall be capable of including or excluding access to the granularity of a single user." The Orange Book.

It looks to me that NT and any C2 UNIX both do this just fine. Of course, being discretionary means that NT and UNIX can be configured without any security at all. That is the requirement. If you want Mandatory Access Control you will have to make your system B1, B2, B3, or A1 level of security. However, you still can't network it.

Then again, none of this discusses whether these are even worthwhile for commercial businesses.
Clyde Davidson
----------

From firewalls-owner Wed Oct 2 16:31:44 1996
Message-Id: <199610022214.RAA03995@yeager.nmh.org>
Date: Wed, 2 Oct 1996 17:22:00 -0500
From: "Davidson, Clyde"
Subject: RE: Gauntlet vs. Sidewinder
To: Firewalls, "'BOUCHARDA@comm.hq.af.mil'"

I have Sidewinder and I love it, but I don't know anything about Gauntlet except that a lot of people love it and use it.

Secure Computing sent me a printed interview with Peter Stephenson of InfoSEC Technologies. He is supposed to be an expert in security who does work for companies to see if he can crack their security, among other things. Peter claims that Sidewinder is the only firewall that he hasn't been able to break into or through. He used ISS and many other tools. Now you have to remember that the source of this interview was Secure Computing, but they have always played very straight with me.

This may or may not help you.

Clyde Davidson
Data Security Coordinator
NMH

Alexis Bouchard wrote:
----------
I have to choose between Gauntlet and Sidewinder as a Firewall solution. Both products meet my laundry list requirements. Both can do the job of securing my network, but which one is better? What I'm looking for is which one is better than the other as far as ease of use, overall security and support from the vendor.
I have all the general vendor info, but I'm looking for strong technical reasons why I should go with one or the other. I'm a new kid on the block. This is my first Firewall experience. I haven't had the luxury of seeing many Firewalls in use, or being able to play and fiddle with them. I'm open to all input and all advice. I need to take advantage of someone else's experiences.

From firewalls-owner Wed Oct 2 16:41:41 1996
From: Russ
To: "'keithm@asymetrix.com'", "'fdehert@innet.be'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: NT Security
Date: Wed, 2 Oct 1996 19:05:24 -0400

To use NT as a File and Print server, there are no directories/files which need to be set to RWXD for Everyone. In fact, the group Everyone does not need to have any access to anything. Given that access for some unknown/unqualified user (i.e. Everyone) is not necessary for an NT File and Print server, the idea of C2's accountability/auditing is of value, albeit limited value, but that's all that C2 provides.
Part of the C2 requirements are that the system cannot be modified or accessed without record, and to comply in this area, Microsoft used Compaq and Digital equipment which could have the floppy boot disabled (in the case of Compaq they also disabled the CD boot). The boxes also required physical security (i.e. cabinet locks). This would be true of any system which does not employ a firmware-based tripwire system for the HD controller.

The C2 Orange Book requirements were meant to cover a stand-alone machine, but the C2 Red Book requirements were/are intended for network environments. Microsoft has never completed C2 Red Book testing (or if they have, they've never published the results). The main reason, IMO, is that in order to comply they would have to make significant modifications to their BackOffice products which might run on an NT Server. Microsoft is far more interested in selling less secure/more easily usable products to make that investment at this time. Although customer requirements are changing (look at some of the security features in MSExchange Server, like data encryption, encrypted sessions between site servers, integrated NT Domain authentication...), they still don't have a focus on security first.

As for basic security precautions for NT, remove permissions for the group Everyone at the root of the HKEY_LOCAL_MACHINE hierarchy in the registry. You will be given the option to have this removal propagated down through the entire tree; DO NOT USE THIS OPTION. With that one change, accessing your registry from the network will be restricted only to logged-on users of the Administrators group, and even members of this group can be restricted if they are not granted the right to "Log on from the Network". Of course, members of the Administrators group can change that right to give themselves access, but as C2 requires, this change would be recorded in the event logs.
And if they were to delete the logs, the deletion would be recorded also... and so on...

NT 4.0, by default, now restricts registry access for the group Everyone to read access of the following hives:

  System\CurrentControlSet\Control\ProductOptions
  System\CurrentControlSet\Control\Print\Printers
  System\CurrentControlSet\Services\Eventlog
  Software\Microsoft\Windows NT\CurrentVersion

NOTE: If you have your NT box set to auto-logon, the username and password get stored in a subkey of Software\Microsoft\Windows NT\CurrentVersion, and can therefore be seen by members of the group Everyone by default. Since enabling auto-logon is done by a registry hack (although a utility is included in the NT Resource Kit to enable it), and since it requires a user ID and password to be stored in clear text, it's obviously a pretty bad idea to enable it. Reducing permissions on subkeys of this hive is a good idea since it contains some parameters that you might not want made known; usually removing the query permission is sufficient.

Cheers,
Russ

"any sufficiently advanced technology is indistinguishable from magic"... Arthur C.
Clarke

From firewalls-owner Wed Oct 2 17:00:59 1996
Date: Wed, 2 Oct 1996 15:48:00 -0700
To: firewalls@greatcircle.com
From: Camille Blakeley
Subject: Re: Opinions/Experiences re: Sidewinder?

> Greetings, all...
>
> Am evaluating high-end firewall implementations currently on the market
> for deployment in large, complex WAN environments.
>
> Secure Computing's Sidewinder seems to be what I'm after, but if there are
> any "gotchas", with their package, I'd sure like to know about them.
>

I have messed around with Sidewinder. The network I was on had an old version of TIS Toolkit running on an even older DEC station. It wasn't perfect, but it did get done what I needed. I was running a 2500 node campus network. Anyway, the old DEC station finally pooped out and someone lent us a Secure Computing Sidewinder to use until we got a new firewall in. I must have spent an entire week configuring it, ugh. I then spent another two months babysitting the little beastie.

My impression is, for a small network (100 nodes or less, one server, etc...)
with very standard requirements for the internet (www, telnet, ftp, gopher, and maybe news), and little or no administration or expertise, this is the thing for you. However, for a large, diverse network that has some non-standard requirements for internet connections, a dynamic configuration, and a very busy mail system, this is your nightmare.

My access list, for reasons I won't go into here, was very large, and the Sidewinder just couldn't handle the size or dynamic nature of my access requirements. I had several applications that needed access to the outside world that were using ports not already listed. The process for making customized proxies was long, problematic, and cryptic. There were times when either one proxy or the whole set of them just stopped working; their processes were still running, but they were rejecting connections, stating that the connection on the other end wasn't available (it was). Nothing short of rebooting the system could fix this. Its interface was kludgy, inflexible, and buggy. However, I believe this was due mainly to the fact I was stressing the system far beyond what it was expected to do.

I also didn't like the fact that you could use it for a web server, anonymous ftp server, etc. as well as a firewall. This made for some problems when configuring, and I believe is just generally insecure. You really want to use a separate system for public access, I think.

Despite the above info, I don't really think Sidewinder is a bad system, it just wasn't able to handle my large, rather complicated network.

> Additionally, if there's a f/w out there other than Sidewinder that
> happens to have a special place in your heart (or in your WAN :-), I'd be
> grateful if you would share your opinions and experiences.

I much prefer any UNIX flavor you may like and Firewall-1. I've messed with several, and this is the one I enjoy working with most.

Hope this helps.
Camille Blakeley (camille@blakeley.com)

From firewalls-owner Wed Oct 2 17:11:19 1996
Message-Id: <2.2.32.19961002231123.00be35a8@osc.hidata.com>
Date: Wed, 02 Oct 1996 16:11:23 -0700
To: Firewalls@GreatCircle.COM (Firewalls)
From: Bill Stout
Subject: RE: NT Security

At 10:12 AM 10/1/96 +0200, G6 CPT Bates wrote:
...
> However, we have run into speed bumps with individuals processing classified information on unclassified
> ...
> We do not have the budget nor training to install expensive firewalls at the Division level. We think less, but more robust machines running NT workstation on both the class and unclass LAN/WAN's, would offer what we require in terms of processing power and NT's excellent auditing/security. However, it is very expensive, both in terms of equipment, and personnel, to maintain these two NT LAN's. While I have yet to see someone hack an NTFS partition with permissions and other holes plugged up (watched a couple of DISA's best guys try), the security goons still have conniption fits about placing classified data on an unclassified NTFS partition. Any word on when NT will be network certified??
> ...

Ha ha ha ha ho ho he.
As an ex-crypto (MOS 31S) and 'other duties as assigned' Army vet, good luck! I sure hope you're not really putting classified data on NT systems in unclassified nets! If you know of someone who has, get the S2 to have a nice long talk with them. I pay nose-bleed taxes to support god-knows-what covert and non-covert political and military actions which I may or may not agree with, and had put my own neck on the line in the insane live-fire environment of the Korean DMZ and other environments to 'protect our freedoms' (which keep diminishing thanks to our own Governments' occasional Socialist/Tyrannistic binges), and I'd hate to see my hard-earned tax dollars be blown so easily.

NT is breakable. UNIX is breakable. Unless you know exactly what you are doing, I guaran'f-ing'tee you, you will leave security holes open. DISA's 'best' are not 'the best' hackers in the world by far. The best are out there in the private industry making the big bucks, talking to developers, comparing notes, and, hacking.

NT will have Kerberos 5 authentication which is probably what you are thinking of. But even though an O.S. may have strong internal security mechanisms, that security mechanism never leaves the local machine. Once an external connection is made into a machine, some service aliases what it authenticated to some valid internal user. Your internal O.S. has process-to-process communications that can be snooped, your client-to-server process can be spoofed, external sessions can be hijacked, and your external data can be sniffed.

There is a biblical prophecy which talks about a statue of the great world empires made of gold, silver, copper, legs of iron etc. This great powerful statue collapsed because a stone was thrown at its feet, which were made of clay mixed with iron. Silicon and wires? Food for thought.
Bill Stout
_______________________________________________________________________________
Senior Systems Admin  NT/Solaris/WWW/Firewalls/Routers/Mainframe_UNIX
Hitachi Data Systems  408-970-4822 --- Disclaimer: I speak only for myself
HDS Marketing ---> http://www.hdshq.com/
Freedom       ---> http://www.libertarian.com/
Threats       ---> http://www.ccnet.com/~suntzu75/resister.htm

From firewalls-owner Wed Oct 2 17:26:22 1996
From: craigw@mac.ce.com.au
Message-Id: <199610022344.JAA20536@mac.ce.com.au>
To: fdehert@innet.be (Frank J.J. De Hert)
Date: Thu, 3 Oct 1996 09:46:02 +0000
Subject: RE: NT Security
CC: firewalls@GreatCircle.com

Have a separate admin account on ALL machines. Users should have a maximum "Power User" access level. Never allow root access to the user... even on their own machine. As admin, change all permissions back.

> > > This can be done fairly simply from an administrative workstation,
> > > across the network.
Every NT machine automatically shares all of its > >drives under \\computername\c$ or d$ etc. These shares can only be > >accessed by an administrator (possibly a backup operator). This will > >allow you to scan the machine across the network without the users > >knowledge. > > This is true if the user hasn't taken ownership of certain directories and > set the permissions such that only the user has access. For even an > administrator to look at these files, the admin has to take ownership and > set appropriate permissions (unless I missed something somewhere). This, of > course, throws a spanner in the works. Any suggestions? > > -- > Frank De Hert > System/Security Manager > NATO Programming Centre. > > ,'~``. \|/ ,'``~. (-o=o-) (@ @) ,(-o=o-), +--.oooO--(_)--Ooo-----oOO-(_)-OOo-------oooO--(_)--Oooo.------+ | | | Soon, we may all be staring at our computers, wondering | | whether they're staring back. | | | | [Network Admin For WPA Business Products. aka doshai >;-) ] | | .oooO http://pip.com.au/~doshai/ Oooo. | | ( ) Oooo. .oooO ( ) | +-----\ (----( )-------oooO-Oooo--------( )--- ) /---------+ \_) ) / \ ( (_/ (_/ \_) Key fingerprint = 2D F4 54 BB B4 EA F1 E7 B6 DE 48 92 FC 8D FF 49 Send a message with the subject "send pgp-key" for a copy of my key.
(if I want to give it to you)

From firewalls-owner Wed Oct 2 17:41:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA20768 for firewalls-outgoing; Wed, 2 Oct 1996 17:13:16 -0700 (PDT) Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA20730 for ; Wed, 2 Oct 1996 17:12:57 -0700 (PDT) Received: from anubis.network.com by nsco.network.com (4.1/1.34) id AA06965; Wed, 2 Oct 96 19:19:16 CDT Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) id AA13639; Wed, 2 Oct 96 19:12:04 CDT Date: Wed, 2 Oct 96 19:12:04 CDT From: amolitor@anubis.network.com (Andrew Molitor) Message-Id: <9610030012.AA13639@anubis.network.com> To: firewalls@greatcircle.com Subject: apologies - Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have been justly chastised for advertising NSC's audit products, in the guise of informing on this list. I apologise to all! In an attempt to atone, I will also urge all wanting a network audit to contact TIS. My feeble brain seems to recall that they occasionally do that sort of thing under at least some circumstances, and I deeply respect those TIS people I have any opinion on. As far as I know, NSC and TIS have no formal relationships at all.
Andrew Molitor

From firewalls-owner Wed Oct 2 17:56:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA23306 for firewalls-outgoing; Wed, 2 Oct 1996 17:29:59 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA23232 for ; Wed, 2 Oct 1996 17:29:32 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id RAA22783; Wed, 2 Oct 1996 17:13:36 -0700 Received: from gw.garrison.com(205.241.58.147) by mycroft via smap (V1.3mjr) id sma022778; Wed Oct 2 17:12:56 1996 Received: by garrison.com; id NAA07672; Tue, 1 Oct 1996 13:30:27 -0500 Received: from unknown(10.0.0.2) by gw.garrison.com via smap (V3.1.1) id xma007613; Tue, 1 Oct 96 13:30:01 -0500 Received: by ukn0.garrison.com. (4.1/Nutered Mailer) id AA03411; Wed, 2 Oct 96 19:07:30 CDT Date: Wed, 2 Oct 96 19:07:30 CDT From: jeromie@garrison.com (Hmm) Message-Id: <9610030007.AA03411@ukn0.garrison.com.> To: bdboyle@erenj.com, barbara@us.checkpoint.com Subject: Re: Gauntlet vs. Sidewinder Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Bryan - > You're right - it's not an unbiased opinion. But after 25 years in > the business, first as a programmer, and then as a consultant > specializing in multi-protocol, multi-vendor, multi-application > environments & security, and having worked for numerous firewall > vendors, I can pick my own jobs and name my own price. And I'm here > at Checkpoint. Think about it... > -Barb > P.S. Note the free SYNDefender upgrade on our web site > (http://www.checkpoint.com). Know anyone else who has one? > > > Bryan D. Boyle wrote: > > > > Barbara W. Jaarsma wrote: > > > > > > Bouchard, Alexis, 2Lt,SAM/GNCP wrote: > > > > > > > > I have to choose between Gauntlet and Sidewinder as a Firewall solution. > > > > > > Personally, I'd go with FireWall-1...
:-) > > > -Barb > > > > Not an unbiased opinion, from your return address. I would be interested in hearing how checkpoint is securing their customers from SMTP based attacks! From what I have seen, they simply pass it through to a mail machine... If that mail machine happens to be running Sendmail 4.1, the attacker can blow holes right through the perimeter....? Jeromie Jackson Garrison Technologies jeromie@garrison.com Keep the flames burning.

From firewalls-owner Wed Oct 2 18:11:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA20687 for firewalls-outgoing; Wed, 2 Oct 1996 17:12:31 -0700 (PDT) Received: from kyoko.mpx.com.au (new-kyoko.mpx.com.au [203.2.75.38]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA20613 for ; Wed, 2 Oct 1996 17:12:03 -0700 (PDT) From: craigw@mac.ce.com.au Received: from enterprise.ce.com.au(really [203.23.60.2]) by kyoko.mpx.com.au via sendmail with esmtp id for ; Thu, 3 Oct 96 10:08:07 +1000 (EST) (/\##/\ Smail3.1.30.13 #30.8 built 5-oct-95) Received: from mac.ce.com.au by enterprise.ce.com.au with smtp (Smail3.1.30.13 #1) id m0v8bNu-001Tf3C; Thu, 3 Oct 96 10:11:26 +1000 (EST) Received: from craig.ce.com.au by mac.ce.com.au (8.6.13/200.8.1.3) id KAA26474; Thu, 3 Oct 1996 10:09:12 +1000 Message-Id: <199610030009.KAA26474@mac.ce.com.au> Comments: Authenticated sender is To: muzo Date: Thu, 3 Oct 1996 10:10:31 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: RE: NT Security CC: "To: \"'Firewalls'\"" X-mailer: Pegasus Mail for Win32 (v2.42a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This is why there is the requirement that there is no removable boot device (floppy, cd, hard drive or chip) > You can directly edit NTFS disk sectors from WITHIN NT! not on a properly secured system with the correct user rights.
To be able to read sectors off of a partition you need certain rights which your regular users shouldn't have. > You can also boot to DOS > and using the NTFS4DOS driver read any file regardless of > encryption. ,'~``. \|/ ,'``~. (-o=o-) (@ @) ,(-o=o-), +--.oooO--(_)--Ooo-----oOO-(_)-OOo-------oooO--(_)--Oooo.------+ | | | Soon, we may all be staring at our computers, wondering | | whether they're staring back. | | | | [Network Admin For WPA Business Products. aka doshai >;-) ] | | .oooO http://pip.com.au/~doshai/ Oooo. | | ( ) Oooo. .oooO ( ) | +-----\ (----( )-------oooO-Oooo--------( )--- ) /---------+ \_) ) / \ ( (_/ (_/ \_) Key fingerprint = 2D F4 54 BB B4 EA F1 E7 B6 DE 48 92 FC 8D FF 49 Send a message with the subject "send pgp-key" for a copy of my key. (if I want to give it to you)

From firewalls-owner Wed Oct 2 18:11:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA23160 for firewalls-outgoing; Wed, 2 Oct 1996 17:29:01 -0700 (PDT) Received: from main.geminisecure.com ([205.179.16.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA23146 for ; Wed, 2 Oct 1996 17:28:50 -0700 (PDT) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id RAA26545; Wed, 2 Oct 1996 17:31:20 -0700 Date: Wed, 2 Oct 1996 17:31:19 -0700 (PDT) From: Leonard Miyata To: "Davidson, Clyde" cc: Firewalls Subject: RE: NT Security In-Reply-To: <199610022210.RAA03967@yeager.nmh.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

That's right. If you want the Networking C2 requirements you have to look at the "Red Book" (TNI) which supplements the "Orange Book" for Network functionality. (The TNI also defines A1, B3, B2, B1 networking requirements as well) P.S. While checking the Orange Book, check the qualifications necessary to do a C2 evaluation. I bet that the majority of readers of this forum would qualify.
And if you personally can't find a security bug in an O.S. in two-three weeks, does this mean the O.S. is secure??? Personal Opinions provided by Leonard Miyata Gemini Computers Inc.

On Wed, 2 Oct 1996, Davidson, Clyde wrote: > > > > Don't forget that the "Orange Book" that defines C2 is not for any > networked system. It defines government security requirements for > stand-alone systems. That means that any UNIX system that is networked > would lose whatever C2 certification that it might have, just like NT. > > Also remember that C2 is Discretionary Access Control. That means that > "The discretionary access control mechanism shall, either by explicit > user action or by default, provide that objects are protected from > unauthorized access. These access controls shall be capable of including > or excluding access to the granularity of a single user." The Orange > Book. It looks to me that NT and any C2 UNIX both do this just fine. Of > course, being discretionary means that NT and UNIX can be configured > without any security at all. That is the requirement. If you want > Mandatory Access Control you will have to make your system B1, B2, B3, or > A1 level of security. However, you still can't network it. > > Then again, none of this discusses whether these are even worthwhile for > commercial businesses.
> > Clyde Davidson > > ---------- >

From firewalls-owner Wed Oct 2 18:41:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA28582 for firewalls-outgoing; Wed, 2 Oct 1996 18:03:52 -0700 (PDT) Received: from ns.rc.toronto.on.ca ([142.77.249.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA28537 for ; Wed, 2 Oct 1996 18:03:37 -0700 (PDT) Received: by ns.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBB0A5.015DFD90@ns.rc.toronto.on.ca>; Wed, 2 Oct 1996 21:02:22 -0400 Message-ID: From: Russ To: "'Keith McCammon'" Cc: "'Firewalls'" Subject: RE: NT Security Date: Wed, 2 Oct 1996 21:02:20 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Excuse me, but NT does NOT have excellent auditing/security. Internet >hackers are just starting to wade into NT, and the more I talk to them >the more gaping holes I find. Would you mind substantiating this claim a little. I mean, anyone can make this statement, but without some references to actual possible attacks, it's hardly useful on the Firewalls list is it? I do this stuff for a living, and am very familiar with many past problems, some that have been addressed and some that have not. However, in all that, I'm unfamiliar with any GAPING HOLES in NT's security which cannot be rectified with the tools included in a basic NT Server package. That doesn't mean it prevents spoofing or session hijacking, but I don't consider its inability to deal with these things out of the box as GAPING HOLES. A GAPING HOLE would be your ability to connect to a secured network share without an appropriate user ID/password, or your ability to read/modify the contents of SAM hive of the registry. Got a hack for something like that? >What???
NTFS is not encrypted! NTFS is not a secure file system! You can >directly edit NTFS disk sectors from WITHIN NT! You can also boot to DOS >and using the NTFS4DOS driver read any file regardless of encryption. You >can also reinstall NT and Take Ownership of entire volumes! And if you >physically transfer the hard disk to another NT box you can also take >ownership, negating all file security! O.k., I give, where is there a disk sector editor that works on NTFS from WITHIN NT! I assume, by your emphasis on this supposed tool, that it bypasses NTFS security and can be run by a non-Administrator user ID. If, on the other hand, you are referring to the DIR command, or the TYPE command, used by the Administrator user who has permissions in the directory, and on the file in question, then obviously this is by no means news. As for the NTFS4DOS program(s), DOS and Linux versions exist, neither of these programs have any decryption capabilities (re: your statement "regardless of encryption"). As you pointed out already, NTFS is not encrypted. Both the DOS and Linux versions are simple sector editors which can understand the NTFS sector layouts. Whoop-ti-do! Sure, if you thought NTFS provided encryption or security when NT WASN'T running, then it's news. Neither of these are "hacks" of NT, and neither should pose a threat to any "properly secured" NT box that has data that is meant to be confidential. I'm sure our friends at .MIL already know how to secure the hard disks of their boxes on the classified network (they've told me that over and over again during the first publication of the NTFS reader many, many months ago). Cheers, Russ "any sufficiently advanced technology is indistinguishable from magic"...Arthur C.
Clarke >

From firewalls-owner Wed Oct 2 18:48:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA28744 for firewalls-outgoing; Wed, 2 Oct 1996 18:05:10 -0700 (PDT) Received: from garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA28722 for ; Wed, 2 Oct 1996 18:04:55 -0700 (PDT) Received: by garrison.com; id OAA14594; Tue, 1 Oct 1996 14:22:27 -0500 Received: from unknown(10.0.0.2) by gw.garrison.com via smap (V3.1.1) id xma014590; Tue, 1 Oct 96 14:22:24 -0500 Received: by ukn0.garrison.com. (4.1/Nutered Mailer) id AA03436; Wed, 2 Oct 96 20:00:04 CDT Date: Wed, 2 Oct 96 20:00:04 CDT From: jeromie@garrison.com (Hmm) Message-Id: <9610030100.AA03436@ukn0.garrison.com.> To: firewalls@greatcircle.com, camille@blakeley.com Subject: Re: Opinions/Experiences re: Sidewinder? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> >Greetings, all... > > > >Am evaluating high-end firewall implementations currently on the market > >for deployment in large, complex WAN environments. > > > >Secure Computing's Sidewinder seems to be what I'm after, but if there are > >any "gotchas", with their package, I'd sure like to know about them. > > > > I have messed around with Sidewinder. The network I was on had an old > version of TIS Toolkit running on an even older DEC station. It wasn't > perfect, but it did get done what I needed. I was running a 2500 node > campus network. > > Anyway, the old DEC station finally pooped out and someone lent us a Secure > Computing Sidewinder to use until we got a new firewall in. I must have > spent an entire week configuring it, ugh. I then spent another two months > babysitting the little beastie. > This I would definitely agree with.. They are VERY specific in the hardware requirements, and without buying the box directly from them, it is very hard to get all the pieces right.
(even in the new 3.0) > My impression is,for a small network (100 nodes or less, one server, > etc...) with very standard requirements for the internet > (www,telnet,ftp,gopher, and maybe news), and little or no administration or > expertise, this is the thing for you. > > However, for a large, diverse network that has some non standard > requirements, for internet connections, a dynamic configuration, and a very > busy mail system, this is your nightmare. > > My access list, for reasons I won't go into here, was very large, and the > Sidewinder just couldn't handle the size or dynamic nature of my access > requirements. > > I had several applications that needed access to the outside world that > were using ports not already listed. The process for making customized > proxies was long, problematic, and cryptic. I cannot speak of earlier versions than 2.2, but 2.2 & 3.0 appear to be quite easy in order to add generic proxies. I was able to do so in a matter of 15 minutes my first time, following the manual's instructions. By the way, the manual for Sidewinder is much better than the documentation I have seen elsewhere, including Gauntlet. Have you found a good paper on custom configuration of the netperm-table!?!?@#? > > There were times when either one proxy or the whole set of them just > stopped working; their processes were still running, but they were > rejecting connections, stating that the connection on the other end wasn't > available (it was). Nothing short of rebooting the system could fix this. > > Its interface was kludgy, inflexible, and buggy. However, I believe this > was due mainly to the fact I was stressing the system far beyond what it > was expected to do. > > I also didn't like the fact that you could use it for a web server, > anonymous ftp server, etc.. as well as a firewall. This made for some > problems when configuring, and I believe is just generally insecure. You > really want to use a separate system for public access, I think.
> Here I would definitely have to agree with you. Regardless of the security mechanisms in place, I do not feel safe running any server on the firewall. > Despite the above info, I don't really think Sidewinder is a bad system, it > just wasn't able to handle my large, rather complicated network. > > >Additionally, if there's a f/w out there other than Sidewinder that > >happens to have a special place in your heart (or in your WAN :-), I'd be > >grateful if you would share your opinions and experiences. > > I much prefer any UNIX flavor you may like and Firewall-1. I've messed > with several, and this is the one I enjoy working with most. > Jeromie Jackson Garrison Technologies jeromie@garrison.com

From firewalls-owner Wed Oct 2 19:15:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA03705 for firewalls-outgoing; Wed, 2 Oct 1996 18:32:27 -0700 (PDT) Received: from ns.rc.toronto.on.ca ([142.77.249.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA03652 for ; Wed, 2 Oct 1996 18:32:13 -0700 (PDT) Received: by ns.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBB0A8.F888F4A0@ns.rc.toronto.on.ca>; Wed, 2 Oct 1996 21:30:45 -0400 Message-ID: From: Russ To: "'Firewalls@GreatCircle.COM'" , "'g6amsib@1ADTFREAR.1AD.ARMY.MIL'" Subject: RE: NT Security Date: Wed, 2 Oct 1996 21:30:43 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>However, we have run into speed bumps with individuals processing >classified information on unclassified PC's According to what I've been told, those hard disks should be brought into your classified network right away.
Whether NT does or does not prevent retrieval of data fragments from deleted or reused disk space is supposedly irrelevant to .mil security. If classified data has ever been on a drive, the drive stays in a machine on the classified network or becomes a spare for a machine on the classified network. Shortage of resources does not equal throwing your security policies and practices out with the bath water. >and virus problems, mostly those that affect the boot sector. Converting >from WFW 3.11 and WIN 95 to NT Workstation with no FAT partitions, strictly >NTFS partitions seems to be the optimal solution. Removing the floppy drives is the optimal solution. An NTFS boot partition will prevent the boot sector viruses. >We do not have the budget nor training to install expensive firewalls at >the Division level. We think less, but more robust machines running NT >workstation on both the class and unclass LAN/WAN's, would offer what we >require in terms of processing power and NT's excellent auditing/security. Ah, life on the road. If the boss says "get it done", you do it, right? I may be wrong here, but last I heard NT was not acceptable on the class net, I would strongly suggest you check that out. >While I have yet to see someone hack an NTFS partition with permissions and >other holes plugged up (watched a couple of DISA's best guys try), the >security goons still have conniption fits about placing classified data on an >unclassified NTFS partition. The "goons" are having conniptions more about putting classified data on an unclassified machine than they are about putting class stuff on NTFS. If it's unclass, the physical security is different bud, so are access controls, management, auditing, (need I go on?). Putting class data "out in the wilds" is unacceptable regardless of what you put on the drive in terms of an OS. If the machine is deemed a class machine, it's a different animal.
NTFS, or some file encryption mechanism you might get your hands on, employed on a UNCLASSIFIED machine, will never meet the specs for classified data storage. 'Cause it ain't just about how the data is stored on the drive or how the OS lets you get access to it. Security isn't a thing you stick on a box or load into memory, its a whole range of things from the lock on the door leading into the area to the size of the ventilation ducting venting the air out the other end, oh, and by the way, there's some software and hardware stuff somewhere in between. >Any word on when NT will be network certified?? For CLASSIFIED data? I don't think that MS is going to provide you with what you need. Even C2 Red Book certification ain't going to satisfy your goons. Look to Global Internet's TNT product (www.gi.net), or Nortel's Entrust products. >We are also starting to use Iomega's Zip drive to store/archive/use large >amounts of data. Merely attempting to find a solution that meets our needs, >both from a function, security, and fiscal perspective. Out of curiosity, what's your plan for securing the Zip drive cartridges? Cheers, Russ "any sufficiently advanced technology is indistinguishable from magic"...Arthur C.
Clarke >

From firewalls-owner Wed Oct 2 20:11:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA15877 for firewalls-outgoing; Wed, 2 Oct 1996 20:07:54 -0700 (PDT) Received: from pathway1.pathcom.com (pathway1.pathcom.com [204.191.122.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA15864 for ; Wed, 2 Oct 1996 20:07:48 -0700 (PDT) Received: from nnavarro.pathcom.com (ts4l4.pathcom.com [204.191.122.72]) by pathway1.pathcom.com (8.7.5/8.7.3) with SMTP id XAA27814 for ; Wed, 2 Oct 1996 23:07:25 -0400 (EDT) Message-ID: <32532BD6.67A3@pathcom.com> Date: Wed, 02 Oct 1996 22:58:30 -0400 From: Nestor & Christine Navarro X-Mailer: Mozilla 3.0 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: How does one set a rule in IBM's Internet Secure Network Gateway to allow Notes 4.1.4 replication? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am having trouble setting up IBM's firewall, the "Secure Network Gateway", to allow a machine in an internal network with Lotus Notes 4.1.4 to replicate (or even at the moment to talk) to an external machine over the Internet. All I know is to open up PORT 1352. Part of my problem as well is my internal network also has unregistered IP addresses. So how do I handle Name Address Translation? If anyone can be of any help, I would gladly appreciate it. Thank you. Chris.
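An added example, not part of Chris's message and not IBM Secure Network Gateway syntax: a small Python model of the two things the question asks for, a screening rule that permits TCP 1352 only between the internal Notes server and its one replication partner, and a source-NAT table so that the unregistered internal address never appears on the Internet and only replies to connections the inside opened are let back in. The addresses (10.1.2.3 for the internal Notes server, 192.0.2.1 for the firewall's registered address, 198.51.100.7 for the external partner, 203.0.113.9 as an unrelated host) and the rule format are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses for the example (not from the original post).
INTERNAL_NOTES = "10.1.2.3"      # Notes server on the unregistered internal net
FIREWALL_EXT = "192.0.2.1"       # firewall's registered, routable address
PARTNER_NOTES = "198.51.100.7"   # external replication partner
NOTES_PORT = 1352                # Lotus Notes RPC / replication port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True   # True = new connection attempt, False = reply traffic


@dataclass
class Rule:
    src: str           # exact address or "any"
    dst: str
    dport: int
    action: str        # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport == p.dport)


class NatFirewall:
    """First-match screening filter with outbound source NAT and reply matching."""

    def __init__(self, rules: List[Rule], ext_addr: str):
        self.rules = rules
        self.ext_addr = ext_addr
        self.next_port = 40000
        # translated source port -> (internal src, internal sport, remote dst, remote dport)
        self.nat: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Internal -> external: apply the rules, then rewrite the source if permitted."""
        for r in self.rules:
            if r.matches(p):
                if r.action == "deny":
                    return None
                tport = self.next_port
                self.next_port += 1
                self.nat[tport] = (p.src, p.sport, p.dst, p.dport)
                return Packet(self.ext_addr, tport, p.dst, p.dport, p.syn)
        return None  # no rule matched: default deny

    def inbound(self, p: Packet) -> Optional[Packet]:
        """External -> internal: only replies to an existing NAT entry are passed in."""
        entry = self.nat.get(p.dport)
        if p.syn or entry is None or p.dst != self.ext_addr:
            return None
        isrc, isport, rdst, rdport = entry
        if (p.src, p.sport) != (rdst, rdport):
            return None  # reply from a host the inside never talked to
        return Packet(p.src, p.sport, isrc, isport, syn=False)


def build_firewall() -> NatFirewall:
    rules = [
        Rule(INTERNAL_NOTES, PARTNER_NOTES, NOTES_PORT, "permit"),  # the one partner only
        Rule("any", "any", NOTES_PORT, "deny"),                     # 1352 to anyone else
    ]
    return NatFirewall(rules, FIREWALL_EXT)


def replication_round_trip() -> Tuple[Optional[Packet], Optional[Packet]]:
    """Inside opens 1352 to the partner; the partner's reply is translated back."""
    fw = build_firewall()
    out = fw.outbound(Packet(INTERNAL_NOTES, 1025, PARTNER_NOTES, NOTES_PORT))
    reply = None
    if out is not None:
        reply = fw.inbound(Packet(PARTNER_NOTES, NOTES_PORT, out.src, out.sport, syn=False))
    return out, reply


def unsolicited_inbound_is_dropped() -> bool:
    """The partner trying to open a connection to the firewall on 1352 gets nothing."""
    fw = build_firewall()
    return fw.inbound(Packet(PARTNER_NOTES, 2000, FIREWALL_EXT, NOTES_PORT, syn=True)) is None


def other_peer_is_denied() -> bool:
    """The internal server may not replicate with an arbitrary Internet host."""
    fw = build_firewall()
    return fw.outbound(Packet(INTERNAL_NOTES, 1026, "203.0.113.9", NOTES_PORT)) is None
```

The model covers replication that the internal server initiates. If the external partner also has to initiate (Notes connection documents can be scheduled on either side), a static inbound translation for the partner's address to the internal server plus a matching inbound rule is needed, which is a larger exposure and worth putting on a host in a screened subnet rather than on the internal net.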
From firewalls-owner Wed Oct 2 20:26:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA16127 for firewalls-outgoing; Wed, 2 Oct 1996 20:14:40 -0700 (PDT) Received: from smtp2.interramp.com (smtp2.interramp.com [38.8.200.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA16120 for ; Wed, 2 Oct 1996 20:14:32 -0700 (PDT) Received: from davidh.interramp.com by smtp2.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp) id XAA17439; Wed, 2 Oct 1996 23:13:51 -0400 Message-ID: <32533C06.2CBE@checkpoint.com> Date: Wed, 02 Oct 1996 23:07:34 -0500 From: David Helms Organization: CheckPoint Software Technologies X-Mailer: Mozilla 2.02Gold (Win95; I) MIME-Version: 1.0 To: jeromie@garrison.com CC: firewalls@GreatCircle.COM Subject: Re: Gauntlet vs. Sidewinder References: <9610030007.AA03411@ukn0.garrison.com.> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Jeromie wrote, >(Many leading emails deleted) > > I would be interested in hearing how checkpoint is securing their > customers from SMTP based attacks! From what I have seen, they simply pass it > through to a mail machine... If that mail machine happens to be running > Sendmail 4.1, the attacker can blow holes right through the perimeter....? > > Jeromie Jackson > Garrison Technologies > jeromie@garrison.com > > Keep the flames burning. Jeromie, It's the firewall's responsibility to control access and pass protocols securely. If the customer has a server that they are going to allow public access to, we recommend that they isolate that server in a DMZ. This could be a mail server or a web server, or whatever. Here's how it works: [External Net]----[Firewall]----[Internal Net] | | [DMZ Net] The key here is that you can limit access to specific DMZ servers to specific services.
You can log connection attempts to specific DMZ servers and most important, you only allow connections to DMZ servers, not connections from DMZ servers. You never allow connections originating from outside the internal network to enter into the internal network. That way, even if a DMZ server gets hacked, it can't be used as a launching point to attack the good stuff, the internal network. Have a great day, David Helms a launching platform into the secure network. -- __________________________________ David Helms Senior Technical Consultant CheckPoint Software Technologies ph 703.684.4824 fx 703.684.4847 davidh@checkpoint.com __________________________________

From firewalls-owner Wed Oct 2 20:56:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA15780 for firewalls-outgoing; Wed, 2 Oct 1996 20:05:18 -0700 (PDT) Received: from dosgod.mi.org (dosgod.mi.org [205.149.142.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA15773 for ; Wed, 2 Oct 1996 20:05:08 -0700 (PDT) Received: (from root@localhost) by dosgod.mi.org (8.7.4/8.7.3) id XAA16541; Wed, 2 Oct 1996 23:04:30 -0400 Date: Wed, 2 Oct 1996 23:04:29 -0400 (EDT) From: Eric Kimminau To: Tony.Bakker@ecmwf.int cc: Mikael Kuisma , sdadmin@jabberwocky.bbnplanet.com, Firewalls@greatcircle.com Subject: Re: Gauntlet 3.1 on SGI IRIX and SecurID In-Reply-To: <9610021404.ZM29469@barant> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Since Gauntlet 3.1 is ONLY for IRIX 5.3, I'm assuming that you are NOT trying to use multiple netmasks on this system, that is, the netmask for all interfaces in this system is netmask 0xfffffc00 - I also see a GLARING problem in your network configuration, in that the broadcast address for this interface doesn't match the IP address assigned to it, ie: for an IP address of 136.156.112.128 with a netmask 0xfffffc00 the broadcast address SHOULD be
136.156.112.255 NOT 136.156.115.255. I'd start there. Good luck. Eric.

On Wed, 2 Oct 1996, Tony Bakker wrote: > Date: Wed, 2 Oct 1996 14:04:42 +0100 > From: Tony Bakker > To: Mikael Kuisma > Cc: sdadmin@jabberwocky.bbnplanet.com, Firewalls@greatcircle.com > Subject: Re: Gauntlet 3.1 on SGI IRIX and SecurID > > [To unsubscribe, mail to majordomo@jabberwocky.bbnplanet.com] > On Oct 2, 10:40, Mikael Kuisma wrote: > > Subject: Re: Gauntlet 3.1 on SGI IRIX and SecurID > > Tony Bakker wrote: > > > In the netperm-table I have got the line: > > > > > > authsrv: securidhost isis > > > > isis should be the name/address of the inside > > interface on the Gauntlet, i.e. the host > > that acts as the securid client. It should > > not be the name of the ACE server. > > > > Done that, but it still does not work! > > # grep secur /usr/gauntlet/config/netperm-table > authsrv: securidhost 136.156.112.128 > > # ifconfig ec0 > ec0: flags=c63 > inet 136.156.112.128 netmask 0xfffffc00 broadcast 136.156.115.255 > > authsrv[24258]: ACM Error: Unable to locate ACE/Server host > ; error Error 0 > > > Tony > ======================================================================== Eric Kimminau eric@kimminau.org "I speak my mind and no one else's." "I am the downhill tumble and roll champ, king of the toad finders, captain of the high altitude tree branch vista club, second place finisher in the round the yard backward dash, premier burper state division, sodbuster and worm scout first order, and generalissimo of the mud and mayhem society." Calvin, 1995 Baroque (adj.): when you run out of Monet. In dog years, I'm dead.
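An added check that is not part of Eric's or Tony's messages: a few lines of Python that derive the network, broadcast address and prefix length from an address and a hex netmask in the form IRIX ifconfig prints it, so that the numbers quoted above can be verified rather than argued about. Fed the values from Tony's ifconfig line (136.156.112.128, netmask 0xfffffc00, i.e. 255.255.252.0) it returns a /22 whose broadcast is 136.156.115.255, which matches the quoted ifconfig output; 136.156.112.255 would only be the broadcast under a /24 mask (0xffffff00). The function names are this example's own.

```python
import ipaddress
from typing import Tuple


def netmask_from_hex(hexmask: str) -> str:
    """Convert a BSD/IRIX-style hex netmask such as 0xfffffc00 to dotted quad."""
    return str(ipaddress.IPv4Address(int(hexmask, 16)))


def addressing(ip: str, hexmask: str) -> Tuple[str, str, int]:
    """Return (network address, broadcast address, prefix length) for an interface."""
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask_from_hex(hexmask)}")
    net = iface.network
    return str(net.network_address), str(net.broadcast_address), net.prefixlen


def broadcast_is_consistent(ip: str, hexmask: str, configured_broadcast: str) -> bool:
    """True when the broadcast address configured on the interface is the one the mask implies."""
    return addressing(ip, hexmask)[1] == configured_broadcast


if __name__ == "__main__":
    # Values taken from the ifconfig ec0 line quoted in the thread above.
    ip, mask, bcast = "136.156.112.128", "0xfffffc00", "136.156.115.255"
    print(netmask_from_hex(mask), addressing(ip, mask), broadcast_is_consistent(ip, mask, bcast))
```

The same routine is a cheap sanity check to run over every interface of a multi-homed firewall before chasing an application-level error such as the authsrv/ACE lookup failure quoted here, since a wrong mask or broadcast on the inside interface produces exactly the kind of "cannot locate host" symptom that looks like a proxy configuration problem.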
From firewalls-owner Wed Oct 2 21:11:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA17312 for firewalls-outgoing; Wed, 2 Oct 1996 20:31:36 -0700 (PDT) Received: from garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA17303 for ; Wed, 2 Oct 1996 20:31:28 -0700 (PDT) Received: by garrison.com; id QAA03524; Tue, 1 Oct 1996 16:48:57 -0500 Received: from unknown(10.0.0.2) by gw.garrison.com via smap (V3.1.1) id xma003481; Tue, 1 Oct 96 16:48:38 -0500 Received: by ukn0.garrison.com. (4.1/Nutered Mailer) id AA03445; Wed, 2 Oct 96 22:26:17 CDT Date: Wed, 2 Oct 96 22:26:17 CDT From: jeromie@garrison.com (Hmm) Message-Id: <9610030326.AA03445@ukn0.garrison.com.> To: jeromie@garrison.com, david.helms@checkpoint.com Subject: Re: Gauntlet vs. Sidewinder Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Jeromie wrote, > > >(Many leading emails deleted) > > > > > I would be interested in hearing how checkpoint is securing their > > customers from SMTP based attacks! From what I have seen, they simply pass it > > through to a mail machine... If that mail machine happens to be running > > Sendmail 4.1, the attacker can blow holes right through the perimeter....? > > > > Jeromie Jackson > > Garrison Technologies > > jeromie@garrison.com > > > > Keep the flames burning. > > Jeromie, > > It's the firewall's responsibility to control access and pass protocols securely. > If the customer has a server that they are going to allow public access to, we > recommend that they isolate that server in a DMZ. This could be a mail server or > a web server, or whatever. > > Here's how it works: > > > [External Net]----[Firewall]----[Internal Net] > | > | > [DMZ Net] > > The key here is that you can limit access to specific DMZ servers to specific > services.
You can log connection attempts to specific DMZ servers and most > important, you only allow connections to DMZ servers, not connections from DMZ > servers. You never allow connections originating from outside the internal network > to enter into the internal network. That way, even if a DMZ server gets hacked, > it can't be used as a launching point to attack the good stuff, the internal network. > > Have a great day, > > David Helms > a launching platform into the secure network. > >

My point is this: 1) People generally have their SMTP server sitting somewhere within the "[Internal Net]". The firewall would say something like "We only allow connections to port 25 of the SMTP gateway". If the SMTP gateway is sitting inside, the perimeter is broken. 2) If the internet SMTP gateway sits on the DMZ, and the customer has several internal SMTP gateways that distribute all the mail, then again, the SMTP gateway on the DMZ would have access to send data to the inside SMTP hosts, thus providing information flow. If the internal SMTP gateways are vulnerable to attack (IE: version of sendmail that have problems, IE: ALL) then again, the perimeter is broken. If I am not seeing something here, please clarify it for us all.
Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Wed Oct 2 21:41:14 1996
From: "Nick D'Apice"
To: Skarban, firewalls@GreatCircle.COM
Date: Thu, 3 Oct 1996 00:31:39 +0000
Subject: Re: ifconfig

For SGI and BSDI, it's 'ifconfig xxx alias a.b.c.d netmask a.b.c.d broadcast a.b.c.d'.... where 'xxx' is the interface, which can be obtained from a 'netstat -in' and viewed with an 'ifconfig xxx'. The alias keyword basically replaces the inet keyword from the usual command parameters ...

> Date: Tue, 01 Oct 1996 06:10:55 +0100
> From: Skarban
> Organization: Nova Hut a.s.
> To: Firewall
> Subject: ifconfig
>
> Hi,
> I am building a virtual www server and I need to define multiple IP
> addresses over one physical interface of my SGI Challenge S (Irix
> 5.3). I am looking for the parameter of the ifconfig command of SGI IRIX 5.3.
> Hope for your kind response.
>
> M. Skarban NH a.s.
> Czech
> mskarban@novahut.cz
>

From firewalls-owner Wed Oct 2 21:56:02 1996
From: "Nick D'Apice"
To: "Bouchard, Alexis, 2Lt,SAM/GNCP", Firewalls@GreatCircle.COM
Date: Thu, 3 Oct 1996 00:31:39 +0000
Subject: Re: Gauntlet vs. Sidewinder

Ok, here's my two cents... you asked... I'm sure I'll ruffle somebody's feathers, but that's what we're here for...

I don't have first-hand experience with Sidewinder, but have used several variants of the application relay and circuit relay firewalls. (I strongly recommend the O'Reilly book, Building Internet Firewalls [or something like that, I think by Cheswick]... the best I've read, with practical implementation examples as well... Also Marcus Ranum's paper 'On Internet Firewalls', which pre-dates the book).

Anyway, I'm a big fan of the TIS Firewall Toolkit (fwtk), and like "rolling my own" because I have the source code and know exactly what the system is doing....
Thus, when I recommend a system to a customer, I usually go with the Gauntlet, as it is based on the fwtk and operates basically the same, but is commercially supported (so that when I'm done, the customer has support other than from just me; plus this doesn't violate the agreement for using the fwtk put forward by TIS, as it's their commercial variant). Anyway, there is nothing I haven't been able to accomplish with the Gauntlet/fwtk. Even though the Gauntlet/fwtk is said to only support TCP (exceptions are UDP relays like DNS, Real Audio, etc.) via application relays, I have found that via either the 'ipfs' for transparent filtering or via the UDPrelay, I can implement even those risky protocols that some customers require (I state the risks and they still insist.. usually until they can break a legacy application out and put it on a bastion host) in a manner 'as secure as it's going to get'... options that were only available in packet filters just a short while back. This area is changing daily, and there may be some new magic bullet out there with which I am unfamiliar (can only read and do so much in a 24-hour day)... so again this is my opinion alone, based on personal exposure.

Also, performance is terrific, reports are flexible, and basically it adheres to the philosophy of firewalls that I feel most comfortable with -- keep it as simple as possible, and security through obscurity is NOT the way to secure a facility... The other firewalls, such as FW-1, Raptor, etc. are really good products; it's just that I feel 'at home' with the TIS software due to the source availability.... no skeletons in the closet...

I'll now get off of my soap-box..... let the shooting gallery begin... and apologies to those products with which I am unfamiliar... no slander intended...

> From: "Bouchard, Alexis, 2Lt,SAM/GNCP"
> To: Firewall Discussion
> Subject: Gauntlet vs. Sidewinder
> Date: Tue, 01 Oct 96 09:34:00 PDT
>
>
> I have to choose between Gauntlet and Sidewinder as a Firewall solution.
> Both products meet my laundry list requirements. Both can do the job of
> securing my network, but which one is better? What I'm looking for
> is which one is better than the other as far as ease of use, overall
> security and support from the vendor. I have all the general vendor
> info, but I'm looking for strong technical reasons why I should go
> with one or the other.
>
> I'm a new kid on the block. This is my first Firewall experience.
> I haven't had the luxury of seeing many Firewalls in use, or being
> able to play and fiddle with them. I'm open to all input and all
> advice. I need to take advantage of someone else's experiences.
>
> Alexis Bouchard
>

From firewalls-owner Wed Oct 2 22:25:58 1996
From: "Nick D'Apice"
To: kenng@kpmg.com (Ken Ng), firewalls@GreatCircle.COM
Date: Thu, 3 Oct 1996 01:21:01 +0000
Subject: Re: Gauntlet FW in big environments.

The release notes from BSDI V2.1 indicate that a virtual memory 'leak' bug has been corrected. This could very well be your problem.
I'm running Gauntlet and the FWTK in multiple areas, and have found the software itself to be reliable... problems I've encountered are frequently with the hardware and/or O/S bugs, but those have been few and far between... Getting ready to upgrade to Gauntlet 3.2, which I hear has improved performance... so much for my very little and sketchy feedback....

> Date: Tue, 1 Oct 1996 11:28:35 -0400
> From: kenng@kpmg.com (Ken Ng)
> Subject: Gauntlet FW in big environments.
> To: firewalls@GreatCircle.COM
>
> Does anyone here have any experience with running Gauntlet
> Firewalls in a "large" environment? By large, I mean about 500
> ip sites a day, 1.2 gig of http traffic a day, 100 meg of
> email, and 200 meg of ftp traffic a day. I've got the TIS HP
> Vectra pc running BSD 2.0 with TIS 3.1. The machine has 48 meg
> of ram.
>
> The problem I'm having is that the machine typically either
> reboots itself or it crashes until I reboot it manually. I
> thought I fixed it by having it reboot from cron once a week in
> the early morning. But now it's starting to crash on day 6.
> Will more memory help this thing? Are other people having
> similar problems? What's everyone else using?
From firewalls-owner Wed Oct 2 22:56:06 1996
Date: Thu, 03 Oct 1996 00:39:12 -0500
From: Ted Stockwell
To: Camille Blakeley
Cc: "Firewalls@GreatCircle.COM"
Subject: Re: Opinions/Experiences re: Sidewinder?

> Date: Wednesday, 02-Oct-96 03:48 PM
> From: Camille Blakeley \ Internet: (camille@blakeley.com)
> To: Firewalls@GreatCircle.COM \ Internet: (firewalls@greatcircle.com)
>
> Subject: Re: Opinions/Experiences re: Sidewinder?
> ...
> My access list, for reasons I won't go into here, was very large, and the
> Sidewinder just couldn't handle the size or dynamic nature of my access
> requirements.

The access control list system and its user interface have been completely reworked for version 3.0. You should now find it much better at managing large lists of machines and users.

> I also didn't like the fact that you could use it for a web server, anonymous
> ftp server, etc.. as well as a firewall.
> This made for some problems when
> configuring, and I believe is just generally insecure. You really want to use
> a separate system for public access, I think.

Actually, the ability to host servers safely is one of the advantages of Sidewinder's secured OS. The general risk is that the server may be overrun and you can use that process to connect to the other side. This is not the case with Sidewinder. If you were able to overrun the Web server, for example, you would still have no access to the internal network. You would not even be able to vandalize the web pages. If the web server attempted to modify the pages, the attempts would be audited and alarms sent out (pager, mail, or SNMP traps).

Of course, you always have the option of turning off the servers and running them on a separate host. This is often advisable for high volume web sites where the web server would create too much of a load on the firewall.

(disclosure: yes, I work at SCC)

-- Ted Stockwell

From firewalls-owner Wed Oct 2 23:27:33 1996
From: Colin Campbell
To: firewalls@greatcircle.com
Date: Thu, 3 Oct 1996 16:14:25 +1000 (EST)
Subject: Financial transactions and firewalls.

Hi,

I recently spent several hours (yes hours!) on the phone discussing the relative merits of my "stupid firewall philosophy" with a gentleman representing a company implementing secure financial services on the Internet. His service, if I understood correctly, was based on (something like?) SWIFT, which has been in use in Europe for 15-20 years by many large financial institutions and therefore was not going to be changed quickly, if at all.

My firewall was stupid (based on fwtk) because it put proxies in between my inside hosts and external servers. Furthermore, any firewall that did any sort of network address translation or proxying was brain-dead. (My interpretation of his statements.) Why? Because his software passed an identifying "ticket" with every packet. This ticket comprised an encrypted date+time, the IP address of the client machine and some other stuff. When the server saw a packet from a host whose IP address did not match that in the ticket, alarm bells would sound and the fraud squad would be on the doorstep within minutes.

When I suggested to him that 80% (just guessing, so be nice to me) of the firewalls outside of the financial world use NAT and/or proxies he scoffed at the prospect, suggesting that people using such stupid technologies were going to miss out on the upcoming revolution about to hit the Internet with secure financial transactions that would not work through such firewalls. He also mentioned the "new Microsoft software" several times (anyone know which?).

Does anyone have any comments on this guy's philosophy, or mine for that matter?
I would especially like to hear from anyone who's been following the development of secure financial transactions (SET comes to mind, right track?) and how these systems are expected to operate through "stupid firewalls" like mine.

Colin

From firewalls-owner Thu Oct 3 00:26:14 1996
From: gamble@dxcoms.cern.ch
To: firewalls@GreatCircle.COM
Cc: "Bryan D. Boyle", gamble@dxcoms.cern.ch
Date: Thu, 03 Oct 96 09:18:16 +0200
Subject: Re: Gauntlet vs. Sidewinder

> Bryan -
> You're right - it's not an unbiased opinion. But after 25 years in
> the business, first as a programmer, and then as a consultant
> specializing in multi-protocol, multi-vendor, multi-application
> environments & security, and having worked for numerous firewall
> vendors, I can pick my own jobs and name my own price. And I'm here
> at Checkpoint. Think about it...
> -Barb

Ummm .... I guess you thought Checkpoint needed your help !!! or Checkpoint thought they needed your help 8-): (I never could work out how to do these smiley things ...).

Let's keep the discussion on technical pros and cons please. We (my organisation) are currently (like many others) trying to decide on the "best" firewall for our security policy ... so a set of plus/minus points on technical aspects would be very welcome.

John.

From firewalls-owner Thu Oct 3 01:26:34 1996
Date: Thu, 03 Oct 1996 11:17:07 +0400
From: Lawrence Beobachter
To: "Nick D'Apice"
Cc: firewalls@GreatCircle.COM
Subject: Re: ifconfig

The netmask a.b.c.d for the alias statement should be netmask 0xffffffff.
Correct me if I'm wrong.

Nick D'Apice wrote:
>
> for SGI and BSDI, it's 'ifconfig xxx alias a.b.c.d netmask a.b.c.d
> broadcast a.b.c.d'.... where 'xxx' is the interface, which can be
> obtained from a 'netstat -in' and viewed with an 'ifconfig xxx'.
> The alias keyword basically replaces the inet keyword from the usual
> command parameters ...
>

From firewalls-owner Thu Oct 3 02:11:54 1996
Date: Thu, 03 Oct 96 09:50:27 GMT
From: "Steve Betts"
To: firewalls@GreatCircle.COM, Colin Campbell
Subject: Re: Financial transactions and firewalls.

Colin Campbell asked:
> He also mentioned the "new Microsoft software" several times (anyone
> know which?).

I guess he is talking about Merchant Server (MS) or possibly Normandy (which includes MS). MS is based on the UNIX E-shop virtual shop/mall product. Details of the Microsoft software are under Beta NDA at the moment.
Normandy is a complete package for ISPs. I would be ^very^ surprised if firewalls and proxies will cause either of these products more than a configuration issue. Don't forget Microsoft have a proxy server of their own, code-named Catapult.

> Does anyone have any comments on this guy's philosophy,

With spoofing, DHCP and dial-up connections assigning different IP addresses to a PC on each visit, I would say that anyone who expects the IP address to even partially identify a user, particularly for a financial transaction, needs to have their head examined.

Regards.

NB Opinions are my own and may not be the same as my employer's
tel: +44 (0) 1 442 233 366
fax: +44 (0) 1 442 236 623

From firewalls-owner Thu Oct 3 04:55:59 1996
Date: Thu, 03 Oct 1996 07:47:17 -0400
From: "Bryan D. Boyle"
Organization: Exxon Research and Engineering Co.
To: "Mr. Jolt Cola"
Cc: firewalls@greatcircle.com
Subject: Re: SSL Browsers

Mr. Jolt Cola wrote:
>
> One thing to consider for browser choice in Intranet environments
> is the fact that Netscape allows you to add RSA keys from an unknown
> authority, whereas M$ Explorer just refuses to connect. Then again,
> the cost of your browsers may outweigh the cost of paying Verisign
> their 290$. We signed our own digital key and used Netscape for SSL
> but now clients are complaining that Explorer won't connect so we
> have requested a key from the Verisign CA. It's a racket. :P

It is a racket for the buzzwordy 'INTRAnet'; if the navigator tool is never going to access the outside directly, why can't I certify that my employee is my employee for the purposes of accessing inside information and authenticating their access through a corporate proxy?
Besides, correctly built, the outside world will never see a direct connect from the desktop, only a corporate 'funnel' device like a proxy, so, in this model, the only certification needed is that my *company* is who it says it is, and the user authentication is my responsibility. Of course, that means that whatever certificate authority is charging $$$ is only certifying one 'organism'. It also places the responsibility for authentication with the authority who, in a corporation, is charged with controlling access.

What Microsoft does or doesn't do, in this model, is irrelevant (at least to the outside world...), which allows you to choose the best tool for the job, regardless of the marketing propaganda.

--
Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
#include | http://www.access.digex.net/~bdboyle/index.html
"They that can give up liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, Historical Review of Pennsylvania

From firewalls-owner Thu Oct 3 05:11:33 1996
From: rabbi@www.valuu.net (Rabbi Haim Cassorla)
To: "'Arley Carter'", "Barbara W. Jaarsma"
Cc: "Bryan D. Boyle", "firewalls@GreatCircle.COM"
Date: Thu, 3 Oct 1996 08:03:27 -0400
Subject: RE: Gauntlet vs. Sidewinder

In human history, often it has been noted that a good offense is better than any other defense.

Put down the flame throwers. All of you network and/or security professionals and/or wannabes think that everybody else loses their personal integrity when they back their employer's product. I would worry lots more about the Sr. person in greatsquares.com who said that they would choose the product from greattriangles.com.

There is no such thing as an objective opinion. Each of us favors and/or despises what we know because we know it. Look at all the eunuchs out there who still flame M$ on general principle.

Shalom
Hag Sameach

From firewalls-owner Thu Oct 3 05:26:00 1996
From: Rick Romkey
To: jeromie@garrison.com (Hmm)
Cc: bdboyle@erenj.com, barbara@us.checkpoint.com, firewalls@GreatCircle.COM
Date: Thu, 3 Oct 1996 07:55:04 -0400 (EDT)
Subject: Re: Gauntlet vs. Sidewinder

>
> I would be interested in hearing how checkpoint is securing their
> customers from SMTP based attacks! From what I have seen, they simply pass it
> through to a mail machine... If that mail machine happens to be running
> Sendmail 4.1, the attacker can blow holes right through the perimeter....?
>

Part of the services offered by many of the resellers of firewalls include securing the operating system that a firewall runs on. This can include enabling the box with a store-and-forward mailer, removing funky services, putting Sendmail in a non-interactive mode, etc. That is why people should be careful with who they ultimately select to sell them firewall software. Quite some time ago I suggested the analogy that you wouldn't buy a car from a dealer that had no clue how to service the thing. The same should be true about firewalls (no... not that you shouldn't buy a firewall from a dealer that has no clue how to service cars... but you should buy a firewall from a vendor that you are confident can both help install and secure the machine and support the related infrastructure around it...).

I think it is terrific that CheckPoint has made a patch available to address the SYN attack problems. I don't think it makes it the best firewall out there, though it definitely is a feather in their cap.

Selecting a firewall comes down to a few basic things (in no particular order):

1) it must support the services that you need
2) it must be affordable
3) it must be secure
4) it has to make sense

I could talk to five different people in a day and, using these 4 points, we could decide on five different firewalls because of the criteria the people have. With all due respect to the list, I doubt you'll get a generic "which one is better" answer from here because no one's network and security needs are the same. You need to call some capable VARs for the products you are interested in and talk to them about how the products will solve the four points above.

There... now that I said it all, I guess everyone can unsubscribe from this list.... assuming anyone ever figures out how!
8^)

-Rick
----------------------------------------------------------------------------
Rick E Romkey        | A T L A N T I C                    | Internet
pokey@atlantic.com   | Computing Technology Corporation   | Specialists
(860) 667-9596       | http://www.atlantic.com/           |
----------------------------------------------------------------------------

From firewalls-owner Thu Oct 3 05:42:39 1996
From: "GOULDING CP"
Organization: University of Ulster
To: firewalls@greatcircle.com
Date: Thu, 3 Oct 1996 13:23:35 GMT
Subject: Firewalls and Java

Hi,

I'm looking for references to creating proxy servers using Java, or other such implementations of a firewall, again using Java.
Peter

From firewalls-owner Thu Oct 3 05:56:36 1996
From: "Adrian Gustavo Russo"
Date: Thu, 3 Oct 1996 09:29:53 -0700
To: firewalls@GreatCircle.COM
Subject: PIX (CISCO)

Hi,

Is the Cisco PIX Firewall with NAT a secure firewall for my intranet?
-- _\|/_ (o o) +---------------------oOO-(_)-OOo---------------------+ | | | Adrian Gustavo Russo | | ==================== | | Licenciado en Informatica - Analista de Sistemas | | | | Silicon Graphics Argentina | | e-mail: arusso@buenosaires.sgi.com | | tel: 54 1 311-6666 | | | | Universidad Nacional de La Plata Argentina | | e-mail: arusso@isis.unlp.edu.ar | | tel: 54 21 35-102 | | | +-----------------------------------------------------+ (_| |_) From firewalls-owner Thu Oct 3 06:29:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA12584 for firewalls-outgoing; Thu, 3 Oct 1996 06:20:54 -0700 (PDT) Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.71.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA12521; Thu, 3 Oct 1996 06:20:42 -0700 (PDT) Message-Id: <199610031320.GAA12521@miles.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA010648608; Thu, 3 Oct 1996 09:16:48 -0400 Date: Thu, 3 Oct 1996 09:16:48 -0400 From: gary flynn To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, keithm@asymetrix.com Subject: RE: NT Security Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: muzo > > > You can also boot to DOS > > and using the NTFS4DOS driver read any file regardless of encryption. > > Is there any PC OS which can prevent you from booting to DOS and doing the > same ? Is there any OS of any kind that prevents disk access if you have physical access to the computer? Of course not! 
From firewalls-owner Thu Oct 3 06:41:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA11156 for firewalls-outgoing; Thu, 3 Oct 1996 06:10:01 -0700 (PDT)
Received: from ns.coy.com ([206.224.78.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA11149 for ; Thu, 3 Oct 1996 06:09:53 -0700 (PDT)
Received: (from coy@localhost) by ns.coy.com (8.7.4/8.7.3) id IAA19150; Thu, 3 Oct 1996 08:09:20 -0500
Date: Thu, 3 Oct 1996 08:09:19 -0500 (CDT)
From: Chip Coy
To: firewalls@GreatCircle.COM
Subject: Re: Information Seeking
In-Reply-To: <199610011850.LAA00292@abraham.cs.berkeley.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 1 Oct 1996, John Anonymous MacDonald wrote:

> Can anyone on this list recommend a reputable and professional group that
> can perform security (both network and host; Internet related) audits at a
> medium sized company located in the United States?

Take a look at IBM, http://www.ibm.com/Security/consult.htm. I work for
them. We do both hosts and networks. As far as reputation/professionalism,
we have a number of past clients who will recommend us.
Chip Coy
coy@coy.com, coy@austin.ibm.com

From firewalls-owner Thu Oct 3 06:42:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA07958 for firewalls-outgoing; Thu, 3 Oct 1996 05:46:37 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA07885 for ; Thu, 3 Oct 1996 05:46:15 -0700 (PDT)
Received: from explorer2.clark.net (proberts@explorer2.clark.net [168.143.0.5]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id IAA10670; Thu, 3 Oct 1996 08:45:47 -0400 (EDT)
Received: from localhost (proberts@localhost) by explorer2.clark.net (8.7.1/8.7.1) with SMTP id IAA19368; Thu, 3 Oct 1996 08:45:46 -0400 (EDT)
X-Authentication-Warning: explorer2.clark.net: proberts owned process doing -bs
Date: Thu, 3 Oct 1996 08:45:46 -0400 (EDT)
From: "Paul D. Robertson"
X-Sender: proberts@explorer2
To: Colin Campbell
cc: firewalls@GreatCircle.COM
Subject: Re: Financial transactions and firewalls.
In-Reply-To: <199610030614.QAA02697@guru.citec.qld.gov.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 3 Oct 1996, Colin Campbell wrote:

> Why? Because his software passed an identifying "ticket" with every
> packet. This ticket comprised an encrypted date+time, the IP address of
> the client machine and some other stuff. When the server saw a packet
> from a host whose IP address did not match that in the ticket, alarm
> bells would sound and the fraud squad would be on the door step within
> minutes.

I've seen several schemes like this before. I tend to tell them the same
sort of thing, and point out that I can pretty much guarantee that I have
about 30-50,000 people who won't be using their software myself, and don't
feel like I'll be alone.

> Does anyone have any comments on this guy's philosophy, or mine for that
> matter? I would especially like to hear from anyone who's been following
> the development of secure financial transactions (SET comes to mind,
> right track?) and how these systems are expected to operate through
> "stupid firewalls" like mine.

I tend to point them towards what Progressive has learned, since the whole
TCP enabled implementation of Real Audio, and the proxy code was, in my
mind, a large education to them in terms of what they were going to have to
do to co-exist with the firewall community.

There's not a great deal of utility to securing the transaction if one or
both of the endpoints is wide open.

I'll be talking fairly seriously with a few of the transaction folks as a
follow-up to a conference I attended, and their ability to deal with
proxies will be a recurring theme. I won't be wasting hours on the ones
who don't get it right off the bat though.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Thu Oct 3 06:56:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA11671 for firewalls-outgoing; Thu, 3 Oct 1996 06:12:47 -0700 (PDT)
Received: from smtp2.interramp.com (smtp2.interramp.com [38.8.200.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA11522 for ; Thu, 3 Oct 1996 06:12:07 -0700 (PDT)
Received: from davidh.interramp.com by smtp2.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp) id JAA21578; Thu, 3 Oct 1996 09:11:35 -0400
Message-ID: <3253C81B.5632@checkpoint.com>
Date: Thu, 03 Oct 1996 09:05:15 -0500
From: David Helms
Organization: CheckPoint Software Technologies
X-Mailer: Mozilla 2.02Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: [Fwd: Re: Gauntlet vs. Sidewinder]
Content-Type: multipart/mixed; boundary="------------71B4112927A"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.

--------------71B4112927A
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Michael,

Exactly right. It can be a pop server. This would mean that the pop
session is initiated from inside the network, not from the DMZ. You would
not necessarily have to put it on a separate DMZ machine. It could be on
the firewall, but I generally recommend to my customers to keep services
off the firewall.

David

--
__________________________________
David Helms
Senior Technical Consultant
CheckPoint Software Technologies
ph 703.684.4824
fx 703.684.4847
davidh@checkpoint.com
__________________________________

--------------71B4112927A
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Return-Path:
Received: from cale.checkpoint.com by us.checkpoint.com (5.x/SMI-SVR4) id AA27433; Thu, 3 Oct 1996 00:15:04 -0700
Received: from master.the-link.com (master.the-link.com [204.221.32.253]) by cale.checkpoint.com (8.7.5/8.7.1) with ESMTP id KAA08466 for ; Thu, 3 Oct 1996 10:11:49 +0200 (IST)
Received: from bambino.continentalmills.com ([204.221.32.15]) by master.the-link.com (8.7.4/8.6.9) with ESMTP id CAA24510 for ; Thu, 3 Oct 1996 02:12:01 -0500 (CDT)
Message-Id: <199610030712.CAA24510@master.the-link.com>
From: "Michael Endrizzi"
To: "David Helms"
Subject: Re: Gauntlet vs. Sidewinder
Date: Thu, 3 Oct 1996 02:10:59 -0500
X-Msmail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=ISO-8859-1
X-Mozilla-Status: 0011

If the DMZ can't send mail to the internal network, then it had better be
a pop server.

In addition, if I buy a FW-1, does that mean I have to buy another machine
and configure it myself just to "secure" email?
----------
> From: David Helms
> To: jeromie@garrison.com
> Cc: firewalls@GreatCircle.COM
> Subject: Re: Gauntlet vs. Sidewinder
> Date: Wednesday, October 02, 1996 11:07 PM
>
> Jeromie wrote,
>
> >(Many leading emails deleted)
> >
> >
> > I would be interested in hearing how checkpoint is securing their
> > customers from SMTP based attacks! From what I have seen, they simply pass it
> > through to a mail machine... If that mail machine happens to be running
> > Sendmail 4.1, the attacker can blow holes right through the perimeter....?
> >
> > Jeromie Jackson
> > Garrison Technologies
> > jeromie@garrison.com
> >
> > Keep the flames burning.
>
> Jeromie,
>
> It's the firewall's responsibility to control access and pass protocols securely.
> If the customer has a server that they are going to allow public access to, we
> recommend that they isolate that server in a DMZ. This could be a mail server or
> a web server, or whatever.
>
> Here's how it works:
>
>
> [External Net]----[Firewall]----[Internal Net]
>                        |
>                        |
>                    [DMZ Net]
>
> The key here is that you can limit access to specific DMZ servers to specific
> services. You can log connection attempts to specific DMZ servers and most
> important, you only allow connections to DMZ servers, not connections from DMZ
> servers. You never allow connections originating from outside the internal network
> to enter into the internal network. That way, even if a DMZ server gets hacked,
> it can't be used as a launching point to attack the good stuff, the internal network.
>
> Have a great day,
>
> David Helms
> a launching platform into the secure network.
>
>
>
>
> --
> __________________________________
> David Helms
> Senior Technical Consultant
> CheckPoint Software Technologies
> ph 703.684.4824
> fx 703.684.4847
> davidh@checkpoint.com
> __________________________________

--------------71B4112927A--

From firewalls-owner Thu Oct 3 07:32:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19280 for firewalls-outgoing; Thu, 3 Oct 1996 07:17:45 -0700 (PDT)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA19270 for ; Thu, 3 Oct 1996 07:17:37 -0700 (PDT)
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id KAA05016; Thu, 3 Oct 1996 10:17:03 -0400 (EDT) sender long-morrow@CS.YALE.EDU for
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id KAA15954; Thu, 3 Oct 1996 10:17:00 -0400 (EDT)
Date: Thu, 3 Oct 1996 10:17:00 -0400 (EDT)
Message-Id: <199610031417.KAA15954@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, sgcccdc@citec.qld.gov.au
Subject: Re: Financial transactions and firewalls.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From: Colin Campbell
>through such firewalls. He also mentioned the "new Microsoft software"
>several times (anyone know which?).

Regarding financial transactions and open standards involving the Internet,
two products come to mind:

1. Microsoft Merchant System is an Internet retail commerce solution
currently in beta designed to make it easy to set up electronic storefronts
and clear credit card transactions. Microsoft says in a press release
( http://www.microsoft.com/corpinfo/press/1996/aug96/VERIFOPR.htm ) that
they will be incorporating VeriFone's virtual point-of-sale (vPOS) software
for the first general availability release scheduled for 4th quarter 1996.
Not clear is whether SET (the Mastercard/VISA Secure Electronic Transaction
protocol) will be implemented in that release or a later release of MS
Merchant System.

2. Microsoft Open Financial Connectivity (OFC) -- not really a product per
se, but a spec, a vision and a number of software products incorporating
OFC, including some Web based tools for open Internet banking and an OFC
(as well as Visa Interactive ADMS 2.0 online banking spec and Intuit)
compatible client -- MS Money '97.

I'd presume if the guy was talking about SET he was probably talking about
#1 above.

On the other hand the guy could have been talking about Microsoft Catapult
(currently in beta) proxy services, which (though the documentation never
mentions the word 'firewall') provides a 'caching proxy' enhancement to the
IIS server as well as the RWS ( Remote Windows Sockets ) Winsock 1.1
remoting proxy service. I suspect that the Microsoft Proxy Server
(codenamed 'Catapult') will be added to the 'Back Office' package offerings
at the end of this year, based on questions in one of those marketing phone
surveys I received. It may be that some e-commerce or financial transaction
software for the Internet may be on the BackOffice schedule as well, though
I have no firm info on this.
- Morrow

From firewalls-owner Thu Oct 3 07:41:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA21092 for firewalls-outgoing; Thu, 3 Oct 1996 07:37:36 -0700 (PDT)
Received: from peapod.be ([194.105.102.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA21065 for ; Thu, 3 Oct 1996 07:37:27 -0700 (PDT)
From: koen@peapod.be
Received: by gateway.peapod.be id <19585>; Thu, 3 Oct 1996 16:35:35 -0100
Date: Thu, 3 Oct 1996 12:34:21 -0100
X-Mailer: Mozilla 2.02 (WinNT; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: overrunning things
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <96Oct3.163535gmt-0100.19585@gateway.peapod.be>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

When reading through some of the stuff here and elsewhere I often find the
terms "overrun buffers" and "overrun servers". Would somebody be so kind to
try and explain this to me (what, how, ...?) or give me a URL, book title,
... where I can find some reading material. I do know in general what it
means; it's the tech stuff that I'm interested in...

thanks
Koen :-)

From firewalls-owner Thu Oct 3 08:12:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25132 for firewalls-outgoing; Thu, 3 Oct 1996 08:08:16 -0700 (PDT)
Received: from sprite (sprite.acsacs.com [206.16.240.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA25124 for ; Thu, 3 Oct 1996 08:08:09 -0700 (PDT)
Date: Thu, 3 Oct 1996 08:07:43 -0700 (PDT)
From: "Daniel J Blander - Sr. Systems Engineer for ACS"
X-Sender: phaedrus@ferrari
To: David Helms
cc: firewalls@greatcircle.com
Subject: Re: Gauntlet vs. Sidewinder
In-Reply-To: <32533C06.2CBE@checkpoint.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would agree strongly with David here - I would never allow SMTP services
(proven the most buggy and difficult to secure) on any highly secure
firewall. It's the most uncontrollable and most difficult to monitor
service (it's miserable wading through hundreds of legitimate connections
via SMTP to look for VRFY, EXPN, DEBUG, etc. commands...and break-in
attempts). A DMZ / bastion host system is the best solution for this.

On Wed, 2 Oct 1996, David Helms wrote:

> Date: Wed, 02 Oct 1996 23:07:34 -0500
> From: David Helms
> To: jeromie@garrison.com
> Cc: firewalls@GreatCircle.COM
> Subject: Re: Gauntlet vs. Sidewinder
>
> Jeromie wrote,
>
> >(Many leading emails deleted)
> >
> >
> > I would be interested in hearing how checkpoint is securing their
> > customers from SMTP based attacks! From what I have seen, they simply pass it
> > through to a mail machine... If that mail machine happens to be running
> > Sendmail 4.1, the attacker can blow holes right through the perimeter....?
> >
> > Jeromie Jackson
> > Garrison Technologies
> > jeromie@garrison.com
> >
> > Keep the flames burning.
>
> Jeromie,
>
> It's the firewall's responsibility to control access and pass protocols securely.
> If the customer has a server that they are going to allow public access to, we
> recommend that they isolate that server in a DMZ. This could be a mail server or
> a web server, or whatever.
>
> Here's how it works:
>
>
> [External Net]----[Firewall]----[Internal Net]
>                        |
>                        |
>                    [DMZ Net]
>
> The key here is that you can limit access to specific DMZ servers to specific
> services. You can log connection attempts to specific DMZ servers and most
> important, you only allow connections to DMZ servers, not connections from DMZ
> servers. You never allow connections originating from outside the internal network
> to enter into the internal network. That way, even if a DMZ server gets hacked,
> it can't be used as a launching point to attack the good stuff, the internal network.
>
> Have a great day,
>
> David Helms
> a launching platform into the secure network.
>
>
>
>
> --
> __________________________________
> David Helms
> Senior Technical Consultant
> CheckPoint Software Technologies
> ph 703.684.4824
> fx 703.684.4847
> davidh@checkpoint.com
> __________________________________
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Blander  =8^)
Sr. Systems Engineer
Applied Computer Solutions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Phone: (714) 842.7800    Fax: (714) 842.8299
Email: Daniel.Blander@acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Official Applied Computer Solutions Home Page
and Tech Tip of the Week: http://www.acsacs.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Thu Oct 3 08:41:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA26774 for firewalls-outgoing; Thu, 3 Oct 1996 08:24:10 -0700 (PDT)
Received: from loki.asymetrix.com (loki.asymetrix.com [192.147.176.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA26723 for ; Thu, 3 Oct 1996 08:23:53 -0700 (PDT)
Received: from mailgate.asymetrix.com (mailgate.asymetrix.com [192.220.170.13]) by loki.asymetrix.com (8.7.3/8.7.1) with SMTP id IAA01696 for ; Thu, 3 Oct 1996 08:09:00 -0700 (PDT)
Received: by mailgate.asymetrix.com with Microsoft Mail id <3253DAE5@mailgate.asymetrix.com>; Thu, 03 Oct 96 08:25:25 PDT
From: Keith McCammon
To: "'Firewalls'"
Subject: RE: NT Security
Date: Thu, 03 Oct 96 08:30:00 PDT
Message-ID: <3253DAE5@mailgate.asymetrix.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just to add to the below, Microsoft also doesn't seem to take
certification and security seriously. See
http://www.microsoft.com/kb/bussys/winnt/q93362.htm. I quote: "Microsoft
has opted not to include certain components of NT in the evaluation
process, not because they would not pass the evaluation, but to save time
by reducing the load on the NSA." Additionally, "Networking on NT may not
have to go through the "Red Book," or "Trusted Network Interpretation." It
may be enough to consider networking to be another subsystem, and
therefore only the Orange Book would apply."

Microsoft is so confident in their security mechanisms that they believe
that in theory their object-checking system will work identically with
networked or local objects. However, it's foolish at best to assume this
is actually true, and my guess is that Microsoft wants to avoid the pain
of Red Book rejection or is unwilling to secure their NOS in order to meet
the independent standards. Having a NOS certifiable to me means there has
been at least a small amount of objective evaluation of the system, and
for Microsoft to opt not to undergo Red Book evaluation does not give me
confidence given their track record of dropping the ball on security
issues. The explanation that they want to save the load on the NSA is hard
to believe as well.

Keith McCammon
Asymetrix Corp
MIS Analyst
*Opinions Are My Own*

----------
NT will have Kerberos 5 authentication which is probably what you are
thinking of. But even though an O.S. may have strong internal security
mechanisms, that security mechanism never leaves the local machine. Once an
external connection is made into a machine, some service aliases what it
authenticated, to some valid internal user. Your internal O.S.
has process-to-process communications that can be snooped, your
client-to-server process

From firewalls-owner Thu Oct 3 09:01:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA29410 for firewalls-outgoing; Thu, 3 Oct 1996 08:44:40 -0700 (PDT)
Received: from kerby.cybersafe.com (kerby.cybersafe.com [192.156.168.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA29399 for ; Thu, 3 Oct 1996 08:44:29 -0700 (PDT)
Received: from odo.cybersafe.com (odo.cybersafe.com [192.156.168.102]) by kerby.cybersafe.com (8.7.6/8.7.3/8.7.5, dpg hack 30jul96) with SMTP id IAA19771 for ; Thu, 3 Oct 1996 08:43:59 -0700 (PDT)
Message-Id: <2.2.32.19961003154359.00769410@pop-srvr>
X-Sender: tonyp@pop-srvr
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 03 Oct 1996 08:43:59 -0700
To: firewalls@GreatCircle.COM
From: "Anthony R. Plastino III"
Subject: Re: Information Seeking
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:50 AM 10/1/96 -0700, John Anonymous MacDonald wrote:
>Hello:
>
>Can anyone on this list recommend a reputable and professional group that
>can perform security (both network and host; Internet related) audits at a
>medium sized company located in the United States?
>

surf to: http://www.cybersafe.com/Consulting/secassmt.htm

Anthony R. Plastino III - Systems Administrator
CyberSafe Corporation   - tony.plastino@CyberSafe.COM
1605 NW Sammamish Rd.   - http://www.cybersafe.com
Issaquah, WA 98027      -
=====================================================
Mine are _not_ the opinions of my employer.
From firewalls-owner Thu Oct 3 09:42:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04270 for firewalls-outgoing; Thu, 3 Oct 1996 09:28:17 -0700 (PDT)
Received: from newfed.FRB.GOV (newfed.frb.gov [198.3.221.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA04250 for ; Thu, 3 Oct 1996 09:28:08 -0700 (PDT)
Received: from FRB.GOV by newfed.FRB.GOV (4.1/SMI-4.0) id AA02758; Thu, 3 Oct 96 12:27:34 EDT
Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0) id AA08312; Thu, 3 Oct 96 12:11:37 EDT
Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1]) by kryten.frb.gov (8.6.12/8.6.12) with SMTP id MAA21504; Thu, 3 Oct 1996 12:10:29 -0400
Message-Id: <199610031610.MAA21504@kryten.frb.gov>
X-Authentication-Warning: kryten.frb.gov: Host localhost.frb.gov didn't use HELO protocol
X-Mailer: exmh version 1.6.5 12/11/95
To: Matthew Thompson
Cc: "'Firewalls'" , "'Keith McCammon'"
Subject: Re: NT Security
In-Reply-To: Your message of "Fri, 04 Oct 1996 08:37:41 +1200." <96Oct3.091712nzst.35717@kotuku.manukau.govt.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 03 Oct 1996 12:10:29 -0400
From: "Jonathan M. Bresler"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>What??? NTFS is not encrypted! NTFS is not a secure file system! You can
>>directly edit NTFS disk sectors from WITHIN NT! You can also boot to DOS
>>and using the NTFS4DOS driver read any file regardless of encryption. You
>>can also reinstall NT and Take Ownership of entire volumes! And if you
>>physically transfer the hard disk to another NT box you can also take
>>ownership, negating all file security!
>
>The same attacks apply to Unix and Netware. What do you recommend people do
>to extend/replace these 3 operating systems to solve this problem?

CFS: cryptographic file system available from Matt Blaze of either AT&T or
Lucent (for Unix, if you run either NT or Netware......)
jmb

From firewalls-owner Thu Oct 3 09:56:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA06634 for firewalls-outgoing; Thu, 3 Oct 1996 09:46:05 -0700 (PDT)
Received: from arioch.tky.hut.fi (arioch.tky.hut.fi [130.233.34.126]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA06599 for ; Thu, 3 Oct 1996 09:45:55 -0700 (PDT)
Received: (from pvirkkul@localhost) by arioch.tky.hut.fi (8.8.0/8.8.0) id SAA01610; Thu, 3 Oct 1996 18:45:25 +0200
Date: Thu, 3 Oct 1996 18:45:25 +0200
Message-Id: <199610031645.SAA01610@arioch.tky.hut.fi>
From: Petri Virkkula
To: firewalls@GreatCircle.COM
Subject: RE: NT Security
In-Reply-To: <199610021833.UAA09340@news.be.innet.net>
References: <199610021833.UAA09340@news.be.innet.net>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 02 Oct 1996 20:44:45 -0100, fdehert@innet.be (Frank J.J. De Hert) said:

Frank> This is true if the user hasn't taken ownership of certain
Frank> directories and set the permissions such that only the user has
Frank> access. For even an administrator to look at these files, the
Frank> admin has to take ownership and set appropriate permissions
Frank> (unless I missed something somewhere).

I think Backup rights are enough, no need to change ownership etc.
Petri

From firewalls-owner Thu Oct 3 10:13:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA05786 for firewalls-outgoing; Thu, 3 Oct 1996 09:39:55 -0700 (PDT)
Received: from arioch.tky.hut.fi (arioch.tky.hut.fi [130.233.34.126]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA05779 for ; Thu, 3 Oct 1996 09:39:49 -0700 (PDT)
Received: (from pvirkkul@localhost) by arioch.tky.hut.fi (8.8.0/8.8.0) id SAA01603; Thu, 3 Oct 1996 18:39:19 +0200
Date: Thu, 3 Oct 1996 18:39:19 +0200
Message-Id: <199610031639.SAA01603@arioch.tky.hut.fi>
From: Petri Virkkula
To: firewalls@GreatCircle.COM
Subject: RE: NT Security
In-Reply-To: <199610031320.GAA12521@miles.greatcircle.com>
References: <199610031320.GAA12521@miles.greatcircle.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 3 Oct 1996 09:16:48 -0400, gary flynn said:

>> From: muzo
>>
>> > You can also boot to DOS
>> > and using the NTFS4DOS driver read any file regardless of encryption.
>>
>> Is there any PC OS which can prevent you from booting to DOS and doing the
>> same ?

gary> Is there any OS of any kind that prevents disk access if you have
gary> physical access to the computer? Of course not!

That depends on the definition of computer. If you count smart cards as
computers, the "filesystem" is still secure even if you have physical
access to the card.
Petri

From firewalls-owner Thu Oct 3 10:27:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA10472 for firewalls-outgoing; Thu, 3 Oct 1996 10:22:40 -0700 (PDT)
Received: from ns.gbnet.net (ns.gbnet.net [194.70.126.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA10409 for ; Thu, 3 Oct 1996 10:22:23 -0700 (PDT)
Received: (from jrg@localhost) by ns.gbnet.net (8.7.5/8.7.3) id SAA18106; Thu, 3 Oct 1996 18:18:28 +0100 (BST)
Date: Thu, 3 Oct 1996 18:18:28 +0100 (BST)
From: James R Grinter
Message-Id: <199610031718.SAA18106@ns.gbnet.net>
X-Subliminal: H is for Hypertext
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: "Nick D'Apice" , Skarban , firewalls@GreatCircle.COM
Subject: Re: ifconfig
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu 3 Oct, 1996, "Nick D'Apice" wrote:
>for SGI and BSDI, it's 'ifconfig xxx alias a.b.c.d netmask a.b.c.d'

The original poster asks about IRIX 5.3. That only supports aliases if you
apply a patch. The poster is in .cz so probably won't be able to download
it from the SGI web server, but he could try looking for it anyway (look
in the webforce areas).

IRIX 6.2 adds support in the release operating system, and improves
performance, but often results in crashing the OS because of some pointer
errors when deleting them. C'est la vie.

>> Date: Tue, 01 Oct 1996 06:10:55 +0100
>> From: Skarban
>> I am building a virtual www server and I need to define multiple IP
>> addresses over one physical interface of my SGI Challenge - S (Irix
>> 5.3). I am looking for the parameter of the ifconfig command of SGI IRIX 5.3

James.
From firewalls-owner Thu Oct 3 10:27:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04869 for firewalls-outgoing; Thu, 3 Oct 1996 09:31:41 -0700 (PDT)
Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA04662 for ; Thu, 3 Oct 1996 09:31:02 -0700 (PDT)
Received: from bradley.us.checkpoint (johnc-pc) by us.checkpoint.com (5.x/SMI-SVR4) id AA17153; Thu, 3 Oct 1996 09:31:54 -0700
Message-Id: <3253EA49.46E4@us.checkpoint.com>
Date: Thu, 03 Oct 1996 09:31:05 -0700
From: Bradley Brown
Reply-To: bradley@us.checkpoint.com
Organization: CheckPoint Software Technologies, Inc.
X-Mailer: Mozilla 3.0b7 (Win95; I)
Mime-Version: 1.0
To: Firewalls@GreatCircle.COM, pat@tandem.com
Subject: Re: Firewalls-Digest V5 #549
References: <199610030328.UAA17091@miles.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Pat wrote:
>Date: Wed, 2 Oct 1996 15:28:07 -0700
>From: pat@tandem.com
>Subject: RE: SYN Flood defenses, Firewall-1
>>"Barbara W. Jaarsma" wrote:
>>>P.S. Note the free SYNDefender upgrade on our web site
>>>(http://www.checkpoint.com). Know anyone else who has one?
>>
>How does this protect the firewall-1 host itself (if at all)?? -pat

The SYN Flooding Attack takes advantage of inadequate queue lengths in the
host OS, i.e., using less than 10% of the available bandwidth on a T1
connection to the Internet a host can be flooded. The SYNDefender software
is integrated with the Check Point INSPECT Engine, which intercepts all
packets before they are passed off to the host system's OS. The FireWall-1
host OS will never see the invalid SYN packets. Since SYNDefender is a
kernel-level process which is handling the connection attempts, it operates
very fast and without context switching.
As with normal connections handled by INSPECT, thousands of invalid
connection attempts can be intermediated simultaneously without placing an
undue burden on the host's CPU.

-----------------------------------------------------------------------
Bradley Brown                       Email: bradley@us.checkpoint.com
CheckPoint Software Technologies    Phone: (415) 562-0400 x225
"Global Secure Connectivity"        Fax:   (415) 562-0410

From firewalls-owner Thu Oct 3 10:42:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA11331 for firewalls-outgoing; Thu, 3 Oct 1996 10:28:43 -0700 (PDT)
Received: from garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA11287; Thu, 3 Oct 1996 10:28:22 -0700 (PDT)
Received: by garrison.com; id GAA21805; Wed, 2 Oct 1996 06:45:29 -0500
Received: from unknown(10.0.0.2) by gw.garrison.com via smap (V3.1.1) id xma021749; Wed, 2 Oct 96 06:45:05 -0500
Received: by ukn0.garrison.com. (4.1/Nutered Mailer) id AA03486; Thu, 3 Oct 96 12:23:03 CDT
Date: Thu, 3 Oct 96 12:23:03 CDT
From: jeromie@garrison.com (Hmm)
Message-Id: <9610031723.AA03486@ukn0.garrison.com.>
To: firewalls-owner@GreatCircle.COM, jeromie@garrison.com, david.helms@checkpoint.com, joav.kohn@us.landisstaefa.com
Subject: Re: Gauntlet vs. Sidewinder
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > 1) People generally have their SMTP server sitting somewhere within
> > the "[Internal Net]". The firewall would say something like "We only allow
> > connections to port 25 of the SMTP gateway". If the SMTP gateway is sitting
> > inside, the perimeter is broken.
> >
>
> The proper way to set this up is to have the firewall itself accept mail with
> smapd and sendmail v8.6 and then re-route that mail to the internal servers.
> The internal servers are never vulnerable to an attack because the outside
> world cannot talk directly to them.
> Agreed, that is what I was explaining to checkpoint.
>
> > 2) If the internet SMTP gateway sits on the DMZ, and the customer
> > has several internal SMTP gateways that distribute all the mail, then again,
> > the SMTP gateway on the DMZ would have access to send data to the inside SMTP
> > hosts, thus providing information flow. If the internal SMTP gateways are
> > vulnerable to attack (IE: version of sendmail that have problems, IE: ALL) then
> > again, the perimeter is broken.
> >
> The best way to secure things is to assume nothing is secure on your internal
> network. Reduce your points of failure on the DMZ, and trust nothing. If you
> make sure that your DMZ versions of sendmail are secure and they talk to your
> internal servers, no direct communication ever takes place from the external
> network to the internal network.

"If you make sure that your DMZ versions of sendmail are secure.."

History has proven, sendmail & security do not belong in the same sentence. 8-)

Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Thu Oct 3 11:16:41 1996
Date: Thu, 03 Oct 1996 07:06:32 -0500 (CDT)
From: Joav Kohn
Subject: Re: Gauntlet vs. Sidewinder
In-reply-to: <9610030326.AA03445@ukn0.garrison.com>
To: firewalls-owner, jeromie, "david.helms"
Cc: firewalls
Message-id: <2432060703101996/A00383/PFMSV1/11AA19C61F00*@MHS.us.landisgyr.com>

> 1) People generally have their SMTP server sitting somewhere within
> the "[Internal Net]". The firewall would say something like "We only allow
> connections to port 25 of the SMTP gateway". If the SMTP gateway is sitting
> inside, the perimeter is broken.
>

The proper way to set this up is to have the firewall itself accept mail with smapd and sendmail v8.6 and then re-route that mail to the internal servers. The internal servers are never vulnerable to an attack because the outside world cannot talk directly to them.

> 2) If the internet SMTP gateway sits on the DMZ, and the customer
> has several internal SMTP gateways that distribute all the mail, then again,
> the SMTP gateway on the DMZ would have access to send data to the inside SMTP
> hosts, thus providing information flow. If the internal SMTP gateways are
> vulnerable to attack (IE: version of sendmail that have problems, IE: ALL) then
> again, the perimeter is broken.
>

The best way to secure things is to assume nothing is secure on your internal network. Reduce your points of failure on the DMZ, and trust nothing.
If you make sure that your DMZ versions of sendmail are secure and they talk to your internal servers, no direct communication ever takes place from the external network to the internal network.

-joav

From firewalls-owner Thu Oct 3 11:22:04 1996
Date: Thu, 3 Oct 1996 11:02:17 -0700 (PDT)
From: Leonard Miyata
To: firewalls@greatcircle.com
Subject: SYN solution?

Hi

Has anyone looked at the syn flood attack solution posted by BSDI (www.bsdi.com) that they're providing source code for???

Leonard Miyata aka leonard@geminisecure.com
Gemini Computers Inc.
From firewalls-owner Thu Oct 3 11:41:19 1996
Date: Thu, 03 Oct 1996 12:58:38 -0500
From: Chris Townend
Organization: Texas Department of Transportation
To: Firewalls@GreatCircle.COM
CC: mail.e-tex.com
Subject: Re: Firewalls-Digest V5 #550
Message-ID: <3253FECE.C05@e-tex.com>
References: <199610030800.BAA16858@miles.greatcircle.com>

My network currently utilizes NASI dial-out capabilities through a NetWare Connect 2.0 server. Dial-out clients are using Win3.11 with Netscape 1.22. These clients do not have a TCP/IP stack on the network card, only IPX. Can anyone tell me how vulnerable my network is to access from other Internet hosts, and how to protect it? Any advice would be greatly appreciated!
From firewalls-owner Thu Oct 3 12:39:05 1996
Date: Thu, 03 Oct 96 18:27:00 BST
From: "Bettich,K,NAT22,BETTICK M"
To: Firewalls Newsgroup
Subject: Dynamic Address allocation
Message-ID: <32540420@msmsmtp1.comnet.bt.co.uk>

Hello

My knowledge of firewalls is very limited, but I am considering an Intranet design whereby a firewall would translate private IP addresses into a registered address. Can a firewall map several private addresses to a single public address at the same time? If so, what's the maximum number of concurrent sessions handled typically? The purpose is to keep the number of registered IP addresses as low as possible without impacting too much on the network performance from an Intranet user's point of view when he/she tries to access the outside WWW.
Thanks very much

Karim

From firewalls-owner Thu Oct 3 13:23:08 1996
Date: Thu, 3 Oct 1996 14:55:43 -0500 (CDT)
From: alan@mindvision.com (Alan Hannan)
Reply-To: alan@mindvision.com (Alan Hannan)
To: BETTICK@boat.bt.com (Bettich K NAT22 BETTICK M)
Cc: Firewalls@GreatCircle.COM
Subject: Re: Dynamic Address allocation
In-Reply-To: <32540420@msmsmtp1.comnet.bt.co.uk> from "Bettich,K,NAT22,BETTICK M" at Oct 3, 96 06:27:00 pm
Message-Id: <199610031955.OAA00859@anka.mindvision.com>

Hello,

> My knowledge of firewalls is very limited but I am considering an Intranet
> design whereby a firewall would translate private IP addresses into a
> registered address.

This is a fairly standard design, typically known as a transparent proxy/application gateway firewall.

> Can a firewall map several private addresses to a single
> public address at the same time.

Yes. The majority (??) of commercial firewalls do just that, mapping large amounts of address space (/16|Class Bs and larger) to just _one_ IP address visible to the world.

> If so, what's the maximum number of
> concurrent sessions handled typically?

I don't know that there is a technical design limit, I suppose there could be, but practically, it is limited only by the firewall software and platform hardware's ability to build and maintain the connections/throughput.
> The purpose is to keep the number of registered IP addresses as low as
> possible without impacting too much on the network performance from an
> Intranet user's point of view when he/she tries to access the outside WWW.

This should do the trick. Gauntlet, Centri, Raptor, others come to mind as commercial solutions...

-alan

From firewalls-owner Thu Oct 3 13:27:00 1996
Date: Thu, 3 Oct 1996 15:20:07 -0400
From: rabbi@www.valuu.net (Rabbi Haim Cassorla)
To: "'Chris Townend'", "Firewalls@GreatCircle.COM"
Cc: "mail.e-tex.com@GreatCircle.COM"
Subject: RE: Fireballs-Digest V5 #550
Message-ID: <01BBB13E.5D6AF540@fd.valuu.net>

The short answer is:

1. Very.
2. Unplug it.

----------
From: Chris Townend[SMTP:ctownend@e-tex.com]
Sent: Thursday, October 03, 1996 1:58 PM
To: Firewalls@GreatCircle.COM
Cc: mail.e-tex.com@GreatCircle.COM
Subject: Re: Firewalls-Digest V5 #550

My network currently utilizes NASI dial-out capabilities through a NetWare Connect 2.0 server. Dial-out clients are using Win3.11 with Netscape 1.22. These clients do not have a TCP/IP stack on the network card, only IPX. Can anyone tell me how vulnerable my network is to access from other Internet hosts, and how to protect it? Any advice would be greatly appreciated!
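Alan Hannan's reply to Karim above describes mapping a whole private address block to one public address and notes that the practical session limit comes from the firewall's ability to maintain connections. The following added example (not code from Gauntlet, Centri, Raptor or any other product named in the thread) shows the core of such a many-to-one translation table, where that limit appears concretely as port-space exhaustion; the public address, port range and idle timeout are made-up values.

```python
"""Minimal port-restricted NAPT table: many private hosts share one public
address, each flow getting its own public port. Added illustration only;
192.0.2.1, the port range and the idle timeout are constructed values."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_ip: str     # private (inside) address
    src_port: int
    dst_ip: str     # remote (outside) address
    dst_port: int


class Napt:
    def __init__(self, public_ip: str, port_lo: int = 1024, port_hi: int = 65535,
                 idle_timeout: float = 300.0) -> None:
        self.public_ip = public_ip
        self.port_lo, self.port_hi = port_lo, port_hi
        self.idle_timeout = idle_timeout
        self._out: Dict[Flow, int] = {}              # inside flow -> public port
        self._in: Dict[Tuple[str, int], Flow] = {}   # (proto, public port) -> flow
        self._last_seen: Dict[Flow, float] = {}
        self._next: Dict[str, int] = {}              # per-protocol allocation cursor

    def capacity(self) -> int:
        """Hard ceiling on concurrent flows per transport protocol: one public
        address has only this many ports to hand out."""
        return self.port_hi - self.port_lo + 1

    def active(self, proto: Optional[str] = None) -> int:
        return sum(1 for f in self._out if proto is None or f.proto == proto)

    def _alloc_port(self, proto: str) -> Optional[int]:
        # Walk the range once from the last cursor position and return the first
        # port not already present in the inbound table for this protocol.
        start = self._next.get(proto, self.port_lo)
        span = self.capacity()
        for i in range(span):
            port = self.port_lo + (start - self.port_lo + i) % span
            if (proto, port) not in self._in:
                self._next[proto] = self.port_lo + (port - self.port_lo + 1) % span
                return port
        return None  # every port in use: the practical session limit

    def translate_out(self, flow: Flow, now: float) -> Optional[Tuple[str, int]]:
        """Rewrite an outbound packet's source. Returns (public_ip, public_port),
        or None when the port space for the flow's protocol is exhausted."""
        port = self._out.get(flow)
        if port is None:
            port = self._alloc_port(flow.proto)
            if port is None:
                return None
            self._out[flow] = port
            self._in[(flow.proto, port)] = flow
        self._last_seen[flow] = now
        return self.public_ip, port

    def translate_in(self, proto: str, public_port: int, remote_ip: str,
                     remote_port: int, now: float) -> Optional[Tuple[str, int]]:
        """Map an inbound packet back to the inside host. Packets with no
        matching flow, or from a different remote than the inside host talked
        to, get None (dropped): unsolicited traffic never reaches the inside."""
        flow = self._in.get((proto, public_port))
        if flow is None or (flow.dst_ip, flow.dst_port) != (remote_ip, remote_port):
            return None
        self._last_seen[flow] = now
        return flow.src_ip, flow.src_port

    def expire(self, now: float) -> int:
        """Drop idle flows so their public ports can be reused; returns count."""
        stale = [f for f, t in self._last_seen.items() if now - t > self.idle_timeout]
        for f in stale:
            port = self._out.pop(f)
            del self._in[(f.proto, port)]
            del self._last_seen[f]
        return len(stale)


if __name__ == "__main__":
    nat = Napt("192.0.2.1", port_lo=40000, port_hi=40002)  # tiny range to show exhaustion
    for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8"):
        print(host, "->", nat.translate_out(Flow("tcp", host, 51000, "198.51.100.7", 80), 0.0))
    print("unsolicited inbound:", nat.translate_in("tcp", 40002, "203.0.113.9", 443, 1.0))
```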
From firewalls-owner Thu Oct 3 13:53:22 1996
Date: Thu, 03 Oct 1996 21:56:47 +0100
From: Marc Chatel
To: firewalls@greatcircle.com
Subject: Need volunteer FTP archive site to host new security software
Message-Id: <1.5.4.32.19961003205647.00698e6c@pop.dial.oleane.com>

Hello all,

I am looking for one or more anonymous FTP sites that would be interested in hosting a new security software kit called "S4". S4 stands for the "Secure System Setup Script". The kit is currently about 6.5 megabytes (and will probably grow), and it may be necessary to keep several versions archived over time if the kit proves popular.

The kit does not currently contain anything that would cause "export control" problems if hosted in the U.S., but this COULD change over time. Because of this (and if sites are interested, of course), the ideal setup may be for a non-U.S. master FTP site, with mirrors in the U.S. or elsewhere. Better suggestions from people more knowledgeable than me about the problem are welcome. :-)

Interested sites may contact me at mchatel@dial.oleane.com.
I will need to use a "simple" authentication method to update the FTP area, since I live in France and basically cannot use any serious crypto without a permit.

A bit more detail on S4 is included below for your reading pleasure...

Sincere Regards,

Marc Chatel
9, ave Jean Monnet
74940 ANNECY-LE-VIEUX
FRANCE
Private E-mail: mchatel@dial.oleane.com

----------- details on S4 (the Secure System Setup Script) -------------

S4 is best described as "a security glueware compromise". The goal of S4 is to minimize the time necessary to accomplish the following:

Move from
a) system with freshly installed base operating system with no config done yet
to
b) system with a maximum number of obvious security holes closed, ready to connect to an insecure network, and which offers some basic services that people need today: FTP/WWW/SMTP/POP. Most services offered (including the ones I just listed) run chrooted and non-privileged.

The current S4 is able to move a system from a) to b) in approx. 60 minutes. The installer spends most of that time pressing "Y", "N", and RETURN to accept default parameters and page through the output.

I guess it could be described as an "automatic system defense tool", as opposed to "automatic system scanning tools", which are more common...

Although it currently runs on only one platform (OSF/Digital Unix on Alpha), I believe people will find the tool interesting (even if it is just to pick some parts out of it). My goal in publishing S4 is to find volunteers that will find it useful enough to add functionality to it, and help me port it to other platforms (my experience is that testing a tool like this requires exclusive access to at least one machine of the type being tested, preferably two).

The actual S4 "kit" is composed at > 90% of software packages already published on the Internet and written by many people. All packages included are in source form (S4 compiles all packages during installation, that's why it takes an hour to run).
In some cases, I have made slight modifications to the packages (usually to improve drop privilege/chroot methods and to fix syslog issues introduced by chroot environments).

Packages currently included in the S4 kit (either as-is or modified) are:
-----------------------------------------------------------------------------
"aftpd", originally written by Marcus J. Ranum, based on Berkeley sources
"arpwatch" from the University of California, Lawrence Berkeley Laboratory
the Berkeley "db" package, from the University of California at Berkeley
"gzip", from the Free Software Foundation
"libpcap" from the University of California, Lawrence Berkeley Laboratory
the NCSA "httpd" web server, from the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign
PERL (version 5.003), from Larry Wall
"poppasswd", originally from Daniel L. Leavitt at MITRE (I believe)
"qpopper", a collective work currently hosted at QualComm
"sendmail", from the University of California at Berkeley
"spop", put in the public domain by the RAND Corporation
"tcpd", from Wietse Venema at the Eindhoven University of Technology
-----------------------------------------------------------------------------

The parts of S4 actually written by me are mostly installation shellscripts, and a few C programs here and there to handle specific issues.

***************************
LICENSING/COPYRIGHT ISSUES:
***************************

My primary goal is usefulness. To some extent, the S4 kit can be considered an "aggregation" of many software packages (the S4 shellscripts sit in their own directory and drive each package's installation script from outside). Each package included in the S4 kit remains on its own license/copyright terms. The top directory of the S4 kit includes a file called S4_LICENSE.txt that includes the basic license text from all of the parties involved (I think). Each kit included is in source and includes its own license text.
For the parts of S4 specifically written by me, I chose licensing terms as convenient as possible. The S4-specific files include the following text:

# ------------------------------------------------------------------------------
# Copyright (c) 1995,1996 Donated to the public domain
#
# Original author and maintainer: Marc Chatel mchatel@dial.oleane.com
# Last known maintainer: Marc Chatel mchatel@dial.oleane.com
#
# This file was created as part of the S4 (Secure System Setup Script) kit.
# Permission is granted to any person or entity to do any of the following:
# a) use this file alone or in some other software
# b) modify this file or include parts of this file in other files
# c) re-distribute this file AS IS or modified, for non-commercial
# or commercial purposes, alone or as part of some software package
#
# No warranties of any kind, express or implied, on the functionality and safety
# of the contents of this file. Use at your own risk!
#
# If you do useful changes to this file (bug fixes, portability fixes,
# enhancements), you should TRY to contact the current maintainer, who may be
# maintaining a "latest greatest" version of the file. You do not HAVE TO,
# but you should TRY. Promote software reuse! It helps everybody, including you!
# ------------------------------------------------------------------------------

--------------- end of message -----------------

From firewalls-owner Thu Oct 3 15:09:16 1996
Date: Thu, 3 Oct 1996 20:48:43 +0200 (MET DST)
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: Gauntlet vs. Sidewinder
To: jeromie@garrison.com (Hmm)
Cc: firewalls-owner@GreatCircle.COM, jeromie@garrison.com, david.helms@checkpoint.com, joav.kohn@us.landisstaefa.com, firewalls@GreatCircle.COM
In-Reply-To: <9610031723.AA03486@ukn0.garrison.com.> from "Hmm" at Oct 3, 96 12:23:03 pm

Hi,

> > The proper way to set this up is to have the firewall itself accept mail with
> > smapd and sendmail v8.6 and then re-route that mail to the internal servers.
> > The internal servers are never vulnerable to an attack because the outside
> > world cannot talk directly to them.
> >
> Agreed, that is what I was explaining to checkpoint.

Umm.. that's not completely right. Where is the difference in receiving mail from the outside or from an smapd forwarder? In both cases you can still have broken Envelopes or Headers.
It's probably better to put the MX Host outside of the firewall, or a secure forwarder on the firewall, but secure MTAs like qmail are a possible solution without using smtp-forwarders which don't give you much security (at least not those I know of).

Greetings
Bernd

> > The best way to secure things is to assume nothing is secure on your internal
> > network. Reduce your points of failure on the DMZ, and trust nothing. If you
> > make sure that your DMZ versions of sendmail are secure and they talk to your
> > internal servers, no direct communication ever takes place from the external
> > network to the internal network.
> >
> "If you make sure that your DMZ versions of sendmail are secure.."

If you trust your DMZ hosts you can even put them inside the Firewall perimeter, right. If you receive Mail on a bastion host on the DMZ, then you still need a way to secure mail from the bastion host to the internal net (i.e. filtering mail forwarder on the firewall or secure MTA on the internal net). Since Hackers can still send you malicious mail if they have hacked the bastion.

Greetings
Bernd

--
(OO)     -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
( ..
)        ecki@{lina.inka.de,linux.de} http://home.pages.de/~eckes/
o--o     *plush* 2048/A2C51749 eckes@irc +4972573817 *plush*
(O____O) If privacy is outlawed only Outlaws have privacy

From firewalls-owner Thu Oct 3 15:26:35 1996
Date: Thu, 3 Oct 1996 16:41:18 -0400
From: gary flynn
To: firewalls@greatcircle.com
Subject: UDP 137
Message-Id: <199610032045.NAA01627@miles.greatcircle.com>

I'm seeing lots of access violations for UDP 137, which is used by NetBIOS name services. I'm blocking 137-139 from the Internet. What I don't understand is why these are trying to come in from the Internet destined for machines all over campus...some that aren't even running NetBIOS services (or so I'm told).

Going through RFC 1001 and 1002 (quickly, I'm afraid) it seems that these packets would be used to challenge a name. Why would computers from sites all over the world be challenging end user computers here? One of the sites sending the packets was a Web site and I thought maybe it did that because it was an NT based server or something, but I checked with the person whose PC was the target and they'd never heard of the Web site (no, it wasn't one that they'd publicly deny :-)

Of course, I might be misunderstanding the protocol and perhaps the Internet is supporting NetBIOS broadcast service, which means it's supporting a whole bunch of machines broadcasting their names. Tell me this isn't true! Appletalk on the Internet :-)

Can someone explain this to me?
thanks,

Gary Flynn
Network Manager
James Madison University

From firewalls-owner Thu Oct 3 15:52:18 1996
Date: Thu, 3 Oct 1996 17:13:03 -0500 (CDT)
From: "Bruce M."
X-Sender: bkmarsh@wichita.fn.net
To: Bradley Brown
cc: firewalls@greatcircle.com
Subject: Re: Check Point and SYN Flood Attack
In-Reply-To: <3253E7B1.63F1@us.checkpoint.com>

On Thu, 3 Oct 1996, Bradley Brown wrote:

> I saw your email on the FW mailing list. I suggest you read the white
> paper posted on our site to get a better understanding of our solution.
> The key element of the SYN Flood attack is that a site (Firewall or
> Internet server) can be hosed due to the OS inability to handle the
> unresolved connection attempts with an attack that uses less than 10% of
> the available bandwidth across a T1 connection. With SYNDefender, the OS
> is protected and valid Internet connections can pass through the
> firewall to the destination server unimpeded.

I read through the white paper and besides a few hazy blips about how your "patent-pending Stateful Inspection" protects Firewall-1, I still haven't received a decent refutation to my original observation:

What is going to keep the firewall itself from becoming ensnared in a SYN flooding DOS attack? Even if it protects your host, won't Internet traffic essentially stop reaching it if the firewall is stuck chasing down SYNs from bogus addresses?

Am I missing an important factor in this equation?
________________________________
[ Bruce M. - Feist Systems, Inc. ]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
'DISA information shows that computer attacks on the Department of Defense are successful 65 percent of the time. The DoD, despite its problems, probably has one of the strongest computer security programs in government.'
-GAO/T-AIMD-96-108

From firewalls-owner Thu Oct 3 15:56:38 1996
Date: Thu, 3 Oct 1996 17:15:57 -0400
From: Russ
To: "'firewalls@GreatCircle.COM'", "'Petri Virkkula'"
Subject: RE: NT Security

> I think Backup rights are enough, no need to change ownership
> etc.

Backup rights, membership in the Backup Operators group, Server Operators Group, or anyone assigned explicitly the right to Backup Files and Directories (and typically its sister right to Restore Files and Directories) do not have the facility to Read, Write, Execute, Delete, Change Permissions or Take Ownership of Files or Directories, outside the use of a program which uses Backup or Restore functions specific to NT (copying a file in a DOS window would not work for these users, for example). The API calls to perform Backup or Restore operations register events in the event log stating that such an action has been taken.
Obviously, the tape contains all the data and that could be read on another system outside of the Domain very easily, but if the data was restored into the same NT environment, it would still not be possible to read the data as a member of the above mentioned groups. Just because one is a member of the above mentioned groups does not permit them access to directories or files through normal access methods (i.e. File Manager, DOS, or Explorer in NT 4.0).

Obviously it's possible to programmatically simulate a backup program, and while generating an event indicating the backup, have that program display the contents of the data being backed up. Judicious granting of the right, or membership in the above mentioned groups, therefore, is extremely wise.

An often overlooked, and possibly more critical right, is the ability to perform restore operations. Restoring a system to a pre-secure state (or some previously secure state which the perpetrator has some knowledge of) can be far more damaging than losing a current backup.

Cheers,
Russ

"any sufficiently advanced technology is indistinguishable from magic"...Arthur C.
Clarke

From firewalls-owner Thu Oct 3 16:20:08 1996
Date: Thu, 3 Oct 1996 18:26:41 -0400 (EDT)
From: pelicans@mindspring.com (BeachCruiser)
To: Chip Coy
Cc: firewalls@GreatCircle.COM
Subject: Re: Information Seeking

At 8:09 AM 10/3/96, Chip Coy wrote:

> On Tue, 1 Oct 1996, John Anonymous MacDonald wrote:
> Can anyone on this list recommend a reputable and professional group that
> can perform security (both network and host; Internet related) audits at a
> medium sized company located in the United States?

Well, if the outfits that do most of the security planning, auditing and accreditation testing for the defense and intelligence communities would be of any interest, I suggest calling:

Jim Harper
Computer Sciences Corporation
Hanover, Maryland
(410) 684-3500

Ron Gove
SAIC
McLean, Virginia
(703) 556-9722

Robert Kitzmiller
DSA
Fairfax, Virginia
(703) 591-3704

Stuart Moore
Booz Allen and Hamilton
McLean, Virginia
(703) 902-5310

Happy Hunting :-)

___________________________
Bob McKisson
Cypress Systems Corporation
P. O.
Box 809
Virginia Beach, VA 23451
(757) 425-4195 Voice
(757) 425-4196 FAX
(757) 442-0888 STU-III
pelicans@mindspring.com

From firewalls-owner Thu Oct 3 16:30:00 1996
Date: Thu, 3 Oct 1996 16:59:52 -0400
From: Gene Lee
To: "firewalls@GreatCircle.COM", "'Nestor & Christine Navarro'"
Subject: RE: How does one set a rule in IBM's Internet Secure Network Gateway to allow Notes 4.1.4 replication?
Message-ID: <01BBB14C.4BC73D40@genel.csnet.can.ibm.com>

On Wednesday, October 02, 1996 10:58 PM, Nestor & Christine Navarro[SMTP:nnavarro@pathcom.com] wrote:

> I am having trouble setting up IBM's firewall, the "Secure Network Gateway",
> to allow a machine in an internal network with Lotus Notes 4.1.4 to
> replicate (or even at the moment to talk) to an external machine over
> the Internet. All I know is to open up PORT 1352. Part of my problem
> as well is my internal network also has unregistered IP addresses. So
> how do I handle Name Address Translation?

Christine, if you are using SNG v2.2, you can use the NAT function built in and create a filter rule to pass traffic through port 1352. Remember that the filter filters on NATed addresses, so you would use the unregistered IP address in your rules.
Also remember that the pool of registered IP addresses cannot be in the same network as your unsecured network hanging off the firewall, but must be a different subnet which is routed through the firewall by the external router. -- Gene Lee genel@inforamp.net genelee@vnet.ibm.com From firewalls-owner Thu Oct 3 16:41:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA07714 for firewalls-outgoing; Thu, 3 Oct 1996 14:39:34 -0700 (PDT) Received: from abayuba.soltel.com.uy (abayuba.soltel.com.uy [206.99.46.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA07689 for ; Thu, 3 Oct 1996 14:39:22 -0700 (PDT) Received: (from beto@localhost) by abayuba.soltel.com.uy (8.6.12/8.6.9) id SAA10757; Thu, 3 Oct 1996 18:31:12 -0300 Date: Thu, 3 Oct 1996 18:31:12 -0300 From: Mario Pereyra Message-Id: <199610032131.SAA10757@abayuba.soltel.com.uy> To: BETTICK@boat.bt.com, Firewalls@GreatCircle.COM Subject: Re: Dynamic Address allocation Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Karim, you must view http://socks.nec.com/ From firewalls-owner Thu Oct 3 17:17:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA27929 for firewalls-outgoing; Thu, 3 Oct 1996 17:03:51 -0700 (PDT) Received: from tophat.stetson.edu (tophat.stetson.edu [147.253.10.40]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA27878 for ; Thu, 3 Oct 1996 17:03:33 -0700 (PDT) Received: from localhost (midengre@localhost) by tophat.stetson.edu (8.7.1/8.7.1) with SMTP id TAA01784; Thu, 3 Oct 1996 19:56:55 -0400 (EDT) X-Authentication-Warning: tophat.stetson.edu: midengre owned process doing -bs Date: Thu, 3 Oct 1996 19:56:55 -0400 (EDT) From: Michael Idengren Reply-To: Michael Idengren To: Leonard Miyata cc: firewalls@GreatCircle.COM Subject: Re: SYN solution? 
In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Has anyone looked at the syn flood attack solution posted > by BSDI (www.bsdi.com) that they're providing source code > for??? Also: For many platforms, there is a kernel patch available that will symptoms of a SYN flood (characteristic of a denial of service attack). I particularly like the SunOS fix, which will dynamically increase the proc table when a flood hits. See http://www.netaxs.com/~freedman/syn for more info. Mike Idengren | MEISTER ---------------------------------+---------------------------------- Center for Information Technology| Alachua Free-Net IRC Administrator Stetson University | WorldWide Free-Net IRC Network Coordinator From firewalls-owner Thu Oct 3 17:27:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA24118 for firewalls-outgoing; Thu, 3 Oct 1996 16:43:34 -0700 (PDT) Received: from sgi.sgi.com (SGI.COM [192.48.153.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA23994 for ; Thu, 3 Oct 1996 16:42:49 -0700 (PDT) Received: from hollywood.engr.sgi.com ([150.166.61.38]) by sgi.sgi.com (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id QAA10734; Thu, 3 Oct 1996 16:42:07 -0700 Received: by hollywood.engr.sgi.com (940816.SGI.8.6.9/911001.SGI) id QAA07393; Thu, 3 Oct 1996 16:42:06 -0700 From: fisher@hollywood.engr.sgi.com (William Fisher) Message-Id: <199610032342.QAA07393@hollywood.engr.sgi.com> Subject: Re: ifconfig To: jrg@gbnet.net (James R Grinter) Date: Thu, 3 Oct 1996 16:42:02 -0800 (PDT) Cc: ndapice@erols.com, mskarban@novahut.cz, firewalls@GreatCircle.COM, fisher@hollywood.engr.sgi.com (William Fisher) In-Reply-To: <199610031718.SAA18106@ns.gbnet.net> from "James R Grinter" at Oct 3, 96 06:18:28 pm Reply-To: fisher@sgi.com X-Mailer: ELM [version 2.4 PL3] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > 
> On Thu 3 Oct, 1996, "Nick D'Apice" wrote: > >for SGI and BSDI, its 'ifconfig xxx alias a.b.c.d netmask a.b.c.d > > the original poster asks about IRIX 5.3. That only supports > aliases if you apply a patch. The poster is in .cz so probably won't > be able to download it from the SGI web server, but he could try > looking for it anyway (look in the webforce areas). > > IRIX 6.2 adds support in the release operating system, and improves > performance, but often results in crashing the OS because of some > pointer errors when deleting them. C'est la vie. > That problem has been fixed in an Irix 6.2 patch. You can get the patches from the patch server or by calling customer support. -- Bill (fisher@sgi.com) > >> Date: Tue, 01 Oct 1996 06:10:55 +0100 > >> From: Skarban > > >> I am building virtual www server and i need to define multi IP > >> address over one physical interface of my SGI Challenge - S (Irix > >> 5.3). I am looking for parameter of Ifconfig command of SGI IRIX 5.3 > > James. > From firewalls-owner Thu Oct 3 17:41:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA02320 for firewalls-outgoing; Thu, 3 Oct 1996 17:34:04 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA02266; Thu, 3 Oct 1996 17:33:42 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id TAA24850; Thu, 3 Oct 1996 19:24:30 -0400 Date: Thu, 3 Oct 1996 19:24:27 -0400 (EDT) From: Rabid Wombat To: Rabbi Haim Cassorla cc: "'Chris Townend'" , "Firewalls@GreatCircle.COM" , "mail.e-tex.com@GreatCircle.COM" Subject: RE: Fireballs-Digest V5 #550 In-Reply-To: <01BBB13E.5D6AF540@fd.valuu.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 3 Oct 1996, Rabbi Haim Cassorla wrote: > The short answer is: > > 1. Very. > 2. Unplug it. 
Would you care to elaborate on this? I have set up NCSI comm servers on a segment that is screened by a router - only IPX can cross, no IP is allowed. The modems are set for "no answer", and there are no other systems on this screened segment. Users can access the NCSI ports via IPX/NCSI through the screening router. The ACS^2/SA's are attached to a secure hub. The hub attaches to the router. I'm not trying to make it impossible for an insider to get out - just exercise some administrative control, and have an alternative to locally attached modems (hence the ability to deny them to users). Of course, an insider *could* still set up a cellular modem, etc., but they could take data out on a floppy disk, too. This isn't my concern (today). I just want to do a reasonable job of providing dial-out access while blocking incoming calls. It isn't a great leap from having a modem on the desk for dial-out, and then installing PC Anywhere to dial in from home, or loading Chameleon, and leaving IP routing turned on, etc. These are the things I'm trying to stop. NOT someone on the inside who writes a winsock-capable TCP/IP app that tunnels through IPX to get to the dial-out, so he/she can dial into another system that breaks out the IP and passes it on. Like I said - the insider could just walk off with a tape or disk. It is the outside I'm worried about. Yes - You could trick a dial-out user of mine into downloading a trojan horse. You could also get them to do this through our firewall, as we allow ftp if it originates "outbound." I just want my dial-out system to be good enough that it doesn't "backdoor" the firewall. Just where do you see the risk? If you really know something about NCSI/NASI, and aren't just blowing smoke, I'd like to hear from you. -r.w. On Thu, 3 Oct 1996, Rabbi Haim Cassorla wrote: > The short answer is: > > 1. Very. > 2. Unplug it. 
> > ---------- > From: Chris Townend[SMTP:ctownend@e-tex.com] > Sent: Thursday, October 03, 1996 1:58 PM > To: Firewalls@GreatCircle.COM > Cc: mail.e-tex.com@GreatCircle.COM > Subject: Re: Firewalls-Digest V5 #550 > > My network currently utilizes nasi dial-out capabilities through > a netware connect 2.0 server. Dial-out clients are using > win3.11 with netscape 1.22. These clients do not have a tcp/ip > stack on network card, only ipx. Can anyone tell me how > vulnerable my network is to access from other Internet hosts, > and how to protect it? Any advice would be greatly appreciated! > > > From firewalls-owner Thu Oct 3 19:00:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA08749 for firewalls-outgoing; Thu, 3 Oct 1996 18:46:19 -0700 (PDT) Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA08742 for ; Thu, 3 Oct 1996 18:46:11 -0700 (PDT) From: potlicker@morebbs.com Received: by morebbs.com id 0UKAX00O Thu, 03 Oct 96 21:45:23 Message-ID: <9610032145.0UKAX00@morebbs.com> Organization: MORE BBS X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p Date: Thu, 03 Oct 96 21:45:23 Subject: Audio/video To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 1) How much bandwidth, in kbps, does a RealAudio connection use assuming that the firewall can keep up with the Internet access line speed? 2) How much bandwidth does a QuickTime video thingy use, also assuming the firewall can keep up with the access line speed? 3) Nothing to do with firewalls. Does anybody know the name of the music or tune for the song "Canny Newcastle" by Thomas Thompson, in the Geordie Song Book by Butler Publishing, Northumberland? We would all like to sing it to the right tune when we get tanked on the mead. 
Hinnie PoT_LiCkEr From firewalls-owner Thu Oct 3 19:14:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA08879 for firewalls-outgoing; Thu, 3 Oct 1996 18:53:06 -0700 (PDT) Received: from dns1.noc.best.net (dns1.noc.best.net [206.86.8.69]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA08872 for ; Thu, 3 Oct 1996 18:52:57 -0700 (PDT) Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by dns1.noc.best.net (8.6.12/8.6.5) with ESMTP id RAA01818; Thu, 3 Oct 1996 17:37:27 -0700 Received: from [204.156.153.118] (mblakele.vip.best.com [204.156.153.118]) by shellx.best.com (8.6.12/8.6.5) with ESMTP id RAA04437; Thu, 3 Oct 1996 17:36:38 -0700 X-Sender: mblakele@pop Message-Id: In-Reply-To: <9610030100.AA03436@ukn0.garrison.com.> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 3 Oct 1996 17:17:37 -0700 To: jeromie@garrison.com (Hmm) From: Camille Blakeley Subject: Re: Opinions/Experiences re: Sidewinder? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I cannot speak of earlier versions than 2.2, but 2.2 & 3.0 appear to >be quite easy in order to add generic proxies. I was able to do so in a >matter >of 15 minutes my first time, following the manuals instructions. By the way, >the manual for Sidewinder is much better than the documentation I have seen >elsewhere, including Gauntlet. Have you found a good paper on custom >configuration of the netperm-table!?!?@#? I believe I was using 2.2. I agree their documentation (for the GUI interface, not what it is actually doing) is first rate. However, I regard having to vi at least 4 different files (more if you want to be able to let that port back in, as well), as well as a few other functions, in order to make a proxy excessive. My recollection of TIS was two files. I would also like to add that their tech support is very good at what it does. 
They can coach you through their interface and do preliminary UNIX commands on the command line if necessary (they prefer not to). Unfortunately, they have the same fault as the documentation; they have very little knowledge (if any) of UNIX and don't have a real good understanding of what the operating system is doing, only their GUI. As to the netperm-table, I found the man pages with my old version of TIS to be sufficient. However, I didn't expect much, the software was free :-). Camille Camille Blakeley (camille@blakeley.com) From firewalls-owner Thu Oct 3 19:41:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA10651 for firewalls-outgoing; Thu, 3 Oct 1996 19:21:31 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA10627 for ; Thu, 3 Oct 1996 19:21:19 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id WAA02869; Thu, 3 Oct 1996 22:26:49 -0500 From: Adam Shostack Message-Id: <199610040326.WAA02869@homeport.org> Subject: NT FTPd? To: ntsecurity@iss.net Date: Thu, 3 Oct 1996 22:26:48 -0500 (EST) Cc: firewalls@greatcircle.com (Firewalls mailing list) X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk (Cross posted to Firewalls, ntsec) I'm looking for a FTP server to run on Windows NT. My criteria are: * Claims to offer security * Can provide ability to prevent moving up a directory tree. (chroot) * Can use NT login mechanisms to control login & activity as different users. Source would be nice. Free would be nice, but a downloadable demo version is a must for pay software. Please respond to me, and I'll summarize. Adam -- "Every year the Republicans campaign like Libertarians, and then go to Washington and spend like Democrats." Vote Harry Browne for President. 
http://www.harrybrowne96.org From firewalls-owner Thu Oct 3 20:42:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA16278 for firewalls-outgoing; Thu, 3 Oct 1996 20:35:21 -0700 (PDT) Received: from wichita.fn.net ([204.233.71.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA16271 for ; Thu, 3 Oct 1996 20:35:10 -0700 (PDT) Received: (from bkmarsh@localhost) by wichita.fn.net (8.7.6/8.6.9) id WAA02884; Thu, 3 Oct 1996 22:34:44 -0500 (CDT) Date: Thu, 3 Oct 1996 22:34:43 -0500 (CDT) From: "Bruce M." X-Sender: bkmarsh@wichita.fn.net To: firewalls@greatcircle.com Subject: Re: Check Point and SYN Flood Attack (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ---------- Forwarded message ---------- Date: Thu, 03 Oct 1996 15:53:54 -0700 From: Bradley Brown To: "Bruce M." Subject: Re: Check Point and SYN Flood Attack Bruce, My comments below, /Bradley Bruce M. wrote: > > On Thu, 3 Oct 1996, Bradley Brown wrote: > > > I saw your email on the FW mailing list. I suggest you read the white > > paper posted on our site to get a better understanding of our solution. > > The key element of the SYN Flood attack is that a site (Firewall or > > Internet server) can be hosed due to the OS inability to handle the > > unresolved connection attempts with an attack that uses less than 10% of > > the available bandwidth across a T1 connection. With SYNDefender, the OS > > is protected and valid Internet connections can pass through the > > firewall to the destination server unimpeded. > > I read through the white paper and besides a few hazy blips about how > your "patent-pending Stateful Inspection" protects Firewall-1, I still > haven't received a decent refutation to my original observation: What is > going to keep the firewall itself from becoming ensnared in a SYN > flooding DOS attack? 
Even if it protects your host, won't Internet traffic > essentially stop reaching it if the firewall is stuck chasing down SYNs > from bogus addresses? Am I missing an important factor in this equation? Several points to try to make this more clear: 1. SYN Floods take advantage of a queue managed by the OS. This queue is typically small in size and requires significant resources of the host if made much larger. Typically, this queue handles about 10 connection attempts and can be filled in seconds with a SYN Flood Attack. This is the whole reason the attack is so effective - it can be launched from a limited bandwidth link and still be effective at creating a denial of service condition. 2. Management of SYN connection attempts with FireWall-1 IS NOT managed by the OS, or a user-level process. It is managed at the kernel-level using software specifically designed to do this WITHOUT the memory/CPU overhead or limitations normally imposed by the OS. The Check Point solution can handle thousands of simultaneous connection attempts without danger of filling any queues. Valid connection attempts will be completed as per usual while invalid attempts will be timed out by the firewall and discarded from the firewall queue (the only time valid attempts do not get through is when the queue is filled up and cannot accept additional requests, which is NOT a problem with FireWall-1). Assume, for example, that the attacker is sending 500 packets per second. If the timeout is set to 5 seconds, then the largest number of unresolved connections which will exist at any point in time is about 2500 which does not even come close to exceeding FireWall-1's ability to track connections. The only way the SYN Flood Attack can create a denial of service condition in this case is if the attacker is capable of filling the whole T1 pipe to the firewall, in which case, they might as well use another more effective approach to fill the pipe. Hopefully this explains everything clearly. 
I assume you currently have a pure proxy-based firewall which is vulnerable to this type of attack (and hence, your view that the firewall 'must' have the same limitations as the target host). If so, it might be worth your while to look more closely at FireWall-1 which combines kernel-level intelligence with traditional proxies to give you the best of both worlds. Only firewalls with kernel-level intelligence can block SYN Flooding Attacks efficiently and be totally immune to standard scanners, etc. > > ________________________________ > [ Bruce M. - Feist Systems, Inc. ] > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > 'DISA information shows that computer attacks on the > Department of Defense are successful 65 percent of the time. > The DoD, despite its problems, probably has one of the strongest > computer security programs in government.' -GAO/T-AIMD-96-108 -- ----------------------------------------------------------------------- Bradley Brown Email: bradley@us.checkpoint.com CheckPoint Software Technologies Phone: (415) 562-0400 x225 "Global Secure Connectivity" Fax: (415) 562-0410 From firewalls-owner Thu Oct 3 21:26:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA19083 for firewalls-outgoing; Thu, 3 Oct 1996 21:14:24 -0700 (PDT) Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA19074 for ; Thu, 3 Oct 1996 21:14:14 -0700 (PDT) Received: from ts58-10.tor.iSTAR.ca by hermes.intel.com (8.7.6/10.0i); Thu, 3 Oct 1996 21:13:35 -0700 Received: by ts58-10.tor.iSTAR.ca with Microsoft Mail id <01BBB188.780FF180@ts58-10.tor.iSTAR.ca>; Fri, 4 Oct 1996 00:10:37 -0400 Message-ID: <01BBB188.780FF180@ts58-10.tor.iSTAR.ca> From: Gene Lee To: "ntsecurity@iss.net" Cc: Firewalls mailing list Subject: RE: NT FTPd? 
Date: Fri, 4 Oct 1996 00:10:35 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thursday, October 03, 1996 6:26 PM, Adam Shostack[SMTP:adam@homeport.org] wrote: >I'm looking for a FTP server to run on Windows NT. > >* Claims to offer security >* Can provide ability to prevent moving up a directory tree. (chroot) >* Can use NT login mechanisms to control login & activity as >different users. > >Source would be nice. Free would be nice, but a downloadable demo >version is a must for pay software. NT comes standard with an ftpd (not sure if you'd call it secure though). You can also try: Winsock archive mirror: http://warum.uni-mannheim.de/systems/windows/win32/win95-winsock/Daemons/FTPD/00_index.txt Commercial NT ftpd: http://www.gekko.com/library/internet/Internet%20NT%20FTP%20Deamon I've heard rumours of an NT port of wu-ftpd, but I can't substantiate this. -- Gene Lee genel@inforamp.net genelee@vnet.ibm.com From firewalls-owner Thu Oct 3 21:41:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA19542 for firewalls-outgoing; Thu, 3 Oct 1996 21:20:52 -0700 (PDT) Received: from wadjet.cerner.com ([159.140.254.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA19535 for ; Thu, 3 Oct 1996 21:20:42 -0700 (PDT) Received: from wadjet.cerner.com (daemon@localhost) by wadjet.cerner.com (8.7.2/8.7.2) with ESMTP id XAA21109 for ; Thu, 3 Oct 1996 23:23:10 -0500 (CDT) Received: from mailwhq05.cerner.com (mailwhq05.cerner.com [159.140.10.42]) by wadjet.cerner.com (8.7.2/8.7.2) with SMTP id XAA21105 for ; Thu, 3 Oct 1996 23:23:10 -0500 (CDT) Received: by mailwhq05.cerner.com with Microsoft Exchange (IMC 4.0.837.3) id <01BBB181.1CB40D00@mailwhq05.cerner.com>; Thu, 3 Oct 1996 23:17:57 -0500 Message-ID: From: "Bird,Tina" To: "'firewalls@greatcircle.com'" Subject: Re: Gauntlet vs. 
Sidewinder Date: Thu, 3 Oct 1996 23:17:07 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'll start with the disclosure: I don't work for SCC, tho' I do have several school friends who do... I've been running Sidewinder versions 2.2 and 3.0 for about a year now. I was responsible for the selection of our Internet firewall, and chose Sidewinder because of the "type enforcement" (which prevents hostile processes from accessing files or memory or any of those other bad things), because changes to executable code on the system are forbidden when the network connections are live, and because there's no all-powerful "root" account on the system despite its being a modified BSD UNIX. None of the other commercially available application proxy firewalls have security features this strong built into the operating system (at least, not that I was able to identify during my product review!). The initial installation of the 2.2 software was pretty ugly, due to the complexity of our corporate network and our struggle with getting exactly the right hardware components. However, throughout the installation and, in fact, throughout our work with SCC, we've found the technical support staff and developers to be tremendously helpful. None of my outstanding support issues have "out-stood" more than a couple of days. Our PC environment provides plenty of opportunity to stress our suppliers (we've got an internal network with over 2000 Win95 PCs and servers ranging from NT to an IBM SP2, with lots of VAXen thrown in for good measure), and SCC met the challenges head-on. As the person responsible for integrating firewall security into all of Cerner's network applications, I'm a lot more productive thanks to the robustness of the Sidewinder and the solid relationship I have with Secure Computing. 
(Honest, they're not paying me for this.) I'm not quite as familiar with the 3.0 software, having only installed it last week, but it appears to have a much more flexible User/Groups mechanism. My only qualm at the moment is that I've got two boxes with pretty complicated user access rules and access control lists, and at this time I have no idea of how to port that information into the upgraded system. I considered the Gauntlet system in my initial product review, but a couple of the executive level requirements for the Internet firewall (read: non-technical) precluded its use. I was able to directly compare the Sidewinder with the Eagle system, the Digital Firewall (don't know if that's still its name) and IBM's product -- none of these three had such good OS-level security as the Sidewinder did. Tina Bird UNIX System Administrator Cerner Corporation From firewalls-owner Thu Oct 3 22:58:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA24700 for firewalls-outgoing; Thu, 3 Oct 1996 22:48:58 -0700 (PDT) Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA24693 for ; Thu, 3 Oct 1996 22:48:46 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id WAA29456 for ; Thu, 3 Oct 1996 22:02:11 -0700 Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id WAA28561 for ; Thu, 3 Oct 1996 22:43:21 -0700 Date: Thu, 3 Oct 1996 22:43:20 -0700 (PDT) From: Michael Dillon To: "Firewalls@GreatCircle.COM" Subject: RE: Fireballs-Digest V5 #550 In-Reply-To: Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 3 Oct 1996, Rabid Wombat wrote: > and leaving IP routing turned on, etc. 
These are the things I'm trying to > stop. NOT someone on the inside who writes a winsock-capable TCP/IP app > that tunnels through IPX to get to the dial-out, so he/she can dial into > another system that breaks out the IP and passes it on. Like I said - the > insider could just walk off with a tape or disk. It is the outside I'm > worried about. That TCP/IP tunnel is a hole. If someone is running a scanner looking for winsock machines, they will find your user's machine, and if IP routing is enabled or if there is an exploitable bug that allows them to make IP routing happen, then your firewall is non-existent. Basically, vulnerable OSes (anything but properly configured UNIX systems) should never be exposed to the net. A firewall should always be protecting them. Thus, burn all your modems and only allow application layer connections via your firewall. Michael Dillon - ISP & Internet Consulting Memra Software Inc. - Fax: +1-604-546-3049 http://www.memra.com - E-mail: michael@memra.com From firewalls-owner Fri Oct 4 01:26:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA28688 for firewalls-outgoing; Fri, 4 Oct 1996 00:59:43 -0700 (PDT) Received: from mail1.digital.com (mail1.digital.com [204.123.2.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA28680 for ; Fri, 4 Oct 1996 00:59:33 -0700 (PDT) Received: from osftag.geo.dec.com by mail1.digital.com (5.65 EXP 4/12/95 for V3.2/1.0/WV) id AA12205; Fri, 4 Oct 1996 00:54:27 -0700 Received: from osftag.geo.dec.com (osftag.geo.dec.com [16.184.80.100]) by osftag.geo.dec.com (8.7.1/8.6.10) with SMTP id JAA23207; Fri, 4 Oct 1996 09:55:56 +0200 (MET DST) Message-Id: <3254C30B.446B@osftag.geo.dec.com> Date: Fri, 04 Oct 1996 09:55:55 +0200 From: thierry agassis Organization: Multivendor Customers Services - Digital X-Mailer: Mozilla 2.0 (X11; I; OSF1 V3.2 alpha) Mime-Version: 1.0 To: Marc Chatel Cc: firewalls@GreatCircle.COM Subject: Re: Need volunteer FTP 
archive site to host new security software References: <1.5.4.32.19961003205647.00698e6c@pop.dial.oleane.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Marc (author of RFC1919), Many thanks for making S4 public. I know how much time and effort you've put on it. Could someone expose an S4'ed bastion host and ask the worse (or best ?) hackers (to the right sense of the term !) to break it ? Best regards ! -- Thierry AGASSIS Mail address : UNIX and Internet Support thierry@osftag.geo.dec.com DEC-TEP 16 Partner URL : (from inside dec.com ): http://www-mcs.geo.dec.com From firewalls-owner Fri Oct 4 02:03:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA02097 for firewalls-outgoing; Fri, 4 Oct 1996 01:50:24 -0700 (PDT) Received: from gmap-gw.gmap.leeds.ac.uk (gmap-gw.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id BAA02051 for ; Fri, 4 Oct 1996 01:50:10 -0700 (PDT) Received: (from root@localhost) by gmap-gw.gmap.leeds.ac.uk (8.7.6/8.6.9) id JAA17884 for ; Fri, 4 Oct 1996 09:50:54 +0100 (BST) Received: from gmap3.gmap.leeds.ac.uk(129.11.200.3) by gmap-gw via smap (V1.3) id sma017877; Fri Oct 4 09:50:48 1996 Received: from gmap.leeds.ac.uk (gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id JAA15564 for ; Fri, 4 Oct 1996 09:50:56 +0100 From: Danny Cox Date: Fri, 4 Oct 1996 09:49:30 +0000 Message-Id: <3172.9610040849@gmap.leeds.ac.uk> To: firewalls@greatcircle.com Subject: qmail X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Regarding one of our current threads .. are there many folk on this list who use qmail rather than smap[d] or sendmail etc. ? I understand that it's reckoned to be pretty good, although I've not looked too hard at it - I got the impression that there are quite a few parts to it. 
Cheers Danny From firewalls-owner Fri Oct 4 02:46:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA05708 for firewalls-outgoing; Fri, 4 Oct 1996 02:22:03 -0700 (PDT) Received: from mailhub.axion.bt.co.uk (mailhub.axion.bt.co.uk [132.146.5.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA05701 for ; Fri, 4 Oct 1996 02:21:49 -0700 (PDT) Received: from msmsmtp1.comnet.bt.co.uk (actually msmsmtp2.comnet.bt.co.uk) by mailhub.axion.bt.co.uk with SMTP (PP); Fri, 4 Oct 1996 09:36:35 +0100 Received: by msmsmtp1.comnet.bt.co.uk with Microsoft Mail id <3254CC1C@msmsmtp1.comnet.bt.co.uk>; Fri, 04 Oct 96 09:34:36 BST From: "Bettich,K,NAT22,BETTICK M" To: Firewalls Newsgroup Subject: RE: PIX (CISCO) Date: Fri, 04 Oct 96 09:35:00 BST Message-ID: <3254CC1C@msmsmtp1.comnet.bt.co.uk> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi According to the docs, the PIX is very secure. One of my colleagues had a chance to play with a box and he reckons it's got a very good performance in terms of speed and security. The PIX is using adaptive security which means all the inbound traffic is checked against Source and Destination IP address, Source and destination port number, protocol, TCP sequence number It conceals the Intranet from the outside world by running NAT. Dynamic address allocation is only enabled for connections initiated from the inside network and is port-specific. It has Private Link Encryption which allows users to communicate in privacy over a public IP network (secure tunnels). More info at the following URLs: http://www.cisco.com/warp/public/751/pix/index.html http://www.translation.com/ Best regards Karim ---------- From: Adrian Gustavo Russo To: firewalls Subject: PIX (CISCO) Date: 03 October 1996 09:29 Hi is the PIX-FIREWALL Cisco with NAT a secure firewall in my intranet? 
-- _\|/_ (o o) +---------------------oOO-(_)-OOo---------------------+ | | | Adrian Gustavo Russo | | ==================== | | Licenciado en Informatica - Analista de Sistemas | | | | Silicon Graphics Argentina | | e-mail: arusso@buenosaires.sgi.com | | tel: 54 1 311-6666 | | | | Universidad Nacional de La Plata Argentina | | e-mail: arusso@isis.unlp.edu.ar | | tel: 54 21 35-102 | | | +-----------------------------------------------------+ (_| |_) From firewalls-owner Fri Oct 4 02:59:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA06403 for firewalls-outgoing; Fri, 4 Oct 1996 02:31:07 -0700 (PDT) Received: from mhead.saic.com ([194.131.225.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA06373 for ; Fri, 4 Oct 1996 02:30:40 -0700 (PDT) Received: from eumadw027.EUMAD by mhead.saic.com (SMI-8.6/SMI-SVR4) id KAA29561; Fri, 4 Oct 1996 10:30:30 +0100 Received: by eumadw027.EUMAD with Microsoft Mail id <01BBB1DE.8B59E100@eumadw027.EUMAD>; Fri, 4 Oct 1996 10:26:46 +-100 Message-ID: <01BBB1DE.8B59E100@eumadw027.EUMAD> From: Suheil Shahryar To: "'firewalls@greatcircle.com'" Cc: "'Chip Coy'" , "'Steve Manning (SAIC)'" Subject: RE: Information Seeking Date: Fri, 4 Oct 1996 10:26:38 +-100 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 1 Oct 1996, John Anonymous MacDonald wrote: > Can anyone on this list recommend a reputable and professional group > that can perform security (both network and host; Internet related) audits > at a medium sized company located in the United States? Try SAIC: http://www.saic.com/consulting/index.html or send an email to STEVE.A.MANNING@cpmx.saic.com. (SAIC stands for Science Applications International Corporation.) Our clients come from US commercial and financial institutions, government, national security & defense, energy, health, etc. 
Alternatively, I will be happy to receive and respond to your requirements. I work for SAIC LTD in the UK, where we provide consultancy and systems integration services based around security technologies (including enterprise audits and web security) to European clients of SAIC.

Suheil Shahryar
Senior Technology Consultant
SAIC LTD
Berkshire House, Queen Street
Maidenhead, Berks SL6 1NF UK
Tel: +44-1628-686121
Fax: +44-1628-686198
email: Suheil.Shahryar@cpmx.saic.com

NOTE: ANY OPINIONS EXPRESSED ABOVE ARE PERSONAL ONLY.

From firewalls-owner Fri Oct 4 04:46:34 1996
From: jeromie@garrison.com (Jeromie Jackson)
To: Firewalls@greatcircle.com, BETTICK@boat.bt.com
Subject: RE: PIX (CISCO)
Date: Fri, 4 Oct 96 06:16:24 CDT

> Hi
> According to the docs, the PIX is very secure. One of my colleagues had a
> chance to play with a box and he reckons it's got a very good performance in
> terms of speed and security.
> The PIX is using adaptive security which means all the inbound traffic is
> checked against Source and Destination IP address, Source and destination
> port number, protocol, TCP sequence number

This is called "IP FILTERING".

> It conceals the Intranet from the outside world by running NAT. Dynamic
> address allocation is only enabled for connections initiated from the inside
> network and is port-specific.
> It has Private Link Encryption which allows users to communicate in privacy
> over a public IP network (secure tunnels).

This box is an IP filtering box that understands "Stateful Inspection" or "SYN/ACK" flags, or whatever you care to call it. The box has the same limitations as all other IP filtering mechanisms. It does not increase the level of assurance of the existing daemons, thus doesn't put a very strong bubble around your network. IP filtering relies on header information (src, port, dst, port, flags).

My usual ACL example:

"We do not allow any inbound connections EXCEPT SMTP"
"We allow only XYZ.COM to connect to our telnet port"

That would be a fair policy for many corporations. Spoofing IP addresses is quite trivial. If someone can spoof the address of XYZ.COM, they would effectively circumvent the ACLs in place, thus busting through the perimeter bubble. This would be similarly true of application level gateways, although in app. gateways you also have the ability to increase the level of assurance of the daemons, separate the outside network services from the internal network, provide 2-factor authentication mechanisms, and have a decent/good audit & data reduction tool to audit traffic.
Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Fri Oct 4 05:14:30 1996
From: Jim Littlefield
To: Danny Cox
Cc: firewalls@GreatCircle.COM
Subject: Re: qmail
Date: Fri, 4 Oct 1996 08:01:56 -0400 (EDT)

On Fri, 4 Oct 1996, Danny Cox wrote:
> Regarding one of our current threads .. are there many folk on this list
> use qmail rather than smap[d] or sendmail etc. ? I understand that it's
> reckoned to be pretty good, although I've not looked too hard at it - I
> got the impression that there are quite a few parts to it.

I have been running it on a few machines, including my firewall/mail server. It is quite a bit different than sendmail w/smap, but seems to be very effective at delivering high volumes of mail.

Is it secure? Having examined the source somewhat, it certainly appears that Dan has made a good effort at reducing/eliminating the problems with sendmail, without losing functionality. Is it secure? ...the vote is still out.

Cheap, fast, secure...pick any two ;)

--
Jim Littlefield

"I used to be an airline pilot. I got fired because I kept locking the keys in the plane. They caught me on an 80 foot stepladder with a coathanger."
- Steven Wright

From firewalls-owner Fri Oct 4 05:31:08 1996
From: bbrown@allensysgroup.com (Bobby Brown)
To: "'Firewalls@GreatCircle.COM'"
Subject: Raptor for NT user wanted
Date: Fri, 4 Oct 1996 07:14:33 -0400

I would like to have contact with other Raptor firewall users running on Windows NT for information sources and discussions. I am presently running 3.02 till the new version is released. Contact me directly by e-mail (not the mail list).

TIA,
Bobby Brown

****************************************************************
Bobby Brown
Allen Systems Group, INC.
750 11th Street South
Naples, FL. 33940
FAX- 941-263-1952
BUS- 941-435-2299
bbrown@allensysgroup.com
http://www.allensysgroup.com
http://www.webgalaxy.net

From firewalls-owner Fri Oct 4 06:05:10 1996
From: dvv@sprint.net (Dima Volodin)
To: bkmarsh@feist.com (Bruce M.)
Cc: firewalls@GreatCircle.COM
Subject: Re: Check Point and SYN Flood Attack (fwd)
Date: Fri, 4 Oct 1996 08:38:16 -0400 (EDT)

Bruce M. writes:
>
> Several points to try to make this more clear:
> 1. SYN Floods take advantage of a queue managed by the OS. This queue is
> typically small in size and requires significant resources of the host
  ^^^^^^^^^^^^^^^
[etc etc etc]

Now do you remember the "typical" way Win 3.xx handled the VM? Do you remember a certain product (SoftRAM? RAMDoubler? I never remember its name) that "intelligently" handled Win's deficiency? Now do you remember what happened to that product when Win'95 started using a more-or-less decent VM? Same for SYNDefender or what-its-name - OS kernels might be easily fixed to handle SYN flood attacks.
The resources consumption is absolutely the same as it is for whatever firewall - you always have _this_ many bytes to keep track of TCP state. And, BTW, 5 sec is way too low for the timeout.

Dima

From firewalls-owner Fri Oct 4 06:41:21 1996
From: Rey LeClerc/New York/ACMC
To: Firewalls-Digest
Cc: firewalls-digest
Subject: Information Security Administrator - UNIX / Internet Systems
Date: 4 Oct 96 9:26:21

I do not know if this is the right place for this, but we are currently looking for an Information Security Administrator - UNIX / Internet Systems. Attached is the position description. If there is any interest, please contact rey_leclerc@acml.com. Thanks.

POSITION DESCRIPTION

TITLE: Information Security Administrator - UNIX / Internet Systems
DEPARTMENT: CSD Planning & Control
REPORTS TO: AVP, Information Security, CSD Planning & Control
LOCATION: New York (AMA)

SUMMARY: The purpose of this job is to administer and enforce logical and manual security controls and procedures to protect company hardware, software, networks, and data in UNIX, Firewalls and Internet distributed system platforms.

RESPONSIBILITIES:
- Evaluate, select, test, implement and enforce manual and automated security controls that promote the safeguard of Alliance Capital's assets, including the implementation and maintenance of single sign-on mechanisms.
- Develop user profiles or other access control devices for data access for UNIX servers, including SecurID.
- Ensure that security files and all system user activities comply with the existing security policies, standards and procedures established by the Information Security Committee.
- Install, maintain and monitor the usage of firewalls and Internet access.
- Perform security database administration maintenance activities including: receiving, reviewing, processing and filing all computer security forms and documents; grant, implement and revoke access to computer systems and resources; ensure all terminations and transfers are correctly reflected in the security files; make changes to the security files to reflect necessary corrections; ensure the security files are backed up on a daily basis; and administer the remote dial-in server.
- Perform audit activities including: daily and weekly reviews of the audit files; monitor and follow up on apparent unauthorized access and security violations; perform periodic reviews to evaluate the effectiveness of security practices; and identify risky security areas and advise the Information Security Manager and appropriate management.
- Maintain ongoing communications with all system users and resource owners; operate as a security help desk by answering questions, resolving problems, providing assistance and conducting orientation sessions for system owners and resource owners.
- Backup to the Mainframe Information Security Administrator.
- Assist in the development, implementation, testing and maintenance of the disaster recovery / business resumption plans.

DIMENSIONS:
NUMBER OF DIRECT REPORTS: None
NUMBER SUPERVISED (EXCL. DIRECT REPORTS): N/A
CSD OPERATING BUDGET: N/A
CSD-CONTROLLED CAPITAL EXPENDITURE BUDGET: N/A

BACKGROUND REQUIRED:

EDUCATION: Bachelor's Degree in business, computer science or information systems is essential. Certification as information systems auditor (CISA), information systems security professional (CISSP) or Novell NetWare Engineer (CNE) a plus.

EXPERIENCE: 4-6 years experience with UNIX and Internet system administration. Knowledge of Novell NetWare, Windows NT, OS/2, and information security a plus.

SPECIALIZED SKILLS: Must have technical expertise with UNIX. Knowledge of security techniques and information systems controls to secure UNIX, Sybase and firewall software. Novell NetWare, Windows NT and OS/2 platforms a plus. Must be able to write information security scripts using C, Perl. Skills in recording and reporting data accurately, filing and retrieving information, checking data for completeness and compliance with standards. Skills in written and verbal communications, relating technical aspects to management and end users. Skills in reading and evaluating technical information. Skills in managing, planning and organizing their own work efforts. Ability to react calmly, quickly, and rationally during crisis situations.
From firewalls-owner Fri Oct 4 06:56:56 1996
From: peter@baileynm.com (Peter da Silva)
To: genel@inforamp.net (Gene Lee)
Cc: ntsecurity@iss.net, firewalls@GreatCircle.COM
Subject: Re: NT FTPd?
Date: Fri, 4 Oct 1996 08:38:53 -0500 (CDT)

On Thursday, October 03, 1996 6:26 PM, Adam Shostack[SMTP:adam@homeport.org] wrote:
>I'm looking for a FTP server to run on Windows NT.
>
>* Claims to offer security

The FTP protocol has no security capability. If you want security, don't use FTP. See if there's an ssh server for NT and use scp, or use HTTPS/SSL.
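To make the point that the FTP protocol itself carries no protection concrete from the monitoring side, here is an added example (not from the list thread or any product discussed in it): a small parser that walks an FTP control-channel transcript and reports every login, showing that a passive observer on the path sees USER and PASS exactly as the client sent them. The transcript, hostname and account names are constructed for the demonstration; the monitor deliberately keeps only the password length, never the password.

```python
"""Spot cleartext FTP authentication in a control-channel transcript."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed transcript (not a real capture) of one TCP port 21 session.
# "C" lines go client -> server, "S" lines server -> client.
SAMPLE_SESSION: List[Tuple[str, str]] = [
    ("S", "220 ftp.example.test FTP server ready."),
    ("C", "USER anonymous"),
    ("S", "331 Guest login ok, send your e-mail address as password."),
    ("C", "PASS guest@example.test"),
    ("S", "230 Guest login ok, access restrictions apply."),
    ("C", "USER jdoe"),
    ("S", "331 Password required for jdoe."),
    ("C", "PASS hunter2"),
    ("S", "530 Login incorrect."),
    ("C", "USER jdoe"),
    ("S", "331 Password required for jdoe."),
    ("C", "PASS correct-horse"),
    ("S", "230 User jdoe logged in."),
    ("C", "QUIT"),
    ("S", "221 Goodbye."),
]


@dataclass
class LoginEvent:
    user: str
    anonymous: bool
    succeeded: bool
    password_observed: bool  # the secret itself crossed the wire in the clear
    password_length: int     # 0 when no PASS was sent


def parse_logins(session: List[Tuple[str, str]]) -> List[LoginEvent]:
    """Reconstruct every authentication attempt from the transcript.

    The password is not retained, only its length: the lesson is that a
    passive observer on the path could have stored it, not to store it
    ourselves.
    """
    events: List[LoginEvent] = []
    pending_user: Optional[str] = None
    pending_pw_len: Optional[int] = None
    for direction, line in session:
        verb, _, arg = line.partition(" ")
        if direction == "C":
            if verb.upper() == "USER":
                pending_user, pending_pw_len = arg.strip(), None
            elif verb.upper() == "PASS":
                pending_pw_len = len(arg)
            continue
        # Server side: 230 completes the login, 530 rejects it.  Anything
        # else (220 banner, 331 "need password", 221 bye) leaves state alone.
        code = verb[:3]
        if pending_user is not None and code in ("230", "530"):
            events.append(LoginEvent(
                user=pending_user,
                anonymous=pending_user.lower() in ("anonymous", "ftp"),
                succeeded=(code == "230"),
                password_observed=pending_pw_len is not None,
                password_length=pending_pw_len or 0,
            ))
            pending_user, pending_pw_len = None, None
    return events


def report(events: List[LoginEvent]) -> List[str]:
    """Render one syslog-style line per attempt for the perimeter log."""
    lines = []
    for ev in events:
        outcome = "success" if ev.succeeded else "failure"
        if ev.anonymous:
            lines.append(f"ftp-monitor: anonymous login {outcome} (no secret at stake)")
        elif ev.password_observed:
            lines.append(
                f"ftp-monitor: CLEARTEXT CREDENTIAL user={ev.user} result={outcome} "
                f"password_len={ev.password_length}")
        else:
            lines.append(f"ftp-monitor: login {outcome} user={ev.user} without PASS")
    return lines


if __name__ == "__main__":
    for line in report(parse_logins(SAMPLE_SESSION)):
        print(line)
```

The same walk applies to a real capture decoded into (direction, line) pairs; the failed attempt followed by a success for the same account is the pattern worth alerting on, since both passwords were readable to anyone between the client and the server.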
From firewalls-owner Fri Oct 4 07:36:40 1996
From: rich
To: firewalls@greatcircle.com
Subject: smtp and auth
Date: Fri, 4 Oct 96 09:43:48

What would cause SOME mail servers to send back an AUTH/113 connection before allowing mail to be sent? Also, it seems to be random. In other words, some servers do it sometimes but other times they do not. Since I am blocking all connection requests from the outside in, this causes some of my internal mail servers to hang from time to time. When I looked at the firewall logs, I see SYNs coming from the mail server at the other end trying port 113. Any hints?
thanks,
rich

From firewalls-owner Fri Oct 4 07:46:21 1996
From: peter@baileynm.com (Peter da Silva)
To: michael@memra.com (Michael Dillon)
Cc: Firewalls@GreatCircle.COM
Subject: Re: Fireballs-Digest V5 #550
Date: Fri, 4 Oct 1996 08:47:58 -0500 (CDT)

> Basically, vulnerable OSes (anything but properly configured UNIX systems)

Wouldn't you say that VMS was probably pretty safe, so long as you remember to change the field service password?
From firewalls-owner Fri Oct 4 08:29:04 1996
From: "Steven E. Matkoski"
To: Firewalls@GreatCircle.COM
Subject: async file transfers through firewall, how?
Date: Fri, 04 Oct 1996 10:28:01 -0400

I have the requirement to allow async users to transfer files to an ftp server. The async users connect to cisco 2511's which are connected to a perimeter network where the firewall is connected. I want the user to start a file transfer (x,y,z modem) and have the terminal server convert to ftp which would be filtered by the firewall. Has anyone tried anything like this? Or have any ideas if it is possible?

--
Thanks!
-steve.
matkoski@dreamscape.com

From firewalls-owner Fri Oct 4 08:35:00 1996
From: "Davidson, Clyde"
To: Firewalls, "'joav.kohn@us.landisstaefa.com'"
Subject: RE: Gauntlet vs. Sidewinder
Date: Fri, 4 Oct 1996 09:54:00 -0500

Since this still is the subject, I've been told that Sidewinder works just that way. External users can only send to the sendmail that is on the external side of Sidewinder. It then passes the message to the sendmail on the internal side of Sidewinder. The internal sendmail then re-routes it to the internal servers. Therefore, if you crack the sendmail on the external side you still don't have access to the internal network.
Clyde Davidson
Data Security Coordinator
NMH

----------
Joav Kohn wrote:
"The proper way to set this up is to have the firewall itself accept mail with smapd and sendmail v8.6 and then re-route that mail to the internal servers. The internal servers are never vulnerable to an attack because the outside world cannot talk directly to them."

From firewalls-owner Fri Oct 4 08:41:12 1996
From: Adam Shostack
To: peter@baileynm.com (Peter da Silva)
Cc: genel@inforamp.net, ntsecurity@iss.net, firewalls@GreatCircle.COM
Subject: Re: NT FTPd?
Date: Fri, 4 Oct 1996 10:44:11 -0500 (EST)

Peter da Silva wrote:
| On Thursday, October 03, 1996 6:26 PM, Adam
| Shostack[SMTP:adam@homeport.org] wrote:
| >I'm looking for a FTP server to run on Windows NT.
| >
| >* Claims to offer security
|
| The FTP protocol has no security capability. If you want security, don't use
| FTP. See if there's an ssh server for NT and use scp, or use HTTPS/SSL.

I may have been sloppy in my use of words. By 'claims to offer security,' I meant that the authors had made an effort to protect the daemon itself from attack. The ftpd will be sitting behind an ftp-gw, and have other controls as part of a system that I feel offers a fair degree of security by design.
The same criteria that require NT also prevent us from using other protocols in the near term. I'd like it to use the NT file security mechanisms for about the same reasons. My customer has chosen to move ahead on a tight deadline, putting band-aids on a system, and asked me to offer advice with that in mind. They are being apprised of the risks.

Adam

--
"Every year the Republicans campaign like Libertarians, and then go to Washington and spend like Democrats."
Vote Harry Browne for President. http://www.harrybrowne96.org

From firewalls-owner Fri Oct 4 08:41:57 1996
From: Irwin Lazar
To: firewalls@greatcircle.com
Subject: Small network Firewall
Date: Fri, 04 Oct 1996 10:11:53 -0400

Greetings all. I am working on a project to increase the security on a small LAN (less than 20 users). This LAN has a live connection to the Internet via a 56Kb Frame Relay pipe. So far the requirements are to set up an internal web server that can't be accessed from the Internet, to prevent SNMP scans from the Internet, to prevent Telnet from the Internet, and to prevent IP spoofing. There is also a requirement for reporting break-ins to a syslog server.
An external web server and FTP server will also be set up running NT 4.0. I've been looking at using private addressing on the LAN with a NAT between the LAN and a DMZ. The NAT will be a Cisco 2500 running their new 11.2.1 release. There will also be a Cisco 2500 between the Internet and the DMZ. I will be using the Ciscos as network layer firewalls by using extended IP access lists.

Are there any application layer firewalls out there that would be useful for a small LAN such as this? Can anyone recommend a few to look at? Does the above plan sound coherent?

Also, in an unrelated request, does anyone know of a good Windows NT mailing list or perhaps a place that holds a list of mailing lists?

Thanks,
Irwin Lazar
Network Evolutions, Inc.

From firewalls-owner Fri Oct 4 08:48:45 1996
From: "Steven E. Matkoski"
To: Firewalls@GreatCircle.COM
Subject: cisco 2511 file transfer through firewall.
Date: Fri, 04 Oct 1996 10:08:31 -0400

I am trying to set up a dial-in service for our company and would like to know how to handle file transfers between a terminal server and the firewall.
Here is the layout: I have 4 cisco 2511's connected to the perimeter network (ethernet), which is attached to my firewall. I have to support async file transfers (X,Y,Z modem) to an ftp server within the secure network. How do terminal servers handle such transfers? Do they convert to ftp? I don't know which ports to open for these transfers. Any help is appreciated.

--
Thanks!
-steve.
matkoski@dreamscape.com

From firewalls-owner Fri Oct 4 08:55:32 1996
From: peter@baileynm.com (Peter da Silva)
To: jeromie@garrison.com (Jeromie Jackson)
Cc: Firewalls@greatcircle.com, BETTICK@boat.bt.com
Date: Fri, 4 Oct 1996 09:03:11 -0500 (CDT)
Subject: Re: PIX (CISCO)

Lord knows I'm no fan of IP filtering but this is a straw man.

> bubble around your network. IP filtering relies on header information
> (src, port, dst, port, flags).
> My usual ACL example:
>
> "We do not allow any inbound connections EXCEPT SMTP"
> "We allow only XYZ.COM to connect to our telnet port"
>
> That would be a fair policy for many corporations.

No, it wouldn't. And it wouldn't be a fair policy with proxies, either. A more likely arrangement would be "we allow outbound connections, and we allow inbound SMTP and FTP connections to our public access server."

From firewalls-owner Fri Oct 4 10:03:07 1996
From: Ryan Russell/SYBASE
To: "Bruce M."
Cc: Bradley Brown, firewalls
Date: 4 Oct 96 9:28:32 EDT
Subject: Re: Check Point and SYN Flood Attack

Here's a glib answer, but it may help explain things:

Firewall-1 doesn't have a problem with the SYN packets for the same reason that every router along the way doesn't. It doesn't "use" the packets per se... It just keeps a table entry for it, and sends an ACK (I presume) to see if it gets a reply. It can keep track of thousands of these half-open connections at a time..
Ryan

---------- Previous Message ----------
To: bradley
cc: firewalls
From: bkmarsh @ feist.com ("Bruce M.") @ smtp
Date: 10/03/96 05:13:03 PM
Subject: Re: Check Point and SYN Flood Attack

On Thu, 3 Oct 1996, Bradley Brown wrote:

> I saw your email on the FW mailing list. I suggest you read the white
> paper posted on our site to get a better understanding of our solution.
> The key element of the SYN Flood attack is that a site (Firewall or
> Internet server) can be hosed due to the OS inability to handle the
> unresolved connection attempts with an attack that uses less than 10% of
> the available bandwidth across a T1 connection. With SYNDefender, the OS
> is protected and valid Internet connections can pass through the
> firewall to the destination server unimpeded.

I read through the white paper and besides a few hazy blips about how your "patent-pending Stateful Inspection" protects Firewall-1, I still haven't received a decent refutation to my original observation: What is going to keep the firewall itself from becoming ensnared in a SYN flooding DOS attack? Even if it protects your host, won't Internet traffic essentially stop reaching it if the firewall is stuck chasing down SYNs from bogus addresses? Am I missing an important factor in this equation?

________________________________
[ Bruce M. - Feist Systems, Inc. ]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

'DISA information shows that computer attacks on the Department of Defense are successful 65 percent of the time. The DoD, despite its problems, probably has one of the strongest computer security programs in government.'
-GAO/T-AIMD-96-108

From firewalls-owner Fri Oct 4 10:17:16 1996
From: Bradley Brown
Organization: CheckPoint Software Technologies, Inc.
To: Firewalls@GreatCircle.COM
Date: Fri, 04 Oct 1996 09:14:14 -0700
Subject: Re: Check Point SYNDefender and SYN Flood Attacks

Bruce M. wrote:
>
> On Thu, 3 Oct 1996, Bradley Brown wrote:
>> I saw your email on the FW mailing list. I suggest you read the white
>> paper posted on our site to get a better understanding of our solution.
>> The key element of the SYN Flood attack is that a site (Firewall or
>> Internet server) can be hosed due to the OS inability to handle the
>> unresolved connection attempts with an attack that uses less than 10% of
>> the available bandwidth across a T1 connection. With SYNDefender, the OS
>> is protected and valid Internet connections can pass through the
>> firewall to the destination server unimpeded.
>
> I read through the white paper and besides a few hazy blips about how
> your "patent-pending Stateful Inspection" protects Firewall-1, I still
> haven't received a decent refutation to my original observation: What is
> going to keep the firewall itself from becoming ensnared in a SYN
> flooding DOS attack?
> Even if it protects your host, won't Internet traffic
> essentially stop reaching it if the firewall is stuck chasing down SYNs
> from bogus addresses? Am I missing an important factor in this equation?
>
> ________________________________
> [ Bruce M. - Feist Systems, Inc. ]
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Several points to try to make this more clear:

1. SYN Floods take advantage of a queue managed by the OS. This queue is typically small in size and requires significant resources of the host if made much larger. Typically, this queue handles about 10 connection attempts and can be filled in seconds by a SYN Flood Attack. This is the primary reason the attack is so effective - it can be launched from a limited bandwidth link and still be effective at creating a denial of service condition on an Internet host or firewall that lacks protection.

2. Management of SYN connection attempts with FireWall-1 IS NOT managed by the OS, or a user-level process. It is managed at the kernel level using software specifically designed to do this WITHOUT the memory/CPU overhead or limitations normally imposed by the OS. The Check Point solution can handle thousands of simultaneous connection attempts without danger of filling any queues. Valid connection attempts will be completed as per usual while invalid attempts will be timed out by the firewall and discarded from the firewall queue (the only time valid attempts would not be able to get through is if the queue filled up and could not accept additional requests, which is NOT a problem with FireWall-1). Assume, for example, that the attacker is sending 500 packets per second. If the timeout is set to 5 seconds, then the largest number of unresolved connections which will exist at any point in time is about 2500, which does not even come close to exceeding FireWall-1's ability to track connections and manage the queue.
The only way the SYN Flood Attack can create a denial of service condition in this case is if the attacker is capable of filling the whole T1 pipe to the firewall, in which case they might as well use another, more effective approach to fill the pipe.

-----------------------------------------------------------------------
Bradley Brown                        Email: bradley@us.checkpoint.com
CheckPoint Software Technologies     Phone: (415) 562-0400 x225
"Global Secure Connectivity"         Fax:   (415) 562-0410

From firewalls-owner Fri Oct 4 11:31:11 1996
From: Mr Maurice SEILER
To: Firewalls (Non Receipt Notification Requested)
Date: Fri, 4 Oct 1996 19:49:06 +0200
Subject: WinFrame by CITRIX

Hi!,

Does somebody know something about WINFRAME by CITRIX? (Sort of X-terminal by M$)
Any known security problems?
How does this go through the FireWall?
Thanks,
Maurice

From firewalls-owner Fri Oct 4 11:35:09 1996
From: "Rick Owens"
Organization: Flathead Valley Community College
To: "Steven E. Matkoski", Firewalls@GreatCircle.COM
Date: Fri, 4 Oct 1996 12:01:38 -0700
Subject: Re: async file transfers through firewall, how?

On 4 Oct 96 at 10:28, Steven E. Matkoski wrote:

> I have the requirement to allow async users to transfer files to an
> ftp server. The async users connect to cisco 2511's which are
> connected to a perimeter network where the firewall is connected. I
> want the user to start a file transfer (x,y,z modem) and have the
> terminal server convert to ftp which would be filtered by the
> firewall. Has anyone tried anything like this? or have any ideas if
> it's possible?

Possible alternate solution: If you have a spare 386 or better, how 'bout setting up the PC as a Unix server that people can telnet to? Thus JQuser dials in, telnets to the (minimal) Unix server, transfers the file with whatever protocol, and disconnects. The server could poll for new files and transfer them as appropriate.
--------------------------------------------------------------------
Rick Owens | FVCC, Kalispell, MT, USA, Sol 3
#include "New restaurant on the moon. Great food, no atmosphere."
--------------------------------------------------------------------

From firewalls-owner Fri Oct 4 11:41:36 1996
From: Ryan Mooney
To: jeromie@garrison.com (Jeromie Jackson)
Cc: Firewalls@GreatCircle.COM, BETTICK@boat.bt.com
Date: Fri, 4 Oct 1996 10:51:37 -0700 (MST)
Subject: Re: PIX (CISCO)

> Jeromie Jackson
> "We do not allow any inbound connections EXCEPT SMTP"
> "We allow only XYZ.COM to connect to our telnet port"
>
> That would be a fair policy for many corporations. Spoofing IP addresses
> is quite trivial.. If someone can spoof the address of XYZ.COM, they would
> effectively circumvent the ACL's in place, thus busting through the perimeter
> bubble. This would be similarly true of application level gateways, although
> in app. gateways you also have the ability to increase the level of assurance
> of the daemons, separate the outside network services from the internal network,
> provide 2-factor authentication mechanisms, and have a decent/good audit &
> data reduction tool to audit traffic.
>

    deny input from internal networks on external port
    deny input from ! internal networks on internal port
    deny input if fragment size is too small

I agree that you'd still want app level security on the "exposed" hosts that answer for e-mail etc... but the IP spoofing is IMHO handled not too badly by well-designed filter rules, certainly better than by most application layer gateways.

I realize that this is (somewhat) of a religious issue, and don't intend to start any flame wars.... so take this however you want... (grain of salt, packet of pepper, whatever).

Just my 0.02

----------------------------------------------------------------------------
Ryan Mooney                           Phone (602)265-9188
PCSLink           ryan@pcslink.com    Fax   (602)265-9357
Internet Services
The world needs more bitter, twisted souls. It would be a much better place.
-----------------------------------------------------------------------------

From firewalls-owner Fri Oct 4 12:27:11 1996
From: Graham Dougall
To: firewalls
Date: 4 Oct 96 14:44:01 EDT
Subject: UDP 137

gary flynn wrote:

> I'm seeing lots of access violations for UDP 137 which is
> used by Netbios name services. I'm blocking 137-139 from
> the Internet. What I don't understand is why these are trying to
> come in from the Internet destined for machines all over
> campus...some that aren't even running Netbios services (or so
> I'm told).

We are seeing violations for UDP 137 as well. At the same time as the violation we see the same IP address accessing our web site, which is behind the firewall recording the violation. I suspect that the systems at these IP addresses have WINS and/or NETBIOS over IP enabled whether they know it or not. In our case the IP addresses causing the violations appear to belong to ISPs, so I believe that these are dialup users. Thus, when accessing our web site, WINS on their system is confused and attempts to do WINS name resolution using the address of our web site/firewall.

E. Graham Dougall, CISSP, FLMI/ACS, I.S.P.
Manulife Financial

From firewalls-owner Fri Oct 4 12:46:05 1996
From: alan@mindvision.com (Alan Hannan)
To: matkoski@dreamscape.com (Steven E. Matkoski)
Cc: Firewalls@GreatCircle.COM
Date: Fri, 4 Oct 1996 12:58:23 -0500 (CDT)
Subject: Re: cisco 2511 file transfer through firewall.

Hi Steve,

> I am trying to set up a dial-in service for our company and would like
> to know how to handle file transfers between a terminal server and the
> firewall. Here is the layout: I have 4 cisco 2511's connected to the
> perimeter network (ethernet), which is attached to my firewall.

    TS1    TS2    TS3    TS4    RTR-To-World
     |      |      |      |          |
    ======================================
                       |
                   Firewall
                       |
                Internal_Network

> I have
> to support async file transfers (X,Y,Z modem) to an ftp server within
> the secure network, how do terminal servers handle such transfers?

I assume that a serial connection is constructed from the user to the appropriate terminal server. I assume that the user then initiates a telnet from the TS through the firewall to an internal_network server.

If these assumptions are correct, the connection would look like this, on a physical level:

    Term_Prog -> Term_Server -> Firewall -> Internal_Server

Therefore, the traffic _through_ the firewall would pass over the shell session, which I assume to be initiated by telnet, rsh, rlogin, etc...

So, if it goes over the service telnet, rsh, rlogin, there is no difference (from the firewall's perspective) between xmodem traffic over the proxy, or character based terminal traffic. (Obv. routines could be put into the proxy server to catch and disable such traffic, but I don't know of any that filter xmodem, etc...)

> do they convert to ftp? I don't know which ports to open for these
> transfers. Any help is appreciated.

With the system as described above, FTP is not an option. FTP would have to ride on tcp/ip back to the client, and there is no client in the path that talks ftp.
So, you will be using the FTP server as an XModem server, effectively, and the filtering problem moves from a protocol/port basis to a content basis.

$0.02
-alan

From firewalls-owner Fri Oct 4 12:48:04 1996
From: Gerard Hynes - Compusult Limited - Mount Pearl - NF - Canada
To: Firewalls@GreatCircle.COM
Date: Fri, 04 Oct 1996 14:31:33 -0200
Subject: Re: ATM Firewalls

>------------------------------
>Date: Tue, 1 Oct 96 11:26:57 MDT
>From: woods@ucar.edu (Greg Woods)
>Subject: Re: ATM Firewalls
>
>> a three interface system consisting of:
>>
>> - 10 Mbps Ethernet - Inside Interface 1
>> - 155 Mbps ATM (LANE) - Inside Interface 2
>> - 100 Mbps FDDI - Outside Interface
>
>For most of us that I've heard use the term, this is not an "ATM
>firewall". Although I cannot speak for anyone else, I think that to
>call something like this an ATM firewall is deceptive. What *I* mean
>when I use that term is something that can act as a firewall while
>passing packets *at ATM speed*. While I would agree that something that
>can at least pass packets at or close to FDDI speed is worthy of note,
>this is not an "ATM firewall" by any reasonable definition.
>
>- --Greg
>------------------------------

Page 24 of the September 1996 Data Communications issue has a blurb about some work done at the University of Kansas (Lawrence). From the article, they are using TIS's FWTK on DEC Alphas with OC-3 interfaces. Forwarding rate is ~110Mbit/s.

Results of the U. Kansas test are also available at:

http://www.tisl.ukans.edu/aai/reports/aai-perf/

=[gh]=
******************************************************************************
* Gerard Hynes - ghynes@compusult.nf.ca  * Life is what happens while        *
* - Systems Integration Manager -        * you're busy making other          *
* Compusult Limited - Mount Pearl - NF   * plans.                            *
* - URL http://www.compusult.nf.ca -     *                 John Lennon       *
******************************************************************************

From firewalls-owner Fri Oct 4 12:48:28 1996
From: "K.M. Goertzel"
To: firewalls@GreatCircle.COM
Date: Fri, 4 Oct 96 13:22:27 -0400
Subject: Re: Gauntlet vs. Sidewinder

In message <199610031155.HAA30042@maddie.atlantic.com> Rick Romkey writes:

> 1) it must support the services that you need
> 2) it must be affordable
> 3) it must be secure
> 4) it has to make sense

It would seem that one of the considerations when selecting between products that meet requirement #3 above is that one way of "assuring" that the underlying operating system is as secure as the vendor claims it is would be to have an *independent* evaluation of the security of that operating system, instead of simply relying on the vendor's word that their method of "hardening" the OS - either using chroot or type enforcement - actually results in a "hacker-resistant" operating system. It would seem to me that a firewall that runs on an NSA evaluated operating system would at least provide that kind of independent "seal of approval".

Of course, SCC have had a lot of experience building operating systems that are designed to be trustworthy. But they have yet to receive an NSA or ITSEC evaluation of their operating system. They might argue that such an evaluation is unnecessary. My feeling is that the NSA evaluation in this context is no different than a UL or Good Housekeeping seal on a household appliance. It's just one more way of knowing that experts who don't have a vested interest in the market success of the product have assured the truth of the product's security claims.

For this reason, when considering requirement #3 above, I'd tend to look at a CyberGuard running on the B1 *evaluated* Nighthawk operating system.
Absent a covert channel analysis on *any* of these firewall operating systems - at least for now - I'd feel warmer and fuzzier about the OS security claims made on behalf of Nighthawk than the claims made on behalf of the Sidewinder OS - at least until I've seen the certification and accreditation paperwork that comes out of the NSA's MISSI programme that will be using Sidewinder for some of its single-level X.400 firewalls.

Now, can someone explain to me why Sidewinder doesn't appear on the NCSA's list of "blessed" firewalls - at least it doesn't according to the press release I received?

=====
K.M. Goertzel * Manager, Business Development
Secure Systems & Services Operation * WANG FEDERAL, Inc.
tel (703)827 3914 * fax (703)827 3161 * email goertzek@wangfed.com
"An elephant: a mouse built to government specifications" - Robert Heinlein

From firewalls-owner Fri Oct 4 14:27:03 1996
From: Richard Stiennon
To: jeromie@garrison.com (Hmm)
Cc: bdboyle@erenj.com, barbara@us.checkpoint.com, firewalls@GreatCircle.COM
Date: Fri, 04 Oct 1996 15:26:01 -0400
Subject: Re: Gauntlet vs. Sidewinder

At 07:07 PM 10/2/96 CDT, Hmm wrote:
>
> I would be interested in hearing how checkpoint is securing their
> customers from SMTP based attacks!
> From what I have seen, they simply pass it
> through to a mail machine... If that mail machine happens to be running
> Sendmail 4.1, the attacker can blow holes right through the perimeter....?

Well, how about not allowing telnet to the mail server? hmmm...

----------------------------------------------------------------------------
Richard Stiennon                          richards@netrex.com
Director, Business Development            http://www.netrex.com
Netrex, Inc.                              Voice: 810-352-9643
Southfield, Michigan                      Fax:   810-352-2375
-----------------------------------------------------------------------------
Providing businesses and organizations with secure Internet solutions.

From firewalls-owner Fri Oct 4 15:38:49 1996
From: mcruz@bracco.com (Michael Cruz)
To: firewalls@greatcircle.com, Mr Maurice SEILER
Date: Fri, 4 Oct 1996 16:14:16 -0400
Subject: Re: WinFrame by CITRIX

We use it. Works well on the local LAN and via dial-up 14400 or 28800. We've not tried going through the firewall. No need to yet. I'm not the WINFRAME guru around here, but you should only have to open the WINFRAME port (1494) through your firewall.
It rides on TCP/IP so whatever procedure you use now will work the same way for WINFRAME. I'm not sure of any other implications of this. I'd be leery of doing it.

mike

Michael W. Cruz
BRACCO Diagnostics Inc.
Princeton, New Jersey
mcruz@bracco.com

______________________________ Reply Separator _________________________________
Subject: WinFrame by CITRIX
Author: Mr Maurice SEILER at *Internet*
Date: 10/4/96 7:49 PM

Hi!,

Does somebody know something about WINFRAME by CITRIX? (Sort of X-terminal by M$)
Any known security problems?
How does this go through the FireWall?

Thanks,
Maurice

From firewalls-owner Sat Oct 5 17:27:18 1996
From: Tony Iannotti
To: Mr Maurice SEILER
Cc: Firewalls
Date: Fri, 4 Oct 1996 15:59:03 -0400 (EDT)
Subject: Re: WinFrame by CITRIX

On Fri, 4 Oct 1996, Mr Maurice SEILER wrote:

> Does somebody know something about WINFRAME by CITRIX? (Sort of X-terminal by M$)

We've been evaluating it here; it's not really an X-terminal per se, though it can deliver Windows programs or the whole NT desktop to an X window... It's more like a multi-user version of NT. (Also, not by MS, though based on licensed code.)

> Any known security problems?

Seems to be a few revs behind NT, 3.51 with only one service pack I think, so it's really the same as NT. Add to that the fact that (if running on X at least) everything is in the clear.

> How does this go through the FireWall?

This I couldn't say, we don't let it.

_________________________________________________________________________
Tony Iannotti                 "Sed quis custodiet ipsos custodes?"
Security APL                  tony@secapl.com                -Juvenal
101 Hudson Street             201/332-2020
Jersey City, NJ 07302

From firewalls-owner Sat Oct 5 17:31:39 1996
From: Shahryar Jahangir
Organization: Bear Stearns
To: Irwin Lazar
Cc: firewalls@greatcircle.com
Date: Fri, 04 Oct 1996 15:37:15 -0400
Subject: Re: Small network Firewall

Irwin,

All the firewalls discussed on this group can be implemented. I would suggest using a Netra as your firewall and running FW-first or FW-light from checkpoint sftwr. It can do everything you are looking for. I must admit that Gauntlet will also do the job, but with a complete SUN solution right out of the box, what could be easier?

luck
sj

Irwin Lazar wrote:
>
> Greetings all. I am working on a project to increase the security on a
> small LAN (less than 20 users). This LAN has a live connection to the
> internet via a 56Kb Frame Relay pipe.
>
> So far the requirements are to set up an internal web server that can't be
> accessed from the Internet, to prevent SNMP scans from the Internet, to
> prevent Telnet from the internet, and to prevent IP Spoofing. There is also
> a requirement for reporting break-ins to a syslog server. An external web
> server and FTP server will also be set up running NT 4.0.
>
> I've been looking at using private addressing on the LAN with a NAT between
> the LAN and a DMZ. The NAT will be a Cisco 2500 running their new 11.2.1
> release. There will also be a Cisco 2500 between the Internet and the DMZ.
> I will be using the Ciscos as network layer firewalls by using extended IP
> Access lists.
>
> Are there any application layer firewalls out there that would be useful
> for a small LAN such as this? Can anyone recommend a few to look at? Does
> the above plan sound coherent?
>
> Also, in an unrelated request, does anyone know of a good Windows NT mailing
> list or perhaps a place that holds a list of mailing lists?
>
> Thanks,
> Irwin Lazar
> Network Evolutions, Inc.
-- ........................................... " Is there a God ? I don't know, the computer is down !" Shahryar Jahangir Information Services Bear Stearns & Co. Inc. 245 Park Avenue New York, NY 10167 email: sj@bear.com Tel: 212 272 7764 Fax : 212 499 6977 ........................................... -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From firewalls-owner Sat Oct 5 17:58:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA08179 for firewalls-outgoing; Fri, 4 Oct 1996 13:32:10 -0700 (PDT) Received: from kcpgw2.kcp.com (kcpgw2.kcp.com [198.62.69.67]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA07941 for ; Fri, 4 Oct 1996 13:31:00 -0700 (PDT) Received: by kcpgw2.kcp.com id AA03154 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Fri, 4 Oct 1996 15:30:29 -0500 Message-Id: <199610042030.AA03154@kcpgw2.kcp.com> Received: by kcpgw2.kcp.com (Protected-side Proxy Mail Agent-2); Fri, 4 Oct 1996 15:30:29 -0500 Received: by kcpgw2.kcp.com (Protected-side Proxy Mail Agent-1); Fri, 4 Oct 1996 15:30:29 -0500 Mime-Version: 1.0 Date: Fri, 4 Oct 1996 15:25:09 -0500 From: dharris@kcp.com (Delmer Harris) Subject: Re: Financial transactions and firewalls. To: firewalls@greatcircle.com, Colin Campbell Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Colin/list: The "gentleman" in question has many brothers and sisters in other fields. 
I have only been at this firewall stuff for about three years and I have already had to fight off three requests for "just a tiny hole" in my firewall so we could use the latest "firewall unaware" application that we just _had_ to have. In each case the application developer was aghast when I suggested that the product would be much more useful if it was firewall aware _and_ based on a standard ("well understood") protocol like telnet, http, or ftp.

Keep fighting the good fight. If it isn't firewall aware it probably isn't security aware either.

BTW: From a class I took at Interop I got the impression that SET is not incompatible with firewalls because it rides on top of other protocols which firewalls can handle. Is this impression correct?

Delmer D. Harris
dharris@kcp.com

______________________________ Reply Separator _________________________________
Subject: Financial transactions and firewalls.
Author: Colin Campbell at INTERNET-MAIL
Date: 10/3/96 4:14 PM

Hi,

I recently spent several hours (yes, hours!) on the phone discussing the relative merits of my "stupid firewall philosophy" with a gentleman representing a company implementing secure financial services on the Internet. His service, if I understood correctly, was based on (something like?) SWIFT, which has been in use in Europe for 15-20 years by many large financial institutions and therefore was not going to be changed quickly, if at all.

My firewall was stupid (based on fwtk) because it put proxies in between my inside hosts and external servers. Furthermore, any firewall that did any sort of network address translation or proxying was brain-dead. (My interpretation of his statements.) Why? Because his software passed an identifying "ticket" with every packet. This ticket comprised an encrypted date+time, the IP address of the client machine and some other stuff. When the server saw a packet from a host whose IP address did not match that in the ticket, alarm bells would sound and the fraud squad would be on the doorstep within minutes.

When I suggested to him that 80% (just guessing, so be nice to me) of the firewalls outside of the financial world use NAT and/or proxies he scoffed at the prospect, suggesting that people using such stupid technologies were going to miss out on the upcoming revolution about to hit the Internet with secure financial transactions that would not work through such firewalls. He also mentioned the "new Microsoft software" several times (anyone know which?).

Does anyone have any comments on this guy's philosophy, or mine for that matter? I would especially like to hear from anyone who's been following the development of secure financial transactions (SET comes to mind, right track?) and how these systems are expected to operate through "stupid firewalls" like mine.

Colin

From firewalls-owner Sat Oct 5 18:05:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA18198 for firewalls-outgoing; Fri, 4 Oct 1996 14:48:33 -0700 (PDT)
Received: from user1.scranton.com (user1.scranton.com [204.186.119.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA18154 for ; Fri, 4 Oct 1996 14:48:19 -0700 (PDT)
Received: from localhost (moroni@localhost) by user1.scranton.com (8.6.12/8.6.9) with SMTP id RAA02750 for ; Fri, 4 Oct 1996 17:54:18 -0400
X-Authentication-Warning: user1.scranton.com: moroni owned process doing -bs
Date: Fri, 4 Oct 1996 17:54:18 -0400 (EDT)
From: Moroni
To: firewalls@GreatCircle.COM
Subject: Pumpcon
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been busy and may have missed an announcement on the Pumpcon, so could anyone tell me what hotel in Philly it is this year? Also, is it open invitation?
Please respond by email to me personally rather than taking up bandwidth.

Thanks in Advance

From firewalls-owner Sat Oct 5 18:12:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA29722 for firewalls-outgoing; Fri, 4 Oct 1996 16:06:49 -0700 (PDT)
Received: from Fox.nstn.ca (fox.nstn.ca [137.186.128.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA29678 for ; Fri, 4 Oct 1996 16:06:29 -0700 (PDT)
Received: from 204.191.136.4.istar.ca (ts1-11.ott.iSTAR.ca [204.191.144.31]) by Fox.nstn.ca (8.7.5/8.7.3) with SMTP id UAA22262; Fri, 4 Oct 1996 20:04:59 -0300 (ADT)
Date: Fri, 4 Oct 1996 20:04:59 -0300 (ADT)
Message-Id: <199610042304.UAA22262@Fox.nstn.ca>
X-Sender: champ@fox.nstn.ca
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Adam Shostack
From: "L. Champagne"
Subject: Re: NT FTPd?
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You could use IIS (Internet Information Service) from Microsoft. Version 1.0 runs well on NT 3.5.1; version 2.0 is out and runs on NT 4.0 (actually it comes with NT 4.0). It's free and has three services: gopher, ftp and http. It's simple and integrates with the OS. Start/Stop (un)desired services.

Also heard good comments about FTP Serv-U. Go to www.altavista.digital.com and search: serv-u.

Lyn Champagne
"Knowing more than one language is an asset; knowing when to shut up is of equal value."

At 22:26 10/03/96 -0500, you wrote:
>(Cross posted to Firewalls, ntsec)
>
>I'm looking for a FTP server to run on Windows NT.
>
>My criteria are:
>
>* Claims to offer security
>* Can provide ability to prevent moving up a directory tree. (chroot)
>* Can use NT login mechanisms to control login & activity as
>different users.
>
>Source would be nice. Free would be nice, but a downloadable demo
>version is a must for pay software.
>
>Please respond to me, and I'll summarize.
>
>
>Adam
>--
>"Every year the Republicans campaign like Libertarians, and then go to
>Washington and spend like Democrats."
>
>Vote Harry Browne for President. http://www.harrybrowne96.org
>
>
>
>
>

From firewalls-owner Sat Oct 5 18:26:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA14042 for firewalls-outgoing; Fri, 4 Oct 1996 17:27:10 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA09122 for ; Fri, 4 Oct 1996 17:01:10 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id QAA07121; Fri, 4 Oct 1996 16:59:28 -0700
Received: from nic.incolumitas.se(194.52.80.4) by mycroft via smap (V1.3mjr) id sma007099; Fri Oct 4 16:59:11 1996
Received: (from rom@localhost) by nic.incolumitas.se (8.7.5/8.7.3) id CAA10384; Sat, 5 Oct 1996 02:04:11 +0200 (MET DST)
Date: Sat, 5 Oct 1996 02:04:11 +0200 (MET DST)
From: Robert Malmgren
Message-Id: <199610050004.CAA10384@nic.incolumitas.se>
To: genel@inforamp.net, peter@baileynm.com
Subject: Re: [NTSEC] Re: NT FTPd?
Cc: ntsecurity@iss.net, firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: 8d+sJMLi8rn2r/7If9gsRg==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From owner-ntsecurity@iss.net Fri Oct 4 23:27 MET 1996
> From: peter@baileynm.com (Peter da Silva)
> Subject: [NTSEC] Re: NT FTPd?
> To: genel@inforamp.net (Gene Lee)
> Date: Fri, 4 Oct 1996 08:38:53 -0500 (CDT)
> Cc: ntsecurity@iss.net, firewalls@GreatCircle.COM
>
> On Thursday, October 03, 1996 6:26 PM, Adam Shostack[SMTP:adam@homeport.org] wrote:
> >I'm looking for a FTP server to run on Windows NT.
> >
> >* Claims to offer security
>
> The FTP protocol has no security capability. If you want security, don't use
> FTP. See if there's an ssh server for NT and use scp, or use HTTPS/SSL.
>

Well... this is not completely true. There has been a draft RFC on how to negotiate secure authentication and a secure session. There are a number of implementations of this as well. I have a kerberized version of FTP that uses these features. Unfortunately there is no port of it to NT; I just use it on UNIX boxes so far. But the source for a neat Kerberos package that includes this and more network utils just sits in ftp.nada.kth.se:/pub/krb/src waiting for someone to port it ;-)

But the _vanilla_ version of FTP is, as you point out, rather insecure...

piraya$ /usr/athena/bin/ftp spam
Connected to spam
220 spam FTP server (Version 6.00) ready.
Trying KERBEROS_V4...
Kerberos login successful.
Name (spam:rom):
P:232 User rom logged in.
Remote system type is UNIX.

--
Robert

From firewalls-owner Sat Oct 5 18:26:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA13141 for firewalls-outgoing; Fri, 4 Oct 1996 13:59:27 -0700 (PDT)
Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA13094 for ; Fri, 4 Oct 1996 13:59:05 -0700 (PDT)
Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id OAA10278; Fri, 4 Oct 1996 14:57:33 -0600
Received: from beckio.precise.ab.ca(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.Plugh.edmonton.ab.ca, id smtpd10276aaa; Fri Oct 4 14:57:25 1996
Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id OAA02912; Fri, 4 Oct 1996 14:57:29 -0600
From: Bob Beck
Message-Id: <199610042057.OAA02912@snouts.obtuse.com>
Subject: Re: smtp and auth
To: raf@ezunx.com (rich)
Date: Fri, 4 Oct 1996 14:57:27 -0600 (MDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "rich" at Oct 4, 96 09:43:48 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>
> What would cause SOME mail servers to send back a AUTH/113 connection before
> allowing mail to be sent? Also, it seems to be random. In other words, some
> servers do it sometimes but other times they do not. Since I am blocking
> all connection requests from the outside in, this causes some of my internal
> mail servers to hang from time to time. When I looked at the firewall logs,
> I see SYN's coming from the mail server at the other end trying port 113.
> Any hints?
>

Sendmail and others (as well as the tcp wrappers) can be configured to shoot connecting beasts with an ident request. It should (if they have it configured right) just time out and proceed, but ya never know. It's of dubious value on external SMTP connections, but different strokes for different folks; it's how some people set up their world.

Your mail server probably shouldn't "hang" on these types of requests. It should just give up after a reasonable amount of time, so you might want to take a look at what your mail server is doing when talking to a catatonic server. It should hopefully give up and die.

Failing that, you can just open up ident to your mail machine, and put a dumb ident daemon on it that answers all requests with "xxxx" or something if you don't feel like giving out any information. Doing that is basically harmless (done right anyway).
-Bob

From firewalls-owner Sat Oct 5 18:57:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA28161 for firewalls-outgoing; Fri, 4 Oct 1996 21:10:19 -0700 (PDT)
Received: from morbius.softiron.com ([199.233.153.120]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA28154 for ; Fri, 4 Oct 1996 21:10:09 -0700 (PDT)
From: woody@softiron.com
Received: by morbius.softiron.com (SMI-8.6/SMI-SVR4) id VAA03507; Fri, 4 Oct 1996 21:07:49 -0700
Date: Fri, 4 Oct 1996 21:07:49 -0700
Message-Id: <199610050407.VAA03507@morbius.softiron.com>
To: raf@ezunx.com
CC: firewalls@greatcircle.com
In-reply-to: (message from rich on Fri, 4 Oct 96 09:43:48)
Subject: Re: smtp and auth
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

   Date: Fri, 4 Oct 96 09:43:48

   What would cause SOME mail servers to send back a AUTH/113 connection before
   allowing mail to be sent? Also, it seems to be random. In other words, some
   servers do it sometimes but other times they do not.

I had xinetd query remote authorization for acceptance of mail when I was running an smtp server in a dangerous area. Perhaps that is what you are seeing: the remote site wants some indication that a user isn't trying to trivially spoof mail.

No idea why the hosts would not do this consistently, though. All my models suggest they should do this all the time.

--woody
--
Robert Wooddell Weaver          email: robertw@softiron.com
Senior Systems Engineer         voice: 510.855.2072
SoftIRON Systems                pager: 510.702.4334
alpha page at: http://www.metrocall.com/Page.html

From firewalls-owner Sat Oct 5 19:00:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA29383 for firewalls-outgoing; Fri, 4 Oct 1996 21:17:40 -0700 (PDT)
Received: from minotaur.labyrinth.net.au (minotaur.labyrinth.net.au [203.9.148.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA29374 for ; Fri, 4 Oct 1996 21:17:23 -0700 (PDT)
Received: (from mail@localhost) by minotaur.labyrinth.net.au (8.7.2/8.7.2) id OAA02790; Sat, 5 Oct 1996 14:20:09 +1000 (EST)
X-Authentication-Warning: minotaur.labyrinth.net.au: mail set sender to using -f
Received: from gate.quick.com.au(203.12.250.130) by minotaur.labyrinth.net.au via smap (V1.3) id sma002771; Sat Oct 5 14:19:43 1996
Received: (from sjg@localhost) by zen.quick.com.au (8.7.3/8.6.9) id OAA20126; Sat, 5 Oct 1996 14:18:44 +1000 (EST)
Date: Sat, 5 Oct 1996 14:18:44 +1000 (EST)
From: "Simon J. Gerraty"
Message-Id: <199610050418.OAA20126@zen.quick.com.au>
To: mchatel@dial.oleane.com
Cc: firewalls@greatcircle.com
Subject: Re: Need volunteer FTP archive site to host new security software
Newsgroups: lists.firewalls
References: <1.5.4.32.19961003205647.00698e6c@pop.dial.oleane.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Marc Chatel writes:
> S4 is best described as "a security glueware compromise". The goal of S4
>is to minimize the time necessary to accomplish the following:

>The installer spends most of that time pressing "Y", "N", and RETURN to accept

>Although it currently runs on only one platform (OSF/Digital Unix on Alpha),

You might like to have a look at ftp://ftp.quick.com.au/pub/unix/config-sh.cpio.Z which is a very generic tool for doing this sort of thing, with no user interaction required.
Indeed, I've used it quite a bit for building firewall bastions (like a cookie cutter). It's all written in Bourne shell and is quite portable (*BSD, SunOS, Solaris, IRIX, and even HP-UX[*], all known to work); on Solaris, it also takes care of installing patches. You can build a single config tree that supports multiple systems and architectures. ftp://ftp.quick.com.au/pub/unix/config-example.cpio.Z is a subset of my configs tree here and contains many useful bits of shell script etc. No, it does not contain the bastion configs :-)

For more detail, see http://www.quick.com.au/FreeWare/

--sjg

From firewalls-owner Sat Oct 5 19:13:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA07626 for firewalls-outgoing; Fri, 4 Oct 1996 19:32:33 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA06969 for ; Fri, 4 Oct 1996 19:30:46 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id SAA08865; Fri, 4 Oct 1996 18:13:03 -0700
Received: from mail13.digital.com(192.208.46.30) by mycroft via smap (V1.3mjr) id sma008858; Fri Oct 4 18:12:50 1996
Received: from whyvms.ako.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV) id VAA25811; Fri, 4 Oct 1996 21:09:06 -0400 (EDT)
Received: from isbu-mail.ljo.dec.com by whyvms.ako.dec.com (5.65/MS-010395) id AA12210; Fri, 4 Oct 1996 21:07:28 -0400
Received: from tun-26.imc.das.dec.com [16.136.208.26] (HELO ccstest44) by isbu-mail.ljo.dec.com (AltaVista Mail V1.0/1.0 BL17 listener) id 0000_0042_3255_b548_d4b2; Fri, 04 Oct 1996 21:09:28 -0400
Message-Id: <1.5.4.32.19961005015131.006c5a8c@isbu-mail.ljo.dec.com>
X-Sender: jim.lester@isbu-mail.ljo.dec.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 04 Oct 1996 20:51:31 -0500
To: "Steven E. Matkoski" , Firewalls@GreatCircle.COM
From: Jim Lester
Subject: Re: async file transfers through firewall, how?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You can do this with Digital's Altavista tunnels. Go to the URL shown in my signature, page down and enter the frames or no-frames product section, click on products and tunnel. Download a whitepaper or an eval copy of the product.

Good luck.

At 10:28 AM 10/4/96 -0400, Steven E. Matkoski wrote:
>I have the requirement to allow async users to transfer files to a ftp
>server. The async users connect to cisco 2511's which are connected to
>a perimeter network where the firewall is connected. I want the user
>to start a file transfer (x,y,z modem) and have the terminal server
>convert to ftp which would be filtered by the firewall. Has anyone
>tried anything like this? or have any ideas if it possible?
>
>--
>
>Thanks!
>-steve.
>matkoski@dreamscape.com
>

Jim Lester, Business Alliance Manager
Altavista Internet Software
Digital Equipment Corporation
http://altavista.software.digital.com
voice: 404.843.9645

From firewalls-owner Sat Oct 5 19:20:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA20542 for firewalls-outgoing; Fri, 4 Oct 1996 20:26:38 -0700 (PDT)
Received: from mail13.digital.com (mail13.digital.com [192.208.46.30]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA15110 for ; Fri, 4 Oct 1996 20:03:08 -0700 (PDT)
Received: from whyvms.ako.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV) id WAA11997; Fri, 4 Oct 1996 22:55:52 -0400 (EDT)
Received: from isbu-mail.ljo.dec.com by whyvms.ako.dec.com (5.65/MS-010395) id AA12257; Fri, 4 Oct 1996 21:12:49 -0400
Received: from tun-26.imc.das.dec.com [16.136.208.26] (HELO ccstest44) by isbu-mail.ljo.dec.com (AltaVista Mail V1.0/1.0 BL17 listener) id 0000_0042_3255_b68f_d555; Fri, 04 Oct 1996 21:14:55 -0400
Message-Id: <1.5.4.32.19961005015658.006c5218@isbu-mail.ljo.dec.com>
X-Sender: jim.lester@isbu-mail.ljo.dec.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 04 Oct 1996 20:56:58 -0500
To: Irwin Lazar , firewalls@GreatCircle.COM
From: Jim Lester
Subject: Re: Small network Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Irwin, go to altavista.software.digital.com and download an eval copy of Digital's AltaVista firewall for NT or Unix. Both are NCSA certified. Look at Altavista tunnels if you also want a means of providing rock solid (128bit RSA RC4 encryption) for user access outside the firewall.

At 10:11 AM 10/4/96 -0400, Irwin Lazar wrote:
>Greetings all. I am working on a project to increase the security on a
>small LAN (less than 20 users). This LAN has a live connection to the
>internet via a 56Kb Frame Relay pipe.
>
>So far the requirements are to set up an internal web server that can't be
>accessed from the Internet, to prevent SNMP scans from the Internet, to
>prevent Telnet from the internet, and to prevent IP Spoofing. There is also
>a requirement for reporting break-ins to a syslog server. An external web
>server and FTP server will also be setup running NT 4.0.
>
>I've been looking at using private addressing on the LAN with a NAT between
>the LAN and a DMZ. The NAT will be a Cisco 2500 running their new 11.2.1
>release. There will also be a Cisco 2500 between the Internet and the DMZ.
>I will be using the Cisco's as network layer firewalls by using extended IP
>Access lists.
>
>Are there any application layer firewalls out there that would be useful
>for a small LAN such as this? Can anyone recommend a few to look at? Does
>the above plan sound coherent?
>
>Also, in an unrelated request, does anyone know of a good Windows NT mailing
>list or perhaps a place that holds a list of mailing lists?
>
>Thanks,
>Irwin Lazar
>Network Evolutions, Inc.
>
>

Jim Lester, Business Alliance Manager
Altavista Internet Software
Digital Equipment Corporation
http://altavista.software.digital.com
voice: 404.843.9645

From firewalls-owner Sat Oct 5 19:41:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15424 for firewalls-outgoing; Sat, 5 Oct 1996 06:28:59 -0700 (PDT)
Received: from internet_host (internet_host.spmu.rssi.ru [194.85.234.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA11999 for ; Sat, 5 Oct 1996 06:10:53 -0700 (PDT)
Received: from proliant.spmu.rssi.ru by internet_host (NTMail 3.01.03) id na030745; Sat, 5 Oct 1996 15:47:53 +0300
Message-ID: <32564B8D.4796@spmu.rssi.ru>
Date: Sat, 05 Oct 1996 15:50:37 +0400
From: Lawrence Beobachter
X-Mailer: Mozilla 2.0 (WinNT; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: DMZ server
References: <2.2.32.19961003154359.00769410@pop-srvr>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Info: Evaluation version at internet_host
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello!

I saw this term here several times in connection with bastion host. What does this acronym mean?

From firewalls-owner Sat Oct 5 19:57:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA19448 for firewalls-outgoing; Sat, 5 Oct 1996 17:57:47 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA25866 for ; Sat, 5 Oct 1996 07:28:19 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id KAA09000; Sat, 5 Oct 1996 10:33:53 -0500
From: Adam Shostack
Message-Id: <199610051533.KAA09000@homeport.org>
Subject: Re: NT FTPd?
To: Russ.Cooper@RC.Toronto.on.ca (Russ)
Date: Sat, 5 Oct 1996 10:33:52 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Russ" at Oct 5, 96 09:42:31 am
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ wrote:

| The IIS FTPd can do authentication using Windows NT accounts from the
| server's SAM database. It's important to note that these logins will be
| sent in clear text, so someone sniffing could get valid NT User account
| information by watching an FTP login sequence.

That's part of the FTP protocol, but thanks for pointing it out. The accounts will hopefully be tied down so that they can only ftp, so the sniffing is less of a problem.

| The .. bug that plagued the earlier FTPd has long been fixed in the IIS
| FTPd, and today, the IIS FTPd is considered quite stable and secure. It

When I say software is secure, I usually mean that I've done a design review and a source inspection of it. If I can't do the source review I examine binaries with a debugger and other tools (strings, ar, nm, ldd are all useful) to try to get an idea of what it can do. I also run it under a monitor (truss, ktrace, trace) and watch what it does. Doing these things builds my confidence level that it doesn't make any nasty calls.

Many people have told me that the IIS ftpd is secure, and I'm wondering what generates that confidence.

--
"Every year the Republicans campaign like Libertarians, and then go to
Washington and spend like Democrats."

Vote Harry Browne for President. http://www.harrybrowne96.org

From firewalls-owner Sat Oct 5 20:11:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA17241 for firewalls-outgoing; Sat, 5 Oct 1996 17:28:05 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA07060 for ; Fri, 4 Oct 1996 19:30:59 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id SAA09212; Fri, 4 Oct 1996 18:21:27 -0700
Received: from mail13.digital.com(192.208.46.30) by mycroft via smap (V1.3mjr) id sma009184; Fri Oct 4 18:20:49 1996
Received: from whyvms.ako.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV) id VAA29051; Fri, 4 Oct 1996 21:17:47 -0400 (EDT)
Received: from isbu-mail.ljo.dec.com by whyvms.ako.dec.com (5.65/MS-010395) id AA12289; Fri, 4 Oct 1996 21:16:09 -0400
Received: from tun-26.imc.das.dec.com [16.136.208.26] (HELO ccstest44) by isbu-mail.ljo.dec.com (AltaVista Mail V1.0/1.0 BL17 listener) id 0000_0042_3255_b751_d5db; Fri, 04 Oct 1996 21:18:09 -0400
Message-Id: <1.5.4.32.19961005020012.006c8938@isbu-mail.ljo.dec.com>
X-Sender: jim.lester@isbu-mail.ljo.dec.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 04 Oct 1996 21:00:12 -0500
To: "Steven E. Matkoski" , Firewalls@GreatCircle.COM
From: Jim Lester
Subject: Re: cisco 2511 file transfer through firewall.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steve,

Digital's AltaVista Tunnels will allow your folks access through your firewall and into your intranet for ftp, web, mail, telnet and file and print services. The tunnels provide 512bit authentication and 128bit RSA RC4 encryption of all traffic. The cost is about $150 per user, turnkey. Go to the URL in my address line to download an eval copy.

At 10:08 AM 10/4/96 -0400, Steven E. Matkoski wrote:
>I am trying to set up a dial-in service for our company and would like
>to know how to handle file transfers between a terminal server and the
>firewall. Here is the layout: I have 4 cisco 2511's connected to the
>perimeter network (ethernet), which is attached to my firewall. I have
>to support async file transfers (X,Y,Z modem) to a ftp server within
>the secure network, how do terminal servers handle such transfers?
>do they convert to ftp? I don't know which ports to open for these
>transfers. Any help is appreciated.
>
>--
>
>Thanks!
>-steve.
>matkoski@dreamscape.com
>

Jim Lester, Business Alliance Manager
Altavista Internet Software
Digital Equipment Corporation
http://altavista.software.digital.com
voice: 404.843.9645

From firewalls-owner Sat Oct 5 20:14:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA18168 for firewalls-outgoing; Sat, 5 Oct 1996 17:34:46 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA07105 for ; Fri, 4 Oct 1996 19:31:06 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id SAA09219; Fri, 4 Oct 1996 18:21:27 -0700
Received: from mail13.digital.com(192.208.46.30) by mycroft via smap (V1.3mjr) id sma009187; Fri Oct 4 18:20:59 1996
Received: from whyvms.ako.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV) id VAA20894; Fri, 4 Oct 1996 21:19:43 -0400 (EDT)
Received: from isbu-mail.ljo.dec.com by whyvms.ako.dec.com (5.65/MS-010395) id AA12318; Fri, 4 Oct 1996 21:18:04 -0400
Received: from tun-26.imc.das.dec.com [16.136.208.26] (HELO ccstest44) by isbu-mail.ljo.dec.com (AltaVista Mail V1.0/1.0 BL17 listener) id 0000_0042_3255_b7d2_d60b; Fri, 04 Oct 1996 21:20:18 -0400
Message-Id: <1.5.4.32.19961005020221.006c2550@isbu-mail.ljo.dec.com>
X-Sender: jim.lester@isbu-mail.ljo.dec.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 04 Oct 1996 21:02:21 -0500
To: "Steven E. Matkoski" , Firewalls@GreatCircle.COM
From: Jim Lester
Subject: Re: cisco 2511 file transfer through firewall.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steve,

(Oops! The prior email made it sound like the eval was $150. The eval is of course free! Sorry!)

Digital's AltaVista Tunnels will allow your folks access through your firewall and into your intranet for ftp, web, mail, telnet and file and print services. The tunnels provide 512bit authentication and 128bit RSA RC4 encryption of all traffic. The cost is about $150 per user, turnkey. Go to the URL in my address line to download a free eval copy.

At 10:08 AM 10/4/96 -0400, Steven E. Matkoski wrote:
>I am trying to set up a dial-in service for our company and would like
>to know how to handle file transfers between a terminal server and the
>firewall. Here is the layout: I have 4 cisco 2511's connected to the
>perimeter network (ethernet), which is attached to my firewall. I have
>to support async file transfers (X,Y,Z modem) to a ftp server within
>the secure network, how do terminal servers handle such transfers?
>do they convert to ftp? I don't know which ports to open for these
>transfers. Any help is appreciated.
>
>--
>
>Thanks!
>-steve.
>matkoski@dreamscape.com
>

Jim Lester, Business Alliance Manager
Altavista Internet Software
Digital Equipment Corporation
http://altavista.software.digital.com
voice: 404.843.9645

From firewalls-owner Sat Oct 5 20:32:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA20596 for firewalls-outgoing; Sat, 5 Oct 1996 18:05:13 -0700 (PDT)
Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA00693 for ; Sat, 5 Oct 1996 07:57:18 -0700 (PDT)
Received: from pm2-14.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA09342; Sat, 5 Oct 96 09:54:19 -0400
Date: Sat, 5 Oct 96 09:54:19 -0400
Message-Id: <9610051354.AA09342@su1.in.net>
X-Sender: frankw@in.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.com
From: Frank Willoughby
Subject: Re: Gauntlet vs. Sidewinder
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:22 PM 10/4/96 -0400, "K.M. Goertzel" allegedly wrote:
>Now, can someone explain to me why Sidewinder doesn't appear on the NCSA's list
>of "blessed" firewalls - at least it doesn't according to the press release I
>received?

I could venture a guess - they don't feel there is any added value in being added to NCSA's list and I would agree with their choice. A cursory examination of the firewalls which made it into the list would tend to support my conclusion. Many (can we spell most) of the firewalls mentioned in their list are susceptible to a couple of types of attacks. Also, of all of the firewalls on their list, there are only one or two that I would consider recommending to a client.

This brings me to another subject. Several companies have been getting into the business of "certifying" firewalls and from what I have seen so far, I'm rather underwhelmed at the results.
Some companies will run the satan/santa or other product against a firewall and then "certify" it - if the firewall passes the test. IMHO, the free satan/santa tool is vastly overrated and will (at best) tell you if the sysadmin has made a feeble attempt in keeping up with the CERT advisories and has been trying to keep the patches current. This is a far cry from the ability to protect the corporation's networks from an attack by a determined hacker over the Internet.

While I am not really wild about firewall certifications, nor am I thrilled about the apparent conflict-of-interest issues surrounding the certifications, my main gripe is with the methodologies used to approve the firewalls. Personally, I would recommend that they re-examine the methodologies and come up with better tests.

FWIW, Marcus Ranum wrote a good article about "firewall certifications". Last time I checked, it could be found on V-ONE's home page.

>K.M. Goertzel * Manager, Business Development
>Secure Systems & Services Operation * WANG FEDERAL, Inc.
>tel (703)827 3914 * fax (703)827 3161 * email goertzek@wangfed.com
>
>"An elephant: a mouse built to government specifications"
> - Robert Heinlein

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature. -- Rich Kulawiec

The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com
Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist

From firewalls-owner Sat Oct 5 20:41:54 1996
Date: Sat, 5 Oct 1996 21:56:48 -0400 (EDT)
From: Rabid Wombat
To: John J McMahon
Cc: firewalls@GreatCircle.COM
Subject: Re: ATM Firewalls
In-Reply-To: <32513C32.13728473@tis.com>

I don't doubt this can be built, but I DO wonder how well the firewall was able to keep up with the load. Do you have any info on the performance?

TIA
-r.w.

On Tue, 1 Oct 1996, John J McMahon wrote:
> Dr. Bill Hancock wrote:
> > (edited)
> > FYI, there were two refereed papers on high-speed firewalls
> > delivered at the April 1996 InterOP show in Las Vegas...
>
> FYI -
>
> The Firewall in the NOC at Interop Las Vegas and Atlanta
> this year was partially on ATM. I can't speak for the Las
> Vegas design (I didn't build it), but the Atlanta design was
> a three interface system consisting of:
>
> - 10 Mbps Ethernet - Inside Interface 1
> - 155 Mbps ATM (LANE) - Inside Interface 2
> - 100 Mbps FDDI - Outside Interface
>
> The base system was a Sun SparcStation 20, running SunOS 4.1.4
> and TIS Gauntlet 3.1.1. The FDDI and ATM boards came from
> Interphase.
>
> Cheers,
> John
> --
> John "FuzzFace" McMahon
> Gauntlet Internet Firewall Technical Support
> Support: gauntlet-support@trusted.com, 301-527-9555, 301-527-0482 (fax)
> Pennsic XXV: Cry Havoc... And let slip the golf carts of War...
>

Is this a comment on the "new affluence" of SCA members in the information age? :)

-r.w.

From firewalls-owner Sat Oct 5 21:18:13 1996
Message-Id: <32572de4.mistik@mistik.express.net>
Date: Sat, 05 Oct 1996 23:56:07 -0400
From: "Mustafa Soysal MS57"
To: firewalls@greatcircle.com
Subject: inability of Greatcircle.com

Well folks, I have tried to get off this list by sending messages to majordomo@greatcircle.com which seemed to be maintained by MSen.com at some point which explains why things are broken.

I don't see any other way than start bouncing the mail back for getting off the list.

A company involved in firewalls should be able to find a better internet provider to run their list and even help them protect their machines with firewalls. Something isn't working in that picture ;)

Goodbye!

Mustafa Soysal

From firewalls-owner Sat Oct 5 22:11:36 1996
In-Reply-To: <32572de4.mistik@mistik.express.net>
Date: Sat, 5 Oct 1996 23:57:47 -0600
From: Brent Chapman
To: "Mustafa Soysal MS57", firewalls@greatcircle.com
Cc: mcb@greatcircle.com, postmaster@mistik.express.net, postmaster@express.net
Subject: Re: inability of Greatcircle.com

At 11:56 PM -0400 10/5/96, Mustafa Soysal MS57 wrote:
>Well folks, I have tried to get off this list by sending messages to
>majordomo@greatcircle.com which seemed to be maintained by MSen.com at
>some point which explains why things are broken.

The Firewalls mailing list has never been maintained by anyone other than GreatCircle.COM. Great Circle Associates is not currently, and never has been, a customer, partner, vendor, or any other affiliate of MSen.

I've checked the archive of messages sent to Majordomo@GreatCircle.COM so far this month; we haven't received any containing the strings "mustaafa" or "express.net".

>I don't see any other way than start bouncing the mail back for getting
>off the list.

A petty tantrum of vandalism, in other words. How about something as radical as forwarding copies of the messages you've gotten to me, or to Postmaster@GreatCircle.COM, so that we can take a look at them and maybe figure out what's going on?

>A company involved in firewalls should be able to find a better internet
>provider to run their list and even help them protect their machines
>with firewalls.
>Something isn't working in that picture ;)

We're quite happy with our Internet service provider, thank you, though you seem a little confused as to who that is. We run our own mailing lists, and always have, though you seem certain it is otherwise. Maybe you're not looking at the same picture I am?

>Goodbye!
>
>Mustafa Soysal

Good riddance.

-Brent

----------------------+----------------------------+------------------------
Brent Chapman         | Great Circle Associates    | 1057 West Dana Street
Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041
----------------------+----------------------------+------------------------
Internet Tutorials from the Experts!

From firewalls-owner Sat Oct 5 23:33:00 1996
Date: Fri, 4 Oct 1996 18:57:02 +0100 (MET)
From: Marek Czajko
To: firewalls@GreatCircle.COM
Subject: Re: Welcome to fwtk-users
In-Reply-To: <3221.9610041339@gmap.leeds.ac.uk>
Organization: DSIS&FG WAU Rakowiecka 26/30 02-528 Warsaw Poland

On Fri, 4 Oct 1996, Danny Cox wrote:
> [To unsubscribe from this list send the message "unsubscribe fwtk-users" in the
> BODY of a mail message to majordomo@tis.com.]
>
>
> > [To unsubscribe from this list send the message "unsubscribe fwtk-users" in the
> > BODY of a mail message to majordomo@tis.com.]
> >
>
> Anyone else getting messages with a lot of these in? I've had about ten today so far.
>

I also

---
Marek Czajko ( e-mail: mcj@giswitch.sggw.waw.pl )
( Address, PGP public key: finger info@giswitch.sggw.waw.pl )
---
Department of Spatial Information Systems and Forest Geodesy
Warsaw Agricultural University

From firewalls-owner Sat Oct 5 23:56:32 1996
Message-ID: <32555FE9.1BAD@checkpoint.com>
Date: Fri, 04 Oct 1996 14:05:13 -0500
From: David Helms
Organization: CheckPoint Software Technologies
To: firewalls@greatcircle.com
Subject: [Fwd: Re: Gauntlet vs. Sidewinder]

Joav,

I disagree with the concept of ever letting anyone connect to the firewall unless it provides significant value. Stateful inspection lets you route through the firewall securely without ever having to connect to the firewall.
David

--
__________________________________
David Helms
Senior Technical Consultant
CheckPoint Software Technologies
ph 703.684.4824 fx 703.684.4847
davidh@checkpoint.com
__________________________________

Content-Type: message/rfc822
Date: Thu, 03 Oct 1996 07:06:32 -0500 (CDT)
From: Joav Kohn
Subject: Re: Gauntlet vs. Sidewinder
In-Reply-To: <9610030326.AA03445@ukn0.garrison.com>
To: firewalls-owner, jeromie, "david.helms"
Cc: firewalls
Message-Id: <2432060703101996/A00383/PFMSV1/11AA19C61F00*@MHS.us.landisgyr.com>

> 1) People generally have their SMTP server sitting somewhere within
> the "[Internal Net]". The firewall would say something like "We only allow
> connections to port 25 of the SMTP gateway". If the SMTP gateway is sitting
> inside, the perimeter is broken.
>

The proper way to set this up is to have the firewall itself accept mail with smapd and sendmail v8.6 and then re-route that mail to the internal servers. The internal servers are never vulnerable to an attack because the outside world cannot talk directly to them.

>
> 2) If the internet SMTP gateway sits on the DMZ, and the customer
> has several internal SMTP gateways that distribute all the mail, then again,
> the SMTP gateway on the DMZ would have access to send data to the inside SMTP
> hosts, thus providing information flow. If the internal SMTP gateways are
> vulnerable to attack (IE: version of sendmail that have problems, IE: ALL) then
> again, the perimeter is broken.
>

The best way to secure things is to assume nothing is secure on your internal network. Reduce your points of failure on the DMZ, and trust nothing. If you make sure that your DMZ versions of sendmail are secure and they talk to your internal servers, no direct communication ever takes place from the external network to the internal network.

-joav

From firewalls-owner Sun Oct 6 01:26:21 1996
Message-Id: <199610060557.WAA09854@miles.greatcircle.com>
From: mcb@greatcircle.com (Michael C. Berch)
Date: Sat, 5 Oct 1996 22:57:09 +0000
In-Reply-To: <32572de4.mistik@mistik.express.net>
To: firewalls
Subject: Re: inability of Greatcircle.com

"Mustafa Soysal MS57" wrote:
> Well folks, I have tried to get off this list by sending messages to
> majordomo@greatcircle.com which seemed to be maintained by MSen.com at
> some point which explains why things are broken.
>
> I don't see any other way than start bouncing the mail back for getting
> off the list.

Just to follow up on Brent's response to this, please be assured that the Majordomo server here is working just fine, and no, we have no idea what he's talking about either. :-)

--
Michael C. Berch
Postmaster and List Manager, Great Circle Associates
mcb@greatcircle.com

From firewalls-owner Sun Oct 6 07:42:17 1996
Message-Id: <199610061426.JAA00290@abernathy.cmg.FCNBD.COM>
In-Reply-To: <199610042030.AA03154@kcpgw2.kcp.com>
From: "Paul M. Cardon"
Date: Sun, 6 Oct 96 09:25:46 -0500
To: dharris@kcp.com (Delmer Harris)
Subject: Re: Financial transactions and firewalls.
Cc: firewalls@greatcircle.com, Colin Campbell
Reply-To: pmarc@cmg.FCNBD.COM
References: <199610042030.AA03154@kcpgw2.kcp.com>

My MUA insists that dharris@kcp.com (Delmer Harris) wrote:
> BTW: From a class I took at Interop I got the impression that SET
> is not incompatible with firewalls because it rides on top of other
> protocols which firewalls can handle. Is this impression correct?

The SET protocol is designed to be transport independent. However, for the purposes of providing clear definitions of how transport mechanisms should be used to foster interoperability, a SET Transport Summit will be held in Dallas, Texas, USA from Monday, October 28 through Wednesday, October 30.

The results of this summit will be published in a new Book 4 to be added to the three books of the current SET specification.

---
Paul M. Cardon - System Officer
Capital Markets Systems - First Chicago NBD Corporation
pmarc@cmg.fcnbd.com - (312) 732-7392

I never give them hell. I just tell the truth and they think it's hell. - H. Truman

MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e

From firewalls-owner Sun Oct 6 11:26:49 1996
From: scs@lokkur.dexter.mi.us (Steve Simmons)
To: firewalls@GreatCircle.COM
Newsgroups: local.firewalls
Subject: Re: inability of Greatcircle.com
Date: 6 Oct 1996 12:20:41 -0400
Organization: Inland Sea
Message-ID: <538m8p$n96@lokkur.dexter.mi.us>
References: <32572de4.mistik@mistik.express.net>

"Mustafa Soysal MS57" writes:
>Well folks, I have tried to get off this list by sending messages to
>majordomo@greatcircle.com which seemed to be maintained by MSen.com at
>some point which explains why things are broken.

For the record, Msen never ran the firewalls mailing list nor maintained majordomo. I ought to know, I was an owner at Msen.

--
``There is sufficient body of legal precedent allowing that you can't have obscenity when you have a work that has ideas of even the slightest social importance. Ideas, Mr. Bacchus. What did your wooden pecker represent?''
``I have no idea.
It was my birthday.'' -- Eddie Campbell, Bacchus #16

From firewalls-owner Sun Oct 6 13:26:41 1996
Message-Id: <199610062009.WAA16252@news.be.innet.net>
Date: Sun, 06 Oct 1996 22:13:23 -0100
From: fdehert@innet.be (Frank J.J. De Hert)
To: patton@sysnet.net
Cc: firewalls@greatcircle.com
Subject: Re: NT Security

>> This is true if the user hasn't taken ownership of certain directories and
>> set the permissions such that only the user has access. For even an
>
>ahh, so local users have FULL CONTROL so they can play havoc with file

Discretionary Access Control does mean just that, the user can decide who gets access to his/her OWN files, and what kind of access. However, it does not mean that the user should have full control of 'system files', especially executables. One of the main principles you have to stick by when securing a computer system is making sure that system executables are read and/or execute (whichever is appropriate for your O.S.) ONLY. NT however demands that a lot of executables (mostly .DLLs) are Change enabled for Everyone. Well, bring in the Trojan Horses...

>ownership and permissions? You got a bigger problem. I don't blame
>you, NT's permissions out of the box are bar none the worst in the

As I mentioned in one of my previous msgs, we're used to a VMS environment, and when we looked at how NT came out of the box we nearly had a fit. We tried to mimic VMS file protections, which resulted in a setup that was useless to the users. e.g. the MSOffice shortcut bar showed only question marks instead of the usual icons (small problem to us but not, apparently, to the majority of users. Mind you, for the Administrator the shortcut bar had all its correct icons!), Word stopped working, PowerPoint had problems, help files wouldn't open, etc, etc, etc, ...

>industry. I bet 99.9% of admins don't even look to see how bad it
>really is. Tightening them up can be quite a chore, especially when
>you're doing it by trial and error. But I've managed to pull it off on
>one of our public boxes. Was a several week hassle though.

After running around fixing files left and right, we're now at the point where we, sadly enough, give Everyone (shudder) full control and then deny access to a list of directories and files half a mile long. We hope we have most files covered, but if your method works well, maybe you'd like to share it with us so we can try it out and compare. Because currently, of course, users can still play havoc on their 'own' drive and trash any of the applications they have installed.

>
>

--
Frank De Hert
System/Security Manager
NATO Programming Centre.
"It's the damndest job, but some poor schmuck has to do it!"
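An added example, written for this archive and not taken from Frank De Hert's message, from patton's, or from any vendor: a PowerShell audit of the exposure Frank describes, namely executables and DLLs that Everyone (or another broad group) is allowed to change. It assumes a Windows host with PowerShell 5.1 or later (the NT 4 of the day only had cacls); the starting directory and the list of "broad" principals are assumptions to adjust for your site. It also models the "give Everyone Full Control, then Deny a long list" approach by subtracting Deny bits from Allow bits per principal, so a file that a deny entry actually covers is not reported, while one the deny list missed is.

```powershell
# Added example, not from the original thread. Reports .exe/.dll files under
# $Root on which a broadly scoped principal has an effective right to change
# the file (the Trojan-horse exposure discussed above). Assumes PowerShell 5.1+.
param(
    [string]$Root = "$env:SystemRoot\System32",   # assumed starting point
    [string[]]$BroadPrincipals = @(               # assumed list; extend as needed
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )
)

# Rights that let a principal replace or alter a trusted executable, or
# rewrite its ACL/owner and then do so. Read and Execute are deliberately
# not in this mask: those are what an executable should carry.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-WritableExecutable {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string[]]$Principals = $BroadPrincipals,
        [System.Security.AccessControl.FileSystemRights]$Mask = $WriteMask
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }

        # Collect Allow and Deny bits (restricted to $Mask) per principal.
        $bits = @{}
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if ($Principals -notcontains $id) { continue }
            if (-not $bits.ContainsKey($id)) { $bits[$id] = @{ Allow = 0; Deny = 0 } }
            $masked = ([int]$ace.FileSystemRights) -band ([int]$Mask)
            if ($ace.AccessControlType -eq 'Allow') { $bits[$id].Allow = $bits[$id].Allow -bor $masked }
            else                                    { $bits[$id].Deny  = $bits[$id].Deny  -bor $masked }
        }

        # Deny entries win over Allow entries for the same principal, which is
        # what the "grant Full Control, then Deny a long list" approach relies on.
        # Simplification: group nesting and implicit owner rights are ignored.
        foreach ($id in $bits.Keys) {
            $effective = $bits[$id].Allow -band (-bnot $bits[$id].Deny)
            if ($effective -ne 0) {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Principal = $id
                    Rights    = [System.Security.AccessControl.FileSystemRights]$effective
                }
            }
        }
    }
}

# A clean tree produces no rows; every row is a file a non-admin could replace.
Get-WritableExecutable -Path $Root | Sort-Object Path | Format-Table -AutoSize
```

Run it from an elevated prompt so Get-Acl can read every file. The useful output is the list of files the deny list missed; pointing -Path at an application's install directory shows the "users can trash their own applications" case from the last paragraph just as well as the system directory does.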
From firewalls-owner Sun Oct 6 17:45:34 1996
Message-Id: <00310073409783@gsionline.com>
Date: Sun, 6 Oct 1996 20:31:00 -0400
From: nkeenan@gsionline.com (Nick Keenan)
To: dharris@kcp.com (Delmer Harris)
Cc: firewalls@greatcircle.com, Colin Campbell
Subject: Re: Financial transactions and firewalls.

As an application developer I have to respond:

1. The "gentleman" from the original post was out of bounds. It should be obvious to anyone who's got an eye on the 'net these days that proxying is the wave of the future, and will be getting much bigger. It solves a lot of problems, and not just with security, but with administration and network design. Anyone writing software these days that does not support proxies is behind the times.

2. Delmer wrote:

>The "gentleman" in question has many brothers and sisters in other fields. I
>have only been at this firewall stuff for about three years and I have already
>had to fight off three requests for "just a tiny hole" in my firewall so we
>could use the latest "firewalls unaware" application that we just _had_ to have.
>In each case the application developer was aghast when I suggested that the
>product would be much more useful if it was firewall aware _and_ based on a
>standard ("well understood") protocol like telnet, http, or ftp.

I am an application developer. I have been on the other side of this conversation, when some security guy says: "Why can't you just do it using HTTP? If you really knew what you were doing, you could." Well, I know what I am doing, and there are two reasons why I can't and won't:

1. HTTP and FTP are stateless. Most really useful programs are stateful. Try as you might, you can't make a stateless program stateful. And even if you were to use some of the fancy HTTP extensions like server-push, or cookies, or META tags to simulate stateful behavior, it probably wouldn't work through half of the proxy servers out there.

2. OK, let's say I write a really clever program that uses some known protocol in a way different from the way it was intended. Let's say I write a client that uses HTTP or telnet to encapsulate TCP/IP, so that a person inside your network can "tunnel" to my server and have complete unfettered access to the Internet. Would you let people use that software? You shouldn't. It would defeat the whole idea of having a firewall and a security policy. Well-known ports should be used for their stated purpose and for none other. And there is a time when standard software just won't do the job. Which brings us to my third point:

3. You have to give application developers a way. Users don't want their software just to make your life difficult, but because they have a genuine business need. Application developers want their software to be used -- and it doesn't take long to learn that there are almost no companies that allow direct access to the Internet from users' desks. But no matter how you make your application firewall aware, it requires the assistance of the person controlling the firewall to make it work. I'm amazed at how many sites insist that they will allow only HTTP or FTP traffic. I've written my software to use every proxying scheme that I've ever heard of, and yet a substantial number of places don't support any at all.

For a while I was toying with the idea of writing my own proxy and giving the source code away for free, but I figure that those places probably wouldn't want my proxy any more than the others they reject. Is there something terrible about SOCKS that I haven't been told? Is there a hidden danger with mapped links? I don't get it.

I think this dialogue is healthy for both sides. I'm interested to hear responses from the security side.

Cheers,
Nick

From firewalls-owner Sun Oct 6 18:27:19 1996
Message-Id: <199610070135.VAA23365@neon.ingenia.com>
From: Mike Shaver
Subject: Re: Financial transactions and firewalls.
To: nkeenan@gsionline.com (Nick Keenan)
Date: Sun, 6 Oct 1996 21:35:15 -0400 (EDT)
Cc: dharris@kcp.com, firewalls@GreatCircle.COM, sgcccdc@citec.qld.gov.au
In-Reply-To: <00310073409783@gsionline.com> from "Nick Keenan" at Oct 6, 96 08:31:00 pm

Thus spake Nick Keenan:
> I am an application developer. I have been on the other side of this
> conversation, when some security guy says: "Why can't you just do it using
> HTTP? If you really knew what you were doing, you could." Well, I know
> what I am doing, and there are two reasons why I can't and won't: 1. HTTP
> and FTP are stateless.

FTP is stateful...you log in, you send commands, you log out.

> Most really useful programs are stateful. Try as
> you might, you can't make a stateless program stateful.
> And even if you
> were to use some of the fancy HTTP extensions like server-push, or cookies,
> or META tags to simulate stateful behavior, it probably wouldn't work
> through half of the proxy servers out there.

`Probably' sounds like a hand-wave, and in fact I'm pretty sure that's exactly what it is. Cookies work through proxies, server-push should, and tags and URL-munging _have_ to. It's still HTML, even when it's proxied.

Mike (a security weenie _and_ application developer)
--
#> Mike Shaver (shaver@ingenia.com) Information Warfare Division
#> Chief Tactical and Strategic Officer "Saepe fidelis"
#>
#> "I like your game, but we have to change the rules." -- Anon
#>

From firewalls-owner Sun Oct 6 18:41:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA15361 for firewalls-outgoing; Sun, 6 Oct 1996 18:30:43 -0700 (PDT) Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA15353 for ; Sun, 6 Oct 1996 18:30:34 -0700 (PDT) Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id UAA12370; Sun, 6 Oct 1996 20:30:01 -0500 (CDT) Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma020501; Sun Oct 6 20:20:59 1996 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id UAA13168; Sun, 6 Oct 1996 20:20:59 -0500 Received: by sonic.nmti.com; id AA08182; Sun, 6 Oct 1996 20:20:52 -0500 From: peter@baileynm.com (Peter da Silva) Message-Id: <9610070120.AA08182@sonic.nmti.com.nmti.com> Subject: Re: Financial transactions and firewalls.
To: nkeenan@gsionline.com (Nick Keenan) Date: Sun, 6 Oct 1996 20:20:51 -0500 (CDT) Cc: dharris@kcp.com, firewalls@greatcircle.com, sgcccdc@citec.qld.gov.au In-Reply-To: <00310073409783@gsionline.com> from "Nick Keenan" at Oct 6, 96 08:31:00 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> For a while I was toying with the idea of writing my own proxy and
> giving the source code away for free, but I figure that those places
> probably wouldn't want my proxy any more than the others they reject.

If you gave me the source to your proxy and a description of your protocol, and my users had a business need for your protocol, I absolutely *would* consider it. In fact, I just sent mail to an application vendor asking them for information on proxying their protocol through... they're still in beta, and if they had a proxy available before they shipped it'd make a *big* difference in whether we could use their software.

From firewalls-owner Sun Oct 6 18:58:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA15616 for firewalls-outgoing; Sun, 6 Oct 1996 18:35:08 -0700 (PDT) Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA15592 for ; Sun, 6 Oct 1996 18:34:50 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id RAA16819 for ; Sun, 6 Oct 1996 17:48:21 -0700 Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id SAA01728 for ; Sun, 6 Oct 1996 18:29:39 -0700 Date: Sun, 6 Oct 1996 18:29:39 -0700 (PDT) From: Michael Dillon To: firewalls@greatcircle.com Subject: Re: TCP SYN attacks - a simple solution (fwd) Message-ID: Organization: Memra Software Inc.
- Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

---------- Forwarded message ----------
Date: Sun, 6 Oct 1996 16:30:14 -0700
From: Matthew Kaufman
To: rex@cs.su.oz.au, bugtraq@netspace.org, nanog@merit.edu, iepg@iepg.org
Cc: matthew@nic.scruz.net
Subject: Re: TCP SYN attacks - a simple solution

Original message <199610062314.TAA29781@merit.edu>
From: rex@staff.cs.su.oz.au (Rex di Bona)
Date: Oct 7, 8:10
Subject: TCP SYN attacks - a simple solution
> ...
> I propose a solution where the initial sequence number is calculated
> (not random), and is based on a cryptographic calculation of the
> sender's Initial Sequence Number, the ports, and a "per boot"
> secret number. In this way the initial packet can be discarded,
> and on receipt of the third SYN packet can be recalculated.
...

The idea has been floated before, and I believe it to be the right solution to this problem. However, I have some suggested improvements:

1. The use of a "per boot" secret number allows an attacker to poll your machine to deduce the secret, and then attack you with that knowledge. A solution to this problem is to use a rapidly changing secret, the pattern of which cannot be easily deduced, and a sliding window of acceptance. (If the hash doesn't match the current scheme, but matches the scheme we were using in the past N seconds, then accept the packet.) The change interval needs to be short enough that, by the time an attacker has been able to compute the next number, the window for accepting that has closed.

2. The TCP specification allows data to ride along with the initial SYN, and requires that after the three-way handshake, that the data be presented to the application layer. One solution is to realize that very few implementations take advantage of this, and simply not accept this form of SYN.
A second solution is to NOT ack the data that is riding along, but the TCP state machine definition has some holes here which may not work for all implementations. The solution of buffering those SYN's which contain data is unacceptable, because attackers will simply switch to sending SYNs with data.

I believe that switching to this sort of scheme would also thwart most attacks which rely on sequence number prediction, and save memory significantly over schemes which simply increase the number of TCBs allowed.

-matthew kaufman
matthew@scruz.net

ps. I've been meaning to write this entire scheme, with the enhancements I propose here, as a draft specification, but I keep getting interrupted by flooded phone rooms and the like this weekend. *sigh*

From firewalls-owner Sun Oct 6 19:11:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA17421 for firewalls-outgoing; Sun, 6 Oct 1996 18:56:52 -0700 (PDT) Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA17394 for ; Sun, 6 Oct 1996 18:56:38 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id SAA17128; Sun, 6 Oct 1996 18:10:10 -0700 Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id SAA01926; Sun, 6 Oct 1996 18:51:27 -0700 Date: Sun, 6 Oct 1996 18:51:25 -0700 (PDT) From: Michael Dillon To: Nick Keenan cc: firewalls@GreatCircle.COM Subject: Re: Financial transactions and firewalls. In-Reply-To: <00310073409783@gsionline.com> Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sun, 6 Oct 1996, Nick Keenan wrote:

> all.
> For a while I was toying with the idea of writing my own proxy and
> giving the source code away for free, but I figure that those places
> probably wouldn't want my proxy any more than the others they reject.

No wonder they won't run your software. The only reason we let RealAudio through the firewall here is that they did write a proxy and give away the source code free.

> Is there something terrible about SOCKS that I haven't been told?

Yes. We don't use it. Why? Because we don't. When looking at various options we decided that the TIS/Gauntlet style of proxies would work for what we needed and SOCKS seemed to be messier to set up.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

From firewalls-owner Sun Oct 6 19:33:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA15587 for firewalls-outgoing; Sun, 6 Oct 1996 18:34:36 -0700 (PDT) Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA15580 for ; Sun, 6 Oct 1996 18:34:25 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id RAA16803 for ; Sun, 6 Oct 1996 17:47:16 -0700 Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id SAA01718 for ; Sun, 6 Oct 1996 18:28:32 -0700 Date: Sun, 6 Oct 1996 18:28:31 -0700 (PDT) From: Michael Dillon To: firewalls@greatcircle.com Subject: TCP SYN attacks - a simple solution (fwd) Message-ID: Organization: Memra Software Inc.
- Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

---------- Forwarded message ----------
Date: Mon, 07 Oct 1996 08:10:27 +1000
From: Rex di Bona
Reply-To: rex@cs.su.oz.au
To: bugtraq@netspace.org, nanog@merit.edu, iepg@iepg.org
Cc: rex@cs.su.oz.au
Subject: TCP SYN attacks - a simple solution

There have been several (many?) products attempting to solve the TCP SYN attack through timeouts. They watch the SYN packets, and flush ones, by doing a RESET on the connection if the third packet isn't received in time. Or letting connections fail by flushing the infant connection table when full.

I believe this is wrong! There is, I believe, a much simpler solution.

The problem is, as I see it, that the current implementations are keeping the first packet (in some form) around, as state. Instead, we want to discard all this state information, to allow us to accept more packets. Only when we have a full connection do we want to keep state information. The only piece of information we require at this early stage is the initial sequence number for our side.

I propose a solution where the initial sequence number is calculated (not random), and is based on a cryptographic calculation of the sender's Initial Sequence Number, the ports, and a "per boot" secret number. In this way the initial packet can be discarded, and on receipt of the third SYN packet can be recalculated. This means that initial packets, fired from random addresses will never have the third packet, and no overheads are consumed, except for the hash calculation.

Since there is only one random number in the connection, the initial sequence number from the originating site, there is a higher probability of "rogue", or lost packets, but if the initial ISN was truly random this shouldn't be too much of a problem (hmmm - am I sure?).
Pictorially: Host A to connect to Host B

    host A (good)                          Host B (good)

    gen ISN
    send packet to B           --->        receives packet, and ISN.
                                           uses F(ISN(A) + ports + secret)
                                           as calculated ISN for return
                                           and sends to A, discards all
    receives packet            <----       state.
    as normal, and
    sends third packet         --->        receives packet, recalculates
                                           ISN from 1st step. If it matches
                                           the ACK in the packet then this
                                           is a valid connection.

The nice thing about this is that no changes have to occur on the sending side. This solution will work with current IP stacks, but will automatically reject bogus connections, and has no silly timeout on valid connections.

This scheme does have implications with firewalls that base all decisions on the first packet, such as packet filtering firewalls, but then again, I don't consider them real firewalls. :-)

I'm going to implement this, using boring old md5, and give it a try, but I was wondering if there are any thoughts about this as a solution? Any obvious holes I missed.

Rex di Bona.

From firewalls-owner Sun Oct 6 19:42:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA19458 for firewalls-outgoing; Sun, 6 Oct 1996 19:14:18 -0700 (PDT) Received: from rara.kotel.co.kr (rara.kotel.co.kr [147.6.15.64]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA19420 for ; Sun, 6 Oct 1996 19:14:04 -0700 (PDT) Received: by rara.kotel.co.kr (8.6.9H1/8.6.4) id LAA00543; Mon, 7 Oct 1996 11:14:19 +1000 From: Kim Message-Id: <199610070114.LAA00543@rara.kotel.co.kr> Subject: how to route mails to a mail server ? To: firewalls@GreatCircle.COM Date: Mon, 7 Oct 1996 11:14:19 +0900 (GMT+9:00) X-Mailer: ELM [version 2.4 PL21-h4] MIME-Version: 1.0 Content-Type: text/plain; charset=iso-2022-kr Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'd like to route all external mails going inside to one mail server.
During mail connection, every workstation working independently connects to external mail servers directly without going to the mail server. The same for external mail going inside. Our policy is to permit all output but restrict input, but direct mail connection made it hard.

Thank you for your suggestion.

---
Kim

From firewalls-owner Sun Oct 6 19:56:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA20754 for firewalls-outgoing; Sun, 6 Oct 1996 19:23:48 -0700 (PDT) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA20661 for ; Sun, 6 Oct 1996 19:23:20 -0700 (PDT) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.Clark.Net (8.7.3/8.6.5) with SMTP id WAA25044 for ; Sun, 6 Oct 1996 22:22:57 -0400 (EDT) Message-Id: <199610070222.WAA25044@mail.Clark.Net> Comments: Authenticated sender is From: "Marcus J. Ranum" Organization: V-ONE Corp, Baltimore Office To: firewalls@greatcircle.com Date: Sun, 6 Oct 1996 22:21:13 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Financial transactions and firewalls. X-mailer: Pegasus Mail for Win32 (v2.42) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Colin Campbell writes:
>I recently spent several hours (yes hours!) on the phone discussing
>the relative merits of my "stupid firewall philosophy" with a
>gentleman representing a company implementing secure financial
>services on the Internet. His service, if I understood correctly, was
>based on (something like?) SWIFT which has been in use in Europe for
>15-20 years by many large financial institutions and therefore was not
>going to be changed quickly if at all.

There are a number of such protocols in use: SWIFT is popular in Europe. In the US there's a thing called FIX.
Many of these protocols, it has been "explained" to me, are secure because they are complicated (IBM wrote a lot of FIX, see) and therefore are not easily broken. Amusingly, standards bodies will sell you protocol specs if you ask the right places. :)

What's frustrating about many of the financial transaction languages is that they assume a secure channel because, after all, they were designed to be used over dialup - AND WE ALL KNOW NOBODY CAN HACK DIALUP RIGHT? In general, the protocols seem to be badly designed - evolution by accretion - rather than carefully crafted for security.

If I were you, and I ran up against one of these protocols, I'd consider using an encrypting router or some kind of application encryption shim or something -- anything -- rather than trusting that stuff over a bare wire.

mjr.

From firewalls-owner Sun Oct 6 20:11:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA20753 for firewalls-outgoing; Sun, 6 Oct 1996 19:23:42 -0700 (PDT) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA20633 for ; Sun, 6 Oct 1996 19:23:12 -0700 (PDT) Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.Clark.Net (8.7.3/8.6.5) with SMTP id WAA25018 for ; Sun, 6 Oct 1996 22:22:48 -0400 (EDT) Message-Id: <199610070222.WAA25018@mail.Clark.Net> Comments: Authenticated sender is From: "Marcus J. Ranum" Organization: V-ONE Corp, Baltimore Office To: firewalls@greatcircle.com Date: Sun, 6 Oct 1996 22:21:13 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Gauntlet vs. Sidewinder X-mailer: Pegasus Mail for Win32 (v2.42) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

"K.M. Goertzel" writes:
>It would seem that one of the considerations when selecting between
>products that meet requirement #3 above, that one way of "assuring"
>that the underlying operating system is as secure as the vendor claims
>it is would be to have an *independent* evaluation of the security of
>that operating system, instead of simply relying on the vendor's word
>that their method of "hardening" the OS - either using chroot or type
>enforcement - actually results in a "hacker-resistant" operating
>system.

I'm not sure I agree. Independent design review of a product is always a good idea, but an independent evaluation of the operating system on which the firewall runs can be (in some cases) completely useless. It depends a *LOT* on how the firewall's designers built the firewall. In cases where the O/S is exposed to outside attack, then the hardening of the O/S and its evaluation might make a big difference. In cases where the O/S is unexposed, I don't see how it matters as much as the implementation of the part that protects the O/S from exposure!

Let's imagine a firewall where it does some kind of screening in a routine that sits between the network interface drivers and the network protocol stacks. In other words, it's below IP, ARP, etc. If I then configure the firewall so that no IP or upper-level traffic will reach the firewall's address, then who CARES about the configuration of the O/S?? What you'd want to test carefully is the implementation of my screening layer, and you'd want to make sure there were no back-channels that would let a packet leap from the driver to the protocol stack without permission. Note that an Orange Book-style evaluation wouldn't help this particular firewall at all because the O/S is completely unreachable to the attacker, *AND* the add-in filtering layer isn't part of the evaluated O/S and wouldn't be looked at.

>It would seem to me that a firewall that runs on an NSA evaluated
>operating system would at least provide that kind of independent "seal
>of approval".

It seems to me that a firewall that runs on an NSA evaluated operating system would have something for the marketing guys to squeal about but wouldn't be substantially better than any other firewall unless the firewall's implementation components (proxies or filters or whatever) were also evaluated components of the TCB. Heh. That'd be fun to see. Of course, you'd never get that past the specs -- it'd have to be a generic upgrader/downgrader and all kinds of nonsense.

> Of course, SCC have had a lot of experience building
>operating systems that are

Lots of people have experience with Orange Book stuff, but that doesn't make the Orange Book stuff useable. :) That being said, the folks at SCC have a lot of experience with computer security and secure software design and that *IS* useful. One thing that makes me kind of unhappy about the "firewall industry" these days is the large number of Johnny-come-latelies who really don't know anything about security but smell money and are bashing products together and tossing them over the fence.

Frank Willoughby writes:
> FWIW, Marcus Ranum wrote a good article about "firewall certifications".
> Last time I checked, it could be found on V-ONE's home page.

It may have moved because it's not really an official position of the company's, and reflects my highly unofficial and biased opinion. :) I definitely know it's on http://www.clark.net/pub/mjr/pubs along with my other various rantings.

mjr.
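Returning to the SYN-flood thread forwarded earlier in this digest: the following is an added worked example (written for this page, not code from Rex di Bona, Matthew Kaufman or any real TCP stack) of the stateless handshake Rex proposes, with the rotating secret and sliding acceptance window Kaufman suggests. It assumes HMAC-MD5 as the function F, hashes the IPv4 addresses as well as the ports, and rotates the derived secret every EPOCH_SECONDS; all three are choices made here, not details from the thread.

```python
"""Stateless SYN handling in the style of the di Bona/Kaufman proposal.

The server's ISN is a keyed hash of the client's ISN, the connection
4-tuple and a secret, so a half-open connection costs no memory: only
when the third packet carries the matching ACK is any state created.
Assumptions (not from the thread): HMAC-MD5 as F, IPv4 addresses are
hashed as well as ports, and secrets rotate every EPOCH_SECONDS.
"""

import hmac
import socket
import struct
import time

EPOCH_SECONDS = 30   # assumed: how long one derived secret stays current
ACCEPT_WINDOW = 1    # assumed: how many previous epochs are still accepted
MASK32 = 0xFFFFFFFF


def derive_epoch_secret(master_secret: bytes, epoch: int) -> bytes:
    """Kaufman's 'rapidly changing secret': one key per epoch, derived from
    the per-boot master secret so only the master has to be stored."""
    return hmac.new(master_secret, struct.pack("!Q", epoch), "md5").digest()


def compute_isn(secret: bytes, client_isn: int, src: tuple, dst: tuple) -> int:
    """F(ISN(A) + ports + secret) as a 32-bit number.

    src and dst are (dotted-quad, port) tuples.  The addresses go into the
    hash too (an addition to the thread's wording) so that a cookie issued
    to one peer is not valid for another peer using the same ports."""
    src_ip, src_port = src
    dst_ip, dst_port = dst
    msg = struct.pack("!I4sH4sH", client_isn & MASK32,
                      socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port)
    digest = hmac.new(secret, msg, "md5").digest()
    return struct.unpack("!I", digest[:4])[0]


class StatelessListener:
    """Server side of the handshake.  on_syn() stores nothing; on_ack()
    recomputes the ISN and only then records the connection."""

    def __init__(self, master_secret: bytes, clock=time.time):
        self.master_secret = master_secret
        self.clock = clock        # injectable so secret rotation can be tested
        self.established = []     # full connections: the only state kept

    def _epoch(self) -> int:
        return int(self.clock()) // EPOCH_SECONDS

    def on_syn(self, client_isn: int, src: tuple, dst: tuple):
        """First packet: return (seq, ack) for the SYN-ACK, then forget it."""
        secret = derive_epoch_secret(self.master_secret, self._epoch())
        isn = compute_isn(secret, client_isn, src, dst)
        return isn, (client_isn + 1) & MASK32

    def on_ack(self, seq: int, ack: int, src: tuple, dst: tuple) -> bool:
        """Third packet: seq is ISN(A)+1, so ISN(A) is recovered from it and
        the expected ISN recomputed under the current secret and, as the
        sliding window, the ACCEPT_WINDOW secrets before it."""
        client_isn = (seq - 1) & MASK32
        now = self._epoch()
        for epoch in range(now, now - ACCEPT_WINDOW - 1, -1):
            secret = derive_epoch_secret(self.master_secret, epoch)
            expected = (compute_isn(secret, client_isn, src, dst) + 1) & MASK32
            if expected == (ack & MASK32):
                self.established.append((src, dst))
                return True
        return False   # no cookie matched: forged, stale or replayed ACK


if __name__ == "__main__":
    # Constructed demonstration values, not captured traffic.
    listener = StatelessListener(b"per-boot-master-secret")
    client, server = ("10.0.0.5", 40000), ("192.0.2.1", 80)
    seq, ack = listener.on_syn(0x12345678, client, server)
    print("SYN-ACK seq=%08x ack=%08x" % (seq, ack))
    print("handshake completes:", listener.on_ack(ack, (seq + 1) & MASK32, client, server))
```

Two points from the thread show up directly in the code. A keyed digest cannot be inverted to recover the secret, which is Ian Miller's objection later in this digest; what rotation buys is that an ACK captured for one epoch stops validating once the window has slid past it, which is Kaufman's point. The example does not handle data riding on the SYN, which Kaufman notes a stateless scheme has to either refuse or leave unacknowledged.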
From firewalls-owner Sun Oct 6 21:26:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA05503 for firewalls-outgoing; Sun, 6 Oct 1996 21:18:41 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA05496 for ; Sun, 6 Oct 1996 21:18:31 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id AAA13662; Mon, 7 Oct 1996 00:24:06 -0500 From: Adam Shostack Message-Id: <199610070524.AAA13662@homeport.org> Subject: NT FTPd, partial summary To: firewalls@greatcircle.com (Firewalls mailing list) Date: Mon, 7 Oct 1996 00:24:06 -0500 (EST) Cc: ntsecurity@iss.net X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Peter da Silva correctly pointed out that FTP inherently has no security, and suggested ssh or https. (I have other layers of security, I just want an ftp daemon that I can put some trust into to not serve up the whole filesystem.)

Many folks suggested the IIS FTPd.

Kevin Lam suggested the War or Vermillion daemons.

Lyn Champagne suggested 'Serv-u'

http://mercury.texoma.com/mirror/tucows/server95.html had a list of ftp daemons. It's part of the TUCOWS archive, www.tucows.com

Vermillion claims to offer high security, as do others, but no one has said that they've looked in depth into any of these products. I don't mean to start a flame war, but I do try to examine products carefully before using them; has no one done that for any of the NT daemons?

Adam

--
"Every year the Republicans campaign like Libertarians, and then go to Washington and spend like Democrats." Vote Harry Browne for President.
http://www.harrybrowne96.org

From firewalls-owner Sun Oct 6 22:26:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA08538 for firewalls-outgoing; Sun, 6 Oct 1996 22:10:24 -0700 (PDT) Received: from firewall.harker.com (firewall.harker.com [192.102.231.125]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA08531 for ; Sun, 6 Oct 1996 22:10:18 -0700 (PDT) Received: from harker.harker.com (harker.harker.com [192.102.231.1]) by firewall.harker.com (8.6.9/8.6.12) with ESMTP id OAA13296; Sun, 6 Oct 1996 14:02:43 GMT Received: (from harker@localhost) by harker.harker.com (8.8.0-RetRcpt/8.8.Beta.5a) id WAA28310; Sun, 6 Oct 1996 22:10:26 -0700 (PDT) Date: Sun, 6 Oct 1996 22:10:26 -0700 (PDT) From: Robert Harker Message-Id: <199610070510.WAA28310@harker.harker.com> To: cgkim@rara.kotel.co.kr Subject: Re: how to route mails to a mail server ? Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am assuming that you are using a packet filtering firewall configuration and are advertizing your internal DNS information to the outside world. In this case the solution to directing mail to a single firewall is handled with DNS MX records.

Since you are advertizing every host to the Internet by advertizing an A record, you must use host specific MX records for each host.

    host1.your.dom    A    1.2.3.4
                      MX   5   host1.your.dom
                      MX   20  firewall.your.dom

    host2.your.dom    A    1.2.3.5
                      MX   5   host2.your.dom
                      MX   20  firewall.your.dom

If you want to direct the mail to a mail hub rather than the host itself, then use MX records as follows:

    host3.your.dom    A    1.2.3.6
                      MX   10  mailhub.your.dom
                      MX   20  firewall.your.dom

I use the low value MX preference of 5 for a standalone mail host that accepts mail for local delivery itself and 10 for a host that wants its mail forwarded to a mail hub. This is strictly for my convenience.
At 2:00 AM when my brain has turned to mush, I can quickly distinguish between a standalone mail host (MX 5) and a mail client (MX 10).

The drawback of this approach is that incoming mail will first have to time out on the first low value MX record before connecting to the firewall host. Not a problem on your end of the connection, but a performance impact on people (mailing lists) trying to send mail to you.

Also note that wildcard MX records will not work unless you use split DNS or do not advertize your internal hosts. Many people (myself included when I first saw them) think that a wildcard MX record will apply to every host in their domain. As I like to say in my "Managing Internet Mail" class, that statement is *EXACTLY* wrong! A wildcard MX record applies to every host in your domain, *EXCEPT* every host that is a valid Fully Qualified Domain Name (has a published A, CNAME, MX, SOA, NS, or other resource record). Wildcard MX records also cause all kinds of problems with canonicalization of hostnames in sendmail; you should avoid them.
Hope this helps

RLH

> For info about our "Managing Internet Mail, Setting Up and Trouble   <
> Shooting sendmail and DNS" and a schedule of dates and locations,     <
> please send email to info@harker.com, or visit www.harker.com         <

Robert Harker                           Harker Systems
Sendmail and TCP/IP Network Training    1180 Hester Ave
Sendmail and Network Consulting         San Jose, CA 95126
harker@harker.com                       408-295-9432

From firewalls-owner Mon Oct 7 00:41:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA14692 for firewalls-outgoing; Mon, 7 Oct 1996 00:38:06 -0700 (PDT) Received: from mailout01.btx.dtag.de (mailout01.btx.dtag.de [194.25.2.149]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA14685 for ; Mon, 7 Oct 1996 00:37:57 -0700 (PDT) Received: from mailto00.btx.dtag.de ([172.16.2.1]) by mailout01.btx.dtag.de with smtp (S3.1.29.1) id ; Mon, 7 Oct 96 09:13 MET DST Received: from funnel13.btx.dtag.de (022157600012-0002(btxid)@[194.25.2.14]) by mailto00.btx.dtag.de with smtp (S3.1.29.1) id ; Mon, 7 Oct 96 09:13 MET DST Message-ID: <3258C96D.6AA1@t-online.de> Date: Mon, 07 Oct 1996 09:13:26 +0000 Organization: Siemens AG X-Mailer: Mozilla 3.0b6 (Win95; I; 16bit) MIME-Version: 1.0 Followup-To: firewalls@GreatCircle.COM To: Lawrence Beobachter CC: firewalls@GreatCircle.COM Subject: Re: DMZ server References: <2.2.32.19961003154359.00769410@pop-srvr> <32564B8D.4796@spmu.rssi.ru> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Sender: 022157600012-0002@t-online.de (Krauss Siemens AG) From: Krauss.SiemensAG@t-online.de (Dietmar Krauss) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Lawrence Beobachter wrote:
>
> Hello!
>
> I saw this term here several times in connection with
> bastion host. What does this acronym mean?

DMZ stands for 'Demilitarized Zone' and is another expression for the screened subnet (where the bastion host is located) within a firewall using external and internal router.

The expression comes from the border area between North and South Korea and delivers a pretty picture for what is going on in a firewall subnet.

                                   internet
                                      |
                                    +-+-+
      bastion host                  |   |  external
      (WWW, FTP, SMTP)              |   |  router
          +-+-+                     +-+-+
          |   |                       |
       o--+---------------------------+----+--o  DMZ
                                           |
                                         +-+-+
                                         |   |  internal router
                                         +-+-+
                                           |
                                    ..----+----..  corporate LAN

Hope that helps

Dietmar

--
+-------------------------------------------------------------------+
| Krauss.SiemensAG@t-online.de                                      |
| Dietmar Krauss                                                    |
| Consulting Communication                                          |
| Siemens AG, Germany (www.siemens.de/pn)                           |
+-------------------------------------------------------------------+

From firewalls-owner Mon Oct 7 01:42:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA18621 for firewalls-outgoing; Mon, 7 Oct 1996 01:25:52 -0700 (PDT) Received: from firefly (firefly.parc.anglia.ac.uk [194.82.46.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA18614 for ; Mon, 7 Oct 1996 01:25:42 -0700 (PDT) Received: from maverick.parc.anglia.ac.uk by firefly (SMI-8.6/SMI-SVR4) id JAA11419; Mon, 7 Oct 1996 09:20:47 +0100 Received: by maverick.parc.anglia.ac.uk (SMI-8.6/SMI-SVR4) id JAA05321; Mon, 7 Oct 1996 09:17:48 +0100 Date: Mon, 7 Oct 1996 09:17:48 +0100 From: colinj@parc.anglia.ac.uk (Colin Johnston) Message-Id: <199610070817.JAA05321@maverick.parc.anglia.ac.uk> To: Krauss.SiemensAG@t-online.de, firewalls@GreatCircle.COM Subject: Re: DMZ server Cc: colinj@parc.anglia.ac.uk Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: t55mS5vzYxoxyaa+2y4++g== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, in regards to DMZ with relation to North and South Korea, does that mean that the recent incursion by North Korean special forces into South Korean territory was due to a badly configured firewall machine :):) Presumably the very old submarine used as transport for the special forces had a communications
network using TCP/IP enabled for a SYN attack :):)

Any comments made above are joke comments.

Bye
Colin Johnston

From firewalls-owner Mon Oct 7 02:26:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA23288 for firewalls-outgoing; Mon, 7 Oct 1996 02:15:17 -0700 (PDT) Received: from saturn.koto.nikkei.co.jp (saturn.koto.nikkei.co.jp [138.101.199.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id CAA23247 for ; Mon, 7 Oct 1996 02:14:57 -0700 (PDT) Received: from saturn (localhost [127.0.0.1]) by saturn.koto.nikkei.co.jp (8.7.6/8.7.3) with ESMTP id SAA29106; Mon, 7 Oct 1996 18:11:37 +0900 (JST) Message-Id: <199610070911.SAA29106@saturn.koto.nikkei.co.jp> To: Kim Cc: firewalls@GreatCircle.COM Subject: Re: how to route mails to a mail server ? In-reply-to: Your message of "Mon, 07 Oct 1996 11:14:19 JST." <199610070114.LAA00543@rara.kotel.co.kr> Date: Mon, 07 Oct 1996 18:11:37 +0900 From: Nobuhiko Yoshimoto Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I'd like to route all external mails going inside to one mail server.
> During mail connection, every workstation working independently connects
> to external mail servers directly without going to mail server.
> The same external mail going inside.
> Our policy is to permit all output but restrict input but direct mail
> connection made it hard.
> Thank you for your suggestion.
>
> ---
> Kim

Define the MX list in your name server as below.

    @    SOA
         IN MX 10 internal mail server
         IN MX 20 external mail server

Then define a packet filter in the router connected to your ISP like this (if it were CISCO, otherwise please consult the vendor's manual).

    permit tcp any external_mail_server smtp

A host on the Internet attempts to connect to the internal mail server for the first time, because its preference value is lower than the internal one. The connection, however, can not be established, because the packet is discarded by the router.

So, the host tries the external server and sends mail successfully. The external server, having received the mail, transfers it to the internal server, because it deletes itself from the MX list. (Consult RFC974.)

Nobuhiko Yoshimoto
Nihon Keizai Shimbun Inc.
yoshi@nikkei.co.jp

From firewalls-owner Mon Oct 7 03:28:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA28926 for firewalls-outgoing; Mon, 7 Oct 1996 03:15:42 -0700 (PDT) Received: from h01.scientia.com (h01.scientia.com [194.216.183.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA28919 for ; Mon, 7 Oct 1996 03:15:25 -0700 (PDT) Received: by h01.scientia.com with SMTP id LAA05088 for ; Mon, 7 Oct 1996 11:15:07 +0100 Message-Id: <199610071015.LAA05088@h01.scientia.com> X-Sender: firewall@pop-server X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 07 Oct 1996 10:14:12 +0100 To: From: Ian Miller Subject: Re: TCP SYN attacks - a simple solution (fwd) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 18:29 06/10/96 -0700, Michael Dillon wrote:
>From: rex@staff.cs.su.oz.au (Rex di Bona)
>Date: Oct 7, 8:10
>Subject: TCP SYN attacks - a simple solution
>>
>...
>> I propose a solution where the initial sequence number is calculated
>> (not random), and is based on a cryptographic calculation of the
>> sender's Initial Sequence Number, the ports, and a "per boot"
>> secret number. In this way the initial packet can be discarded,
>> and on receipt of the third SYN packet can be recalculated.
>...
>
>1. The use of a "per boot" secret number allows an attacker to
> poll your machine to deduce the secret, and then attack you with
> that knowledge.

How do you "deduce the secret" from a cryptographic message digest? The whole point of such functions is that this is wholly infeasible. Changing the secret more often than each boot time seems merely to add complexity not security.
Ian

From firewalls-owner Mon Oct 7 04:56:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA04824 for firewalls-outgoing; Mon, 7 Oct 1996 04:50:32 -0700 (PDT)
Received: from hsa2.hva.uni-bremen.de (hsa2.hva.uni-bremen.de [134.102.144.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA04816 for ; Mon, 7 Oct 1996 04:50:25 -0700 (PDT)
Received: from kemmer by hsa2.hva.uni-bremen.de (AIX 3.2/UCB 5.64/4.96.02.05.roet) id AA16001; Mon, 7 Oct 1996 13:09:34 +0200
Message-Id: <9610071109.AA16001@hsa2.hva.uni-bremen.de>
Comments: Authenticated sender is
From: "Ralf Roettinghausen"
To: firewalls@greatcircle.com
Date: Mon, 7 Oct 1996 13:13:09 +0000
Subject: TIMBUKTU
X-Mailer: Pegasus Mail for Windows (v2.23DE)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've got only a simple question ?

I've heard about a thing called TIMBUKTU !

What (not where) is TIMBUKTU and how does it work ?

With kind regards

Der Senator fuer Haefen, ueberregionalen Verkehr und Aussenhandel
Referat 03 / Netzadministration

Ralf Roettinghausen

From firewalls-owner Mon Oct 7 05:41:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA07320 for firewalls-outgoing; Mon, 7 Oct 1996 05:26:18 -0700 (PDT)
Received: from rio.infodirekt.de (rio.infodirekt.de [194.97.120.29]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA07289 for ; Mon, 7 Oct 1996 05:26:05 -0700 (PDT)
Received: from [194.97.120.28] (mac.infodirekt.de [194.97.120.28]) by rio.infodirekt.de (8.6.12/8.6.12) with SMTP id NAA19238; Mon, 7 Oct 1996 13:24:54 +0100
X-Sender: ts@rio.infodirekt.de
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 7 Oct 1996 14:21:59 +0200
To: "Ralf Roettinghausen"
From: ts@infodirekt.de (Thomas Schreiber)
Subject: Re: TIMBUKTU
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I've got only a simple question ?
>I've heard about a thing called TIMBUKTU !
>
>
>What (not where) is TIMBUKTU and how does it work ?
>
>
>With kind regards
>
>Der Senator fuer Haefen, ueberregionalen Verkehr und Aussenhandel
>Referat 03 / Netzadministration
>
>Ralf Roettinghausen

The TIMBUKTU I know about has nothing to do with Firewalls: (see www.farallon.com)

DESCRIPTION:

TIMBUKTU/REMOTE 3.0 LETS REMOTE MACINTOSH USERS CONNECT OVER TELEPHONE LINES OR ISDN LINKS TO CONTROL, OBSERVE, SEND, OR EXCHANGE FILES. USE TIMBUKTU/REMOTE TO MAKE CHANGES AND EDITS IN REAL TIME BY VIEWING AND OPERATING THE COLOR SCREEN OF A REMOTE MACINTOSH IN A WINDOW ON YOUR OWN MAC DESKTOP. TIMBUKTU/REMOTE IS USED FOR ACTIVITIES SUCH AS USER SUPPORT ACROSS DISTANCES, TELECONFERENCING THAT SUPPLEMENTS PHONE CONVERSATIONS WITH COMPUTER SCREEN IMAGES, TELECOMMUTING FROM HOME TO OFFICE MACINTOSH COMPUTERS, AND PORTABLE COMPUTING FROM THE FIELD. TIMBUKTU/REMOTE 3.0 IS FULLY COMPATIBLE WITH APPLE'S SYSTEM 7 SOFTWARE. OTHER NEW FEATURES INCLUDE AUTOSCROLLING FOR EASIER NAVIGATION AROUND A REMOTE SCREEN, AND ENHANCED SECURITY FEATURES SUCH AS PASSWORD PROTECTION AND SECURITY CALL-BACK.
Thomas
____________________________________________________________
infodirekt - Thomas Schreiber          Tel: +49 89/324796-50
Frankfurter Ring 193a                  Fax: +49 89/324796-51
80807 Muenchen, Germany                email: ts@infodirekt.de
________________________ See you at http://www.infodirekt.de

From firewalls-owner Mon Oct 7 06:53:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA12563 for firewalls-outgoing; Mon, 7 Oct 1996 06:35:37 -0700 (PDT)
Received: from jpmgate1.jpmorgan.com (jpmorgan.jpmorgan.com [146.149.99.127]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA12556 for ; Mon, 7 Oct 1996 06:35:30 -0700 (PDT)
Received: from jpmgate1.jpmorgan.com (mrzip.ny.jpmorgan.com [146.149.1.2]) by jpmgate1.jpmorgan.com (8.7.5/8.7.5) with SMTP id JAA06029 for ; Mon, 7 Oct 1996 09:34:09 -0400
Received: from NYC-NTGW-N02.ny.jpmorgan.com (nyc_ntgw_n02.ny.jpmorgan.com [198.75.84.103]) by mrzip.ny.jpmorgan.com (8.8.0/8.7.6) with SMTP id JAA24485 for <@mrzip.ny.jpmorgan.com:firewalls@GreatCircle.COM>; Mon, 7 Oct 1996 09:34:11 -0400 (EDT)
Received: by NYC-NTGW-N02.ny.jpmorgan.com (IBM OS/2 SENDMAIL VERSION 1.3.14/1.0) id AA6632; Mon, 07 Oct 96 09:34:05 -0400
Message-Id: <9610071334.AA6632@NYC-NTGW-N02.ny.jpmorgan.com>
Received: by JPMORGAN (Lotus Notes Mail Gateway for SMTP V1.1) id AC252072D0028EE4802563BC00499281; Mon, 7 Oct 96 09:34:04
To: "Ralf Roettinghausen"
Cc: firewalls
From: Brian B Mitchell
Date: 7 Oct 96 14:29:38
Subject: Re: TIMBUKTU
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ralf,

TIMBUKTU is a piece of remote control software for MACINTOSH computers. It works just like PC Anywhere, LAPLINK for Windows, etc etc. It can run over IP or through APPLETALK. Using TCP, the following ports are the defaults.
    timbuktu          407/tcp    Timbuktu
    timbuktu-srv1    1417/tcp    Timbuktu Service 1 Port
    timbuktu-srv2    1418/tcp    Timbuktu Service 2 Port
    timbuktu-srv3    1419/tcp    Timbuktu Service 3 Port
    timbuktu-srv4    1420/tcp    Timbuktu Service 4 Port

Regards
brianm

To: firewalls @ GreatCircle.COM @ SMTP
cc:
From: ralf @ hsa2.hva.uni-bremen.de ("Ralf Roettinghausen") @ SMTP
Sent: Mon 07/10/96 13:13:09 EDT
Subject: TIMBUKTU

I've got only a simple question ?

I've heard about a thing called TIMBUKTU !

What (not where) is TIMBUKTU and how does it work ?

With kind regards

Der Senator fuer Haefen, ueberregionalen Verkehr und Aussenhandel
Referat 03 / Netzadministration

Ralf Roettinghausen

From firewalls-owner Mon Oct 7 07:10:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA13659 for firewalls-outgoing; Mon, 7 Oct 1996 06:54:35 -0700 (PDT)
Received: from bulldog.ca (indy.bulldog.ca [204.101.141.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA13620 for ; Mon, 7 Oct 1996 06:54:10 -0700 (PDT)
Received: from belgium.bulldog.ca by bulldog.ca via SMTP (940816.SGI.8.6.9/940406.SGI) id JAA25391; Mon, 7 Oct 1996 09:55:48 -0400
Received: by belgium.bulldog.ca with Microsoft Mail id <01BBB435.EB473780@belgium.bulldog.ca>; Mon, 7 Oct 1996 09:57:15 -0400
Message-ID: <01BBB435.EB473780@belgium.bulldog.ca>
From: Dan Tshin
To: "'Richard Stiennon'" , "firewalls@GreatCircle.COM"
Subject: RE: Gauntlet vs. Sidewinder
Date: Mon, 7 Oct 1996 09:57:14 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Friday, October 04, 1996 3:26 PM, Richard Stiennon[SMTP:richards@netrex.com] wrote:
>At 07:07 PM 10/2/96 CDT, Hmm wrote:
>>
>> I would be interested in hearing how checkpoint is securing their
>>customers from SMTP based attacks! From what I have seen, they simply
>pass it
>>through to a mail machine...
>> If that mail machine happens to be running
>>Sendmail 4.1, the attacker can blow holes right through the perimeter....?
>
>Well, how about not allowing telnet to the mail server?
>

How do you do that and not allow mail hacking? I have tried disabling telnet to a machine, but when I telnet to that machine's port 25, I'm in.

How about firewalls that actually store mail and then hand it off to an internal mail server?

dt
_______________________________________________
Dan Tshin                      The Bulldog Group Inc.
Research and Development       416.594.9207:252
http://www.bulldog.ca          416.594.1473 Fax
_______________________________________________
A head is not merely a hat hangar. Just Use It.

From firewalls-owner Mon Oct 7 07:17:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA13844 for firewalls-outgoing; Mon, 7 Oct 1996 06:56:33 -0700 (PDT)
Received: from gateway.damark.com (GATEWAY.DAMARK.COM [204.17.145.230]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA13826 for ; Mon, 7 Oct 1996 06:56:18 -0700 (PDT)
Received: by gateway.damark.com; id IAA29025; Mon, 7 Oct 1996 08:55:35 -0500 (CDT)
Received: from sco.damark.com(172.31.254.231) by gateway.damark.com via smap (V3.1) id xme029015; Mon, 7 Oct 96 08:55:15 -0500
Received: by damark.com (5.65/1.2-eef) id AA26654; Mon, 7 Oct 96 08:53:22 -0500
Message-Id: <9610071353.AA26654@damark.com>
From: "william.wells"
To: michael
Subject: Re: Fireballs-Digest V5 #550
Date: Mon, 07 Oct 96 08:52:00 +6C
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>> Basically, vulnerable OSes (anything but properly configured UNIX systems)

>Wouldn't you say that VMS was probably pretty safe, so long as you remember
>to change the field service password?

I've been away from VMS for a while: have they ever fixed the bug where an ID with an expired password can be used for batch jobs and non-interactive remote access forever?
As I recall, you could use DECnet to access other systems using old IDs. The only time password expiration was checked (or updated?) was when you accessed the system using telnet or similar; as long as you avoided that access, the expired ID worked forever.

William Wells
Manager, Systems Administration
Damark International, Inc
william.wells@damark.com
Comments expressed are mine.

From firewalls-owner Mon Oct 7 07:38:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA15687 for firewalls-outgoing; Mon, 7 Oct 1996 07:17:21 -0700 (PDT)
Received: from wintermute.imsi.com (wintermute.imsi.com [206.181.239.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA15591 for ; Mon, 7 Oct 1996 07:16:52 -0700 (PDT)
Received: from relay.imsi.com (relay.imsi.com [158.134.17.30]) by wintermute.imsi.com (8.7.5/1.0w) with ESMTP id KAA27068 for ; Mon, 7 Oct 1996 10:16:25 -0400 (EDT)
Received: from gt-40 (gt-40.imsi.com [158.134.24.29]) by relay.imsi.com (8.7.5/8.7.3) with SMTP id KAA23753 for ; Mon, 7 Oct 1996 10:16:23 -0400 (EDT)
From: "Robert Carbone"
Message-Id: <961007101742.ZM2855@gt-40>
Date: Mon, 7 Oct 1996 10:17:39 -0400
X-Mailer: Z-Mail 4.0.1 (4.0.1 Apr 9 1996)
To: firewalls@GreatCircle.COM
Subject: NT Security Descriptors
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If someone could help me out for a sec. I was looking in the registry under security (I have LOGON/LOGOFF security enabled) and when the machine comes up I get a user ANONYMOUS going into the machine. I believe this is the token passing algorithm for the SID being sent to WinLOGON, though I could definitely be wrong.

Also I get some Processes on the LOGON which are:

1. NTLanMan - I am not sure?
2. KsecDD - Is this the Network DDE stuff ??
3. User32 - the LOGON verification Process?

I am running NT 3.51 service Pack 4.
I wanted to run Socks for NT on this machine, but until I understand the processes that run on NT for LOGON I cannot verify how secure it can be.

robc

--
Robert L. Carbone
Systems Administrator
Email : robc@imsi.com
Phone : (212)339-2742
Investment Management Services Inc.

That Which Does Not kill you Makes you hurt that much longer !

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQBtAzH0EB0AAAEDAJ9n/Z1pc6huEtmCxn5S9auUm/JY6AqKyvOMesajpgsqa+VW
MVLLTC4EieJf2g5raW3d0GSjm63GNC4PVYbbm4duZfKQfBKPOv9eWuNNxJTYrasp
njcwzkGbedG9AZTO/QAFE7Qdcm9iZXJ0IGNhcmJvbmU8cm9iY0BpbXNpLmNvbT6J
AHUDBRAx9BBBm3nRvQGUzv0BAUqaAv9TAJ5ABDcaL6GHpW+wme1dApkQhE9mNbBU
+Gxe+eulkf/ugFfD1Fdh4+BSM1lk2dDhEc1p8cWTX5WTyzFeJgJo2VJPjsPOG0Zg
1x5v4w7+u5qJeno/8+w2SApTy/ER0sw=
=Zw8h
-----END PGP PUBLIC KEY BLOCK-----

From firewalls-owner Mon Oct 7 09:01:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25834 for firewalls-outgoing; Mon, 7 Oct 1996 08:53:05 -0700 (PDT)
Received: from kcpgw2.kcp.com (kcpgw2.kcp.com [198.62.69.67]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA25728 for ; Mon, 7 Oct 1996 08:51:40 -0700 (PDT)
Received: by kcpgw2.kcp.com id AA05115 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.COM); Mon, 7 Oct 1996 10:49:54 -0500
Message-Id: <199610071549.AA05115@kcpgw2.kcp.com>
Received: by kcpgw2.kcp.com (Protected-side Proxy Mail Agent-2); Mon, 7 Oct 1996 10:49:54 -0500
Received: by kcpgw2.kcp.com (Protected-side Proxy Mail Agent-1); Mon, 7 Oct 1996 10:49:54 -0500
Mime-Version: 1.0
Date: Mon, 7 Oct 1996 10:31:42 -0500
From: dharris@kcp.com (Delmer Harris)
Subject: Re: DMZ server
To: firewalls@GreatCircle.COM, Lawrence Beobachter
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

DMZ - DeMilitarized Zone

Popularized in one of our favorite police actions, the Korean Conflict, this is an area where access is strictly controlled and is a buffer between two hostile forces. Currently used to name that section of "your" network where the outside world has controlled access. Any host in this section should be hardened and considered to be continuously corrupted and thus untrusted. Please see also "Free Fire Zone", an artifact of a more recent police action.

For more useful tidbits, check out http://www.ccil.org/jargon

Delmer D. Harris
dharris@kcp.com

______________________________ Reply Separator _________________________________
Subject: DMZ server
Author: Lawrence Beobachter at INTERNET-MAIL
Date: 10/5/96 3:50 PM

Hello!

I saw this term here several times in connection with bastion host. What does this acronym mean?

From firewalls-owner Mon Oct 7 09:11:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA26525 for firewalls-outgoing; Mon, 7 Oct 1996 09:02:12 -0700 (PDT)
Received: from phoenix.iss.net (phoenix.iss.net [204.241.60.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA26509 for ; Mon, 7 Oct 1996 09:01:54 -0700 (PDT)
Received: from alexf.iss.net (alexf.iss.net [204.241.60.153]) by phoenix.iss.net (8.6.13/8.6.12) with SMTP id MAA00829; Mon, 7 Oct 1996 12:00:17 -0400
Received: by alexf.iss.net with Microsoft Mail id <01BBB447.0E066B40@alexf.iss.net>; Mon, 7 Oct 1996 11:59:55 -0400
Message-ID: <01BBB447.0E066B40@alexf.iss.net>
From: Alex Filacchione
To: "campbell@c2.net" , "'Skeeve Stevens'"
Cc: "cypherpunks@toad.com" , "'firewalls@greatcircle.com'"
Subject: RE: Dole web site cracked?
Date: Mon, 7 Oct 1996 11:59:40 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

----------
From: Skeeve Stevens[SMTP:skeeve@skeeve.net]
Sent: Monday, October 07, 1996 1:10 PM
To: campbell@c2.net
Cc: cypherpunks@toad.com
Subject: Re: Dole web site cracked?

You, Rick Campbell, shaped the electrons to say:
+
+So, I just finished watching the debate and at the very end, Bob Dole
+suggested that people check out www.dole-kemp.org. I was already on
+playing decision96.digital.com so I went for it.
+
+The first page says ``Oops! You've tried to access the old
+way. Please choose the new way instead.'' Clicking on `new' gives a
+black background page with two yellow arrows, one left and one right.
+The left one gives you ``Nope, you can't go back now''. The Right one
+gives you www.cg96.org, the Clinton-Gore home page.

Yeah.... definitely hacked... not much point in mirroring this one.

hmm it goes to www.dole-kemp.com which then sends it to cg96.org...... hmmmm the INTERNIC entry for dole-kemp.com looks fine... and its a redirect, so they prolly hacked both sites... not sure... anyone else have any ideas?

My understanding is that everyone has been fooled. The addresses www.dole-kemp.com and www.dole-kemp.org seem to be spoofed sites. The REAL sites are www.dolekemp96.org and www.dole96.org. These sites have not been touched.

Hmm, and I thought that internic was supposed to be watching this stuff (domain names). I wonder if mcdonalds.org is still available...
Alex F
alexf@iss.net

From firewalls-owner Mon Oct 7 09:26:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA27508 for firewalls-outgoing; Mon, 7 Oct 1996 09:19:48 -0700 (PDT)
Received: from burrito.insource.com (burrito.insource.com [206.97.167.190]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA27498 for ; Mon, 7 Oct 1996 09:19:41 -0700 (PDT)
Received: (from michaelj@localhost) by burrito.insource.com (8.7.5/8.7.3) id LAA00592; Mon, 7 Oct 1996 11:22:58 -0500 (CDT)
From: Michael Jarvis
Message-Id: <199610071622.LAA00592@burrito.insource.com>
Subject: Re: smtp and auth
To: raf@ezunx.com (rich)
Date: Mon, 7 Oct 1996 11:22:58 -0500 (CDT)
Cc: firewalls@GreatCircle.com
In-Reply-To: from "rich" at Oct 4, 96 09:43:48 am
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> What would cause SOME mail servers to send back a AUTH/113 connection
> before allowing mail to be sent? Also, it seems to be random. In
> other words, some servers do it sometimes but other times they do not.
> Since I am blocking all connection requests from the outside in, this
> causes some of my internal mail servers to hang from time to time.
> When I looked at the firewall logs, I see SYN's coming from the mail
> server at the other end trying port 113. Any hints?

Sendmail 8.x and several other popular SMTP servers attempt to do an "ident" lookup for all SMTP connections. (See RFC-1413 for more information.) Since ident replies are easily faked, this information is of dubious use.

If you'd like, just add a firewall rule to drop or reject all tcp/113 traffic. If you're running wu-ftpd or Sendmail or some sort of service that likes to make ident queries, then permit outbound tcp/113 packets and the appropriate replies.

-michael

--
Michael A. Jarvis
Technology Consultant, Internet Solutions Group
Insource Technology, Houston, TX
michaelj@insource.com
713.955.3672

From firewalls-owner Mon Oct 7 09:42:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA28559 for firewalls-outgoing; Mon, 7 Oct 1996 09:33:31 -0700 (PDT)
Received: from relcom.eu.net (virgin.Relcom.EU.net [193.124.23.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA28552 for ; Mon, 7 Oct 1996 09:33:21 -0700 (PDT)
Received: from virgin (esakov@virgin.Relcom.EU.net [193.124.23.4]) by relcom.eu.net (8.7.3/8.7.Ru) with SMTP id UAA15128 for ; Mon, 7 Oct 1996 20:32:46 +0400 (MSD)
Date: Mon, 7 Oct 1996 20:32:45 +0400 (MSD)
From: Esakov Dmitriy
X-Sender: esakov@virgin
To: firewalls@greatcircle.com
Subject: Sniffer detection.
Message-ID:
Organization: Relcom Corp.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

Does anyone know how an ethernet sniffer can be detected?

Any help is greatly appreciated!
All ideas are welcome!
-------------------------------------------
Have a nice day!

Esakov Dmitriy
RELCOM corp.
esakov@relcom.eu.net
Moscow, Russia

From firewalls-owner Mon Oct 7 10:27:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA03658 for firewalls-outgoing; Mon, 7 Oct 1996 10:21:49 -0700 (PDT)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA03628 for ; Mon, 7 Oct 1996 10:21:29 -0700 (PDT)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) id AA14050; Mon, 7 Oct 1996 10:22:35 -0700
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA20599; Mon, 7 Oct 96 10:20:47 PDT
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) id AA26099; Mon, 7 Oct 1996 10:20:44 -0700
Message-Id: <9610071720.AA26099@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 3D2CAE0B93F6C9D1882563BC005ED413; Mon, 7 Oct 96 10:20:43 EDT
To: Dima Volodin
Cc: firewalls
From: Ryan Russell/SYBASE
Date: 7 Oct 96 10:23:22 EDT
Subject: Re: Check Point and SYN Flood Attack
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hmm....no. Perhaps I worded that poorly.

When I say "use" I mean (And I assumed everyone else here would understand what I meant by it) that the thing the packet is intended for will typically fire off some non-trivial process, set aside some memory, send replies, perform some fair amount of calculation. If you're into the OSI layer model, I mean that it goes up to the app layer and makes some decisions based on the data there.

Routers, and some firewalls (NAT, SPF types), do some of these things, and not others. They typically only look as far into the packet as they need to, and usually don't look at the application layer stuff.
Now, for the SYN attack stuff, what the recipient will do that routers and some firewalls along the way will not is set aside some (often limited) resources and wait. Routers don't usually have to set aside any resources. SPF type firewalls will typically do something to the effect of adding a few bytes to a lookup table.

Ryan

---------- Previous Message ----------
To: Ryan.Russell
cc: bkmarsh, bradley, firewalls
From: dvv @ sprint.net (Dima Volodin) @ smtp
Date: 10/06/96 10:05:59 AM
Subject: Re: Check Point and SYN Flood Attack

It might be a surprise to you, but OSes (well, at least the ones I know) don't use, as you put it, packets per se - they just keep table (or list, in the worst case) entries for them.

Dima

Ryan Russell/SYBASE writes:
>
> Here's a glib answer, but it may help
> explain things:
>
> Firewall-1 doesn't have a problem with
> the SYN packets for the same reason
> that every router along the way doesn't.
>
> It doesn't "use" the packets per se...
> It just keeps a table entry for it, and
> sends an ACK (I presume) to see if it
> gets a reply. It can keep track of thousands
> of these half open connections at a time..
>
> Ryan

From firewalls-owner Mon Oct 7 10:46:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA04209 for firewalls-outgoing; Mon, 7 Oct 1996 10:27:44 -0700 (PDT)
Received: from Walden.MO.NET (walden.mo.net [199.250.196.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA04187 for ; Mon, 7 Oct 1996 10:27:31 -0700 (PDT)
Received: from gate.hussmann.com (gate.hussmann.com [205.139.246.2]) by Walden.MO.NET (8.7.4/8.6.10) with ESMTP id MAA14276; Mon, 7 Oct 1996 12:27:10 -0500 (CDT)
Received: (from nobody@localhost) by gate.hussmann.com (8.7.1/8.7.3) id LAA17465; Mon, 7 Oct 1996 11:31:57 -0500
Message-Id: <199610071631.LAA17465@gate.hussmann.com>
Received: from mail-gate.hussmann.com(129.1.5.4) by gate.hussmann.com via smap (V1.3) id tmp017463; Mon Oct 7 11:31:48 1996
Date: Mon, 7 Oct 1996 13:20:00 -0500
From: "Hicks, Rick"
Subject: RE: SparcLinux/OS for a secure bastion h
To: "'Firewalls List'"
Cc: "'adam@homeport.org'"
X-Mailer: Worldtalk (NetConnex V4.00a)/MIME
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>| You can even run Linux with / and /usr on a CDROM.
>|
>| RedHat sells a 'live' filesystem Linux CDROM that you can run a fairly
>| generic configuration off of -- though you would likely want to look at
>| what they have done and custom 'burn' your own for firewall use.
>|
>| A "write disabled" Zip, Jaz or Syquest cartridge should also be good
>| (anyone run one under Linux drivers?).
>
> Write protection on a Zip drive is software based. Don't know
>about Jaz or Syquest.
>

You can still buy hard drives that have a Write Protect jumper on them. I got a Hawk from Seagate that has this feature. I even soldered some leads and ran a little switch from it so I don't have to crack the hood when I need to make a change.
Rick
________________________________________________
Rick Hicks
Systems Specialist
Hussmann Corporation
rhicks@hussmann.com
http://www.hussmann.com

From firewalls-owner Mon Oct 7 10:57:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA07071 for firewalls-outgoing; Mon, 7 Oct 1996 10:48:11 -0700 (PDT)
Received: from user1.scranton.com (user1.scranton.com [204.186.119.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA07056 for ; Mon, 7 Oct 1996 10:47:54 -0700 (PDT)
Received: from localhost (moroni@localhost) by user1.scranton.com (8.6.12/8.6.9) with SMTP id NAA01876; Mon, 7 Oct 1996 13:47:10 -0400
X-Authentication-Warning: user1.scranton.com: moroni owned process doing -bs
Date: Mon, 7 Oct 1996 13:47:10 -0400 (EDT)
From: Moroni
To: Esakov Dmitriy
cc: firewalls@GreatCircle.COM
Subject: Re: Sniffer detection.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

How is a sniffer placed on a line?

On Mon, 7 Oct 1996, Esakov Dmitriy wrote:

> Hi!
> Does anyone know how an ethernet sniffer can be detected?
>
> Any help is greatly appreciated!
> All ideas are welcome!
> -------------------------------------------
> Have a nice day!
>
> Esakov Dmitriy
> RELCOM corp.
> esakov@relcom.eu.net
> Moscow, Russia
>
>

From firewalls-owner Mon Oct 7 11:16:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA05399 for firewalls-outgoing; Mon, 7 Oct 1996 10:35:54 -0700 (PDT)
Received: from novell.com (prv-mail20.Provo.Novell.COM [137.65.40.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA05379 for ; Mon, 7 Oct 1996 10:35:44 -0700 (PDT)
Received: from INET-PRV-Message_Server by novell.com with Novell_GroupWise; Mon, 07 Oct 1996 11:35:29 -0600
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Mon, 07 Oct 1996 11:33:33 -0600
From: Harris Demel
To: dtshin@bulldog.ca, firewalls@GreatCircle.COM, richards@netrex.com
Subject: RE: Gauntlet vs. Sidewinder -Reply
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings all -

We have four different mail exchangers inside four different DMZs throughout the company. The DMZs consist of a two-router solution. The mail exchangers queue incoming mail and forward it through the inner-company firewall (so we allow smtp traffic through the firewall from those specific mail exchangers). The outer-firewall machines are running UnixWare 2.1 mail (aka mailsurr), which is completely modularized, unlike sendmail. The inner-firewall machines are running GroupWise 4.1 SMTP Gateways on NetWare. For outbound mail, we send directly from the inner-firewall machines to the Internet without passing through or queuing on the DMZ machines.

The assumption is that the DMZ mail exchangers (or any other machine in the DMZ) could be cracked and are, therefore, unsafe. However, if someone were to crack any of those machines, alarms would sound, (hopefully) giving us enough time to handle/recover from the attack.

Regards,

- Harris Demel
Former Novell, Inc. Postmaster

>>> Dan Tshin 10/07/96 07:57am >>>
On Friday, October 04, 1996 3:26 PM, Richard Stiennon[SMTP:richards@netrex.com] wrote:
>At 07:07 PM 10/2/96 CDT, Hmm wrote:
>>
>> I would be interested in hearing how checkpoint is securing their
>>customers from SMTP based attacks! From what I have seen, they simply
>pass it
>>through to a mail machine... If that mail machine happens to be running
>>Sendmail 4.1, the attacker can blow holes right through the perimeter....?
>
>Well, how about not allowing telnet to the mail server?
>

How do you do that and not allow mail hacking? I have tried disabling telnet to a machine, but when I telnet to that machine's port 25, I'm in.

How about firewalls that actually store mail and then hand it off to an internal mail server?

dt
_______________________________________________
Dan Tshin                      The Bulldog Group Inc.
Research and Development       416.594.9207:252
http://www.bulldog.ca          416.594.1473 Fax
_______________________________________________
A head is not merely a hat hangar. Just Use It.
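The mail-relay arrangement that runs through this thread (Nobuhiko Yoshimoto's MX 10 / MX 20 split with a router that only admits SMTP to the outside relay, Harris Demel's DMZ exchangers that are the only hosts allowed to speak SMTP inward, and Michael Jarvis's advice to reject inbound tcp/113 ident probes) can be walked through end to end. The following is an added example, not code posted to the list: the host names, the outside address and the rule layout are constructed, the filter is a deliberately simplified model of a stateless router ACL, and the relay's MX pruning follows RFC 974.

```python
"""Added example: MX fallback through a filtering router (constructed)."""
from dataclasses import dataclass

# Assumed names: MX 10 is the internal server, MX 20 the relay in the DMZ.
INTERNAL_MX = "mail.inside.example"
EXTERNAL_MX = "relay.dmz.example"
SMTP, IDENT, TELNET = 25, 113, 23

# Zone MX records as (preference, host); lower preference is tried first.
MX_RECORDS = [(10, INTERNAL_MX), (20, EXTERNAL_MX)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    new: bool = True   # True: SYN opening a connection; False: reply to one we opened


# Router policy for traffic entering the site: (src, dst, dport, action).
# "any" matches everything; anything unmatched is dropped (default deny inbound).
POLICY = [
    ("any", EXTERNAL_MX, SMTP, "permit"),        # the post's "permit tcp any external_mail_server smtp"
    (EXTERNAL_MX, INTERNAL_MX, SMTP, "permit"),  # only the DMZ relay may hand mail to the inside
    ("any", "any", IDENT, "reject"),             # ident probes: answer with a RST so the remote MTA fails fast
]


def filter_packet(pkt: Packet) -> str:
    """Return 'permit', 'reject' or 'drop'. Replies to connections we opened
    are let through, matching the 'permit all output, restrict input' policy."""
    if not pkt.new:
        return "permit"
    for src, dst, dport, action in POLICY:
        if src in ("any", pkt.src) and dst in ("any", pkt.dst) and dport == pkt.dport:
            return action
    return "drop"


def deliver_from_internet(sender: str):
    """An outside MTA walks the MX list in preference order (RFC 974).
    Returns (host that accepted the mail, list of (host, verdict) attempts)."""
    attempts = []
    for _pref, host in sorted(MX_RECORDS):
        verdict = filter_packet(Packet(sender, host, SMTP))
        attempts.append((host, verdict))
        if verdict == "permit":
            return host, attempts
    return None, attempts


def relay_forward(relay: str):
    """RFC 974: a relay that is itself an MX removes its own entry and every
    entry of equal or higher preference, then delivers to what is left."""
    own_pref = next(p for p, h in MX_RECORDS if h == relay)
    for _pref, host in sorted((p, h) for p, h in MX_RECORDS if p < own_pref):
        if filter_packet(Packet(relay, host, SMTP)) == "permit":
            return host
    return None


if __name__ == "__main__":
    outside = "198.51.100.9"   # constructed outside address
    accepted, trail = deliver_from_internet(outside)
    print("outside MTA attempts:", trail, "-> accepted by", accepted)
    print("relay forwards to:", relay_forward(accepted))
    print("ident probe from outside:", filter_packet(Packet(outside, INTERNAL_MX, IDENT)))
    print("ident reply to our own query:", filter_packet(Packet(outside, INTERNAL_MX, IDENT, new=False)))
    print("telnet from outside:", filter_packet(Packet(outside, INTERNAL_MX, TELNET)))
```

One operational point the model makes visible: the outside MTA's first attempt, to the internal MX, is silently dropped, so every sending host waits out its TCP connect timeout before falling back to the relay. A filter that rejects that SYN (TCP RST or ICMP unreachable) instead makes the fallback immediate; the same reasoning is why the ident rule above rejects rather than drops. Whether a given router can send a reject is vendor-specific.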
From firewalls-owner Mon Oct 7 11:26:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA07870 for firewalls-outgoing; Mon, 7 Oct 1996 10:57:45 -0700 (PDT)
Received: from sss00205.schwab.com (sch-emsrv.schwab.com [162.93.15.188]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA07755 for ; Mon, 7 Oct 1996 10:57:20 -0700 (PDT)
Received: by sss00205.schwab.com; id AA23676; Mon, 7 Oct 96 10:56:41 PDT
Received: from s0043dev.schwab.com(162.93.19.150) by sss00205.schwab.com via smap (V3.1.1) id xma023551; Mon, 7 Oct 96 10:56:29 -0700
Received: from w0102dev.schwab.com by s0043dev.Schwab.Com (4.1/SMI-4.1(950622rm)) id AA20954; Mon, 7 Oct 96 13:54:39 EDT
Received: by w0102dev.schwab.com (SMI-8.6/SMI-SVR4) id LAA15209; Mon, 7 Oct 1996 11:01:44 -0700
Date: Mon, 7 Oct 1996 11:01:44 -0700
From: rricardo@Schwab.Com (ray ricardo)
Message-Id: <199610071801.LAA15209@w0102dev.schwab.com>
To: firewalls@greatcircle.com
Subject: Cisco ports 769 / 781
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In my dmz I have been receiving messages from my cisco router on port 769 and 781 destined to devices on my service segment. Does anyone know what port 769/781 is?
From firewalls-owner Mon Oct 7 12:01:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA14489 for firewalls-outgoing; Mon, 7 Oct 1996 11:45:39 -0700 (PDT)
Received: from lithium.geocel.com (lithium.geocel.com [208.199.81.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA14465 for ; Mon, 7 Oct 1996 11:45:28 -0700 (PDT)
Received: from sodium.geocel.com (sodium.geocel.com [208.199.81.218]) by lithium.geocel.com (8.7.5/8.7.5) with SMTP id NAA08083; Mon, 7 Oct 1996 13:44:32 -0500 (CDT)
Message-Id: <2.2.32.19961007183636.007508b0@lithium>
X-Sender: benc@lithium
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 07 Oct 1996 13:36:36 -0500
To: Michael Dillon , firewalls@greatcircle.com
From: Ben Camp
Subject: Re: BoS: TCP SYN attacks - a simple solution (fwd)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

But then wouldn't it be fairly easy to determine the secret number by creating a real connection?

At 06:28 PM 10/6/96 -0700, Michael Dillon wrote:
>
>---------- Forwarded message ----------
>Date: Mon, 07 Oct 1996 08:10:27 +1000
>From: Rex di Bona
>Reply-To: rex@cs.su.oz.au
>To: bugtraq@netspace.org, nanog@merit.edu, iepg@iepg.org
>Cc: rex@cs.su.oz.au
>Subject: TCP SYN attacks - a simple solution
>
>There have been several (many?) products attempting to solve the TCP
>SYN attack through timeouts. They watch the SYN packets, and flush
>ones, by doing a RESET on the connection if the third packet isn't
>received in time. Or letting connections fail by flushing the infant
>connection table when full. I believe this is wrong!
>
>There is, I believe, a much simpler solution.
>The problem is, as I see it, that the current implementations
>are keeping the first packet (in some form) around, as state.
>
>Instead, we want to discard all this state information, to allow
>us to accept more packets.
>Only when we have a full connection
>do we want to keep state information. The only piece of
>information we require at this early stage is the initial sequence
>number for our side.
>
>I propose a solution where the initial sequence number is calculated
>(not random), and is based on a cryptographic calculation of the
>senders Initial Sequence Number, the ports, and a "per boot"
>secret number. In this way the initial packet can be discarded,
>and on receipt of the third SYN packet can be recalculated.
>
>This means that initial packets, fired from random addresses will
>never have the third packet, and no overheads are consumed,
>except for the hash calculation.
>
>Since there is only one random number in the connection, the
>initial sequence number from the originating site, there is a
>higher probability of "rogue", or lost packets, but if the
>initial ISN was truly random this shouldn't be too much of a
>problem (hmmm - am I sure?).
>
>Pictorially:
>Host A to connect to Host B
>
>   host A (good)                    Host B (good)
>   gen ISN
>   send packet to B        --->     receives packet, and ISN.
>                                    uses F(ISN(A) + ports + secret)
>                                    as calculated ISN for return
>                                    and sends to A, discards all
>   receives packet        <----     state.
>   as normal, and
>   sends third packet      --->     receives packet, recalculates
>                                    ISN from 1st step. If it
>                                    matches the ACK in the packet
>                                    then this is a valid connection.
>
>The nice thing about this is that no changes have to occur on the
>sending side. This solution will work with current IP stacks, but
>will automatically reject bogus connections, and has no silly
>timeout on valid connections.
>
>This scheme does have implications with firewalls that base all
>decisions on the first packet, such as packet filtering firewalls, but
>then again, I don't consider them real firewalls. :-)
>
>I'm going to implement this, using boring old md5, and give it a try,
>but I was wondering if there are any thoughts about this as a solution?
>Any obvious holes I missed.
>
>Rex di Bona.
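The stateless handshake Rex di Bona sketches above, and the objection raised by Michael Dillon and Ben Camp (can a real connection leak the per-boot secret?), can both be seen in a small model. The following is an added example, not code from the post or from any TCP stack: HMAC-SHA256 stands in for the "boring old md5" Rex mentions, the listener keeps no record of a SYN until the third packet validates, and all addresses, ports and the demo secret are constructed.

```python
"""Added example: stateless SYN handling with a keyed-digest ISN (constructed)."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int = 0
    flags: str = "SYN"      # "SYN", "SYN-ACK" or "ACK"


class StatelessListener:
    """A listening port that stores nothing for a connection until the
    third packet of the handshake proves the peer really answered."""

    def __init__(self, addr: str, port: int, secret=None):
        self.addr, self.port = addr, port
        self.secret = secret or os.urandom(16)    # the "per boot" secret
        self.established = {}                      # (src, sport) -> (their_isn, our_isn)

    def calc_isn(self, client_isn: int, src: str, sport: int) -> int:
        """F(ISN(A) + ports + secret): keyed digest truncated to 32 bits."""
        msg = struct.pack("!IHH", client_isn, sport, self.port) + src.encode() + self.addr.encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return struct.unpack("!I", digest[:4])[0]

    def on_syn(self, syn: Segment) -> Segment:
        """Answer with SYN-ACK whose seq is the computed ISN, then forget the SYN."""
        our_isn = self.calc_isn(syn.seq, syn.src, syn.sport)
        return Segment(self.addr, self.port, syn.src, syn.sport,
                       seq=our_isn, ack=(syn.seq + 1) & MASK32, flags="SYN-ACK")

    def on_ack(self, third: Segment) -> bool:
        """Third packet: its seq - 1 is the client's ISN, so the ISN we
        chose can be recomputed and compared with the ack it carries."""
        client_isn = (third.seq - 1) & MASK32
        expected_ack = (self.calc_isn(client_isn, third.src, third.sport) + 1) & MASK32
        if third.ack != expected_ack:
            return False                           # forged or stale: still no state kept
        self.established[(third.src, third.sport)] = (client_isn, (expected_ack - 1) & MASK32)
        return True


def handshake(listener: StatelessListener, client: str, sport: int, client_isn: int) -> bool:
    """Full three-way exchange for a well-behaved client; True if accepted."""
    syn = Segment(client, sport, listener.addr, listener.port, seq=client_isn)
    synack = listener.on_syn(syn)
    third = Segment(client, sport, listener.addr, listener.port,
                    seq=(client_isn + 1) & MASK32, ack=(synack.seq + 1) & MASK32, flags="ACK")
    return listener.on_ack(third)


def flood(listener: StatelessListener, count: int) -> int:
    """SYNs from addresses that never answer; returns how much state they left."""
    for i in range(count):
        src = f"203.0.113.{i % 250 + 1}"           # constructed, never replies
        listener.on_syn(Segment(src, 40000 + i, listener.addr, listener.port, seq=(i * 7919) & MASK32))
    return len(listener.established)


if __name__ == "__main__":
    lst = StatelessListener("192.0.2.10", 25, secret=b"constructed-per-boot-secret")
    print("legitimate handshake accepted:", handshake(lst, "198.51.100.7", 1025, 123456))
    print("state after 10,000 unanswered SYNs:", flood(StatelessListener("192.0.2.10", 25), 10000))
```

On the secret-recovery worry: a real connection gives the observer (ISN_A, ports, ISN_B) triples, and turning those into the key is a key-recovery attack on the keyed digest, which is exactly what such functions are built to resist; an unkeyed hash of guessable inputs would not give that property. The two costs of the scheme are the ones a production implementation has to pay for: the SYN's options (MSS, window scaling) are forgotten along with the packet, and a secret that never rotates lets a validated third packet be replayed; the SYN-cookie designs that followed encode an MSS value and a coarse time counter into the cookie for that reason.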
From firewalls-owner Mon Oct 7 12:26:44 1996
Date: Mon, 7 Oct 96 11:58:22 PDT
From: chris@sandpiper.com (Chris Newton)
Message-Id: <9610071858.AA11989@sandy.sandpiper.com>
To: firewalls@greatcircle.com
Subject: read only root file system on Solaris 2.5

Hi,

I was wondering if anyone had any experience with running a Solaris 2.5
system with the root file system marked read-only. Any pointers as to
which files and directories need to be symlinks, references, papers on the
subject etc. would be appreciated.

TIA

chris newton
sandpiper software consulting

From firewalls-owner Mon Oct 7 12:57:16 1996
Message-ID: <01BBB463.17CB9300@belgium.bulldog.ca>
From: Dan Tshin
To: "firewalls@GreatCircle.com"
Subject: Any thoughts on these firewalls?
Date: Mon, 7 Oct 1996 15:20:36 -0400

Hi,

I was wondering who has been using Milkyway firewalls and Borderware
firewalls? Anything you really liked? Any beefs? How would it compare to
Firewall-1, Altavista, Portus, for large networks (ie ~300 workstations)?
My hypothesis is that they are designed for smaller to mid-sized networks.
Any answer would be appreciated.

Oh BTW: When did the firewalls thread become "Fireballs?" (Check some of
the previous subject headers!) ;-)

dan

From firewalls-owner Mon Oct 7 13:07:24 1996
Date: Mon, 7 Oct 1996 15:02:15 -0400 (EDT)
From: Bradley Smith
To: Esakov Dmitriy
cc: firewalls@GreatCircle.COM
Subject: Re: Sniffer detection.

I used to do something very basic for this. There are several code
snippets available to get interface values (i.e. cpm, ifstatus). I'd run
these from cron, mail results to file, tail file with swatch and look for
a lexical string indicating the interface was in prom (sp) mode.

If the status code returned indicated a "sniffer," I'd mail the results to
my pager and shut the interface down. You could get even more creative
than this with netstats, reverse finger, etc.

-brad

On Mon, 7 Oct 1996, Esakov Dmitriy wrote:

> Hi!
> Does someone know how the ethernet sniffer can be detected?
>
> Any help is greatly appreciated!
> All ideas are welcome!
> -------------------------------------------
> Have a nice day!
>
> Esakov Dmitriy
> RELCOM corp.
> esakov@relcom.eu.net
> Moscow, Russia

From firewalls-owner Mon Oct 7 13:13:11 1996
Message-ID: <32593153.41C6@inforamp.net>
Date: Mon, 07 Oct 1996 12:35:31 -0400
From: Gene Lee
Organization: Me, Incorporated
To: Esakov Dmitriy
CC: firewalls@GreatCircle.COM
Subject: Re: Sniffer detection.

Esakov Dmitriy wrote:
> Does someone know how the ethernet sniffer can be detected?

Try checking out:

http://iss.net/sec_info/sniff.html

It should have some info on how to set up sniffer detection, but it's not
very promising. Other than a physical inspection of all ethernet cards on
the network, you're out of luck. So any remote inspection other than
telnet-ing to the suspected host is virtually impossible. The above
document does give some helpful tips on how to set up your network to make
sniffing attempts harder to do.

--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Mon Oct 7 14:13:59 1996
From: carson@lehman.com
Date: Mon, 7 Oct 1996 17:03:34 -0400
Message-Id: <199610072103.RAA29070@dragon.lehman.com>
To: "Marcus J. Ranum"
Cc: firewalls@GreatCircle.COM
Subject: Re: Financial transactions and firewalls.
In-Reply-To: <199610070222.WAA25044@mail.Clark.Net>
Reply-To: carson@lehman.com

>>>>> "Marcus" == Marcus J Ranum writes:

Marcus> There are a number of such protocols in use: SWIFT is popular in
Marcus> Europe. In the US there's a thing called FIX. Many of these
Marcus> protocols, it has been "explained" to me, are secure because they
Marcus> are complicated (IBM wrote a lot of FIX, see) and therefore are not
Marcus> easily broken. Amusingly, standards bodies will sell you protocol

FIX is point-to-point encrypted, using some combo of public and private key
systems (based on PGP, last I heard). I haven't looked at the cryptography,
but folks much better at it than I am have, and they seem happy with it.

--
Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
http://www.cs.columbia.edu/~carson/home.html

From firewalls-owner Mon Oct 7 14:42:20 1996
From: Carlos Eduardo Miranda Zottman <24279@hades01.stj.gov.br>
To: "'smtp:firewalls@greatcircle.com'"
Subject: proxies
Date: Mon, 07 Oct 96 19:21:00 PDT
Message-ID: <3259BAD8@eolo.stj.gov.br>

Hello everybody!

We are analyzing some firewall products here and a friend of mine just
recommended Socks, because of the ease of configuration and supposed
security for being a freeware product which has been tested a lot.

Does anyone out there have experience using Socks? Is it really safe? I
would like every opinion you might have!

Thanks in advance!

Carlos.
From firewalls-owner Mon Oct 7 14:51:16 1996
Message-ID: <32594599.446B@inforamp.net>
Date: Mon, 07 Oct 1996 14:02:01 -0400
From: Gene Lee
Organization: Me, Incorporated
To: Bradley Smith
CC: Esakov Dmitriy, firewalls@GreatCircle.COM
Subject: Re: Sniffer detection.

Bradley Smith wrote:
> I used to do something very basic for this. There are several code
> snippets available to get interface values (i.e. cpm, ifstatus). I'd run
> these from cron, mail results to file, tail file with swatch and look for
> a lexical string indicating the interface was in prom (sp) mode.
>
> If the status code returned indicated a "sniffer," I'd mail the results to
> my pager and shut the interface down. You could get even more creative
> than this with netstats, reverse finger, etc.

This is fine for unix machines which you have administrative control
over, but what about a rogue PC notebook running DataGlance or LANAlyzer
inserted into your Ethernet network somewhere on the wire? Also keep in
mind some NICs are custom built to not broadcast the fact that they are
in promiscuous mode. The only way to detect something like this would be
to physically check each interface connected to your network.

--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Mon Oct 7 15:21:54 1996
Date: Mon, 07 Oct 96 16:29:18 CST
From: "Dick Mosher"
Message-Id: <9609078447.AA844730978@cc.wstnres.com>
To: firewalls-digest@GreatCircle.COM

Has anyone set up a hot firewall backup for their system? We are
wanting to provide as close to 24x7 access to the Web as we can,
and would like to put in a hot backup for the firewall. We have
been unable to resolve IP addressing and routing questions, and
have found no auto-sensing and -switching device to make this
work. Has anyone done this sort of thing? Any suggestions? Or
people to contact for advice? Thanks.

dick_mosher@wstnres.com

From firewalls-owner Mon Oct 7 15:25:34 1996
Date: Mon, 7 Oct 1996 16:24:53 -0500
From: giubileo@sprintsec.com (John Giubileo)
Message-Id: <199610072124.QAA00847@buzzard.>
To: esakov@relcom.eu.net, genel@inforamp.net
Subject: Re: Sniffer detection.
Cc: firewalls@GreatCircle.COM

The HP Netmetrix program (along with network probes installed throughout your
network) can also be configured to detect when a sniffer goes up on your
network.

-jpg

John Paul Giubileo
Sprint Corporate Security
Kansas City, Mo.
Senior Manager Data Network Security
Voice: 913.624.4796
giubileo@sprintsec.com

From firewalls-owner Mon Oct 7 15:39:03 1996
Date: Mon, 7 Oct 1996 16:37:47 -0600
To: firewalls@GreatCircle.COM
From: smith@sctc.com (Rick Smith)
Subject: Re: Gauntlet vs. Sidewinder (NCSA)

Karen Goertzel asked:

>Now, can someone explain to me why Sidewinder doesn't appear on the NCSA's
>list of "blessed" firewalls - at least it doesn't according to the press
>release I received?

Sidewinder *has* been issued NCSA's certification. I don't know why it isn't
listed on their Web site, though we only got around to it relatively
recently.

In our experience, high end customers who are willing to pay extra for
assurance and *real* seals of approval are happiest to go to some
independent tester and have them "certify" their Sidewinder after
installation. We've had numerous customers do this, including, of course,
the NSA. I wish they'd publicly release their reports on Sidewinder, too.
:->

It is true that a Sidewinder based DMS Firewall is currently under test and
evaluation for use by the Defense Message System.

Rick.
smith@sctc.com secure computing corporation

From firewalls-owner Mon Oct 7 15:42:49 1996
Date: Mon, 7 Oct 1996 17:29:15 -0500 (CDT)
From: Ron DuFresne
To: Moroni
cc: Esakov Dmitriy, firewalls@GreatCircle.COM
Subject: Re: Sniffer detection.

On Mon, 7 Oct 1996, Moroni wrote:

> How is a sniffer placed on a line.

Very carefully so as not to bruise its paws while placing the beast...

>
> On Mon, 7 Oct 1996, Esakov Dmitriy wrote:
>
> > Hi!
> > Does someone know how the ethernet sniffer can be detected?
> >

A forked stick will do the job, point it down an ethernet segment and it
will pull you right to the nearest sniffer placed carefully on line...

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
From firewalls-owner Mon Oct 7 16:03:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA18636 for firewalls-outgoing; Mon, 7 Oct 1996 15:51:03 -0700 (PDT) Received: from gateway.damark.com (GATEWAY.DAMARK.COM [204.17.145.230]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA18549 for ; Mon, 7 Oct 1996 15:50:11 -0700 (PDT) Received: by gateway.damark.com; id RAA11261; Mon, 7 Oct 1996 17:49:43 -0500 (CDT) Received: from sco.damark.com(172.31.254.231) by gateway.damark.com via smap (V3.1) id xme011257; Mon, 7 Oct 96 17:49:19 -0500 Received: by damark.com (5.65/1.2-eef) id AA13705; Mon, 7 Oct 96 17:49:17 -0500 Message-Id: <9610072249.AA13705@damark.com> From: "william.wells" To: FIREWALLS Subject: RE: Date: Mon, 07 Oct 96 17:47:00 +6C Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From: "Dick Mosher" >--------------------------------------------------------------------------- --- > Has anyone set up a hot firewall backup for their system? We are > wanting to provide as close to 24x7 access to the Web as we can, > and would like to put in a hot backup for the firewall. We have > been unable to resolve IP addressing and routing questions, and > have found no auto-sensing and -switching device to make this > work. Has anyone done this sort of thing? Any suggestions? Or > people to contact for advice? Thanks. > dick_mosher@wstnres.com I have similar demands. In my case, I'm researching both hot firewall backup (perhaps into a different location of the country) and a hot backup web system. I'd appreciate any pointers here also. 
William Wells Manager, System Administration Damark International, Inc william.wells@damark.com From firewalls-owner Mon Oct 7 16:57:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA24951 for firewalls-outgoing; Mon, 7 Oct 1996 16:38:23 -0700 (PDT) Received: from aahz.jf.intel.com (aahz.jf.intel.com [134.134.208.37]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA24937 for ; Mon, 7 Oct 1996 16:38:16 -0700 (PDT) Received: by aahz.jf.intel.com (Smail3.1.28.1 #13) id m0vAPEp-000hxPC; Mon, 7 Oct 96 16:37 PDT Message-Id: From: batie@aahz.jf.intel.com (Alan Batie) Subject: Re: Sniffer detection. To: giubileo@sprintsec.com (John Giubileo) Date: Mon, 7 Oct 1996 16:37:31 -0700 (PDT) Cc: esakov@relcom.eu.net, genel@inforamp.net, firewalls@GreatCircle.COM In-Reply-To: <199610072124.QAA00847@buzzard.> from "John Giubileo" at Oct 7, 96 04:24:53 pm X-Mailer: ELM [version 2.4 PL24 ME8] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The HP Netmetrix program (along with network probes installed throughout your > network) can also be configured to deetect when a sniffer goes up on your > network. Can it tell when I run tcpdump on my unix system? -- Alan Batie ------ What goes up, must come down. batie@aahz.jf.intel.com \ / Ask any system administrator. 
+1 503-264-8844 (voice) \ / --unknown D0 D2 39 0E 02 34 D6 B4 \/ 5A 41 21 8F 23 5F 08 9D From firewalls-owner Mon Oct 7 16:59:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA21271 for firewalls-outgoing; Mon, 7 Oct 1996 16:08:59 -0700 (PDT) Received: from renoir.op.net (renoir.op.net [206.84.208.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA21145 for ; Mon, 7 Oct 1996 16:08:10 -0700 (PDT) Received: from sulcus.op.net (jaw@sulcus.op.net [206.84.208.6]) by renoir.op.net (8.7.1/8.7.1/$Revision: 1.10 $) with ESMTP id TAA12952; Mon, 7 Oct 1996 19:07:32 -0400 (EDT) From: Jeff Weisberg Received: (jaw@localhost) by sulcus.op.net (8.6.12/$Revision: 1.1 $) id TAA25043; Mon, 7 Oct 1996 19:07:29 -0400 Date: Mon, 7 Oct 1996 19:07:29 -0400 Message-Id: <199610072307.TAA25043@sulcus.op.net> To: firewalls@GreatCircle.COM, benc@geocel.com Subject: Re: BoS: TCP SYN attacks - a simple solution (fwd) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk | >I propose a solution where the initial sequence number is calculated | >(not random), and is based on a cryptographic calculation of the | >senders Initial Sequence Number, the ports, and a "per boot" | >secret number. In this way the initial packet can be discarded, | >and on receipt of the third SYN packet can be recalculated. This idea has ben floating around for a while now. For an implementation look at: ftp.op.net:/pub/src/syn-prophylactica/ | But then wouldn't it be fairly easy to determine the secret number by | creating a real connection? no. using iss = md5(secret_stuff, timer, public_stuff) one would need to invert md5() to learn the secret_stuff. inverting md5 is difficult (for now). 
--jeff From firewalls-owner Mon Oct 7 17:07:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA12905 for firewalls-outgoing; Mon, 7 Oct 1996 15:11:41 -0700 (PDT) Received: from access1.digex.net (access1.digex.net [205.197.245.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA12851 for ; Mon, 7 Oct 1996 15:11:26 -0700 (PDT) Received: from localhost (brads@localhost) by access1.digex.net (8.6.12/8.6.12) with SMTP id SAA16549 ; for ; Mon, 7 Oct 1996 18:10:53 -0400 Date: Mon, 7 Oct 1996 18:10:53 -0400 (EDT) From: Bradley Smith X-Sender: brads@access1.digex.net To: Gene Lee cc: Esakov Dmitriy , firewalls@GreatCircle.COM Subject: Re: Sniffer detection. In-Reply-To: <32594599.446B@inforamp.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Point taken, but if an unauthorized individual has the opportunity to physically jack into your network like that, I would say that getting your packets sniffed is probably the least of your worries. As a side note, I've heard here and there that NIC's are available that cannot be operated in promiscuous mode. Does anyone have experience with these devices? Or can tell me what vendor(s) are manufacturing? -brad On Mon, 7 Oct 1996, Gene Lee wrote: > Bradley Smith wrote: > > I used to do something very basic for this. There are several code > > snippets available to get interface values (i.e. cpm, ifstatus). I'd run > > these from cron, mail results to file, tail file with swatch and look for > > a lexical string indicating the interface was in prom (sp) mode. > > > > If the status code returned indicated a "sniffer," I'd mail the results to > > my pager and shut the interface down. You could get even more creative > > than this with netstats, reverse finger, etc.. 
> > This is fine for unix machines which you have administative control > over, but what about a rogue PC notebook running DataGlance or LANAlyzer > inserted into your Ethernet network somewhere on the wire? Also keep in > mind some NICs are custom built to not broadcast the fact that they are > in promiscuous mode. The only way to detect something like this would be > to physically check each interface connected to your network. > > -- > Gene Lee > genel@inforamp.net > genelee@vnet.ibm.com > From firewalls-owner Mon Oct 7 17:19:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA19872 for firewalls-outgoing; Mon, 7 Oct 1996 16:00:02 -0700 (PDT) Received: from smtp2.interramp.com (smtp2.interramp.com [38.8.200.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA19844 for ; Mon, 7 Oct 1996 15:59:48 -0700 (PDT) Received: from davidh.interramp.com by smtp2.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp) id SAA12054; Mon, 7 Oct 1996 18:59:16 -0400 Message-ID: <325997CC.792A@checkpoint.com> Date: Mon, 07 Oct 1996 18:52:44 -0500 From: David Helms Organization: CheckPoint Software Technologies X-Mailer: Mozilla 2.02Gold (Win95; I) MIME-Version: 1.0 To: Dick Mosher CC: firewalls-digest@GreatCircle.COM Subject: Re: References: <9609078447.AA844730978@cc.wstnres.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dick, I swear this is not an ad! Take a look at the new announcement for FW-1 V3.0. It's on our web site and was just released this morning. http://www.checkpoint.com V3.0 provides state-sharing, which allows multiple firewalls to support the same connection. Fixes the Asymmetrical routing issue and provides a high-availability solution as well. Hope you find it helpful. David Helms Dick Mosher wrote: > > Has anyone set up a hot firewall backup for their system? 
We are
> wanting to provide as close to 24x7 access to the Web as we can,
> and would like to put in a hot backup for the firewall. We have
> been unable to resolve IP addressing and routing questions, and
> have found no auto-sensing and -switching device to make this
> work. Has anyone done this sort of thing? Any suggestions? Or
> people to contact for advice? Thanks.
> dick_mosher@wstnres.com

--
__________________________________
David Helms
Senior Technical Consultant
CheckPoint Software Technologies
ph 703.684.4824 fx 703.684.4847
davidh@checkpoint.com
__________________________________

From firewalls-owner Mon Oct 7 17:58:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA19842 for firewalls-outgoing; Mon, 7 Oct 1996 15:59:46 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA19822 for ; Mon, 7 Oct 1996 15:59:37 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id RAA05054; Mon, 7 Oct 1996 17:50:50 -0400
Date: Mon, 7 Oct 1996 17:50:46 -0400 (EDT)
From: Rabid Wombat
To: Dick Mosher
cc: firewalls@greatcircle.com
Subject: Re: your mail
In-Reply-To: <9609078447.AA844730978@cc.wstnres.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just a guess off the top of my head (I have not set anything like this up):

Obtain separate links to two ISPs. Firewall each incoming link with a separate firewall, and dual-home the web servers on a separate bastion segment off each firewall, with no routing enabled on the web servers. Set up "round robin" references to the two different addresses on each web server, as though each were two separate systems.

Comments, anyone?

                       (Internal Nets)
                              |
                              |
                       |-------------|      Bastion Segment #1
  -- from ISP #1 ------| Firewall #1 |-------------------------
                       |-------------|              |
                                               |----------|
                                               |Web Server| ...
                                               |----------|
                       |-------------|              |
  -- from ISP #2 ------| Firewall #2 |--------------------------
                       |-------------|      Bastion Segment #2

On Mon, 7 Oct 1996, Dick Mosher wrote:

> Has anyone set up a hot firewall backup for their system? We are
> wanting to provide as close to 24x7 access to the Web as we can,
> and would like to put in a hot backup for the firewall. We have
> been unable to resolve IP addressing and routing questions, and
> have found no auto-sensing and -switching device to make this
> work. Has anyone done this sort of thing? Any suggestions? Or
> people to contact for advice? Thanks.
> dick_mosher@wstnres.com
>
>

From firewalls-owner Mon Oct 7 17:58:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA22124 for firewalls-outgoing; Mon, 7 Oct 1996 16:16:38 -0700 (PDT)
Received: from intfw.bear.com (intfw.bear.com [206.25.172.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA22064 for ; Mon, 7 Oct 1996 16:16:00 -0700 (PDT)
Received: by intfw.bear.com (4.1/SMI-4.1) id AA20555; Mon, 7 Oct 96 19:15:31 EDT
Received: from fastbear(165.168.74.3) by intfw via smap (V1.3) id sma019925; Mon Oct 7 19:08:03 1996
Received: from ursa2.bear.com by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) id AA26099; Mon, 7 Oct 96 19:13:00 EDT
Received: from whip_xfr.bear.com (whip-xfr) by ursa2.bear.com (4.1/SMI-4.1/AMR+DJMS(2)) id AA22295; Mon, 7 Oct 96 19:09:05 EDT
Received: from wizard.bsnet by whip_xfr.bear.com (SMI-8.6/SMI-SVR4) id TAA08397; Mon, 7 Oct 1996 19:08:16 -0400
Received: from neptune by wizard.bsnet (SMI-8.6/SMI-SVR4) id TAA10070; Mon, 7 Oct 1996 19:08:16 -0400
Message-Id: <32598D60.591C@bear.com>
Date: Mon, 07 Oct 1996 19:08:16 -0400
From: Shahryar Jahangir
Organization: Bear Stearns
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m)
Mime-Version: 1.0
To: Dick Mosher
Cc: firewalls-digest@GreatCircle.COM
Subject: Re:
References: <9609078447.AA844730978@cc.wstnres.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dick,

You can build this configuration using Openvision HA. It requires some additional scripts (shell) being added to the rc files. I have done this and it works perfectly ...

luck
sj

Dick Mosher wrote:
>
> Has anyone set up a hot firewall backup for their system? We are
> wanting to provide as close to 24x7 access to the Web as we can,
> and would like to put in a hot backup for the firewall. We have
> been unable to resolve IP addressing and routing questions, and
> have found no auto-sensing and -switching device to make this
> work. Has anyone done this sort of thing? Any suggestions? Or
> people to contact for advice? Thanks.
> dick_mosher@wstnres.com

--
...........................................
" Is there a God ? I don't know, the computer is down !"
Shahryar Jahangir
Information Services
Bear Stearns & Co. Inc.
245 Park Avenue
New York, NY 10167
email: sj@bear.com
Tel: 212 272 7764
Fax : 212 499 6977
...........................................
--
*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************

From firewalls-owner Mon Oct 7 18:11:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA21014 for firewalls-outgoing; Mon, 7 Oct 1996 16:07:32 -0700 (PDT)
Received: from gatekeeper.Bridge.COM (gatekeeper.bridge.com [167.76.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA20965 for ; Mon, 7 Oct 1996 16:07:01 -0700 (PDT)
From: ken@bridge.com
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id SAA09580; Mon, 7 Oct 1996 18:05:56 -0500
Received: from dns1srv.bridge.com(167.76.36.6) by gatekeeper.Bridge.COM via smap (V1.3) id sma009570; Mon Oct 7 18:05:45 1996
Received: from wskbh1.bridge.com (wskbh1.bridge.com [167.76.24.150]) by dns1srv.bridge.com (8.7.6/8.7.3) with ESMTP id SAA28396; Mon, 7 Oct 1996 18:06:05 -0500 (CDT)
Received: (from ken@localhost) by wskbh1.bridge.com (8.7.5/8.7) id SAA13480; Mon, 7 Oct 1996 18:04:17 -0500 (CDT)
Date: Mon, 7 Oct 1996 18:04:17 -0500 (CDT)
Message-Id: <199610072304.SAA13480@wskbh1.bridge.com>
To: dick_mosher@wstnres.com
Subject: Re: hot firewall backup
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Has anyone set up a hot firewall backup for their system? We are
> wanting to provide as close to 24x7 access to the Web as we can,
> and would like to put in a hot backup for the firewall. We have
> been unable to resolve IP addressing and routing questions, and
> have found no auto-sensing and -switching device to make this
> work. Has anyone done this sort of thing? Any suggestions? Or
> people to contact for advice? Thanks.
> dick_mosher@wstnres.com

Part of the solution, if your primary and backup firewalls need to have different IP addresses, could be to use an internal HTTP proxy like the Harvest or Squid caches. They can be configured with any number of parent proxies, and will use either UDP echo (port 7) or ICP (Internet Cache Protocol?) to determine which parent to use. If your users all use the internal proxy, that proxy can determine dynamically which of many potential firewalls to use for Internet access.

I'm using the Squid cache internally and am quite pleased with it. I am not using it in the manner I've just described with multiple parents, but that's how it's described as working. See:

http://www.nlanr.gov/Cache
and
http://harvest.transarc.com/

But that will leave you with the problem of how to provide hot backup for your internal proxy, possibly leaving you right where you started.

The Netscape automatic proxy configuration allows you to provide multiple proxies for a given URL, with automatic failover to secondary, tertiary, etc., proxies in the event of failure. See:

http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

Of course, that only covers you for your Netscape users, unless MS has implemented this also, unbeknownst to me, but that's probably too much to hope for.

--
KH

From firewalls-owner Mon Oct 7 18:21:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA18503 for firewalls-outgoing; Mon, 7 Oct 1996 15:49:58 -0700 (PDT)
Received: from user1.scranton.com (user1.scranton.com [204.186.119.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA18465 for ; Mon, 7 Oct 1996 15:49:35 -0700 (PDT)
Received: from localhost (moroni@localhost) by user1.scranton.com (8.6.12/8.6.9) with SMTP id SAA03426; Mon, 7 Oct 1996 18:48:50 -0400
X-Authentication-Warning: user1.scranton.com: moroni owned process doing -bs
Date: Mon, 7 Oct 1996 18:48:50 -0400 (EDT)
From: Moroni
To: Ron DuFresne
cc: Esakov Dmitriy , firewalls@GreatCircle.COM
Subject: Re: Sniffer detection.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

cute.

On Mon, 7 Oct 1996, Ron DuFresne wrote:

> On Mon, 7 Oct 1996, Moroni wrote:
>
> > How is a sniffer placed on a line.
>
> Very carefully so as not to bruise its paws while placing the beast...
>
> >
> > On Mon, 7 Oct 1996, Esakov Dmitriy wrote:
> >
> > > Hi!
> > > Does someone know how the ethernet sniffer can be detected.
> > >
>
> A forked stick will do the job, point it down an ethernet segment and it
> will pull you right to the nearest sniffer placed carefully on line...
>
> Later,
>
> Ron DuFresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
>

From firewalls-owner Mon Oct 7 18:27:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA08548 for firewalls-outgoing; Mon, 7 Oct 1996 18:14:11 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA08502 for ; Mon, 7 Oct 1996 18:13:52 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id VAA00429; Mon, 7 Oct 1996 21:19:13 -0500
From: Adam Shostack
Message-Id: <199610080219.VAA00429@homeport.org>
Subject: Re: Financial transactions and firewalls.
To: carson@lehman.com
Date: Mon, 7 Oct 1996 21:19:12 -0500 (EST)
Cc: mjr@v-one.com, firewalls@GreatCircle.COM
In-Reply-To: <199610072103.RAA29070@dragon.lehman.com> from "carson@lehman.com" at Oct 7, 96 05:03:34 pm
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

carson@lehman.com wrote:
| >>>>> "Marcus" == Marcus J Ranum writes:
|
| Marcus> There are a number of such protocols in use: SWIFT is popular in
| Marcus> Europe. In the US there's a thing called FIX. Many of these
| Marcus> protocols, it has been "explained" to me, are secure because they
| Marcus> are complicated (IBM wrote a lot of FIX, see) and therefore are not
| Marcus> easily broken. Amusingly, standards bodies will sell you protocol
|
| FIX is point-to-point encrypted, using some combo of public and private key
| systems (based on PGP, last I heard). I haven't looked at the cryptography,
| but folks much better at it than I am have, and they seem happy with it.

PGP is an implementation, not a cryptosystem.

Can you provide names of people who have looked at FIX? Anonymous reviewers mentioned on a mailing list don't cut it when considering protocols that carry large sums of money.

Adam

--
"Every year the Republicans campaign like Libertarians, and then go to Washington and spend like Democrats." Vote Harry Browne for President.
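[Editor's added example; this is not part of any message in the thread and not code from any poster.] The Netscape automatic proxy configuration that Ken mentions above in the hot-firewall-backup thread is a small JavaScript file the browser fetches once; the browser then calls FindProxyForURL() for every request and tries the proxies in the returned list from left to right, moving to the next entry when one does not answer. That is what gives failover between a primary and a backup firewall proxy without any change on the firewalls themselves. The firewall and cache host names, ports, internal domain and internal address range below are assumptions made up for the example. The two helper functions are cut-down stand-ins for ones a PAC-capable browser supplies itself; they are defined here only so the file also runs stand-alone under Node.

```javascript
// Netscape-style automatic proxy configuration (PAC) with failover.
// Added example: proxy names, ports and the internal address space are
// assumptions, not values taken from the original messages.

var PRIMARY   = "PROXY fw1.corp.example:8080";    // HTTP proxy on firewall #1
var SECONDARY = "PROXY fw2.corp.example:8080";    // HTTP proxy on the hot backup, firewall #2
var TERTIARY  = "PROXY squid.corp.example:3128";  // internal cache, last resort

var INTERNAL_DOMAIN = ".corp.example";                      // assumed internal DNS suffix
var INTERNAL_IP     = /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;     // assumed internal net (10/8)

// Cut-down stand-ins for helpers a PAC-capable browser provides itself.
// They exist so the file runs under Node; a browser uses its own versions.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Called by the browser for every request. The return value is an ordered
// list; the browser falls through to the next entry when a proxy is down.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Internal hosts never go out through a firewall proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN) ||
      INTERNAL_IP.test(host)) {
    return "DIRECT";
  }

  // Everything else: primary firewall, then the hot backup, then the cache.
  // Deliberately no trailing "; DIRECT": if every proxy is down the request
  // should fail rather than quietly try to go round the firewalls.
  return PRIMARY + "; " + SECONDARY + "; " + TERTIARY;
}

// Split a PAC result into its failover order, handy when checking a policy.
function proxyChain(result) {
  return result.split(";").map(function (s) { return s.trim(); });
}
```

Serve the file from an internal web server and point the browser's automatic proxy configuration URL at it. The omission of a final DIRECT entry is the part worth keeping: a list ending in DIRECT makes the browser attempt an unproxied connection when every proxy is unreachable, which either fails at the packet filter or, on a segment with a forgotten route out, bypasses the firewalls entirely.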
http://www.harrybrowne96.org

From firewalls-owner Mon Oct 7 18:51:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA12108 for firewalls-outgoing; Mon, 7 Oct 1996 18:35:07 -0700 (PDT)
Received: from nis.acs.uci.edu (nis.acs.uci.edu [128.200.16.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA12066 for ; Mon, 7 Oct 1996 18:34:50 -0700 (PDT)
Received: from bingy.acs.uci.edu by nis.acs.uci.edu (8.7.6) id SAA09405; Mon, 7 Oct 1996 18:32:41 -0700 (PDT)
Message-ID: <3259AF29.2031@hydra.acs.uci.edu>
Date: Mon, 07 Oct 1996 18:32:25 -0700
From: Dan Stromberg
X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.5.1 sun4m)
MIME-Version: 1.0
To: Marc Chatel
CC: best-of-security@suburbia.net, firewalls@greatcircle.com
Subject: Re: BoS: Need volunteer FTP archive site to host new security software
References: <1.5.4.32.19961003205647.00698e6c@pop.dial.oleane.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One might reasonably contrast S4 with the "autoinstall" environment set up here at UCI: http://www.oac.uci.edu/support/dcs/automation. The goals appear to be quite similar: fix security holes and provide services in a quick, consistent manner. We've chosen to focus on 100% non-interactivity - all choices related to a machine's configuration are recorded in various scripts, and there they remain, conveniently available for future upgrades and disaster recovery.

Our current autoinstall environment handles Solaris 2.5.1 (on sparc), Irix 6.2, OSF/1 3.2c and SunOS 4.1.4. Linux (based on debian) is planned. Some rudimentary support for older versions of some of these operating systems is also included. We have 150+ hosts configured with this system.

There is a fair amount of traffic on similar subjects, on the auto-net list: auto-net@math.gatech.edu.

Marc Chatel wrote:
>
> Hello all,
>
> I am looking for one or more anonymous FTP sites that would be
> interested in hosting a new security software kit called "S4". S4 stands
> for the "Secure System Setup Script". The kit is currently about 6.5 megabytes
> (and will probably grow), and it may be necessary to keep several versions
> archived over time if the kit proves popular.
>
> The kit does not currently contain anything that would cause "export
> control" problems if hosted in the U.S., but this COULD change over time.
> Because of this (and if sites are interested, of course), the ideal setup
> may be for a non-U.S. master FTP site, with mirrors in the U.S or elsewhere.
> Better suggestions from people more knowledgeable than me about the problem
> are welcome. :-)
>
> Interested sites may contact me at mchatel@dial.oleane.com.
> I will need to use a "simple" authentication method to update the FTP area,
> since I live in France and basically cannot use any serious crypto without
> a permit.
>
> A bit more detail on S4 is included below for your reading pleasure...
>
> Sincere Regards,
>
> Marc Chatel
> 9, ave Jean Monnet
> 74940 ANNECY-LE-VIEUX
> FRANCE
>
> Private E-mail: mchatel@dial.oleane.com
>
> ----------- details on S4 (the Secure System Setup Script) -------------
>
> S4 is best described as "a security glueware compromise". The goal of S4
> is to minimize the time necessary to accomplish the following:
>
> Move from a) system with freshly installed base operating system
>            with no config done yet
>
> to        b) system with a maximum number of obvious security holes
>            closed, ready to connect to an insecure network,
>            and which offers some basic services that people need today:
>            FTP/WWW/SMTP/POP. Most services offered (including the ones
>            I just listed) run chrooted and non-privileged.
>
> The current S4 is able to move a system from a) to b) in approx. 60 minutes.
> The installer spends most of that time pressing "Y", "N", and RETURN to accept
> default parameters and page through the output. I guess it could be described
> as an "automatic system defense tool", as opposed to "automatic system
> scanning tools", which are more common...
>
> Although it currently runs on only one platform (OSF/Digital Unix on Alpha),
> I believe people will find the tool interesting (even if it is just to pick
> some parts out of it). My goal in publishing S4 is to find volunteers that
> will find it useful enough to add functionality to it, and help me port it
> to other platforms (my experience is that testing a tool like this requires
> exclusive access to at least one machine of the type being tested,
> preferably two).
>
> The actual S4 "kit" is composed at > 90% of software packages already
> published on Internet and written by many people. All packages included are
> in source form (S4 compiles all packages during installation, that's why it
> takes an hour to run). In some cases, I have made slight modifications to
> the packages (usually to improve drop privilege/chroot methods and to fix
> syslog issues introduced by chroot environments).
>
> Packages currently included in the S4 kit (either as-is or modified) are:
> -----------------------------------------------------------------------------
> "aftpd", originally written by Marcus J. Ranum, based on Berkeley
> sources
>
> "arpwatch" from the University of California, Lawrence Berkeley Laboratory
>
> the Berkeley "db" package, from the University of California at Berkeley
>
> "gzip", from the Free Software Foundation
>
> "libpcap" from the University of California, Lawrence Berkeley Laboratory
>
> the NCSA "httpd" web server, from the National Center for Supercomputing
> Applications at the University of Illinois at Urbana-Champaign
>
> PERL (version 5.003), from Larry Wall
>
> "poppasswd", originally from Daniel L. Leavitt at MITRE (I believe)
>
> "qpopper", a collective work currently hosted at QualComm
>
> "sendmail", from the University of California at Berkeley
>
> "spop", put in the public domain by the RAND Corporation
>
> "tcpd", from Wietse Venema at the Eindhoven University of Technology
> -----------------------------------------------------------------------------
>
> The parts of S4 actually written by me are mostly installation shellscripts,
> and a few C programs here and there to handle specific issues.
>
> ***************************
> LICENSING/COPYRIGHT ISSUES:
> ***************************
>
> My primary goal is usefulness.
>
> To some extent, the S4 kit can be considered an "aggregation" of many
> software packages (the S4 shellscripts sit in their own directory and drive
> each package's installation script from outside). Each package included
> in the S4 kit remains on its own license/copyright terms.
>
> The top directory of the S4 kit includes a file called S4_LICENSE.txt
> that includes the basic license text from all of the parties involved
> (I think). Each kit included is in source and includes its own license
> text.
>
> For the parts of S4 specifically written by me, I chose licensing
> terms as convenient as possible. The S4-specific files include the
> following text:
>
> # ------------------------------------------------------------------------------
> # Copyright (c) 1995,1996 Donated to the public domain
> #
> # Original author and maintainer: Marc Chatel mchatel@dial.oleane.com
> # Last known maintainer: Marc Chatel mchatel@dial.oleane.com
> #
> # This file was created as part of the S4 (Secure System Setup Script) kit.
> # Permission is granted to any person or entity to do any of the following:
> # a) use this file alone or in some other software
> # b) modify this file or include parts of this file in other files
> # c) re-distribute this file AS IS or modified, for non-commercial
> # or commercial purposes, alone or as part of some software package
> #
> # No warranties of any kind, express or implied, on the functionality and safety
> # of the contents of this file. Use at your own risk!
> #
> # If you do useful changes to this file (bug fixes, portability fixes,
> # enhancements), you should TRY to contact the current maintainer, who may be
> # maintaining a "latest greatest" version of the file. You do not HAVE TO,
> # but you should TRY. Promote software reuse! It helps everybody, including you!
> # ------------------------------------------------------------------------------
>
> --------------- end of message -----------------

From firewalls-owner Mon Oct 7 19:12:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA15309 for firewalls-outgoing; Mon, 7 Oct 1996 15:27:17 -0700 (PDT)
Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA15172 for ; Mon, 7 Oct 1996 15:26:41 -0700 (PDT)
Received: from ts5-01.vcr.iSTAR.ca by hermes.intel.com (8.7.6/10.0i); Mon, 7 Oct 1996 15:22:23 -0700
Received: by ts5-01.vcr.iSTAR.ca with Microsoft Mail id <01BBB47B.FA833320@ts5-01.vcr.iSTAR.ca>; Mon, 7 Oct 1996 18:18:45 -0400
Message-ID: <01BBB47B.FA833320@ts5-01.vcr.iSTAR.ca>
From: Gene Lee
To: Gene Lee , "'Bradley Smith'"
Cc: Esakov Dmitriy , "firewalls@GreatCircle.COM"
Subject: RE: Sniffer detection.
Date: Mon, 7 Oct 1996 18:18:43 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Monday, October 07, 1996 2:10 PM, Bradley Smith[SMTP:brads@access.digex.net] wrote:
>Point taken, but if an unauthorized individual has the opportunity to
>physically jack into your network like that, I would say that getting your
>packets sniffed is probably the least of your worries.

What about employees sniffing the wire for things like manager ID/password pairs, payroll information, etc? Attacks from the inside, where access to the wire is often not as strictly controlled as attacks from the outside, are still common nonetheless.

--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Mon Oct 7 19:15:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA18322 for firewalls-outgoing; Mon, 7 Oct 1996 15:48:00 -0700 (PDT)
Received: from firewall1_int.glaxowellcome.com (firewall1_ext.glaxo.com [192.58.204.204]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA18302 for ; Mon, 7 Oct 1996 15:47:52 -0700 (PDT)
Received: by firewall1_int.glaxowellcome.com id SAA09502; Mon, 7 Oct 1996 18:51:13 -0400 (EDT)
Received: from ussun2f.glaxo.com(152.51.19.71) by firewall1.glaxo.com via smap (3.2) id xma009500; Mon, 7 Oct 96 18:51:03 -0400
Received: by ussun2f.glaxo.com id SAA18527; Mon, 7 Oct 1996 18:49:46 -0400 (EDT)
Date: Mon, 7 Oct 1996 18:49:45 -0400 (EDT)
From: Gary Hull
X-Sender: ggh14854@ussun2f
To: carson@lehman.com
cc: "Marcus J. Ranum" , firewalls@GreatCircle.COM
Subject: Re: Financial transactions and firewalls.
In-Reply-To: <199610072103.RAA29070@dragon.lehman.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 7 Oct 1996 carson@lehman.com wrote:

> >>>>> "Marcus" == Marcus J Ranum writes:
>
> Marcus> There are a number of such protocols in use: SWIFT is popular in
> Marcus> Europe. In the US there's a thing called FIX. Many of these
> Marcus> protocols, it has been "explained" to me, are secure because they
> Marcus> are complicated (IBM wrote a lot of FIX, see) and therefore are not
> Marcus> easily broken. Amusingly, standards bodies will sell you protocol
>
> FIX is point-to-point encrypted, using some combo of public and private key
> systems (based on PGP, last I heard). I haven't looked at the cryptography,
> but folks much better at it than I am have, and they seem happy with it.

Where can a person learn more about FIX (i.e.; what platforms can it run on [just IBM?] or can UNIX be used)?

Thanks in advance for shedding more light on this product.

|/
---o0o-@@-o0o---------
Gary G. Hull - Technical Consultant
Howard Systems International - Glaxo Wellcome Inc.
Five Moore Drive - Raleigh, North Carolina 27709
Tel : (919) 941-4867 - Fax : (919) 248-2831
email: ggh14854@ussun2f.glaxo.com

From firewalls-owner Mon Oct 7 19:27:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA15880 for firewalls-outgoing; Mon, 7 Oct 1996 18:53:46 -0700 (PDT)
Received: from relay2.smtp.psi.net (relay2.smtp.psi.net [38.8.188.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA15749 for ; Mon, 7 Oct 1996 18:53:11 -0700 (PDT)
Received: from internet-gw1 by relay2.smtp.psi.net (8.6.12/SMI-5.4-PSI) id VAA08846; Mon, 7 Oct 1996 21:52:47 -0400
Received: from internet-gw2.HEA.COM by internet-gw1 (4.1/SMI-4.1/HEA-GCA-gw1-940329-1) id AA07200; Mon, 7 Oct 96 19:18:48 PDT
Received: from dbwhdsk.hyundai.com by internet-gw2.HEA.COM (4.1/SMI-4.1/HEA-GCA-gw2-940329-1) id AA22985; Mon, 7 Oct 96 18:51:33 PDT
Received: by dbwhdsk.hyundai.com (5.x/SMI-SVR4) id AA05650; Mon, 7 Oct 1996 18:45:59 -0700
Date: Mon, 7 Oct 1996 18:45:59 -0700
From: nsaputra@HEA.COM (Nancy Saputra X8387)
Message-Id: <9610080145.AA05650@dbwhdsk.hyundai.com>
To: firewalls@greatcircle.com
Subject: sendmail & bind (DNS) version
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Which version of sendmail and bind is a good version to run in terms of stability and security?

Thanks,
Nancy

From firewalls-owner Mon Oct 7 19:34:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA07796 for firewalls-outgoing; Mon, 7 Oct 1996 18:10:00 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA07663 for ; Mon, 7 Oct 1996 18:09:14 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id UAA05337; Mon, 7 Oct 1996 20:00:35 -0400
Date: Mon, 7 Oct 1996 20:00:32 -0400 (EDT)
From: Rabid Wombat
To: Bradley Smith
cc: Gene Lee , Esakov Dmitriy , firewalls@GreatCircle.COM
Subject: Re: Sniffer detection.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Much more secure to implement secure hubs and be done with it. For those who don't know what these are, they overwrite the data portion of the packet (from layer two inward) on a copy of the packet - the port handling the MAC address of the recipient gets the real packet, and all other ports xmit the copy w/ the overwritten data, to comply w/ ethernet rules requiring everyone to "see" the packet. If a sniffer is placed on such a segment, all they will be able to do is get a list of MAC addresses and measure traffic volume to each.

Not a bad addition to your bastion segment, in addition to internal use.

-r.w.

On Mon, 7 Oct 1996, Bradley Smith wrote:

> Point taken, but if an unauthorized individual has the opportunity to
> physically jack into your network like that, I would say that getting your
> packets sniffed is probably the least of your worries.
>
> As a side note, I've heard here and there that NICs are available that
> cannot be operated in promiscuous mode. Does anyone have experience with
> these devices? Or can tell me what vendor(s) are manufacturing?
>
> -brad
>
> On Mon, 7 Oct 1996, Gene Lee wrote:
>
> > Bradley Smith wrote:
> > > I used to do something very basic for this. There are several code
> > > snippets available to get interface values (i.e. cpm, ifstatus). I'd run
> > > these from cron, mail results to file, tail file with swatch and look for
> > > a lexical string indicating the interface was in prom (sp) mode.
> > >
> > > If the status code returned indicated a "sniffer," I'd mail the results to
> > > my pager and shut the interface down. You could get even more creative
> > > than this with netstats, reverse finger, etc..
> >
> > This is fine for unix machines which you have administrative control
> > over, but what about a rogue PC notebook running DataGlance or LANAlyzer
> > inserted into your Ethernet network somewhere on the wire? Also keep in
> > mind some NICs are custom built to not broadcast the fact that they are
> > in promiscuous mode. The only way to detect something like this would be
> > to physically check each interface connected to your network.
> >
> > --
> > Gene Lee
> > genel@inforamp.net
> > genelee@vnet.ibm.com
> >
>

From firewalls-owner Mon Oct 7 20:45:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA23649 for firewalls-outgoing; Mon, 7 Oct 1996 19:32:11 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA23559 for ; Mon, 7 Oct 1996 19:31:45 -0700 (PDT)
Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id WAA01410; Mon, 7 Oct 1996 22:31:24 -0400 (EDT)
Received: from localhost (proberts@localhost) by clark.net (8.7.1/8.7.1) with SMTP id WAA02675; Mon, 7 Oct 1996 22:31:23 -0400 (EDT)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Mon, 7 Oct 1996 22:31:23 -0400 (EDT)
From: "Paul D. Robertson"
To: Rabid Wombat
cc: Dick Mosher , firewalls@GreatCircle.COM
Subject: Re: your mail
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 7 Oct 1996, Rabid Wombat wrote:

> Just a guess off the top of my head (I have not set anything like this up):
>
> Obtain separate links to two ISPs. Firewall each incoming link with a
> separate firewall, and dual-home the web servers on a separate bastion
> segment off each firewall, with no routing enabled on the web servers. Set
> up "round robin" references to the two different addresses on each web
> server, as though each were two separate systems.
>

Round robin still loses you traffic on an adapter or network failure. I'd probably start looking at using NAT on both firewalls, and BGP the same network externally, and NAT the same address on both firewalls to a different one on each interface, with weighted routes to each firewall from the external routers. If you want to consider router failure, you'll also have to do some dual interfacing on the outside of each wall, or put them on a hub, and make the firewalls part of an IBGP group or something.

>
> Comments, anyone?
>
>                        (Internal Nets)
>                               |
>                               |
>                        |-------------|      Bastion Segment #1
>   -- from ISP #1 ------| Firewall #1 |-------------------------
>                        |-------------|              |
>                                                |----------|
>                                                |Web Server| ...
>                                                |----------|
>                        |-------------|              |
>   -- from ISP #2 ------| Firewall #2 |--------------------------
>                        |-------------|      Bastion Segment #2
>
>
>
>

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Mon Oct 7 20:56:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA08876 for firewalls-outgoing; Mon, 7 Oct 1996 20:53:26 -0700 (PDT)
Received: from io.Farallon.COM (io.farallon.com [163.176.4.31]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA08805 for ; Mon, 7 Oct 1996 20:53:08 -0700 (PDT)
Received: from farallon.com (miracle.farallon.com [163.176.8.11]) by io.Farallon.COM (8.8.0/8.7.3) with SMTP id UAA28688; Mon, 7 Oct 1996 20:50:38 -0700 (PDT)
Received: from [163.176.132.147] by farallon.com (4.1/SMI-4.1) id AA14230; Mon, 7 Oct 96 20:51:10 PDT
X-Sender: tupshin@shellx.best.com
Message-Id:
In-Reply-To: <9610071334.AA6632@NYC-NTGW-N02.ny.jpmorgan.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 7 Oct 1996 20:50:00 -0800
To: Brian B Mitchell , "Ralf Roettinghausen" , firewalls@GreatCircle.COM
From: Tupshin Harper
Subject: Re: TIMBUKTU
Cc: firewalls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A couple of clarifications.
Timbuktu Pro exists for Macintosh, Windows 3.1, WFW, Windows95, and Windows NT 3.51 (4.0 support due in January), and you can remotely control from one OS to another. Both the Mac and the PC versions work over either TCP/IP or IPX (the Mac version also supports Appletalk).

The port numbers listed were correct except that the first one (used for establishing connections) is actually UDP 407, not TCP 407.

If you have any other questions about it, feel free to ask.

-Tupshin Harper
-Technical Support Specialist
-Timbuktu Products
-Farallon Communications

At 2:29 PM -0800 10/7/96, Brian B Mitchell wrote:
>Ralf,
>
>TIMBUKTU is a piece of remote control software for MACINTOSH computers. It
>works just like PC Anywhere, LAPLINK for Windows, etc etc.
>
>It can run over IP or through APPLETALK.
>
>Using TCP, the following ports are the defaults.
>
>timbuktu         407/tcp    Timbuktu
>timbuktu-srv1   1417/tcp    Timbuktu Service 1 Port
>timbuktu-srv2   1418/tcp    Timbuktu Service 2 Port
>timbuktu-srv3   1419/tcp    Timbuktu Service 3 Port
>timbuktu-srv4   1420/tcp    Timbuktu Service 4 Port
>
>Regards
>
>brianm
>
>
>To: firewalls @ GreatCircle.COM @ SMTP
>cc:
>From: ralf @ hsa2.hva.uni-bremen.de ("Ralf Roettinghausen") @ SMTP
>Sent: Mon 07/10/96 13:13:09 EDT
>Subject: TIMBUKTU
>
>
>I've got only a simple question ?
>I've heard about a thing called TIMBUKTU !
>
>
>What (not where) is TIMBUKTU and how does it work ?
>
>
>With kind regards
>
>Der Senator fuer Haefen, ueberregionalen Verkehr und Aussenhandel
>Referat 03 / Network Administration
>
>Ralf Roettinghausen

From firewalls-owner Mon Oct 7 21:12:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA08124 for firewalls-outgoing; Mon, 7 Oct 1996 20:47:25 -0700 (PDT)
Received: from malasada.lava.net (malasada.lava.net [199.222.42.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA07900 for ; Mon, 7 Oct 1996 20:46:40 -0700 (PDT)
Received: by malasada.lava.net (Smail3.1.28.1 #9) id m0vAT7V-000AUMC; Mon, 7 Oct 96 17:46 WET
Message-Id:
Date: Mon, 7 Oct 96 17:46 WET
From: rbc@lava.net (Robert B. Carleton)
To: nsaputra@HEA.COM
CC: firewalls@greatcircle.com
In-reply-to: <9610080145.AA05650@dbwhdsk.hyundai.com> (nsaputra@HEA.COM)
Subject: Re: sendmail & bind (DNS) version
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Nancy,

sendmail 8.7.6 is the latest of the stable sendmail lineage. It can be found in ftp://ftp.cs.berkeley.edu/ucb/sendmail. 8.8.0 is out but I believe that it is in an alpha state.

Aloha,

--Bruce
--
Robert B. Carleton + rbc@lava.net + http://www.lava.net/~rbc

From firewalls-owner Mon Oct 7 21:26:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA07109 for firewalls-outgoing; Mon, 7 Oct 1996 20:40:08 -0700 (PDT)
Received: from franklin.seas.gwu.edu (franklin.seas.gwu.edu [128.164.9.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA07102 for ; Mon, 7 Oct 1996 20:40:00 -0700 (PDT)
Received: from seas.gwu.edu (root@felix.seas.gwu.edu [128.164.9.3]) by franklin.seas.gwu.edu (8.7.1/8.7.1) with ESMTP id XAA27032 for ; Mon, 7 Oct 1996 23:39:32 -0400 (EDT)
Received: from reto.seas.gwu.edu (reto@felix [128.164.9.3]) by seas.gwu.edu (8.7.1/8.7.1) with SMTP id XAA29884 for ; Mon, 7 Oct 1996 23:02:26 -0400 (EDT)
Message-Id: <199610080302.XAA29884@seas.gwu.edu>
X-Sender: reto@seas.gwu.edu
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 07 Oct 1996 23:03:14 -0400
To: firewalls@greatcircle.com
From: Reto Haeni
Subject: firewall testing and penetration
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am writing a paper on firewall testing and penetration. I attach my outline (subject to change as always :) ) at the end of this message.

One of the subjects in the paper will be what Security Policies have to include and what not. For this I would be grateful if you could point me to good existing security policies and/or to sources on how to formulate them.

Another part will contain how to test/penetrate firewalls. There, I am still looking for additional information, mainly about the dangers of open services (proxies).

I don't expect that you solve my problems (well, if you would insist.... :) ) but a few hints would be appreciated so that I don't get lost in the theoretical details.

greetings and TIA

Reto

--------------------------------------------------------------------------------
Penetration/Testing of Firewalls

1. Security policies
   - what they should contain
   - what they should not contain

2. Gaining information on the target Network/Host/Firewall
   - probing techniques
   - tools

3. Firewall penetration in general
   - overload
   - bad packets
   - packet filter approach (IP spoofing..)
   - approach to proxies

4. Policy decisions and their consequences (possible attacks in relation to open services)
   - e-mail
   - ftp
   - telnet
   - rexec
   - NNTP
   - http
   - finger/whois
   - DNS
   - NW management services
       SNMP
       RIP
       ping
       traceroute
   - NTP
   - NFS

5. Security incidents
   - responding to an incident
   - tracking down an intruder
   - policy issues when an incident occurred

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Reto E. Haeni                              Cyberspace Policy Institute
The George Washington University           2033 K Str. NW Suite 340N
School of Engineering and Applied Science  Washington DC 20006
ph (202) 994-5512 (We, Th)                 http://www.cpi.seas.gwu.edu/
reto@seas.gwu.edu                          http://www.seas.gwu.edu/student/reto/
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

From firewalls-owner Mon Oct 7 21:39:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA00779 for firewalls-outgoing; Mon, 7 Oct 1996 20:03:57 -0700 (PDT)
Received: from lehman.Lehman.COM (lehman.Lehman.COM [192.147.66.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA00557 for ; Mon, 7 Oct 1996 20:03:05 -0700 (PDT)
From: carson@lehman.com
Received: (from smap@localhost) by lehman.Lehman.COM (8.6.12/8.6.12) id XAA24227; Mon, 7 Oct 1996 23:02:43 -0400
Received: from relay.mail.lehman.com(192.9.140.112) by lehman via smap (V1.3) id tmp024225; Mon Oct 7 23:02:42 1996
Received: from kublai.lehman.com by relay.lehman.com (4.1/LB-0.6) id AA12662; Mon, 7 Oct 96 23:02:41 EDT
Received: from dragon.lehman.com by kublai.lehman.com (4.1/Lehman Bros. V1.6) id AA17541; Mon, 7 Oct 96 23:02:40 EDT
Received: by dragon.lehman.com (SMI-8.6/Lehman Bros. V1.5) id XAA04245; Mon, 7 Oct 1996 23:02:39 -0400
Date: Mon, 7 Oct 1996 23:02:39 -0400
Message-Id: <199610080302.XAA04245@dragon.lehman.com>
To: Adam Shostack
Cc: mjr@v-one.com, firewalls@GreatCircle.COM
Subject: Re: Financial transactions and firewalls.
In-Reply-To: <199610080219.VAA00429@homeport.org>
References: <199610072103.RAA29070@dragon.lehman.com> <199610080219.VAA00429@homeport.org>
Reply-To: carson@lehman.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>>>>> "Adam" == Adam Shostack writes:

Adam> PGP is an implementation, not a cryptosystem.

Yup. It sure is. And that's why I said based on PGP, not uses PGP for encryption. AFAIK, they yanked the encryption code right out of the PGP distribution for the sample implementation of FIX, and therefore use IDEA for the secret key, with RSA for the key exchange.

Adam> Can you provide names of people who have looked at FIX? Anonymous
Adam> reviewers mentioned on a mailing list don't cut it when considering
Adam> protocols that carry large sums of money.

Right again. I suggest you hire a cryptographer to review the protocol before you transfer large sums of money via it. I can't name names without going through a tiresome bureaucracy involving Lehman's legal department, and it just isn't that important to me. My message was not meant to convince the world that FIX is a magnificent gift to mankind, only that FIX, possibly unlike SWIFT, _has_ undergone severe security reviews by several large investment banks. The first draft of the protocol waved several hands and said that the protocol will be secure. That did _not_ go over well. The version that is deployed was written by a consulting firm hired by members of the FIX consortium, and supposedly includes strong encryption. As I haven't reviewed the source code, I can't say if they got it right or not, but it is more than security by vigorous assertion.

I have just about exhausted my complete knowledge of FIX.
I was involved at the early stages here at Lehman (and was one of the folks to laugh the original spec out of existance), but have been uninvolved for quite some time. For all I know, all of the above has changed and they're now trusting a Psychic Hotline to notify them of security problems, but I doubt it. -- Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com http://www.cs.columbia.edu/~carson/home.html From firewalls-owner Mon Oct 7 21:40:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA02963 for firewalls-outgoing; Mon, 7 Oct 1996 17:37:14 -0700 (PDT) Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA02944 for ; Mon, 7 Oct 1996 17:37:06 -0700 (PDT) Received: from ts5-01.vcr.iSTAR.ca by hermes.intel.com (8.7.6/10.0i); Mon, 7 Oct 1996 17:36:10 -0700 Received: by ts5-01.vcr.iSTAR.ca with Microsoft Mail id <01BBB48E.AE8F4040@ts5-01.vcr.iSTAR.ca>; Mon, 7 Oct 1996 20:32:38 -0400 Message-ID: <01BBB48E.AE8F4040@ts5-01.vcr.iSTAR.ca> From: Gene Lee To: "esakov@relcom.eu.net" , "'John Giubileo'" Cc: "firewalls@GreatCircle.COM" Subject: RE: Sniffer detection. Date: Mon, 7 Oct 1996 20:32:36 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Monday, October 07, 1996 5:24 PM, John Giubileo[SMTP:giubileo@sprintsec.com] wrote: >The HP Netmetrix program (along with network probes installed throughout your >network) can also be configured to deetect when a sniffer goes up on your network. How does it accomplish this? What role do the probes play? 
-- Gene Lee genel@inforamp.net genelee@vnet.ibm.com From firewalls-owner Mon Oct 7 21:41:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA13873 for firewalls-outgoing; Mon, 7 Oct 1996 21:31:45 -0700 (PDT) Received: from firewall.harker.com (firewall.harker.com [192.102.231.125]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA13822 for ; Mon, 7 Oct 1996 21:31:31 -0700 (PDT) Received: from harker.harker.com (harker.harker.com [192.102.231.1]) by firewall.harker.com (8.6.9/8.6.12) with ESMTP id NAA15834; Mon, 7 Oct 1996 13:24:38 GMT Received: (from harker@localhost) by harker.harker.com (8.8.0-RetRcpt/8.8.Beta.5a) id VAA06754; Mon, 7 Oct 1996 21:31:45 -0700 (PDT) Date: Mon, 7 Oct 1996 21:31:45 -0700 (PDT) From: Robert Harker Message-Id: <199610080431.VAA06754@harker.harker.com> To: firewalls@GreatCircle.COM, nsaputra@HEA.COM Subject: Re: sendmail & bind (DNS) version Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Current production versions of sendmail and BIND are: sendmail 8.7.6 ftp://ftp.cs.berkeley.edu/ucb/src/sendmail bind 4.9.4 ftp://ftp.vix.com/pub/bind/4.9.4 Sendmail 8.8.0 has just been released, but it did not go through an extensive beta so I would recommend waiting for 8.8.1 or 8.8.2 for firewalls, let other people shake the bugs out of it. BIND 4.9.4 is mostly a bug fix release for 4.9.3, so I would say go for it. BIND 4.9.5 has some interesting new stuff like support for CIDR style allocation of the in-addr.arpa domain, but it is still beta, so wait. 
Hope this helps RLH > For info about our "Managing Internet Mail, Setting Up and Trouble < > Shooting sendmail and DNS" and a schedule of dates and locations, < > please send email to info@harker.com, or visit www.harker.com < Robert Harker Harker Systems Sendmail and TCP/IP Network Training 1180 Hester Ave Network and Sysadmin Consulting San Jose, CA 95126 harker@harker.com 408-295-9432 From firewalls-owner Mon Oct 7 21:58:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA01253 for firewalls-outgoing; Mon, 7 Oct 1996 17:24:27 -0700 (PDT) Received: from anka.mindvision.com (anka.mindvision.com [198.247.220.254]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA01236 for ; Mon, 7 Oct 1996 17:24:15 -0700 (PDT) Received: (from alan@localhost) by anka.mindvision.com (8.6.11/8.6.9) id TAA04437; Mon, 7 Oct 1996 19:23:44 -0500 Message-Id: <199610080023.TAA04437@anka.mindvision.com> Subject: Re: Redundant Firewall Construction To: dick_mosher@wstnres.com (Dick Mosher) Date: Mon, 7 Oct 1996 19:23:43 -0500 (CDT) Cc: firewalls@greatcircle.com In-Reply-To: <9609078447.AA844730978@cc.wstnres.com> from "Dick Mosher" at Oct 7, 96 04:29:18 pm From: alan@mindvision.com (Alan Hannan) Reply-To: alan@mindvision.com (Alan Hannan) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Dick, > Has anyone set up a hot firewall backup for their system? We are > wanting to provide as close to 24x7 access to the Web as we can, > and would like to put in a hot backup for the firewall. I have not installed one, but I've done Proof-of-concept on the below, and it works well. World | Router_To_World | ============================ | | Firewall_A Firewall_B | | ============================ | | Router_A Router_B ...... 
| | Int_Net_A Int_Net_B Router_A and Router_B would be your departmental routers, or your campus routers, depending on the size of your network. Regardless, they're meant to be the "top" or the hierarchical network one step below the common meet point or DMZ. Router_A is configured to default to Firewall_A. Router_A has a less preferable default route to Firewall_B. Router_B is configued to default to Firewall_A (just like Router_A) Router_B has a less preferable default route to Firewall_B. In the situation where Firewall_A were to break, Router_A would realize that that route wasn't available, and switch over to Firewall_B. This can be done manually or automatically. This sort of construction gives you some very very nifty possibilities, like loadsharing between firewalls from your internal network with fully meshed redundancy and such.... Router_A could default primary to Firewall_A and secondary to Firewall_B, as well as Router_B defaulting primary Firewall_B, and secondary to Firewall_A. > We have > been unable to resolve IP addressing and routing questions, and > have found no auto-sensing and -switching device to make this > work. Well, certainly the "broked-ness" of the firewall can vary. The above situation can be constructed to fallover automatically when a firewall's interface crashes (ie power problem or crash). If this isn't a good enough "broked" then you could script some checking from inside and trigger manual fall-over. The issue of synchronizing the databases (not logs) is rather straight-forward, yet time consuming... > Has anyone done this sort of thing? Any suggestions? Or > people to contact for advice? Thanks. If the above stuffs is interesting, or if you've questions, mail me. 
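A small model of the design described in the post above, added by the editor as an example and not code from the thread. It keeps the router and firewall names from the diagram; the health flag (standing in for "the firewall's inside interface answers") and the per-firewall session table, used here to stand for the state that has to be synchronized before a failover is seamless, are assumptions.

```python
"""Model of the two-firewall layout in the post above. Added example by the
editor, not code from the thread: the router and firewall names follow the
diagram, while the health flag and the per-firewall session table are
assumptions."""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    inside_if_up: bool = True           # what the router's probe would see
    # Connection state held only on this box (assumed to be the "database"
    # that must be synchronized for a failover to be seamless).
    sessions: set = field(default_factory=set)


@dataclass
class Router:
    name: str
    default_routes: tuple               # most preferred first, then backup


def select_gateway(router, firewalls):
    """Most-preferred firewall whose inside interface answers, else None."""
    for name in router.default_routes:
        if firewalls[name].inside_if_up:
            return name
    return None


def routing_table(routers, firewalls):
    """Next hop chosen by every internal router under the current health state."""
    return {r.name: select_gateway(r, firewalls) for r in routers}


def sessions_broken_by_failover(old_fw, new_fw):
    """Connections that die when traffic moves from old_fw to new_fw:
    everything old_fw had state for that new_fw does not."""
    return old_fw.sessions - new_fw.sessions


def sync_state(src, dst):
    """One-way state copy, the "straight-forward, yet time consuming" part."""
    dst.sessions |= src.sessions


def active_standby_layout():
    """Both routers prefer Firewall_A and fall back to Firewall_B."""
    firewalls = {"Firewall_A": Firewall("Firewall_A"),
                 "Firewall_B": Firewall("Firewall_B")}
    routers = [Router("Router_A", ("Firewall_A", "Firewall_B")),
               Router("Router_B", ("Firewall_A", "Firewall_B"))]
    return routers, firewalls


def fully_meshed_layout():
    """Load-sharing variant: each router prefers its own firewall."""
    firewalls = {"Firewall_A": Firewall("Firewall_A"),
                 "Firewall_B": Firewall("Firewall_B")}
    routers = [Router("Router_A", ("Firewall_A", "Firewall_B")),
               Router("Router_B", ("Firewall_B", "Firewall_A"))]
    return routers, firewalls


def failover_demo(synced):
    """Kill Firewall_A after three flows were set up through it; report the
    routing before and after, and which flows Firewall_B cannot continue."""
    routers, firewalls = fully_meshed_layout()
    fw_a, fw_b = firewalls["Firewall_A"], firewalls["Firewall_B"]
    before = routing_table(routers, firewalls)
    fw_a.sessions |= {"s1", "s2", "s3"}     # constructed session ids
    if synced:
        sync_state(fw_a, fw_b)
    fw_a.inside_if_up = False
    after = routing_table(routers, firewalls)
    return before, after, sessions_broken_by_failover(fw_a, fw_b)


if __name__ == "__main__":
    for synced in (False, True):
        before, after, broken = failover_demo(synced)
        print(f"state synced={synced}: {before} -> {after}, lost {sorted(broken)}")
```

Both routers preferring Firewall_A is the active/standby case from the post; the fully meshed variant has each router prefer its own firewall and only converges on one box when the other is dead. The session arithmetic is what makes the transparency caveat in the follow-up post matter: once Router_A moves its default route, any connection whose state lived only on Firewall_A is dropped by Firewall_B unless that state was copied across first.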
See you,

Alan

From firewalls-owner Mon Oct 7 22:57:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA28077 for firewalls-outgoing; Mon, 7 Oct 1996 22:52:16 -0700 (PDT)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA28052 for ; Mon, 7 Oct 1996 22:52:02 -0700 (PDT)
Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02) id AA25844; Tue, 8 Oct 1996 01:51:41 -0400
Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2) id BAA09679; Tue, 8 Oct 1996 01:49:05 -0400
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199610080549.BAA09679@splinter.rtp.dg.com>
Subject: Re: Dole web site cracked?
To: alexf@iss.net (Alex Filacchione)
Date: Tue, 8 Oct 1996 01:49:02 -0400 (EDT)
Cc: campbell@c2.net, skeeve@skeeve.net, cypherpunks@toad.com, firewalls@greatcircle.com
In-Reply-To: <01BBB447.0E066B40@alexf.iss.net> from "Alex Filacchione" at Oct 7, 96 11:59:40 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> The addresses www.dole-kemp.com and www.dole-kemp.org seem to be spoofed
> sites. The REAL sites are www.dolekemp96.org and www.dole96.org. These
> sites have not been touched. Hmm, and I thought that internic was supposed
> to be watching this stuff (domain names). I wonder if mcdonalds.org is
> still available...
>

Well, as of 1:49 AM on Oct 8, www.dole96.org is hacked. www.dolekemp96.org is OK.

--
Jon F. Spencer                     spencerj@rtp.dg.com (uunet!rtp.dg.com!spencerj)
Data General Corp.                 Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119      FAX   : (919)248-6108
Research Triangle Park, NC 27709   Office RTP 121/9
Reality is an illusion - perception is what counts.
No success can compensate for failure in the home. President David O. McKay
***** UCC 1-207 ********

From firewalls-owner Mon Oct 7 23:11:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA28657 for firewalls-outgoing; Mon, 7 Oct 1996 22:56:23 -0700 (PDT)
Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id WAA28534 for ; Mon, 7 Oct 1996 22:55:56 -0700 (PDT)
Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.Clark.Net (8.7.3/8.6.5) with SMTP id BAA00376; Tue, 8 Oct 1996 01:55:12 -0400 (EDT)
Message-Id: <199610080555.BAA00376@mail.Clark.Net>
Comments: Authenticated sender is
From: "Marcus J. Ranum"
Organization: V-ONE Corp, Baltimore Office
To: carson@lehman.com
Date: Tue, 8 Oct 1996 01:53:39 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Financial transactions and firewalls.
CC: firewalls@GreatCircle.COM
X-mailer: Pegasus Mail for Win32 (v2.42)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Carson writes:
> My message was not meant to convince the world that FIX is a magnificent
> gift to mankind, only that FIX, possibly unlike SWIFT, _has_ undergone
> severe security reviews by several large investment banks. The first draft
> of the protocol waved several hands and said that the protocol will be
> secure. That did _not_ go over well.

The first draft of the protocol was the one I was referring to as being the sub-optimal one. I haven't looked at the latest version so I really shouldn't comment (and I should have been more specific in my first comments). I also don't know, but am concerned about, possible penetration/implementation of the first version. One of the things that tends to compound protocol security nightmares is the early adopters who then refuse to upgrade. :)

> written by a consulting firm hired by members of the FIX consortium, and
> supposedly includes strong encryption. As I haven't reviewed the source
> code, I can't say if they got it right or not, but it is more than security
> by vigorous assertion.

And, in some cases, it's assertion by virtue of obscurity. It's really unfortunate that there are still a LOT of people who expect the security expert to buy an argument like: "the protocol is too complicated for anyone to crack or spoof correctly." Uh-huh. Yeah. Especially if it's a standard.

> For all I know, all of the above has changed and they're now trusting
> a Psychic Hotline to notify them of security problems, but I doubt it.

Carson, Carson, Carson -- psychics for security are completely passe!! All the real experts these days are using voodoo. Papa Legba review dis' code!

mjr.

[In case anyone's been wondering about my sudden activity level, it's because I've finally gotten around to installing a detached mailer on my laptop. This week and next week I will be spending a LOT of time in airplanes! :)]

From firewalls-owner Mon Oct 7 23:26:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA27931 for firewalls-outgoing; Mon, 7 Oct 1996 22:50:40 -0700 (PDT)
Received: from anka.mindvision.com (anka.mindvision.com [198.247.220.254]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA27913 for ; Mon, 7 Oct 1996 22:50:29 -0700 (PDT)
Received: (from alan@localhost) by anka.mindvision.com (8.6.11/8.6.9) id AAA07155; Tue, 8 Oct 1996 00:50:08 -0500
Message-Id: <199610080550.AAA07155@anka.mindvision.com>
Subject: Re: Redundant Firewall Construction
To: dick_mosher@wstnres.com
Date: Tue, 8 Oct 1996 00:50:06 -0500 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: <199610080023.TAA04437@anka.mindvision.com> from "Alan Hannan" at Oct 7, 96 07:23:43 pm
From: alan@mindvision.com (Alan Hannan)
Reply-To: alan@mindvision.com (Alan Hannan)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Erm, the below stuffs assumes transparency. Thanks you-know-who for pointing that out....

-alan

>
> Hi Dick,
>
> > Has anyone set up a hot firewall backup for their system? We are
> > wanting to provide as close to 24x7 access to the Web as we can,
> > and would like to put in a hot backup for the firewall.
>
> I have not installed one, but I've done Proof-of-concept on the
> below, and it works well.
>
>                 World
>                   |
>           Router_To_World
>                   |
>      ============================
>          |                |
>      Firewall_A       Firewall_B
>          |                |
>      ============================
>          |                |
>      Router_A         Router_B ......
>          |                |
>      Int_Net_A        Int_Net_B
>
> Router_A and Router_B would be your departmental routers, or your
> campus routers, depending on the size of your network.
> Regardless, they're meant to be the "top" or the hierarchical
> network one step below the common meet point or DMZ.
>
> Router_A is configured to default to Firewall_A.
> Router_A has a less preferable default route to Firewall_B.
> Router_B is configured to default to Firewall_A (just like Router_A)
> Router_B has a less preferable default route to Firewall_B.
>
> In the situation where Firewall_A were to break, Router_A would
> realize that that route wasn't available, and switch over to
> Firewall_B. This can be done manually or automatically.
>
> This sort of construction gives you some very very nifty possibilities,
> like loadsharing between firewalls from your internal network with
> fully meshed redundancy and such.... Router_A could default
> primary to Firewall_A and secondary to Firewall_B, as well as
> Router_B defaulting primary Firewall_B, and secondary to
> Firewall_A.
>
> > We have
> > been unable to resolve IP addressing and routing questions, and
> > have found no auto-sensing and -switching device to make this
> > work.
>
> Well, certainly the "broked-ness" of the firewall can vary. The
> above situation can be constructed to fall over automatically when
> a firewall's interface crashes (i.e. power problem or crash). If
> this isn't a good enough "broked" then you could script some
> checking from inside and trigger manual fall-over.
>
> The issue of synchronizing the databases (not logs) is rather
> straight-forward, yet time consuming...
>
> > Has anyone done this sort of thing? Any suggestions? Or
> > people to contact for advice? Thanks.
>
> If the above stuffs is interesting, or if you've questions, mail
> me.
>
> See you,
>
> Alan
>

--
Alan Hannan                        Not Employed Networking, Ltd.
email: alan@mindvision.com.        phone: 402/488-0238

From firewalls-owner Tue Oct 8 01:26:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA16406 for firewalls-outgoing; Tue, 8 Oct 1996 01:19:52 -0700 (PDT)
Received: from hadrian.sbil.co.uk (sbil.co.uk [193.116.107.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id BAA16398 for ; Tue, 8 Oct 1996 01:19:43 -0700 (PDT)
From: jason.crow@sbil.co.uk
Received: (from gate@localhost) by hadrian.sbil.co.uk (8.7.5/8.6.6) id JAA03344; Tue, 8 Oct 1996 09:19:04 +0100 (BST)
X-Authentication-Warning: hadrian.sbil.co.uk: gate set sender to using -f
Received: from europe.sbil.co.uk(129.14.115.12) by hadrian.sbil.co.uk via smap (V1.3) id sma003342; Tue Oct 8 09:19:03 1996
Received: from trident.sbil.co.uk (trident [129.14.114.238]) by europe.sbil.co.uk (8.7.3/8.6.6) with ESMTP id JAA27909; Tue, 8 Oct 1996 09:19:03 +0100 (BST)
Received: (crow@localhost) by trident.sbil.co.uk (SMI-8.6/8.6.6) id JAA16712; Tue, 8 Oct 1996 09:19:02 +0100
Date: Tue, 8 Oct 1996 09:19:02 +0100
Message-Id: <199610080819.JAA16712@trident.sbil.co.uk>
To: carson@lehman.com, ggh14854@glaxowellcome.com
Subject: Re: Financial transactions and firewalls.
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: dc9IzmIlsfo0JkOsh+N6EQ==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Folks,

All the information and specifications for FIX can be found at the following web site:-

http://www.world.std.com/~fix

Regards

Jason

---------------------------------------------------------------
Jason Crow                     Salomon Brothers International Limited
-----------------------------------------------
Global Technology - Europe     Fax: +44 (0)171-721-2605
Information Security Manager   Tel: +44 (0)171-721-2580

From firewalls-owner Tue Oct 8 02:42:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA21741 for firewalls-outgoing; Tue, 8 Oct 1996 02:30:42 -0700 (PDT)
Received: from h01.scientia.com (h01.scientia.com [194.216.183.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA21704 for ; Tue, 8 Oct 1996 02:30:20 -0700 (PDT)
Received: by h01.scientia.com with SMTP id KAA00336 for ; Tue, 8 Oct 1996 10:29:49 +0100
Message-Id: <199610080929.KAA00336@h01.scientia.com>
X-Sender: firewall@pop-server
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 08 Oct 1996 09:28:58 +0100
To:
From: Ian Miller
Subject: RE: Dole web site cracked?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:59 07/10/96 -0400, Alex Filacchione wrote:
> The addresses www.dole-kemp.com and www.dole-kemp.org seem to be spoofed
> sites. The REAL sites are www.dolekemp96.org and www.dole96.org. These
> sites have not been touched. Hmm, and I thought that internic was supposed
> to be watching this stuff (domain names).

No. Network Solutions (InterNIC) are very explicit that they DON'T watch this stuff. I suspect they fear that if they reject one application on such grounds they may be held liable for failing to reject another one.

To quote from their recent message (Subject: InterNIC Policy Revision) to all Administrative contacts:-

> Second-level domain names are registered on "first-come,
> first-serve" basis.
>
> Network Solutions does not determine legality of domain
> name registrations.

Ian

From firewalls-owner Tue Oct 8 03:42:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA25195 for firewalls-outgoing; Tue, 8 Oct 1996 03:25:47 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id DAA25170 for ; Tue, 8 Oct 1996 03:25:38 -0700 (PDT)
Received: from martin_d.cci.cox.com ([206.98.143.200]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id DAA04729; Tue, 8 Oct 1996 03:25:13 -0700 (PDT)
Message-Id: <2.2.32.19961008102506.0069b2e4@lexicon.ins.com>
X-Sender: martin_d@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 08 Oct 1996 06:25:06 -0400
To: rricardo@Schwab.Com (ray ricardo)
From: Darwin Martinez
Subject: Re: Cisco ports 769 / 781
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Port 769 is some application named "vid". Not sure if that refers to video or not. Uses either tcp or udp.

Port 781 is unknown to me.

At 11:01 AM 10/7/96 -0700, you wrote:
>
> In my dmz i have been receiving messages from my cisco router on port 769 and 781 destined to devices on my service segment. Does anyone know what port 769/781 is?
>
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Darwin L. Martinez, NSE            Email: darwin_martinez@ins.com
Atlanta Office                     Client: 404-843-5954
International Network Services     Pager: 1-800-INS-1-INS
"Providing the power of operable networks"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

From firewalls-owner Tue Oct 8 04:12:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA27812 for firewalls-outgoing; Tue, 8 Oct 1996 04:00:28 -0700 (PDT)
Received: from merlim.mandic.com.br (merlim.mandic.com.br [200.246.227.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA27724 for ; Tue, 8 Oct 1996 04:00:07 -0700 (PDT)
From: sysop@idealbbs.mandic.com.br
Received: by merlim.mandic.com.br (8.6.12/SMI-SVR4) id IAA14195; Tue, 8 Oct 1996 08:59:40 -0300
>Received: by idealbbs.mandic.com.br (UUPM-1.51) id D6325aE Tue, Oct 08, 1996 08:05:21 EDT
Message-Id: <9610080805.D6325aE@idealbbs.mandic.com.br>
X-Mailer: UUPlus Mail 1.51
To: Firewalls@GreatCircle.com
Organization: Ideal BBS-Ubatuba-SP-BR
Date: Tue, 08 Oct 96 08:05:21 EST
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Tue Oct 8 05:26:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA04135 for firewalls-outgoing; Tue, 8 Oct 1996 05:15:04 -0700 (PDT)
Received: from mail11.digital.com (mail11.digital.com [192.208.46.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA04123 for ; Tue, 8 Oct 1996 05:14:57 -0700 (PDT)
From: ollie@fws.ilo.dec.com
Received: from ilonet.ilo.dec.com by mail11.digital.com (8.7.5/UNX 1.2/1.0/WV) id IAA27259; Tue, 8 Oct 1996 08:14:34 -0400 (EDT)
Received: by ilonet.ilo.dec.com (5.65/MS-012594); id AA00711; Tue, 8 Oct 1996 13:20:27 +0100
Received: from fwsrtr.fws.ilo.dec.com by morse.ilo.dec.com; (5.65/1.1.8.2/22Jan96-8.2MPM) id AA29514; Tue, 8 Oct 1996 13:14:15 +0100
Received: by fwsrtr.fws.ilo.dec.com; (5.65v3.2/1.3/10May95) id AA24354; Tue, 8 Oct 1996 13:14:13 +0100
Message-Id: <9610081214.AA00858@starsky.fws.ilo.dec.com>
To: firewalls@GreatCircle.COM
Subject: SYN flooding and kernel parameters
Date: Tue, 08 Oct 96 13:14:12 +0100
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bradley Brown wrote:
>
> Several points to try to make this more clear:
> 1. SYN Floods take advantage of a queue managed by the OS. This queue is
> typically small in size and requires significant resources of the host
> if made much larger. Typically, this queue handles about 10 connection
> attempts and can be filled in seconds with a SYN Flood Attack. This is

Typically the queue length on a BSD based stack is 8, but most kernels can be configured much higher than that. On Digital UNIX, for example, the length of the queue can be increased to a max of 32767 without an appreciable loss of host performance. So, for the default timeout of 75 seconds, a sustained attack of more than 400 bogus SYN's per second would be required to swamp the kernel. If you set the timeout to a more realistic 20 seconds it would require a sustained attack of more than 1600 SYN's per second.

If you are running Digital UNIX see the web site http://www.digital.com/info/internet/document/ias/tuning.html for details on tuning. This page is targeted at tuning web servers; the parameters that are relevant for hardening against SYN attacks are somaxconn, sominconn and tcp_keepinit.

Ollie Leahy

Of course, it's me saying all this, not Digital.
~ From firewalls-owner Tue Oct 8 05:56:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA05252 for firewalls-outgoing; Tue, 8 Oct 1996 05:45:45 -0700 (PDT) Received: from Relay1.Austria.EU.net (relay1.Austria.EU.net [192.92.138.47]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA05232 for ; Tue, 8 Oct 1996 05:45:35 -0700 (PDT) Received: from gate.psk.co.at ([193.83.62.5]) by Relay1.Austria.EU.net with SMTP id AA15765 (5.67b/IDA-1.5 for ); Tue, 8 Oct 1996 14:45:10 +0200 Received: by gate gate 1707 id AA28078; Tue, 8 Oct 1996 14:45:48 +0200 Received: from proxy(10.9.6.207) by gate via smap (V1.3mjr) id sma028586; Tue Oct 8 14:45:34 1996 Received: from st (st.psk.co.at [10.9.100.2]) by proxy.psk.co.at (AIX4.2/UCB 8.7/8.7) with SMTP id OAA12034 for ; Tue, 8 Oct 1996 14:48:20 +0200 (DFT) Message-Id: <325A4A9D.1F10BB1@gate.psk.co.at> Date: Tue, 08 Oct 1996 14:35:41 +0200 From: "Alexander H. Hackenberg" Organization: p.s.k. X-Mailer: Mozilla 3.0 (X11; I; Linux 2.0.21 i486) Mime-Version: 1.0 To: firewalls@greatcircle.com Subject: udp ports <33400 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk hi, can anybody tell me what the udp ports 334xx-335xx are for ??? some nice guy (or gal;) sends lots of these packets to our domain. TIA a.h.h. -- ...................................................................... > alexander h. hackenberg > tel. +43/1/51400-3226 > fax. 
+43/1/51400-3299 > email mailto:ahh@gate.psk.co.at > > these opinions are mine - mine, mine, mine - > mineminemineminemineminemineminemineminemineminemineminemineminemine From firewalls-owner Tue Oct 8 06:27:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA06937 for firewalls-outgoing; Tue, 8 Oct 1996 06:12:58 -0700 (PDT) Received: from ctss02.telecom.hydro.qc.ca (ctss02.telecom.hydro.qc.ca [131.195.64.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA06883 for ; Tue, 8 Oct 1996 06:12:39 -0700 (PDT) Received: from neptune (neptune.telecom.hydro.qc.ca [131.195.237.170]) by ctss02.telecom.hydro.qc.ca (8.7.5/8.7.1) with SMTP id JAA19710; Tue, 8 Oct 1996 09:12:08 -0400 (EDT) Message-ID: <325A53A1.2862@telecom.hydro.qc.ca> Date: Tue, 08 Oct 1996 09:14:09 -0400 From: "bettez@telecom.hydro.qc.ca" Organization: Hydro-Québec X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.4 sun4m) MIME-Version: 1.0 To: Dan Tshin CC: firewalls@greatcircle.com Subject: Re: Any thoughts on these firewalls? References: <01BBB463.17CB9300@belgium.bulldog.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Dan Tshin wrote: > > Hi, > > I was wondering who has been using Milkyway firwalls and Borderware firewalls? > > Anything you really liked? Any beefs? How would it compare to Firewall-1, Altavista, Portus, for large networks? (ie ~300 workstations)? My hypothesis is that they are designed for smaller to mid-sized networks. > BlackHole is very very cool. And no, there are not designed for smaller networks. 
_______________________________ Jean-Sebastien Bettez From firewalls-owner Tue Oct 8 06:57:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA10260 for firewalls-outgoing; Tue, 8 Oct 1996 06:43:20 -0700 (PDT) Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA10217 for ; Tue, 8 Oct 1996 06:43:01 -0700 (PDT) Message-Id: <199610081343.GAA10217@miles.greatcircle.com> Received: by hp01.vak12ed.edu (1.37.109.20/16.2) id AA168402269; Tue, 8 Oct 1996 09:44:29 -0400 From: "W.C. Epperson" Subject: Re: Dole web site cracked? To: firewalls@greatcircle.com Date: Tue, 08 Oct 1996 9:44:29 EDT In-Reply-To: <199610080549.BAA09679@splinter.rtp.dg.com>; from "Jon Spencer" at Oct 8, 96 1:49 am Reply-To: epperson@vak12ed.edu X-Mailer: Elm [revision: 109.18] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jon may have said: > Well, as of 1:49 AM on Oct 8, www.dole96.org is hacked. www.dolekemp96.org > is OK. Well, lessee: www.dolekemp96.org seems to have a broken first page, while www.dole96.org is the kind of understated parody one might expect of a site run by the Ancient Order of Bavarian Seers (whois the domain, then the admin contact's domain). I guess what's "OK" depends on what you expect.... -- W.C. Epperson "I have great faith in fools. Senior SE Self-confidence, my friends call it." Information Security Officer --Edgar Allan Poe-- DBA Emeritus Curmudgeon-for-Life Virginia Dept. 
of Education
epperson@pen.k12.va.us

From firewalls-owner Tue Oct 8 07:22:03 1996
From: Jim Legg
Organization: Liebert Corp.
To: "Alexander H. Hackenberg"
Cc: firewalls@greatcircle.com
Date: Tue, 08 Oct 1996 09:39:22 -0400
Subject: Re: udp ports <33400

Alexander H. Hackenberg wrote:
>
> hi,
>
> can anybody tell me what the udp ports 334xx-335xx are for ???
> some nice guy (or gal;) sends lots of these packets to our domain.
>
> TIA
>
> a.h.h.
> --
> ......................................................................
> > alexander h. hackenberg
> > tel. +43/1/51400-3226
> > fax. +43/1/51400-3299
> > email mailto:ahh@gate.psk.co.at
> >
> > these opinions are mine - mine, mine, mine -
> > mineminemineminemineminemineminemineminemineminemineminemineminemine

I've seen these from someone doing a traceroute.
-jim-

From firewalls-owner Tue Oct 8 07:26:54 1996
From: "bettez@telecom.hydro.qc.ca"
Organization: Hydro-Québec
To: Dan Tshin
Cc: firewalls@greatcircle.com
Date: Tue, 08 Oct 1996 10:17:53 -0400
Subject: Re: Any thoughts on these firewalls?

Dan Tshin wrote:
>
> On Tuesday, October 08, 1996 9:14 AM, bettez@telecom.hydro.qc.ca wrote:
> >Dan Tshin wrote:
> >>
> >> Hi,
> >>
> >> I was wondering who has been using Milkyway firewalls and Borderware firewalls?
> >>
> >> Anything you really liked? Any beefs? How would it compare to Firewall-1, Altavista, Portus, for large networks? (ie ~300 workstations)? My hypothesis is that they are designed for smaller to mid-sized networks.
> >>
> >
> >BlackHole is very very cool.
> >And no, they are not designed for smaller networks.
> >
> >_______________________________
> >Jean-Sebastien Bettez
> >
> >
>
> Hi, can you tell me more about what you've seen and experienced? Have you worked with other firewalls?
> Have you had any problems setting up BlackHole, or has it been problem/hassle free?
>
> Thx for any thoughts.
>
> dan
>

cool features of bh (3.0):
- everything is proxy (no packet filtering)
- proxy http/smtp/ftp/telnet/realaudio(!) etc
- generic tcp proxy
- generic udp proxy(!)
- very nice/cool/easy interface
- a SQL DBMS for reporting (built-in)
- NAT (in 2 flavors)
- VPN (if you buy it, of course)
- secure OS(!)

and I probably forget a lot of little nice features.

We evaluated FW/1, but we didn't find it secure enough. Wonder why everybody is talking about it(?)

P.S. I'm not in any religious mystical hackerist firewalls order. ;)
P.P.S. Be tolerant, my English is under construct. 8)

_______________________________
Jean-Sebastien Bettez

From firewalls-owner Tue Oct 8 07:42:03 1996
From: Frederick M Avolio
To: firewalls@greatcircle.com
Date: Tue, 08 Oct 1996 10:29:55 -0400
Subject: TIS Sponsored Free Security Seminars -- short

TIS Sponsored Free Security Seminars (U.S.)
"Current Risks of the Internet and Firewall Solutions", Keynote Address by Michael Zboray, Vice President, Gartner Group "Securing the Perimeter", Features and overview of Internet firewalls "Firewalls Alone are Not Enough", The need for risk assessment and security policy See TIS web page (http://www.tis.com) for dates and locations and registration form. Fred From firewalls-owner Tue Oct 8 07:59:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA14950 for firewalls-outgoing; Tue, 8 Oct 1996 07:29:06 -0700 (PDT) Received: from itchy.mindspring.com (itchy.mindspring.com [204.180.128.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA14922 for ; Tue, 8 Oct 1996 07:28:52 -0700 (PDT) Received: from [168.121.206.219] (user-168-121-206-219.dialup.mindspring.com [168.121.206.219]) by itchy.mindspring.com (8.7.5/8.7.3) with SMTP id KAA14874; Tue, 8 Oct 1996 10:28:23 -0400 (EDT) Date: Tue, 8 Oct 1996 10:28:23 -0400 (EDT) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: smith@sctc.com (Rick Smith) From: pelicans@mindspring.com (BeachCruiser) Subject: Sidewinder, NSA prod endorsm'ts,ISSB. Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 4:37 PM 10/7/96, Rick Smith wrote: >In our experience, high end customers who are willing to pay extra for >assurance and *real* seals of approval are happiest to go to some >independent tester and have them "certify" their Sidewinder after >installation. We've had numerous customers do this, including, of course, >the NSA. >I wish they'd publicly release their reports on Sidewinder, too. Doubt it will happen during your career Rick. 
Unless Congress and the DoD rewrite the rules, NCSC's refusal to endorse Sidewinder is a good business lesson for those who might be thinking about looking to the Department of Defense for financial support in commercial product development and then looking again to the DoD to endorse what it funded. If you guys had stayed in the TYPE ONE cryptosystem business the endorsement problem would have gone away. Of course no one other than the U.S. Government user community would be allowed to buy your products. Although SCC has done about as well as anyone and better than most, transcending market boundaries in the information security business by attempting to leverage a "position" with government can be very tricky. Most attempts are not tremendously successful.

Don't know if you've heard this but... The National Security Telecommunications Advisory Committee (NSTAC) has recently explored the notion of establishing an industry driven, government supported organization to get a grip on rules, standards, criteria, etc., for test, approval, and certification of commercially developed information security systems, products and services, and the centers of excellence that handle the process. While some of you who are interested might want to keep your ear to the ground, I wouldn't spend a lot of time on it. The proposed organization, called the ISSB or Information Systems Security Board, already is in trouble on two primary issues:

First, coming up with an acceptable business model to fund and manage the organization will be a real exercise... as is the case whenever you attempt to get a consensus of a number of powerful agendas, not the least of which is the USG.

Secondly (and this will bring some of you out of your chairs), apparently the biggest impediment to getting the ISSB off the ground is that some influential folks feel that putting up the effort and expense is not justified by the size and nature of the threat.
You won't find this in this morning's Washington Post... but, the White House's heralded pronouncements regarding security and the National Information Infrastructure aside... apparently, a significant number of Fortune 500 CEOs, and some well placed information security specialists within the Defense and Intelligence community, simply do not believe that the real or perceived threats to their information infrastructures support placing that target on their radar screens. Hummmmmm. Pretty difficult to launch a major information security initiative given that thinking.

___________________________
Bob McKisson
Cypress Systems Corporation
804 Vanderbilt Ave.
Virginia Beach, VA 23451
(757) 425-4195 Voice
(757) 425-4196 FAX
(757) 442-0888 STU-III
pelicans@mindspring.com

From firewalls-owner Tue Oct 8 08:29:18 1996
From: bruce hilditch
To: darwin_martinez@INS.COM, rricardo@Schwab.Com
Cc: firewalls@GreatCircle.COM
Date: Tue, 8 Oct 1996 10:00:56 -0500 (CDT)
Subject: Re: Cisco ports 769 / 781

The AIX /etc/services file shows 781 to be something called "hp-collector".
-bruce-

From firewalls-owner Tue Oct 8 08:32:50 1996
From: peter@baileynm.com (Peter da Silva)
To: firewalls@scientia.com (Ian Miller)
Cc: firewalls@greatcircle.com
Date: Tue, 8 Oct 1996 09:54:13 -0500 (CDT)
Subject: Re: Dole web site cracked?

> No. Network Solutions (InterNIC) are very explicit that they DON'T watch
> this stuff.

Unless you pick something like "m1cr0s0ft.com".
From firewalls-owner Tue Oct 8 08:58:27 1996
From: "bettez@telecom.hydro.qc.ca"
Organization: Hydro-Québec
To: Frederick M Avolio
Cc: firewalls@greatcircle.com
Date: Tue, 08 Oct 1996 11:52:06 -0400
Subject: Re: Any thoughts on these firewalls?

Frederick M Avolio wrote:
>
> > - generic udp proxy(!)
> >We evaluated FW/1, but we didn't find it secure enough.
> >Wonder why everybody is talking about it(?)
>
> Generic proxies are practically filters.
> I don't think filters are secure
> enough either,
> but why would you think a generic UDP proxy is secure?
>

well well well

In packet filtering mode, the FW bases its decision on IP addresses and port numbers in a connectionless mode. I prefer TCP proxies because the client >has to< establish a connection with the FW. I heard (but I'm not sure) that you can bypass a packet filtering access list with (I think) packet fragmentation. You won't see this kind of problem with generic proxies.

The best is to use both packet filtering and proxies.
The philosophy behind the Linux firewall is very cool.
You have three kinds of packet filtering access list:
- One for packets entering an interface
- One for packets forwarded to another interface
- One for packets leaving an interface
And you can redirect packets to an arbitrary port on the FW for proxying the connection.

_____________________________
Jean-Sebastien Bettez

From firewalls-owner Tue Oct 8 09:35:54 1996
From: heiser@world.std.com (Bill Heiser)
To: firewalls@greatcircle.com
Date: Tue, 8 Oct 1996 12:10:09 -0400 (EDT)
Subject: allow "whois" requests outbound?

Would it be safe to allow outbound "whois" requests (tcp/43) from an internal network to the Internet via a packet-filtering style firewall such as Firewall-1? Are there any known "gotchas" to this particular service?
Thanks in advance,
Bill

--
Bill Heiser
heiser@world.std.com

From firewalls-owner Tue Oct 8 09:42:38 1996
From: Mike Rogers
To: BETTICK@boat.bt.com, firewalls@greatcircle.com
Date: Tue, 08 Oct 1996 10:13:34 -0600
Subject: RE: PIX (CISCO) -Reply

>It has Private Link Encryption which allows users to communicate in privacy
>over a public IP network (secure tunnels).

Are these secure tunnels point to point encryption? Is this between two PIX firewalls, or can the originator (user) be behind a Cisco router with the latest and greatest software (vers 11.1??)

I've been talking to Cisco about authentication of remote users as they access our backbone via a hostile network (like the Internet)... the results I'm hearing have left me with little hope for a Cisco fix for secure access from a remote user, even when that remote user is behind similar Cisco products.

At the risk of being flamed for getting off subject, I'd be glad to go into more detail off-line.

---------------------------------------------------------------------------------------------------------------
"There were a helluva lot of things they didn't tell me when I hired on with this outfit." - anonymous member of Gen.
Custer's cavalry unit

Mike Rogers
DP Security Analyst
State of Utah

From firewalls-owner Tue Oct 8 10:23:58 1996
From: Ryan Russell/SYBASE
To: Rabid Wombat
Cc: Bradley Smith, Gene Lee, Esakov Dmitriy, firewalls
Date: 8 Oct 96 9:16:36 EDT
Subject: Re: Sniffer detection.

Just buy a switch. It would be cheaper, and give you more functionality. I've never seen any info on a "secure hub." Do you have the name of a manufacturer of one?

Ryan

---------- Previous Message ----------
To: brads
cc: genel, esakov, firewalls
From: wombat @ mcfeely.bsfs.org (Rabid Wombat) @ smtp
Date: 10/07/96 08:00:32 PM
Subject: Re: Sniffer detection.

Much more secure to implement secure hubs and be done with it.
For those who don't know what these are, they overwrite the data portion of the packet (from layer two inward) on a copy of the packet - the port handling the MAC address of the recipient gets the real packet, and all other ports xmit the copy w/ the overwritten data, to comply w/ ethernet rules requiring everyone to "see" the packet. If a sniffer is placed on such a segment, all they will be able to do is get a list of MAC addresses and measure traffic volume to each. Not a bad addition to your bastion segment, in addition to internal use.

-r.w.

On Mon, 7 Oct 1996, Bradley Smith wrote:

> Point taken, but if an unauthorized individual has the opportunity to
> physically jack into your network like that, I would say that getting your
> packets sniffed is probably the least of your worries.
>
> As a side note, I've heard here and there that NICs are available that
> cannot be operated in promiscuous mode. Does anyone have experience with
> these devices? Or can tell me what vendor(s) are manufacturing?
>
> -brad
>
> On Mon, 7 Oct 1996, Gene Lee wrote:
>
> > Bradley Smith wrote:
> > > I used to do something very basic for this. There are several code
> > > snippets available to get interface values (i.e. cpm, ifstatus). I'd run
> > > these from cron, mail results to file, tail file with swatch and look for
> > > a lexical string indicating the interface was in prom (sp) mode.
> > >
> > > If the status code returned indicated a "sniffer," I'd mail the results to
> > > my pager and shut the interface down. You could get even more creative
> > > than this with netstats, reverse finger, etc..
> >
> > This is fine for unix machines which you have administrative control
> > over, but what about a rogue PC notebook running DataGlance or LANAlyzer
> > inserted into your Ethernet network somewhere on the wire? Also keep in
> > mind some NICs are custom built to not broadcast the fact that they are
> > in promiscuous mode.
> > The only way to detect something like this would be
> > to physically check each interface connected to your network.
> >
> > --
> > Gene Lee
> > genel@inforamp.net
> > genelee@vnet.ibm.com
> >
> >

From firewalls-owner Tue Oct 8 10:28:22 1996
From: Adam Shostack
To: heiser@world.std.com (Bill Heiser)
Cc: firewalls@GreatCircle.COM
Date: Tue, 8 Oct 1996 13:17:41 -0500 (EST)
Subject: Re: allow "whois" requests outbound?

Bill Heiser wrote:
| Would it be safe to allow outbound "whois" requests (tcp/43) from
| an internal network to the Internet via a packet-filtering style
| firewall such as Firewall-1? Are there any known "gotchas" to this
| particular service?

Why not encourage people to use a web gateway to whois? That saves you from asking questions about the client software.

Adam

--
"Every year the Republicans campaign like Libertarians, and then go to Washington and spend like Democrats." Vote Harry Browne for President.
http://www.harrybrowne96.org

From firewalls-owner Tue Oct 8 11:02:21 1996
From: Zach
To: Jim Legg
Cc: "Alexander H. Hackenberg", firewalls@GreatCircle.COM
Date: Tue, 8 Oct 1996 10:32:06 -0700 (PDT)
Subject: Re: udp ports <33400

On Tue, 8 Oct 1996, Jim Legg wrote:

> Alexander H. Hackenberg wrote:
> >
> > hi,
> >
> > can anybody tell me what the udp ports 334xx-335xx are for ???
> > some nice guy (or gal;) sends lots of these packets to our domain.
> >
> > TIA
> >
> > a.h.h.
> > --
> > ......................................................................
> > > alexander h. hackenberg
> > > tel. +43/1/51400-3226
> > > fax. +43/1/51400-3299
> > > email mailto:ahh@gate.psk.co.at
> > >
> > > these opinions are mine - mine, mine, mine -
> > > mineminemineminemineminemineminemineminemineminemineminemineminemine
>
> I've seen these from someone doing a traceroute.
>
> -jim-

yup. from the unix source:

    u_short port = 32768+666; /* start udp dest port # for probe packets */

:) it then increments for each packet it sends out. someone can of course change the port it starts with though.
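A firewall-side check built on the port pattern Zach quotes, as an added example that is not code from the thread: it flags inbound UDP datagrams whose destination port falls in traceroute's default probe window (first port 32768+666 = 33434) and measures how many datagrams from one source climb port by port, which is what a traceroute run looks like in a log. The window width assumes the default 30 hops x 3 probes with one port per probe; the log records are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Default first probe port of classic Unix traceroute: 32768 + 666, as quoted above. */
#define TRACEROUTE_BASE_PORT 33434
/* Assumed defaults: 30 hops, 3 probes per hop, the port advancing once per probe. */
#define TRACEROUTE_MAX_HOPS  30
#define TRACEROUTE_NPROBES   3
#define TRACEROUTE_PORT_SPAN (TRACEROUTE_MAX_HOPS * TRACEROUTE_NPROBES)
/* Fewer in-window datagrams than this from one source is treated as noise. */
#define TRACEROUTE_MIN_RUN   3

/* One inbound UDP datagram as a firewall log might record it (constructed). */
struct udp_event {
    const char    *src;   /* source address as text */
    unsigned short dport; /* UDP destination port */
};

/* Constructed sample: one host walking the probe window, one sending DNS plus a stray hit. */
static const struct udp_event SAMPLE[] = {
    { "10.0.0.5", 33434 }, { "10.0.0.5", 33435 }, { "10.0.0.5", 33436 },
    { "10.0.0.5", 33437 }, { "10.0.0.5", 33438 }, { "10.0.0.5", 33439 },
    { "10.0.0.9",    53 }, { "10.0.0.9", 33500 },
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* 1 if dport lies in the default traceroute probe window, else 0. */
int is_traceroute_port(unsigned short dport)
{
    return dport >= TRACEROUTE_BASE_PORT &&
           dport <  TRACEROUTE_BASE_PORT + TRACEROUTE_PORT_SPAN;
}

/* Longest run of in-window datagrams from `src` whose destination port keeps
 * increasing (traceroute bumps the port once per probe; a later, lower port
 * means a new trace started). Returns 0 if src sent nothing in the window.
 * A strictly-increasing test rather than "previous + 1" tolerates dropped log lines. */
int traceroute_run_length(const struct udp_event *ev, size_t n, const char *src)
{
    int run = 0, best = 0, prev = -1;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(ev[i].src, src) != 0 || !is_traceroute_port(ev[i].dport))
            continue;
        run  = (prev >= 0 && ev[i].dport > prev) ? run + 1 : 1;
        prev = ev[i].dport;
        if (run > best)
            best = run;
    }
    return best;
}

int main(void)
{
    const char *sources[] = { "10.0.0.5", "10.0.0.9" };
    for (size_t s = 0; s < sizeof sources / sizeof sources[0]; s++) {
        int run = traceroute_run_length(SAMPLE, SAMPLE_LEN, sources[s]);
        printf("%s: longest probe run %d -> %s\n", sources[s], run,
               run >= TRACEROUTE_MIN_RUN ? "looks like a traceroute" : "noise");
    }
    return 0;
}
```

Anyone who changed the starting port, as Zach notes is possible, falls outside the window, so this only catches the default configuration.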
zach

From firewalls-owner Tue Oct 8 11:12:26 1996
From: Theresa.Fisher@reliastar.com
To: " - (052)firewalls(a)greatcircle.com"
Date: Tue, 8 Oct 1996 13:13:30 -0500
Subject: UDP Port 137

I know there has been discussion about UDP Port 137, but what I want to know specifically is why, say, 100 attempts would be made from an external address and what are they looking for or to do?

Any information would be much appreciated!
Theresa Fisher
ReliaStar Financial
theresa.fisher@reliastar.com

From firewalls-owner Tue Oct 8 12:02:52 1996
From: Joshua Heling
To: "bettez@telecom.hydro.qc.ca"
Cc: firewalls@GreatCircle.COM
Date: Tue, 08 Oct 1996 13:59:59 -0500
Subject: Re: Any thoughts on these firewalls?

In message <325A78A6.1145@telecom.hydro.qc.ca>, "bettez@telecom.hydro.qc.ca" writes:
>Frederick M Avolio wrote:
>>
>> Generic proxies are practically filters.
>> I don't think filters are secure
>> enough either,
>> but why would you think a generic UDP proxy is secure?
>>
>
>well well well
>
>In packet filtering mode, the FW bases its decision on IP addresses and
>port numbers in a connectionless mode. I prefer TCP proxies because the
>client >has to< establish a connection with the FW. I heard (but I'm
>not sure) that you can bypass a packet filtering access list with (I
>think) packet fragmentation.
>You won't see this kind of problem with generic proxies.
>
>The best is to use both packet filtering and proxies.
>The philosophy behind the Linux firewall is very cool.
>You have three
>kinds of packet filtering access list:
> - One for packets entering an interface
> - One for packets forwarded to another interface
> - One for packets leaving an interface
>And you can redirect packets to an arbitrary port on the FW for proxying
>the connection.
>
>

not to mention that, at least in recent kernels (>=2.0.0, I believe), you can set "CONFIG_IP_ALWAYS_DEFRAG", which causes the firewall to reconstitute packet fragments before passing them through the firewall.

--Joshua

--------
Joshua Heling
jrh@yellowchicken.com, jrh@netplan.com, heling@sar.usf.edu
pgp key info: http://www.sar.usf.edu/~heling/keys/

From firewalls-owner Tue Oct 8 12:17:15 1996
From: smith@sctc.com (Rick Smith)
To: pelicans@mindspring.com (BeachCruiser)
Cc: firewalls@GreatCircle.COM
Date: Tue, 8 Oct 1996 13:39:23 -0600
Subject: Re: Sidewinder, NSA prod endorsm'ts,ISSB.

At 10:28 AM 10/8/96, Bob McKisson wrote:
>>I wish they'd publicly release their reports on Sidewinder, too.
>
>Doubt it will happen during your career Rick.
>Unless Congress and the DoD
>rewrite the rules, NCSC's refusal to endorse Sidewinder is a good business
>lesson for those who might be thinking about looking to the Department of
>Defense for financial support in commercial product development and then
>looks again to the DoD to endorse what it funded.

Just as a clarification, Sidewinder development was *not* paid for with Government funds, just good old fashioned venture capital. And it *is* typical of buyers to not release independent evaluations they've paid for. Bob is probably aware of this, but it wasn't clear from the above paragraph.

>...the notion of establishing an industry driven, government
>supported organization to get a grip on rules, standards, criteria, etc., for
>approval, and certification of commercially developed information security
>systems, products and services, ... The proposed
>organization, called the ISSB or Information Systems Security Board already
>is in trouble on two primary issues:
>
>First, coming up with an acceptable business model to fund and manage the
>organization will be a real exercise...as is the case whenever you attempt
>to get a consensus of a number of powerful agendas not the least of which
>is the USG.

No surprise here. IMHO the commercial world will take care of itself. I find it interesting to watch just how slowly these highly touted Public Key Certification Infrastructures are growing -- businesses are cautious perhaps because of the uncertain liability situation. They are not being foolish by being cautious.

>Secondly, (and this will bring some of you out of your chairs), apparently
>the biggest impediment to getting the ISSB off the ground is that some
>influential folks feel that putting up the effort and expense is not
>justified by the size and nature of the threat.

On the military/government side, with NIPRNET and SIPRNET, I'm a little more surprised, but not too much so.
We can theorize about threats all day long but until people start attacking it's hard to tell how to protect yourself in a cost effective way. I guess it's like advertising: 50% of the cost is wasted, but you rarely know which 50%. There are interesting parallels with the history surrounding Pearl Harbor. They made an honest effort to protect against their highest priority threats: they just picked the wrong ones.

Speaking from inside a vendor organization I have to say I'd love for them to spend money in some defensive direction that includes our products. But given the absence of real "infowar battles" to study, I can appreciate their reluctance. The best I hope for is that the DOD will be "embarrassed" into installing stronger defenses (like what we offer) given the example of the DOJ, CIA, and Dole campaign.

Rick.
smith@sctc.com
secure computing corporation

From firewalls-owner Tue Oct 8 12:26:49 1996
From: long-morrow@CS.YALE.EDU
To: firewalls@greatcircle.com, heiser@world.std.com
Date: Tue, 8 Oct 1996 13:34:55 -0400 (EDT)
Subject: Re: allow "whois" requests outbound?
Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

heiser@world.std.com (Bill Heiser) wrote:

>Would it be safe to allow outbound "whois" requests (tcp/43) from
>an internal network to the Internet via a packet-filtering style
>firewall such as Firewall-1? Are there any known "gotchas" to this
>particular service?

If you allow connects to arbitrary Internet whois servers (rather than restricting whois requests to just ds.internic.net and rs.internic.net (etc.)), then users on async terminals and terminal emulators can be vulnerable to the same type of remote trap attacks as have been conducted via 'talk' and 'finger': sending back output containing escape sequences and/or control characters to freeze the screen, program or dump strings assigned to the function keys, etc.

- Morrow

From firewalls-owner Tue Oct 8 12:24:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA25532 for firewalls-outgoing; Tue, 8 Oct 1996 12:02:14 -0700 (PDT) Received: from ns1.inet.net (ns1.inet.net [199.233.93.51]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA25523 for ; Tue, 8 Oct 1996 12:02:05 -0700 (PDT) Received: from bahu (bahu [199.233.93.16]) by ns1.inet.net (8.7.5/8.6.12) with SMTP id OAA28148; Tue, 8 Oct 1996 14:58:41 -0400 (EDT) Date: Tue, 8 Oct 1996 14:58:40 -0400 (EDT) From: Brian Harvell X-Sender: harvell@bahu To: Reto Haeni cc: firewalls@GreatCircle.COM Subject: Re: firewall testing and penetration In-Reply-To: <199610080302.XAA29884@seas.gwu.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I am writing on a paper on firewall testing and penetration.
> I attach my outline (subject to change as always :) ) at the
> end of this message.
>

I tell you, a lot of people are writing these papers, but I have yet to see many. Where are they all.
Brian Brian Harvell harvell@iNet.net http://www.iNet.net/~harvell echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc From firewalls-owner Tue Oct 8 13:12:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA01978 for firewalls-outgoing; Tue, 8 Oct 1996 13:03:38 -0700 (PDT) Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA01971 for ; Tue, 8 Oct 1996 13:03:30 -0700 (PDT) Received: by smartwall.v-one.com; id QAA14991; Tue, 8 Oct 1996 16:00:01 -0400 (EDT) Received: from mail.v-one.com(198.69.135.6) by smartwall.v-one.com via smap (V3.1.1) id xma014969; Tue, 8 Oct 96 15:59:48 -0400 Received: from crowland.v-one.com ([198.69.135.39]) by mail.v-one.com (8.7.4/8.7.3) with SMTP id QAA04993; Tue, 8 Oct 1996 16:14:38 -0400 (EDT) Message-Id: <199610082014.QAA04993@mail.v-one.com> Comments: Authenticated sender is From: "Craig H. Rowland" Organization: V-ONE Corporation To: Theresa.Fisher@reliastar.com, firewalls@greatcircle.com Date: Tue, 8 Oct 1996 16:02:14 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: UDP Port 137 X-mailer: Pegasus Mail for Win32 (v2.42a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > From: Theresa.Fisher@reliastar.com > To: " - (052)firewalls(a)greatcircle.com" > Subject: UDP Port 137 > Date: Tue, 8 Oct 1996 13:13:30 -0500 > I know there has been discussion about UDP Port 137, but what I want > to know specifically is why, say, 100 attempts would be made from an > external address and what are they looking for or to do? > > Any information would be much appreciated! You will see activity on this port from Microsoft networking clients such as WFW, Windows NT, etc. 
Ports 137, 138, and 139 are used by Server Message Block (aka SMB, Microsoft Networking, NetBIOS over IP) to establish network connections, perform name lookups and pass other sordid information. In this case port 137 is a UDP based service that is used to resolve NetBIOS names (i.e. for "Browsing" a network). Some MS clients will try to resolve the NetBIOS name when making a connection to another host by trying to access this port.

In particular, I've noticed that when you are sending mail to a Microsoft Exchange SMTP server that it will first attempt to do a name lookup on the connecting host. I'm not sure of the purpose of this, however I suspect it is similar to the ident lookup performed by sendmail servers and fairly innocuous. If this is the case your packet filter will show a port 137 connect from the Exchange host it is talking to. If you correlate your outgoing maillogs with the dates of the security alerts on port 137 you'll probably see that they match.

Hope that helps...

-- Craig

>
> Theresa Fisher
> ReliaStar Financial
>
> theresa.fisher@reliastar.com
>

Craig H.
Rowland Virtual Open Networking Environments (V-ONE) Security Consulting Group (301) 838-8900 x208 crowland@v-one.com http://www.v-one.com From firewalls-owner Tue Oct 8 13:49:46 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA05582 for firewalls-outgoing; Tue, 8 Oct 1996 13:39:45 -0700 (PDT) Received: from wilma.mbsi.net (wilma.mbsi.net [206.54.233.21]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA05574 for ; Tue, 8 Oct 1996 13:39:38 -0700 (PDT) Received: from Miles.mbsi.net ([206.54.237.183]) by wilma.mbsi.net (Netscape Mail Server v1.1) with SMTP id AAA10805; Tue, 8 Oct 1996 15:37:53 -0500 Message-ID: <325ABBC7.1EB@ix.netcom.com> Date: Tue, 08 Oct 1996 15:38:31 -0500 From: Rodger Miles Reply-To: Rodger@ix.netcom.com Organization: The D & R Network Group X-Mailer: Mozilla 3.0Gold (Win95; I) MIME-Version: 1.0 To: Mario Pereyra CC: BETTICK@boat.bt.com, Firewalls@GreatCircle.COM Subject: Re: Dynamic Address allocation References: <199610032131.SAA10757@abayuba.soltel.com.uy> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mario Pereyra wrote: > > Karim, you must view http://socks.nec.com/ I think you mean http://www.socks.nec.com/ From firewalls-owner Tue Oct 8 14:20:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA08572 for firewalls-outgoing; Tue, 8 Oct 1996 14:02:17 -0700 (PDT) Received: from amaterasu.sandelman.ottawa.on.ca (amaterasu.sandelman.ottawa.on.ca [205.233.54.134]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA08537 for ; Tue, 8 Oct 1996 14:02:05 -0700 (PDT) Received: from amaterasu.sandelman.ocunix.on.ca (LOCALHOST [127.0.0.1]) by amaterasu.sandelman.ottawa.on.ca (8.7.5/8.6.12) with ESMTP id RAA29485; Tue, 8 Oct 1996 17:01:54 -0400 (EDT) Message-Id: <199610082101.RAA29485@amaterasu.sandelman.ottawa.on.ca> CC: "Dick Mosher" To: 
firewalls@greatcircle.com Subject: firewall hot backup In-reply-to: Your message of "Mon, 07 Oct 1996 16:29:18 CST." Date: Tue, 08 Oct 1996 17:01:51 -0400 From: Michael Richardson Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

A lot of this depends on what kind of firewall.

Non-transparent application layer firewalls (Raptor, other SOCKS-based stuff, FWTK, etc..) could just have the hot-backups ping the "master", and when it doesn't respond, could ifconfig themselves as the firewall's IP addresses and take over. (Probably, you'd want to then forcibly remove power from the broken machine.)

Non-stateful packet filters do not need any failover mechanism other than what routers already provide.

Stateful packet filters and transparent application layer firewalls have to be more careful, particularly with incoming stuff (for services networks, for instance). The Cisco web server load balancing product ought to be able to do it. (I do not have a reference handy.) It is pricey at ~$30k.

I have done some work on doing a load balancing system; it is essentially a stateful bridge. You get fault rollover because a broken firewall is the same as a very slow one. To achieve single fault tolerance, just provide n+1 firewalls if n firewalls would handle your normal load. Actually, I'm lying about "fault tolerance" --- from the user's point of view, it is really high reliability. Connections that are established are lost. This means that users have to push "reload" on their web server when they get caught by a fault.

The other nice thing about hot backup is that one can upgrade or test patches without taking everyone offline.

The packet sorting problem is really just half the battle. The real trick is making sure that things like OPIE and other one time password tokens work. You need redundant servers to hold the OPIE data and stuff, and must coordinate this info between servers before accepting new logins from those users.
Failure to do this for OPIE means that the server holding old data could provide authentication based on a pass phrase that has already been used. The PieterZ papers on SecurID point to similar issues.

I did something about how to build fault tolerant application layer firewalls, and came to the conclusion that they'd be very, very, very slow.

:!mcr!: | Network security consulting and Michael Richardson | contract programming WWW: mcr@sandelman.ottawa.on.ca. PGP key available.

From firewalls-owner Tue Oct 8 14:35:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA09512 for firewalls-outgoing; Tue, 8 Oct 1996 14:16:35 -0700 (PDT) Received: from snlmail.snlnet.com (mail.snlnet.com [208.203.57.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA09503 for ; Tue, 8 Oct 1996 14:16:28 -0700 (PDT) From: bhowell@snlnet.com Received: from ccMail by snlmail.snlnet.com (IMA Internet Exchange 1.04b) id 25a84c00; Tue, 8 Oct 96 12:43:44 -0400 Mime-Version: 1.0 Date: Tue, 8 Oct 1996 12:43:16 -0400 Message-ID: <25a84c00@snlnet.com> Subject: Protocol Jumping Cc: firewalls@GreatCircle.COM Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

If I set up a dual homed PC such as a mail gateway in my DMZ and run IP on the "external" interface, IPX on the other, would it be relatively safe to allow the IPX traffic to bypass the firewall?
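The OPIE replication hazard Michael Richardson raises in the "firewall hot backup" message above (a backup authenticator holding stale sequence data will accept a one-time password the primary has already burnt), shown as an added worked example. This is illustrative code written for this archive, not OPIE and not anything posted to the list: it uses a simplified hash chain (SHA-256 truncated to 64 bits rather than OPIE's MD4/MD5 folding), a constructed seed, pass phrase and chain length, and an assumed OtpVerifier class with a sync step standing in for whatever replication the real servers would use.

```python
import hashlib

# Constructed demo parameters (assumptions, not values from the list posts).
CHAIN_LEN = 5
SEED = b"ke1234"
SECRET = b"correct horse battery"   # the user's pass phrase


def _h(x: bytes) -> bytes:
    """One chain step.  SHA-256 truncated to 64 bits is a simplification;
    real S/Key/OPIE fold MD4/MD5 output down to 64 bits."""
    return hashlib.sha256(x).digest()[:8]


def make_chain(secret: bytes, seed: bytes, n: int) -> list:
    """chain[0] = H(seed||secret), chain[i] = H(chain[i-1]), i = 1..n.
    The verifier is seeded with chain[n]; login number k (1..n) presents
    chain[n-k], i.e. the pre-image of whatever the server last accepted."""
    chain = [_h(seed + secret)]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


def client_otp(secret: bytes, seed: bytes, n: int, k: int) -> bytes:
    """What the user's OTP calculator emits for login number k."""
    if not 1 <= k <= n:
        raise ValueError("chain exhausted; re-initialise the user")
    return make_chain(secret, seed, n)[n - k]


class OtpVerifier:
    """Server-side state for one user: last accepted value + remaining count.
    Every replica must carry this state, or a burnt OTP stays valid there."""

    def __init__(self, last_accepted: bytes, seq: int):
        self.last_accepted = last_accepted
        self.seq = seq

    def verify(self, otp: bytes) -> bool:
        # Accept only the immediate pre-image of the last accepted value.
        if self.seq <= 0 or _h(otp) != self.last_accepted:
            return False
        self.last_accepted = otp    # advance the chain: this OTP is now burnt
        self.seq -= 1
        return True

    def sync_from(self, other: "OtpVerifier") -> None:
        """Pull the peer's counter; a counter only ever moves down."""
        if other.seq < self.seq:
            self.last_accepted, self.seq = other.last_accepted, other.seq


def demo_replica_replay() -> dict:
    """Primary and hot backup start identical; only the primary sees login 1."""
    chain = make_chain(SECRET, SEED, CHAIN_LEN)
    primary = OtpVerifier(chain[CHAIN_LEN], CHAIN_LEN)
    stale_replica = OtpVerifier(chain[CHAIN_LEN], CHAIN_LEN)
    otp1 = client_otp(SECRET, SEED, CHAIN_LEN, 1)

    out = {}
    out["primary_first"] = primary.verify(otp1)              # accepted
    out["primary_replay"] = primary.verify(otp1)             # refused: burnt
    out["stale_replica_replay"] = stale_replica.verify(otp1) # accepted: the hazard

    # Replica that syncs from the primary before accepting logins.
    synced_replica = OtpVerifier(chain[CHAIN_LEN], CHAIN_LEN)
    synced_replica.sync_from(primary)
    out["synced_replica_replay"] = synced_replica.verify(otp1)   # refused
    out["synced_replica_next"] = synced_replica.verify(
        client_otp(SECRET, SEED, CHAIN_LEN, 2))                   # accepted
    return out


if __name__ == "__main__":
    for name, ok in demo_replica_replay().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'REJECT'}")
```

demo_replica_replay() returns the four outcomes the post predicts: the primary accepts the first OTP and refuses its replay, the replica that never learned about the login accepts the replay, and a replica that pulled the primary's counter before taking logins refuses it. The rule it demonstrates is the one stated above: the burnt-OTP state must reach every verifier before any of them accepts a new login for that user, and after a failover the survivor must also be the one whose counter is furthest along.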
From firewalls-owner Tue Oct 8 15:28:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA10654 for firewalls-outgoing; Tue, 8 Oct 1996 14:57:13 -0700 (PDT) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA10647 for ; Tue, 8 Oct 1996 14:57:06 -0700 (PDT) Received: from clark.net (proberts@clark.net [168.143.0.7]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id RAA29695; Tue, 8 Oct 1996 17:56:16 -0400 (EDT) Received: from localhost (proberts@localhost) by clark.net (8.7.1/8.7.1) with SMTP id RAA13408; Tue, 8 Oct 1996 17:56:14 -0400 (EDT) X-Authentication-Warning: clark.net: proberts owned process doing -bs Date: Tue, 8 Oct 1996 17:56:14 -0400 (EDT) From: "Paul D. Robertson" To: Brian Harvell cc: Reto Haeni , firewalls@GreatCircle.COM Subject: Re: firewall testing and penetration In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 8 Oct 1996, Brian Harvell wrote: > > I am writing on a paper on firewall testing and penetration. > > I attach my outline (subject to change as always :) ) at the > > end of this message. > > > > I tell you, a lot of people are writing these papers, but I have yet to see > many. Where are they all. Perhaps they're all doing "Field research"? ;) Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." 
PSB#9280

From firewalls-owner Tue Oct 8 15:35:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA11158 for firewalls-outgoing; Tue, 8 Oct 1996 15:08:12 -0700 (PDT) Received: from credence.com (stargate.credence.com [206.169.1.51]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA11149 for ; Tue, 8 Oct 1996 15:07:58 -0700 (PDT) Received: (from uucp@localhost) by credence.com (8.6.12/CSC 1.4 96/06/17) id PAA09402; Tue, 8 Oct 1996 15:10:47 -0700 Received: from mailvon.credence.com(10.1.1.15) by stargate.credence.com via smap (V1.3) id sma009394; Tue Oct 8 15:10:20 1996 Received: from ca.credence.com (eagle.ca.credence.com [10.2.2.235]) by mailhub.credence.com (8.6.12/INFO 1.5 96/05/29) with ESMTP id PAA11969; Tue, 8 Oct 1996 15:03:14 -0700 Received: from honolulu ([10.2.2.179]) by ca.credence.com (8.6.12/CA 1.15 96/10/02) with SMTP id PAA12391; Tue, 8 Oct 1996 15:07:44 -0700 Message-ID: <325ACFFC.5C0E@credence.com> Date: Tue, 08 Oct 1996 15:04:44 -0700 From: James Grimm X-Mailer: Mozilla 2.0 (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: "bettez@telecom.hydro.qc.ca" CC: Frederick M Avolio , firewalls@GreatCircle.COM Subject: Re: Any thoughts on these firewalls? References: <2.2.32.19961008150449.00708a40@pop.trusted.com> <325A78A6.1145@telecom.hydro.qc.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

bettez@telecom.hydro.qc.ca wrote:
>
> Frederick M Avolio wrote:
> >
> > > - generic udp proxy(!)
> > >We evaluate FW/1, but we didn't find it secure enough.
> > >wonder why everybody is talking about it(?)

Jean-Sebastien,

Quick question: What Linux firewall are you referring to?

-James

> The best is to use both packet filtering and proxies.
> The philosophy behind the Linux firewall is very cool.
> You have three
> kinds of packet-filtering access lists:
> - One for packets entering an interface
> - One for packets forwarded to another interface
> - One for packets leaving an interface
> And you can redirect packets to an arbitrary port on the FW for proxying
> the connection.
>
> _____________________________
> Jean-Sebastien Bettez

From firewalls-owner Tue Oct 8 16:17:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA11614 for firewalls-outgoing; Tue, 8 Oct 1996 15:19:24 -0700 (PDT) Received: from cypress.nwnet.net (cypress.nwnet.net [192.80.13.56]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA11596 for ; Tue, 8 Oct 1996 15:19:14 -0700 (PDT) Received: by cypress.nwnet.net (5.0/SMI-SVR4) id AA25335; Tue, 8 Oct 1996 15:18:30 -0700 Date: Tue, 8 Oct 1996 15:18:29 -0700 (PDT) From: "Larry J. Hughes Jr." X-Sender: larry@cypress To: Firewalls@GreatCircle.COM Subject: experiences w/stateful inspection vs. proxying Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Vendors whose products perform stateful multi-level inspection (or the same rose by another name) are proclaiming that they are providing "third generation" technology, and that proxy-based products are "second generation" -- clearly implying that proxies are out of date and not as secure.

All marketing propaganda aside, it seems to me that SMLI is definitely superior to proxying in some ways, and yet potentially inferior in other ways.

My question: to those of you who have deployed both technologies in environments subject to regular attack -- and have witnessed both technologies in action -- what conclusions have you individually drawn? I know better than to take any one set of experience as gospel, but I'm curious to hear the war stories, both successes and failures. (But skip the religion please :-).

--- Larry J. Hughes Jr.
larry@nwnet.net http://www.nwnet.net/~larry/ From firewalls-owner Tue Oct 8 16:27:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA14390 for firewalls-outgoing; Tue, 8 Oct 1996 16:12:25 -0700 (PDT) Received: from syd02igw.fujitsu.com.au (syd02igw.fujitsu.com.au [137.172.248.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA14367 for ; Tue, 8 Oct 1996 16:12:08 -0700 (PDT) Received: from fujitsu.com.au (platinum) by syd02igw.fujitsu.com.au with SMTP id AA26994 (5.65c/IDA-1.4.4 for ); Wed, 9 Oct 1996 09:12:18 +0100 Received: from mars.fujitsu.com.au by fujitsu.com.au (5.x/SMI-SVR4) id AA29760; Wed, 9 Oct 1996 09:10:31 +1000 Received: by mars.fujitsu.com.au (SMI-8.6/SMI-SVR4) id JAA16466; Wed, 9 Oct 1996 09:10:32 +1000 Date: Wed, 9 Oct 1996 09:10:32 +1000 From: "Richard.Ford" Message-Id: <199610082310.JAA16466@mars.fujitsu.com.au> To: firewalls@miles.greatcircle.com Subject: IPX-TCP/IP Firewall Support X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello all. Most of the talk on the list is about TCP/IP based Firewalls. Our network is primarily TCP/IP but we also have Novell's IPX. Do current Firewall systems support protocols such as these? If so, how? Otherwise how do you work around this. 
Thanks, Richard E-mail richard.ford@fujitsu.com.au

From firewalls-owner Tue Oct 8 17:42:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA27308 for firewalls-outgoing; Tue, 8 Oct 1996 17:31:53 -0700 (PDT) Received: from isl.sri.com (sheffield.isl.SRI.COM [128.18.23.46]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA27278 for ; Tue, 8 Oct 1996 17:31:40 -0700 (PDT) Received: from babylon by isl.sri.com (SMI-8.6/SMI-SVR4) id RAA12254; Tue, 8 Oct 1996 17:31:21 -0700 Received: from [128.18.23.66] by babylon (SMI-8.6/SMI-SVR4) id RAA16185; Tue, 8 Oct 1996 17:31:19 -0700 X-Sender: terry@128.18.23.46 Message-Id: In-Reply-To: <199610080302.XAA29884@seas.gwu.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Date: Tue, 8 Oct 1996 17:31:14 -0700 To: Reto Haeni From: Terry Bernstein Subject: Re: firewall testing and penetration Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Take a look at our recently released book, "Internet Security For Business". The first half covers policy type business issues which may be of interest to you. The second half covers more technical aspects of Internet security. It should be in most bookstores, or try the Wiley Web page at http://www.wiley.com/compbooks/catalog/07/13752-9.html

-- terry --

At 8:03 PM -0700 10/7/96, Reto Haeni wrote:

>I am writing on a paper on firewall testing and penetration.
>I attach my outline (subject to change as always :) ) at the
>end of this message.
>
>One of the subjects in the paper will be what Security Policies
>have to include and what not. For this I would be grateful if
>you could point me to good existing security policies and/or to
>sources how to formulate them.
>
>Another part will contain how to test/penetrate firewalls. There,
>I am still looking for additional information, mainly about the dangers
>of open services (proxies).
>
>I don't expect that you solve my problems (well, if you would insist.... :) )
>but a few hints would be appreciated that I don't get lost in the
>theoretical details.
>
>greetings and TIA
>
>Reto
>--------------------------------------------------------------------------------
>Penetration/Testing of Firewalls
>
>1. Security policies
> - what they should contain
> - what they should not contain
>
>2. Gaining information on the target Network/Host/Firewall
> - probing techniques
> - tools
>
>3. Firewall penetration in general
> - overload
> - bad packets
> - packet filter approach (IP spoofing..)
> - approach to proxies
>
>4. Policy decisions and their consequences
> (possible attacks in relation to open services)
> - e-mail
> - ftp
> - telnet
> - rexec
> - NNTP
> - http
> - finger/whois
> - DNS
> - NW management services
>     SNMP
>     RIP
>     ping
>     traceroute
> - NTP
> - NFS
>
>
>5. Security incidents
> - responding to an incident
> - tracking down an intruder
> - policy issues when an incident occurred
>_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> Reto E. Haeni
>Cyberspace Policy Institute The George Washington University
> 2033 K Str.
NW Suite 340N School of Engineering and Applied Science
> Washington DC 20006
>
> ph (202) 994-5512 (We, Th)
> http://www.cpi.seas.gwu.edu/
> reto@seas.gwu.edu http://www.seas.gwu.edu/student/reto/
>
>_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

----------
Terry Bernstein SRI Consulting terry_bernstein@sri.com http://www.ice.sri.com/~terry

From firewalls-owner Tue Oct 8 18:41:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA06808 for firewalls-outgoing; Tue, 8 Oct 1996 18:28:31 -0700 (PDT) Received: from millenium.texas.net (millenium.texas.net [206.127.0.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA06778 for ; Tue, 8 Oct 1996 18:28:21 -0700 (PDT) Received: from localhost (rtadams@localhost) by millenium.texas.net (8.7.6/TXNet) with SMTP id UAA08774; Tue, 8 Oct 1996 20:28:02 -0500 (CDT) X-Authentication-Warning: millenium.texas.net: rtadams owned process doing -bs Date: Tue, 8 Oct 1996 20:28:02 -0500 (CDT) From: R To: firewalls@greatcircle.com cc: Rob Adams Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

All this does is slow the intruder down! Even with a switch or a "secure hub", you still have to worry about point-to-point sniffing. An intruder who gets into Box A can sniff any connections made from or to it. Once someone telnets from A to B, now the intruder has access to Box B, gets root on it, and now he/she has two sniffers running. From there, it snowballs. True, it's slower than sniffing a shared physical medium, but you're still going down.

> On 8 Oct 1996, Ryan Russell/SYBASE wrote:
>
> Just buy a switch. It would be cheaper, and give
> you more functionality.
>
> I've never seen any info on a "secure hub." Do you
> have the name of a manufacturer of one?
> > Ryan > > ---------- Previous Message ---------- > To: brads > cc: genel, esakov, firewalls > From: wombat @ mcfeely.bsfs.org (Rabid Wombat) @ smtp > Date: 10/07/96 08:00:32 PM > Subject: Re: Sniffer detection. > > > > Much more secure to implement secure hubs and be done with it. > > For those who don't know what these are, they overwrite the data portion > of the packet (from layer two inward) on a copy of the packet - the port > handling the MAC address of the recipient gets the real packet, and all > other ports xmit the copy w/ the overwritten data, to comply w/ ethernet > rules requiring everyone to "see" the packet. > > If a sniffer is placed on such a segment, all they will be able to do is > get a list of MAC addresses and measure traffic volume to each. > > Not a bad addition to your bastion segment, in addition to internal use. > > -r.w. > > On Mon, 7 Oct 1996, Bradley Smith wrote: > > > Point taken, but if an unauthorized individual has the opportunity to > > physically jack into your network like that, I would say that getting your > > packets sniffed is probably the least of your worries. > > > > As a side note, I've heard here and there that NIC's are available that > > cannot be operated in promiscuous mode. Does anyone have experience with > > these devices? Or can tell me what vendor(s) are manufacturing? > > > > -brad > > > > On Mon, 7 Oct 1996, Gene Lee wrote: > > > > > Bradley Smith wrote: > > > > I used to do something very basic for this. There are several code > > > > snippets available to get interface values (i.e. cpm, ifstatus). I'd run > > > > these from cron, mail results to file, tail file with swatch and look for > > > > a lexical string indicating the interface was in prom (sp) mode. > > > > > > > > If the status code returned indicated a "sniffer," I'd mail the results to > > > > my pager and shut the interface down. You could get even more creative > > > > than this with netstats, reverse finger, etc.. 
> > >
> > > This is fine for unix machines which you have administrative control
> > > over, but what about a rogue PC notebook running DataGlance or LANAlyzer
> > > inserted into your Ethernet network somewhere on the wire? Also keep in
> > > mind some NICs are custom built to not broadcast the fact that they are
> > > in promiscuous mode. The only way to detect something like this would be
> > > to physically check each interface connected to your network.
> > >
> > > --
> > > Gene Lee
> > > genel@inforamp.net
> > > genelee@vnet.ibm.com
> > >
> > >
> >
>

From firewalls-owner Tue Oct 8 19:56:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA13592 for firewalls-outgoing; Tue, 8 Oct 1996 19:50:15 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA13585 for ; Tue, 8 Oct 1996 19:50:08 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id VAA08143; Tue, 8 Oct 1996 21:41:21 -0400 Date: Tue, 8 Oct 1996 21:41:17 -0400 (EDT) From: Rabid Wombat To: R cc: firewalls@GreatCircle.COM, Rob Adams Subject: Re: your mail In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

If this is a bastion system, why let anyone telnet between two boxes in the first place? If it is an internal system, you've at least made it much more difficult for the attacker. You could couple the secure hub approach with encrypted authentication systems for better host level security, but this probably goes beyond the needs and budget of many.

On Tue, 8 Oct 1996, R wrote:
>
>
> All this does is slow the intruder down! Even with a switch or a "secure
> hub", you still have to worry about point-to-point sniffing. An intruder
> who gets into Box A can sniff any connections made from or to it.
Once > someone telnets from A to B, now the intruder has access to Box B, gets > root on it, and now he/she has two sniffers running. From there, it > snowballs. True, it's slower than sniffing a shared physical medium, but > you're still going down. > > > > On 8 Oct 1996, Ryan Russell/SYBASE wrote: > > > > Just buy a switch. It would be cheaper, and give > > you more functionality. > > > > I've never seen any info on a "secure hub." Do you > > have the name of a manufacturer of one? From firewalls-owner Tue Oct 8 21:28:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA20467 for firewalls-outgoing; Tue, 8 Oct 1996 21:19:18 -0700 (PDT) Received: from jack.yellowchicken.com (fried.yellowchicken.com [38.230.103.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA20459 for ; Tue, 8 Oct 1996 21:18:57 -0700 (PDT) Received: from jack.no.org (localhost [127.0.0.1]) by jack.yellowchicken.com (8.7.6/8.7.3) with ESMTP id AAA18025; Wed, 9 Oct 1996 00:14:02 -0500 Message-Id: <199610090514.AAA18025@jack.yellowchicken.com> X-Mailer: exmh version 1.6.7 05/05/96 To: James Grimm cc: firewalls@GreatCircle.COM From: Joshua Heling Reply-To: Joshua Heling Subject: Re: Any thoughts on these firewalls? In-reply-to: Your message of "Tue, 08 Oct 1996 15:04:44 PDT." <325ACFFC.5C0E@credence.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 09 Oct 1996 00:14:01 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In message <325ACFFC.5C0E@credence.com>, James Grimm writes: >Jean-Sebastien, > Quick question: What Linux firewall are you referring to? > >-James recent linux kernels (optionally) have a packet-filtering firewall built in. 
-------- Joshua Heling jrh@yellowchicken.com, jrh@netplan.com, heling@sar.usf.edu pgp key info: http://www.sar.usf.edu/~heling/keys/

From firewalls-owner Tue Oct 8 22:13:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA23201 for firewalls-outgoing; Tue, 8 Oct 1996 22:08:52 -0700 (PDT) Received: from sili.adn.edu.ph (sili.adn.edu.ph [165.220.57.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA23194 for ; Tue, 8 Oct 1996 22:08:41 -0700 (PDT) Received: (from jonats@localhost) by sili.adn.edu.ph (8.6.11/8.6.9) id MAA15888; Wed, 9 Oct 1996 12:02:08 +1000 Date: Wed, 9 Oct 1996 12:02:07 +1000 (GMT+1000) From: Jonathan Arcilla To: firewalls@GreatCircle.COM Subject: HTML password configuration In-Reply-To: <325A78A6.1145@telecom.hydro.qc.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I know this is a very elementary question but since this list talks about security in general, and since I've been around this list for quite some time now, I might as well ask you guys. I tried setting up the .htaccess and .htpasswd files to enable password authentication on Apache-1.1.1 but I don't seem to get it right. The only reference I have is a HOWTO for NCSA, and docs from www.apache.org. This is my current configuration:

".htaccess"

    AuthType Basic
    AuthName Access Permission
    AuthUserFile .htpasswd
    require valid-user surfer

".htpasswd"

    surfer:gwScJuFIZkCJY

Am I missing something here? Or do I need to modify other configuration files as well? Thanks in advance. :)

ADNet Tech.
Support Group Naga City Philippines From firewalls-owner Tue Oct 8 23:59:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA29210 for firewalls-outgoing; Tue, 8 Oct 1996 23:54:16 -0700 (PDT) Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA29203 for ; Tue, 8 Oct 1996 23:54:10 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id XAA26024 for ; Tue, 8 Oct 1996 23:07:42 -0700 Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id XAA02706 for ; Tue, 8 Oct 1996 23:48:56 -0700 Date: Tue, 8 Oct 1996 23:48:55 -0700 (PDT) From: Michael Dillon To: firewalls@greatcircle.com Subject: Re: Internet II is coming... (fwd) Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ---------- Forwarded message ---------- Date: Wed, 9 Oct 96 07:04:08 UTC From: Hank Nussbacher To: Sean Doran , "Dorian R. Kim" Cc: nanog@merit.edu Subject: Re: Internet II is coming... On Tue, 8 Oct 1996 19:23:47 -0400 (EDT) Dorian R. Kim wrote: >This sort of proposal, i.e. building a Higher Ed private network for >research, is in and of itself not such a bad thing. > >The grow of Internet since NSFNet shut down has put serious strains on the >infrastructure that researchy folks used to use to do(and still do) their >various work on. How will throwing OC48 pipes at the university network solve the problem? Today a common university has about 10,000 PCs each with sound cards and the kids all do CuseeMe and Vocaltec. 3 years down the road they will all have VR gear attached to their PC in the dorm and will be doing netgaming in the evening. So the OC48 pipes gets stuffed and the researchers complain. 
Universities will use whatever bandwidth you throw at them. The reason for this is that within the university, access and use is unlimited and uncontrolled. The student and the professor have equal access from their workstation.

That is why the Israeli university consortium has come up with a different solution. It is called chokepoint. A unix system that acts as a firewall/gateway. If the total access speed to the Internet is T1 then at the chokepoint one can define that port 80 can use a maximum of 700kb. And one can define that telnet is guaranteed 30kb. And that 10.2.1.1 is guaranteed 128kb no matter what. This way, faculty servers and faculty workstations can be given priority over student access. In addition, no one faculty member can "hog" the system. Faculty can even pay to the chokepoint to improve their service over others. An entire set of rules based on protocol and IP address can be set up and implemented. They have been running this way for the past 6 months.

Perhaps rather than throwing $10M at the Internet II to buy more uncontrolled bandwidth, they would be interested in funding further research and development of this "chokepoint" to better control their taxpayer-paid-for resources? I am sure the Israeli university consortium would be willing to help their American counterparts. :-)

>-dorian, speaking strictly for himself.
Hank Nussbacher Israel From firewalls-owner Wed Oct 9 00:42:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA00939 for firewalls-outgoing; Wed, 9 Oct 1996 00:26:06 -0700 (PDT) Received: from josef.ifi.unizh.ch (josef.ifi.unizh.ch [130.60.48.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA00932 for ; Wed, 9 Oct 1996 00:25:55 -0700 (PDT) Received: from alcatraz.ifi.unizh.ch by josef.ifi.unizh.ch with SMTP (PP) id <24976-0@josef.ifi.unizh.ch>; Wed, 9 Oct 1996 09:25:30 +0100 Message-ID: <325B6179.41C67EA6@ifi.unizh.ch> Date: Wed, 09 Oct 1996 09:25:30 +0100 From: Alejandro Motta X-Mailer: Mozilla 3.0 (X11; I; SunOS 4.1.4 sun4m) MIME-Version: 1.0 To: Majordomo Subject: Virus on Internet Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can someone tell me, if there are commercial firewalls, who can recognize and eliminate virus on internet, before entering in the private net ? I am doing an evaluation of commercial firewalls and I appreciate to have some information from you. Thanks Alex From firewalls-owner Wed Oct 9 01:05:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA02773 for firewalls-outgoing; Wed, 9 Oct 1996 00:49:28 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id AAA02765 for firewalls@greatcircle.com; Wed, 9 Oct 1996 00:49:24 -0700 (PDT) Received: from interramp.com (pop3.interramp.com [38.8.32.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA11660 for ; Tue, 8 Oct 1996 15:21:53 -0700 (PDT) Received: from .interramp.com by interramp.com (8.6.12/SMI-4.1.3-PSI-pop-local) id SAA06054; Tue, 8 Oct 1996 18:21:25 -0400 Date: Tue, 8 Oct 96 18:11:44 PDT From: Ed Young Subject: FW: RE: Sniffer detection. 
To: firewalls@greatcircle.com
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 4.6.3, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--- On Tue, 8 Oct 96 18:06:22 PDT Ed Young wrote:

Return-Path:
Received: from .interramp.com by interramp.com (8.6.12/SMI-4.1.3-PSI-pop-local) id SAA05411; Tue, 8 Oct 1996 18:19:31 -0400
Date: Tue, 8 Oct 96 18:06:22 PDT
From: Ed Young
Subject: RE: Sniffer detection.
To: Esakov Dmitriy
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 4.6.3, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII

Use a sniffer to find a sniffer. A Distributed sniffer can monitor the network for any new devices and send an alarm to a pager or NMS station. Additionally, on Token Ring, devices will send out a trace tool present packet on the network letting the Lan Manager station know that it is there. Configure the Lan Manager to not allow trace tools. For FDDI, ATM and WAN protocols the link must be broken. Again, use a sniffer to find a sniffer.

Ed Young
Network General Corp.

--- On Mon, 7 Oct 1996 20:32:45 +0400 (MSD) Esakov Dmitriy wrote:

Return-Path:
Received: from gw1.mail.psi.net by interramp.com (8.6.12/SMI-4.1.3-PSI-pop-local) id OAA10042; Mon, 7 Oct 1996 14:28:16 -0400
Received: from relay1.UU.NET by gw1.mail.psi.net (8.7.5/SMI-5.5-PSI) id OAA27141; Mon, 7 Oct 1996 14:28:12 -0400 (EDT)
Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) id QQbkku25411; Mon, 7 Oct 1996 14:14:42 -0400 (EDT)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA28559 for firewalls-outgoing; Mon, 7 Oct 1996 09:33:31 -0700 (PDT)
Received: from relcom.eu.net (virgin.Relcom.EU.net [193.124.23.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA28552 for ; Mon, 7 Oct 1996 09:33:21 -0700 (PDT)
Received: from virgin (esakov@virgin.Relcom.EU.net [193.124.23.4]) by relcom.eu.net (8.7.3/8.7.Ru) with SMTP id UAA15128 for ; Mon, 7 Oct 1996 20:32:46 +0400 (MSD)
Date: Mon, 7 Oct 1996 20:32:45 +0400 (MSD)
From: Esakov Dmitriy
X-Sender: esakov@virgin
To: firewalls@greatcircle.com
Subject: Sniffer detection.
Message-ID:
Organization: Relcom Corp.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

Does anyone know how an Ethernet sniffer can be detected? Any help is greatly appreciated! All ideas are welcome!

-------------------------------------------
Have a nice day!
Esakov Dmitriy
RELCOM corp.
esakov@relcom.eu.net
Moscow, Russia
-----------------End of Original Message-----------------

-------------------------------------
Name: Edward Young
E-mail: us002628@pop3.interramp.com (Edward Young)
Date: 03/06/95
Time: 04:01:07
-------------------------------------

-----------------End of Original Message-----------------

-------------------------------------
Name: Edward Young
E-mail: us002628@pop3.interramp.com (Edward Young)
Date: 03/06/95
Time: 04:01:07
-------------------------------------

From firewalls-owner Wed Oct 9 02:18:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA12781 for firewalls-outgoing; Wed, 9 Oct 1996 02:04:56 -0700 (PDT)
Received: from mail.rijnhaave.nl (mail.rijnhaave.nl [194.151.56.21]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id CAA12755 for ; Wed, 9 Oct 1996 02:04:03 -0700 (PDT)
Received: from thierry (alfa.rijnhaave.nl [194.151.56.61]) by mail.rijnhaave.nl (8.7.5/8.7.3) with SMTP id KAA27635 for ; Wed, 9 Oct 1996 10:03:27 +0100 (MET)
Message-Id: <2.2.32.19961009100458.006a5bdc@mail.rijnhaave.nl>
X-Sender: thierry@mail.rijnhaave.nl
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 09 Oct 1996 11:04:58 +0100
To: Firewalls@GreatCircle.COM
From: Thierry van Herwijnen
Subject: Re: Firewalls-Digest V5 #559
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>That is why the Israeli university consortium has come up with
>a different solution. It is called chokepoint. A unix system that acts
>as a firewall/gateway. If the total access speed to the Internet is
>T1 then at the chokepoint one can define that port 80 can use a maximum of
>700kb. And one can define that telnet is guaranteed 30kb. And that

Why? Just use a simple router, like a Cisco with several LAN interfaces

   ,,,
  (o-o)
--------.oOO--(_)--OOo.--------------------------------------------------
ing. Thierry van Herwijnen      \ t.vanherwijnen@rijnhaave.net
Consultant                      \ thierry@herwijnen.com
Rijnhaave Internet Services     \ Louis Braillelaan 6
http://www.rijnhaave.net        \ 2719 EJ Zoetermeer
                                \ The Netherlands
-------------------------------------------------------------------------

From firewalls-owner Wed Oct 9 02:28:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA13521 for firewalls-outgoing; Wed, 9 Oct 1996 02:20:32 -0700 (PDT)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id CAA13479 for ; Wed, 9 Oct 1996 02:20:05 -0700 (PDT)
Received: from ismael.gmv.es by relay5.UU.NET with SMTP (peer crosschecked as: ismael.gmv.es [194.74.160.3]) id QQbkqv06229; Wed, 9 Oct 1996 05:19:43 -0400 (EDT)
Received: by ismael.gmv.es; id LAA23592; Wed, 9 Oct 1996 11:26:53 +0200
Received: from melmac.gmv.es(193.127.48.3) by ismael.gmv.es via smap (V3.1.1) id xma023589; Wed, 9 Oct 96 11:26:48 +0200
Received: from pcjccs (pcjccs.gmv.es) by gmv.es (4.1/GMV-1.10) id AA06998; Wed, 9 Oct 96 11:18:01 +0200
Message-Id: <325B7B88.3322B241@esegi.es>
Date: Wed, 09 Oct 1996 11:16:40 +0100
From: Juan Carlos Canet Saixo
Organization: SGI Soluciones Globales Internet
X-Mailer: Mozilla 3.0 (X11; I; Linux 2.0.21 i586)
Mime-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: NT Firewalls
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for a firewall for an Intel-based device and the Windows NT operating system. I've found information about these firewalls:

o Altavista firewall
o Eagle (Raptor)
o Firewall-1
o WatchGuard (??)

I've read a lot of things about these firewalls, but I don't know which of them I have to choose. Do you have any experience with them? I need advice.
Thanks in advance
--
---- Juan Carlos Canet Saixo ----
---- SGI Soluciones Globales Internet ----
e-mail: jccanet@esegi.es

From firewalls-owner Wed Oct 9 02:43:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA14925 for firewalls-outgoing; Wed, 9 Oct 1996 02:39:03 -0700 (PDT)
Received: from snet (dataprep.com.my [202.190.57.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA14914 for ; Wed, 9 Oct 1996 02:38:51 -0700 (PDT)
Received: from palan-net by snet (SMI-8.6/SMI-SVR4) id RAA17728; Wed, 9 Oct 1996 17:44:51 -0800
Date: Wed, 9 Oct 1996 17:44:51 -0800
Message-Id: <199610100144.RAA17728@snet>
X-Sender: palan@dataprep.com.my (Unverified)
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Kogulapalan
Subject: Subnet Routing
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have a very long story down here; please read it and reply to me with a solution. Ooppps, it's not a firewall question ;) sorry, desperate for a solution.

I'm using a Sun Sparc i5 to do routing for our internal packets. I have a problem routing the subnets of a Class C address. I break the Class C address into 4 networks, which means it has a mask of 255.255.255.192, and I got the following network numbers (correct me if I'm wrong):

1.2.3.0
1.2.3.64
1.2.3.128
1.2.3.192

The first network (1.2.3.0) is used for the WAN between ROUTER A and ROUTER B.
* The routing table on Sun shows:

Network    Gateway
1.2.3.0    1.1.1.1 (which is ROUTER A's LAN)
(no problem at this moment)

I add the second network (1.2.3.64), which is also a WAN connection between ROUTER C and ROUTER D.
* The routing table on Sun shows:

Network    Gateway
1.2.3.0    1.1.1.1 (which is ROUTER A's LAN)
1.2.3.64   1.1.1.2 (which is ROUTER C's LAN)
(I have a problem over here...)

I can't PING the WAN interface on ROUTER C and ROUTER D. I get a reply ICMP from ROUTER A saying host unreachable.
But I can ping the LAN on ROUTER C.

--> All the four routers are on the same LAN (1.1.1.0).
--> Edited etc/networks and etc/netmasks appropriately.
--> Flushed routing table, rebooted Sun.
--> Removed the first route 1.2.3.0 -- 1.1.1.1 from table.

I did all the above and still can't reach the WAN of ROUTER C.

I removed all the routes, and added this:

Network    Gateway
1.2.3.0    1.1.1.2 (which is ROUTER C's LAN)

Guess what? It works :) I can ping ROUTER C and ROUTER D.
But I can't reach ROUTER A and ROUTER B :( now.

I believe this is because the Sun doesn't seem to understand the subnet and assumes 1.2.3.64 is a HOST and not a NETWORK address. (Am I missing anything over here, and am I correct?)

I need some advice and suggestions and reasons why this doesn't work. If any of you have experienced this, please let me know what's the solution.

regards,
PaLaN
palan@mailhost.net
"If you can reach them, They can reach you"

From firewalls-owner Wed Oct 9 03:12:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA17444 for firewalls-outgoing; Wed, 9 Oct 1996 03:00:11 -0700 (PDT)
Received: from cacofonix.utr.ac.za (cacofonix.utr.ac.za [192.96.20.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA17220 for ; Wed, 9 Oct 1996 02:59:05 -0700 (PDT)
From: sysman@UTTFS1.utr.ac.za
Received: from uttfs1.utr.ac.za (uttfs1.utr.ac.za [192.96.20.19]) by cacofonix.utr.ac.za (8.6.9/8.6.9) with ESMTP id MAA23716 for ; Wed, 9 Oct 1996 12:05:12 +0200
Received: from UTTFS1/SpoolDir by uttfs1.utr.ac.za (Mercury 1.21); 9 Oct 96 13:07:38 +0200
Received: from SpoolDir by UTTFS1 (Mercury 1.30); 9 Oct 96 13:07:09 +0200
Organization: University of Transkei
To: firewalls@GreatCircle.com
Date: Wed, 9 Oct 1996 13:06:58 SAT
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Borderware Firewall
X-mailer: Pegasus Mail for Windows (v2.42a)
Message-ID: <2DBD7B3296@uttfs1.utr.ac.za>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello

I have been looking at different firewalls and I see a lot of comments on CheckPoint, Gauntlet and Sidewinder, but does anybody have any comments on Borderware's firewall?

Thanks

Shane Boulle
Computer Services Department
University of Transkei
South Africa
Tel 27-471-3022201
Fax 27-471-3022456
Cell 0822007713

From firewalls-owner Wed Oct 9 04:26:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA25206 for firewalls-outgoing; Wed, 9 Oct 1996 04:21:05 -0700 (PDT)
Received: from passport.cadrus.fr (passport.cadrus.fr [194.51.236.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA25197; Wed, 9 Oct 1996 04:20:53 -0700 (PDT)
Received: from localhost.cadrus.fr by passport.cadrus.fr; Wed, 9 Oct 1996 13:20:32 +0200 (EET)
Received: (from pyb@localhost) by localhost (8.6.12/8.6.12) id LAA07037; Wed, 9 Oct 1996 11:59:00 +0100
Date: Wed, 9 Oct 1996 11:59:00 +0100
Message-Id: <199610091059.LAA07037@localhost>
From: Pierre-Yves Bonnetain
To: Firewalls@GreatCircle.COM, ahh@psk.co.at
CC: firewalls-digest@GreatCircle.COM
In-reply-to: <199610090143.SAA07696@miles.greatcircle.com> (firewalls-digest-owner@GreatCircle.COM)
Subject: Re: Firewalls-Digest V5 #558
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> Date: Tue, 08 Oct 1996 14:35:41 +0200
> From: "Alexander H. Hackenberg"
> Subject: udp ports <33400
>
> hi,
>
> can anybody tell me what the udp ports 334xx-335xx are for ???
> some nice guy (or gal;) sends lots of these packets to our domain.
> TRACE 33434-33533/udp # Traceroute ports (100 hops)

--
-+-+ Pierre-Yves BONNETAIN (aka Pyb)
Consultant Internet/Securite
B & A Consultants - PROXIMA - Rue des Pyrénées
31330 Grenade-Sur-Garonne
Tel : 05.62.79.32.61 - Fax : 05.61.82.42.21

From firewalls-owner Wed Oct 9 04:42:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA25332 for firewalls-outgoing; Wed, 9 Oct 1996 04:24:02 -0700 (PDT)
Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA25315 for ; Wed, 9 Oct 1996 04:23:43 -0700 (PDT)
Received: by relay.ashton.csc.com; id HAA18763; Wed, 9 Oct 1996 07:20:08 -0400
Received: from ckostick.sed.csc.com(20.2.53.154) by relay.ashton.csc.com via smap (g3.0.1) id sma018759; Wed, 9 Oct 96 07:19:49 -0400
Received: by ckostick.sed.csc.com with Microsoft Mail id <01BBB5B1.A4539300@ckostick.sed.csc.com>; Wed, 9 Oct 1996 07:15:25 -0400
Message-ID: <01BBB5B1.A4539300@ckostick.sed.csc.com>
From: Chris Kostick
To: "'Alejandro Motta'" , Majordomo
Subject: RE: Virus on Internet
Date: Wed, 9 Oct 1996 07:15:24 -0400
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

FireWall-1 3.0 is supposed to have this functionality for FTP transfers. v3.0 is not available yet, but should be in 4th qtr '96.

----------
From: Alejandro Motta[SMTP:amotta@ifi.unizh.ch]
Sent: Wednesday, October 09, 1996 4:25 AM
To: Majordomo
Subject: Virus on Internet

Can someone tell me if there are commercial firewalls that can recognize and eliminate viruses on the Internet, before they enter the private net? I am doing an evaluation of commercial firewalls and I would appreciate having some information from you.

Thanks

Alex

From firewalls-owner Wed Oct 9 05:11:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA28494 for firewalls-outgoing; Wed, 9 Oct 1996 04:59:27 -0700 (PDT)
Received: from mippet.ci.com.au (mippet.ci.COM.AU [192.65.182.30]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA28109 for ; Wed, 9 Oct 1996 04:55:59 -0700 (PDT)
Received: from fgh.fgh.oz.au (daemon@localhost) by mippet.ci.com.au (8.7.5/8.7.3/CE) with MHSnet id VAA07256 for Firewalls@GreatCircle.COM; Wed, 9 Oct 1996 21:55:06 +1000 (EST)
Received: by fgh.fgh.oz.au (5.0) from localhost id AA06655; Wed, 9 Oct 1996 21:54:18 --1000
Date: Wed, 9 Oct 1996 21:54:17 +1000 (EST)
From: Dave Horsfall
To: Firewalls@GreatCircle.COM
Subject: Re: udp ports <33400
In-Reply-To: <199610090143.SAA07696@miles.greatcircle.com>
Message-Id:
X-Witty-Saying: "Klein Bottle - open other end"
X-Disclaimer: "Me, speak for us?"
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> u_short port = 32768+666; /* start udp dest port # for probe packets */

The Port of the Beast :-)

--
Dave Horsfall VK2KFU  dave@fgh.oz.au  Ph: +61 2 9957-4224  Fx: +61 2 9922-5286
FGH Decision Support Systems P/L, 77 Pacific Hwy, Nth. Sydney, 2060, Australia

From firewalls-owner Wed Oct 9 05:27:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA29433 for firewalls-outgoing; Wed, 9 Oct 1996 05:05:32 -0700 (PDT)
Received: from C930CONC.publicitas.com (c930conc.publicitas.com [193.73.102.141]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA29406 for ; Wed, 9 Oct 1996 05:05:18 -0700 (PDT)
Received: from c930smtp.publicitas.com (Administrator@localhost) by C930CONC.publicitas.com (1.0 (Berkeley 8.7) Build 340/Configuration 4) with SMTP id NAA00207; Wed, 09 Oct 1996 13:00:44 +0100
Received: from ccMail by c930smtp.publicitas.com (IMA Internet Exchange 2.02 Enterprise) id 25B94CD0; Wed, 9 Oct 96 14:04:29 +0200
Mime-Version: 1.0
Date: Wed, 9 Oct 1996 13:40:04 +0200
Message-ID: <25B94CD0.@publicitas.com>
From: ddurand@publicitas.com (DURAND DIDIER)
Subject: Re: Virus on Internet
To: Majordomo , Alejandro Motta
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there,

1) We are currently beginning tests of the McAfee product called WebShield: it is a separate anti-virus product for firewall systems. Runs on a dedicated Pentium PC. URL: http://www.mcafee.com

2) Netscape recently announced an add-on from MicroTrend on their Proxy Server. Not available yet (beg 1997 ?)
Dr Didier DURAND
Consultas SA - Groupe PUBLICITAS
Avenue des Mousquines 4
CH-1005 Lausanne
Switzerland
Tel: +41-21-213-61-11
Direct: +41-21-213-61-26
Fax: +41-21-312-44-09
E-mail: ddurand@publicitas.com
=========================================================================

______________________________ Reply Separator _________________________________
Subject: Virus on Internet
Author: Alejandro Motta at INTERNET
Date: 9.10.96 09:25

Can someone tell me if there are commercial firewalls that can recognize and eliminate viruses on the Internet, before they enter the private net? I am doing an evaluation of commercial firewalls and I would appreciate having some information from you.

Thanks

Alex

From firewalls-owner Wed Oct 9 05:42:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA01497 for firewalls-outgoing; Wed, 9 Oct 1996 05:17:41 -0700 (PDT)
Received: from mail.clark.net (100-mail.clark.net [207.97.20.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA01283 for ; Wed, 9 Oct 1996 05:16:50 -0700 (PDT)
Received: from clark.net (proberts@explorer.clark.net [168.143.0.7]) by mail.clark.net (8.7.3/8.6.5) with ESMTP id IAA06041; Wed, 9 Oct 1996 08:16:40 -0400 (EDT)
Received: from localhost (proberts@localhost) by clark.net (8.7.1/8.7.1) with SMTP id IAA01318; Wed, 9 Oct 1996 08:16:18 -0400 (EDT)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Wed, 9 Oct 1996 08:16:18 -0400 (EDT)
From: "Paul D. Robertson"
To: Ed Young
cc: firewalls@GreatCircle.COM
Subject: Re: FW: RE: Sniffer detection.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 8 Oct 1996, Ed Young wrote:

> Use a sniffer to find a sniffer. A Distributed sniffer can monitor the
> network for any new devices and send an alarm to a pager or NMS station.

Which doesn't solve the problem of an Ethernet adapter already on the net going into promiscuous mode. Nor does it find a device that is added and doesn't send any packets. It also doesn't find MAC spoofed addresses that come on-line with an existing address. The last two can, and should, be solved with physical security. Then there's the fun of managing adapter changes, and laptop users while seeding the database.

> Additionally, on Token Ring, devices will send out a trace tool present
                                       ^^^^

That's "should", not "will"; I've seen Token Ring sniffers that can be configured not to send that packet. Fortunately, for those on Token Ring networks, most cards won't go into promiscuous mode, reducing the existing machine threat.

> packet on the network letting the Lan Manager station know that it is
> there. Configure the Lan Manager to not allow trace tools. For FDDI, ATM

Not sure if FDDI needs to be broken if there's a hub, and not an adapter to adapter ring; perhaps someone knows for sure?

> and WAN protocols the link must be broken.
>
> Again, use a sniffer to find a sniffer.
>

Which is weak at best, and rather expensive if you're relying on something like a DSS for this protection. I *like* the DSS', and have four or five of them, but in this case, I don't think it's the proper tool.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Wed Oct 9 05:58:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA04646 for firewalls-outgoing; Wed, 9 Oct 1996 05:45:03 -0700 (PDT)
Received: from relay7.UU.NET (relay7.UU.NET [192.48.96.17]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA04571 for ; Wed, 9 Oct 1996 05:44:42 -0700 (PDT)
Received: from smtp.caas.com by relay7.UU.NET with ESMTP (peer crosschecked as: smtp.caas.com [207.19.203.3]) id QQbkri06093; Wed, 9 Oct 1996 08:43:48 -0400 (EDT)
Received: from computer10 ([207.19.203.20]) by smtp.caas.com (8.6.11/8.6.9) with SMTP id IAA22659; Wed, 9 Oct 1996 08:20:26 -0400
Received: by computer10 with Microsoft Mail id <01BBB5BD.96D357E0@computer10>; Wed, 9 Oct 1996 08:40:56 -0400
Message-ID: <01BBB5BD.96D357E0@computer10>
From: Cyndi Crutchfield
To: "'Alejandro Motta'" , "'Chris Kostick'" , Majordomo
Cc: Damian , JoAnn , John
Subject: RE: Virus on Internet
Date: Wed, 9 Oct 1996 08:40:53 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The Norman Firewall, from its inception, has done virus scanning. The virus scanner operates on the FTP proxy and the FTP portion of the HTTP proxy. Additionally, it does hot-word scanning for these same proxies. The inclusion of a virus removing routine is not feasible at this time because the routines require too much computer overhead, restricting the processing capability of the computer for other connections. Also, the automatic routines would most likely destroy approximately 80% of the infected files.

The Norman virus scanner will recursively decompress (zip, gzip, tar, etc.) compressed files for complete scanning.
----------
From: Chris Kostick[SMTP:ckostick@csc.com]
Sent: Wednesday, October 09, 1996 7:15 AM
To: 'Alejandro Motta'; Majordomo
Subject: RE: Virus on Internet

FireWall-1 3.0 is supposed to have this functionality for FTP transfers. v3.0 is not available yet, but should be in 4th qtr '96.

----------
From: Alejandro Motta[SMTP:amotta@ifi.unizh.ch]
Sent: Wednesday, October 09, 1996 4:25 AM
To: Majordomo
Subject: Virus on Internet

Can someone tell me if there are commercial firewalls that can recognize and eliminate viruses on the Internet, before they enter the private net? I am doing an evaluation of commercial firewalls and I would appreciate having some information from you.

Thanks

Alex

From firewalls-owner Wed Oct 9 06:17:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA08423 for firewalls-outgoing; Wed, 9 Oct 1996 06:07:16 -0700 (PDT)
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.71.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA08342; Wed, 9 Oct 1996 06:07:05 -0700 (PDT)
Message-Id: <199610091307.GAA08342@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA012026143; Wed, 9 Oct 1996 09:02:23 -0400
Date: Wed, 9 Oct 1996 09:02:23 -0400
From: gary flynn
To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM
Subject: Re: Internet II is coming... (fwd)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Hank Nussbacher
>
> How will throwing OC48 pipes at the university network solve the problem?
> Today a common university has about 10,000 PCs each with sound cards and
> the kids all do CuseeMe and Vocaltec. 3 years down the road they will all have
> VR gear attached to their PC in the dorm and will be doing netgaming in the
> evening. So the OC48 pipes get stuffed and the researchers complain.
> Universities will use whatever bandwidth you throw at them.
>
> The reason for this is that within the university, access and use is unlimited
> and uncontrolled.

This may not be true in the Internet II scenario. There could be two separate Internet connections with appropriate controls for the "research network".

From firewalls-owner Wed Oct 9 07:12:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA09659 for firewalls-outgoing; Wed, 9 Oct 1996 06:12:47 -0700 (PDT)
Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA09608 for ; Wed, 9 Oct 1996 06:12:32 -0700 (PDT)
Received: (from lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) id JAA23447; Wed, 9 Oct 1996 09:12:41 -0400
Date: Wed, 9 Oct 1996 09:12:40 -0400 (EDT)
From: Todd Graham Lewis
To: Chris Kostick
cc: "'Alejandro Motta'" , Majordomo
Subject: RE: Virus on Internet
In-Reply-To: <01BBB5B1.A4539300@ckostick.sed.csc.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 9 Oct 1996, Chris Kostick wrote:

> FireWall-1 3.0 is supposed to have this functionality for FTP
> transfers. v3.0 is not available yet, but should be in 4th qtr '96.
>
> ----------
> From: Alejandro Motta[SMTP:amotta@ifi.unizh.ch]
> Sent: Wednesday, October 09, 1996 4:25 AM
> Subject: Virus on Internet
>
> Can someone tell me if there are commercial firewalls that can
> recognize and eliminate viruses on the Internet, before they enter the
> private net?

I'd be, umm, interested in seeing how this is done in a reliable and consistent manner; I have yet to see one that works, and many (including myself) think they are impossible.

__
Todd Graham Lewis                                   Linux!
Core Engineering                                    Mindspring Enterprises
tlewis@mindspring.com                               (800) 719 4664, x2804

From firewalls-owner Wed Oct 9 07:16:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA13123 for firewalls-outgoing; Wed, 9 Oct 1996 06:34:42 -0700 (PDT)
Received: from tiger.misty.com (tigger.misty.com [205.164.128.201]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA13116 for ; Wed, 9 Oct 1996 06:34:35 -0700 (PDT)
Received: (from tkraft@localhost) by tiger.misty.com (8.7.5/8.7.3) id JAA06199; Wed, 9 Oct 1996 09:33:06 -0400 (EDT)
Date: Wed, 9 Oct 1996 09:33:05 -0400 (EDT)
From: Todd Kraft
X-Sender: tkraft@tiger.misty.com
To: Alejandro Motta
cc: Majordomo
Subject: Re: Virus on Internet
In-Reply-To: <325B6179.41C67EA6@ifi.unizh.ch>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 9 Oct 1996, Alejandro Motta wrote:

> Can someone tell me if there are commercial firewalls that can
> recognize and eliminate viruses on the Internet, before they enter the
> private net?
> I am doing an evaluation of commercial firewalls and I would appreciate
> having some information from you.
>
> Thanks
>
> Alex
>

A variety of products are reviewed at http://www.pcweek.com/archive/1328/pcwk0041.htm.

As far back as 1994, the GreatCircle archives have rather heated discussions about virus checking. For example see:

http://www.netsys.com/firewalls/firewalls-9405/0163.html
http://netsys.com/firewalls/firewalls-9410/0248.html

I think the general consensus in this list is:

1. Filtering all of the viruses all of the time is impossible.
2. Filtering some of the viruses most of the time is possible.
3. Filtering some of the viruses most of the time is better than filtering none of the viruses none of the time.
4. Encrypted data and self-extracting binaries complicate/confound the filtering process.
5. User education, desktop and NOS based virus checking are still required, because many (the majority?) viruses come from floppies and the filtering of network data is imperfect.

Other comments/opinions/experiences?

-Todd

From firewalls-owner Wed Oct 9 07:27:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA18538 for firewalls-outgoing; Wed, 9 Oct 1996 07:22:28 -0700 (PDT)
Received: from ctss02.telecom.hydro.qc.ca (ctss02.telecom.hydro.qc.ca [131.195.64.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA18475 for ; Wed, 9 Oct 1996 07:22:02 -0700 (PDT)
Received: from neptune (neptune.telecom.hydro.qc.ca [131.195.237.170]) by ctss02.telecom.hydro.qc.ca (8.7.5/8.7.1) with SMTP id KAA29389; Wed, 9 Oct 1996 10:18:14 -0400 (EDT)
Message-ID: <325BB49E.777D@telecom.hydro.qc.ca>
Date: Wed, 09 Oct 1996 10:20:14 -0400
From: "bettez@telecom.hydro.qc.ca"
Organization: Hydro-Québec
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.4 sun4m)
MIME-Version: 1.0
To: James Grimm
CC: firewalls@greatcircle.com
Subject: Re: Any thoughts on these firewalls?
References: <2.2.32.19961008150449.00708a40@pop.trusted.com> <325A78A6.1145@telecom.hydro.qc.ca> <325ACFFC.5C0E@credence.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

James Grimm wrote:
>
> bettez@telecom.hydro.qc.ca wrote:
> >
> > Frederick M Avolio wrote:
> > >
> > > > - generic udp proxy(!)
> > > >We evaluate FW/1, but we didn't find it enough secure.
> > > >wander why everybody is talking about it(?)
> Jean-Sebastien,
> Quick question: What Linux firewall are you referring to?
>

I'm talking about the firewall features built into the Linux kernel (since 1.3.x (I think)). You can manage it with ipfwadm ( http://www.xos.nl/linux/ipfwadm ).
_______________________________ Jean-Sebastien Bettez E:bettez@telecom.hydro.qc.ca From firewalls-owner Wed Oct 9 07:45:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA17639 for firewalls-outgoing; Wed, 9 Oct 1996 07:11:55 -0700 (PDT) Received: from humerus.whin.net (humerus.whin.net [156.46.32.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA17543 for ; Wed, 9 Oct 1996 07:11:27 -0700 (PDT) Received: (from chuck@localhost) by humerus.whin.net (8.6.9/8.6.9) id JAA10553; Wed, 9 Oct 1996 09:03:25 -0500 From: Chuck Hill Message-Id: <199610091403.JAA10553@humerus.whin.net> Subject: Re: Subnet Routing To: palan@dataprep.com.my (Kogulapalan) Date: Wed, 9 Oct 1996 09:03:25 -0500 (CDT) Cc: firewalls@greatcircle.com In-Reply-To: <199610100144.RAA17728@snet> from "Kogulapalan" at Oct 9, 96 05:44:51 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The Sun's route command doesn't understand subnet masks , just like RIP doesn't carry subnet masks. The Sun will only pickup the subnet mask if you bind that address to one of its interfaces. The only solution I know of is to add route info into both routers for all 4 networks . Point the Sun at one of them , then the routers will send ICMP host redirects to the Sun. This will build the route table up slowly as traffic is routed to individual hosts. It can make for a large route table on th eSun , but its the only solution I know of outside redesigning the Network Regards, Chuck > > Hi, > > I have very long story down here, please read it and reply me a solution. > Ooppps, its not a Firewall question ;) sorry, desperate for solution. > > I'm using Sun Sparc i5 to do a routing for our internal packets. I have > problem in routing the subnet of Class C address. 
I break the Class C > address into 4 networks which means it has a mask of 255.255.255.192 and I got > the following network numbers (correct me if I'm wrong): > > 1.2.3.0 > 1.2.3.64 > 1.2.3.128 > 1.2.3.192 > > The first network (1.2.3.0) is used for the WAN between ROUTER A and ROUTER B. > * The routing table on the Sun shows : > > Network Gateway > 1.2.3.0 1.1.1.1 (which is ROUTER A's LAN) > (no problem at this moment) > > I add the second network (1.2.3.64) which is also a WAN connection > between ROUTER C and ROUTER D. > * The routing table on the Sun shows : > > Network Gateway > 1.2.3.0 1.1.1.1 (which is ROUTER A's LAN) > 1.2.3.64 1.1.1.2 (which is ROUTER C's LAN) > (I have a problem over here...) > > I can't PING the WAN interface on ROUTER C and ROUTER D. > I get a reply ICMP from ROUTER A saying host unreachable. > But I can ping the LAN on ROUTER C. > > --> All the four routers are on the same LAN (1.1.1.0). > --> Edited etc/networks and etc/netmasks appropriately. > --> Flushed routing table, rebooted Sun. > --> Removed the first route 1.2.3.0 -- 1.1.1.1 from table. > > I did all the above and still can't reach the WAN of ROUTER C. > > I removed all the routes, and added this : > > Network Gateway > 1.2.3.0 1.1.1.2 (which is ROUTER C's LAN) > > Guess what ? It works :) I can ping ROUTER C and ROUTER D. > But I can't reach ROUTER A and ROUTER B :( now. > > I believe this is because the Sun doesn't seem to understand the subnet > and assumes 1.2.3.64 is a HOST and not a NETWORK address. > (Am I missing anything over here, and am I correct ?) > > I need some advice and suggestions and reasons why this doesn't work. > If any of you have experienced this, please let me know what's the solution.
> > > regards, > PaLaN > palan@mailhost.net > "If you can reach them, They can reach you" > > > > From firewalls-owner Wed Oct 9 07:50:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA14445 for firewalls-outgoing; Wed, 9 Oct 1996 06:44:18 -0700 (PDT) Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.71.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA13932; Wed, 9 Oct 1996 06:44:01 -0700 (PDT) Message-Id: <199610091344.GAA13932@miles.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA018957957; Wed, 9 Oct 1996 09:32:37 -0400 Date: Wed, 9 Oct 1996 09:32:37 -0400 From: gary flynn To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM Subject: Re: FW: RE: Sniffer detection. Cc: gary@habanero.jmu.edu Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > --- On Tue, 8 Oct 96 18:06:22 PDT Ed Young wrote: > > Use a sniffer to find a sniffer. A distributed sniffer can monitor the network for any new devices and send an alarm to a pager or NMS station. Additionally, on Token Ring, devices will send out a trace tool present packet on the network letting the Lan Manager station know that it is there. Configure the Lan Manager to not allow trace tools. For FDDI, ATM and WAN protocols the link must be broken. > > Again, use a sniffer to find a sniffer. Nothing is going to find a node that is passively listening. Sniffers, intelligent hubs, and other detection devices all depend on the sniffing device sending out packets to detect them. A PC based sniffer won't be sending stuff unless you tell it to. Now there are some exceptions to that. Two sniffers that I'm aware of send packets to ensure license compliance. If they see each other, one of them shuts down. I don't know how many sniffer packages have this feature but I surely wouldn't depend on that feature for security.
Anyone that seriously wants to sniff packets can make their own sniffer if the government or any other self-styled mandate body should decree that all packet sniffers have "disclosure" features or some other such nonsense. Sniffers that sit on top of operating systems and act as just another application are a slightly different matter. Sniffers that run on top of unix and Windows95/NT would fall into this category. First, you can detect the node with a simple ping or other protocol check. Second, the other applications or the operating system itself are likely to send packets that can tip you off. Third, as others have pointed out, if you can get into the machine, you may be able to detect signs that a promiscuous mode network adapter is being used. It's conceivable that you could detect a node on a coaxial network using TDR technology but coaxial networks are rapidly fading in favor of star wired twisted pair networks. If someone loads a DOS based, passive sniffer on a "legal" PC on a 10-Base-T network, you cannot see it, you won't know it, and your data better be encrypted if it's vital to your business. What's the risk of someone internal doing this? That's the question you have to answer. As already mentioned, an option to encryption is the use of "secure hubs" like those sold by 3com and HP. The HP hubs remember the MAC address of the attached device and scramble the data field of any packets on that port with a destination address different from the "registered" one. The registered address can be entered manually, be the first one seen, or learned on the fly depending upon configuration options. Broadcast and multicast addresses pass through untouched. Ports that are used to cascade hubs must have this feature disabled or bad things happen to performance as the hub continually switches the learned MAC address.
A protocol analyzer on a secure port sees packets addressed to the registered node, broadcasts, multicasts, and a gazillion CRC errors and unidentified ethernet types :-). You can tell intelligent hubs not to allow unregistered MAC addresses and, in fact, notify you when they're seen. However, this feature won't protect you from someone using one of your sanctioned nodes. LANs are shared. Like societies, they depend upon the cooperation of their members to remain operational. If you fix the data visibility problem, there will always be the denial of service problem on a shared network. Anyone can load software that fills the network pipe. Anyone can load software that sends SYNs. Anyone can reconfigure their IP address to match the critical router or host. etc., etc., etc. My worst nightmare is a virus that learns about the network and silently trashes it intermittently. You won't find it unless you've got protocol analyzers running constantly. I've got to quit reading this list. It's encouraging my cynical, paranoid, curmudgeonly nature. :-) Gary Flynn Network (chaos) Manager James Madison University All opinions expressed, such as they are, are my personal ones.
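An added example for the third of the detection avenues in the message above (not code from the list, and not anything Gary Flynn posted): if you can get onto the suspect host, check whether its adapter is in promiscuous mode. On Linux that state is the IFF_PROMISC bit (0x100) of the flag word in /sys/class/net/<if>/flags, and `ip -o link show` prints the same flag by name as PROMISC. The `ip` output below is constructed, not captured from a real host, so the script runs offline; the function names are mine.

```python
"""Host-side check for a promiscuous network adapter (Linux).

Added example, not code from the firewalls-list thread. A passive sniffer
emits nothing on the wire, so the only evidence is on the sniffing host,
where the adapter has been put into promiscuous mode. Two sources of that
fact are parsed here: the hex flag word in /sys/class/net/<if>/flags and the
symbolic flags printed by `ip -o link show`.
"""
import re
from pathlib import Path
from typing import Dict, List

IFF_PROMISC = 0x100  # bit value from <linux/if.h>

# Constructed sample of `ip -o link show` output (not from a real host).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: veth0@if7: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default\\    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff
"""

# "N: name[@peer]: <FLAG,FLAG,...>"; the @peer suffix appears on veth pairs.
_IP_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@[^:\s]+)?:\s+<([^>]*)>")


def promisc_from_flags(flags_text: str) -> bool:
    """True if the hex flag word read from /sys/class/net/<if>/flags has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_from_ip_link(output: str) -> Dict[str, bool]:
    """Map interface name -> whether PROMISC is among its flags, from `ip -o link show` text."""
    found: Dict[str, bool] = {}
    for line in output.splitlines():
        m = _IP_LINK_RE.match(line)
        if m:
            name, flags = m.group(1), m.group(2).split(",")
            found[name] = "PROMISC" in flags
    return found


def scan_sysfs(root: Path = Path("/sys/class/net")) -> Dict[str, bool]:
    """Live check of this host via sysfs; returns {} where /sys/class/net is absent."""
    found: Dict[str, bool] = {}
    for flags_file in root.glob("*/flags"):
        try:
            found[flags_file.parent.name] = promisc_from_flags(flags_file.read_text())
        except (OSError, ValueError):
            continue  # interface vanished or unreadable; skip it
    return found


def suspicious(report: Dict[str, bool]) -> List[str]:
    """Names of interfaces flagged promiscuous, sorted for stable output."""
    return sorted(name for name, promisc in report.items() if promisc)


if __name__ == "__main__":
    print("sample data:", suspicious(promisc_from_ip_link(SAMPLE_IP_LINK)))
    print("this host:  ", suspicious(scan_sysfs()))
```

Treat a hit as a lead, not proof, and treat a miss the same way: a sniffer run on a host whose kernel or `ip` binary has been tampered with can clear or hide the flag, which is exactly why the message above says you "may be able to" detect it rather than that you will.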
From firewalls-owner Wed Oct 9 07:57:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15918 for firewalls-outgoing; Wed, 9 Oct 1996 06:53:38 -0700 (PDT) Received: from gatekeep.us.landisgyr.com (gatekeep.us.landisgyr.com [206.175.68.122]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA15891 for ; Wed, 9 Oct 1996 06:53:27 -0700 (PDT) Received: by gatekeep.us.landisgyr.com; id FAA02893; Wed, 9 Oct 1996 05:48:34 -0400 Received: from unknown(204.207.110.148) by gatekeep.us.landisgyr.com via smap (V3.1) id xma002890; Wed, 9 Oct 96 05:48:16 -0400 Received: from mailrelay.us.landisgyr.com by pmdf.us.landisgyr.com (PMDF V5.0-4 #10101) id <01IAFLVVTXQO000DHF@pmdf.us.landisgyr.com> for firewalls@greatcircle.com; Wed, 09 Oct 1996 08:52:23 -0500 (CDT) Received: with PMDF-MR; Wed, 09 Oct 1996 08:51:21 -0500 (CDT) MR-Received: by mta PFMSV1.MUAS; Relayed; Wed, 09 Oct 1996 08:51:21 -0500 MR-Received: by mta PFMSV1; Relayed; Wed, 09 Oct 1996 08:51:21 -0500 MR-Received: by mta PFMMRX; Relayed; Wed, 09 Oct 1996 08:51:51 -0500 Disclose-recipients: prohibited Date: Wed, 09 Oct 1996 08:51:21 -0500 (CDT) From: Joav Kohn Subject: HTTPS & Gauntlet To: Firewalls Message-id: <6921510809101996/A01239/PFMSV1/11AA4A331500*@MHS.us.landisgyr.com> Autoforwarded: false MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Importance: normal Sensitivity: Company-Confidential UA-content-id: 11AA4A331500 X400-MTS-identifier: [;6921510809101996/A01239/PFMSV1] Hop-count: 2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Quick Question (I hope) I'm trying to let https access through my firewall (a TIS Gauntlet) and what I've done is this: In my /etc/services I've added the line https 443 ssl and in my /etc/rc.local I've added http-gw -daemon https & (that may not be the exact syntax, but I'm doing this from memory. Is everyone's firewall two buildings over?)
Anyway, the point of this story is that when a client now tries to hit an https server, it just hangs forever. The packet seems to go out (i.e. "host contacted, waiting for reply") but a timeout never occurs and no data ever comes back. Anyone know what I'm doing wrong? TIA -joav From firewalls-owner Wed Oct 9 08:13:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA16882 for firewalls-outgoing; Wed, 9 Oct 1996 07:03:12 -0700 (PDT) Received: from phoenix.iss.net (phoenix.iss.net [204.241.60.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA16846 for ; Wed, 9 Oct 1996 07:03:01 -0700 (PDT) Received: from localhost (davem@localhost) by phoenix.iss.net (8.6.13/8.6.12) with SMTP id KAA05987; Wed, 9 Oct 1996 10:02:33 -0400 Date: Wed, 9 Oct 1996 10:02:33 -0400 (EDT) From: "David J. Meltzer" To: Michael Jarvis cc: firewalls@GreatCircle.COM Subject: Re: smtp and auth In-Reply-To: <199610071622.LAA00592@burrito.insource.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 7 Oct 1996, Michael Jarvis wrote: > Sendmail 8.x and several other popular SMTP servers attempt to do an > "ident" lookup for all SMTP connections. (See RFC-1413 for more > information.) > > Since ident replies are easily faked, this information is of dubious use. > If you'd like, just add a firewall rule to drop or reject all tcp/113 > traffic. If you're running wu-ftpd or Sendmail or some sort of service > that likes to make ident queries, then permit outbound tcp/113 packets > and the appropriate replies. Although you certainly can not rely on ident information as an authoritative source of the user on a machine, that does not mean that it does not provide useful information in many cases. 
If you may at some point in the future want to trace back the origin of a connection, having ident information is certainly a better option than not having ident information; of course it is only one piece in the puzzle. You can make the assumption that one of the following is true if you obtain an auth response (listed in my estimate of the order of probability):
1. The user returned by the ident query is responsible for the connection.
2. Another person has gained privileges to make connections as that user (either directly to that user, or has gained root access to the machine and su'd to that user).
3. The ident daemon on the source machine has been tampered with to provide false user information.
4. Your machine has been compromised to return false responses to ident queries.
5. A network between your machine and the source machine has been compromised and the query was subject to a MITM hijacking attack.
If you are going to follow up with the administrator of the remote machine, being able to provide them with the ident response allows them a much easier time in handling the situation with that user's account, and certainly the easier it is for them to resolve the situation, the more cooperative they will be. From the opposite perspective, if someone was to approach me with a report of suspicious activity from a machine I administered, being able to go directly to a single user as a starting point as opposed to looking through logs and possibly only narrowing the search down to several dozen potential users is a significant help in my job. Dave --------------------------------+--------------------- David J. Meltzer | Email: davem@iss.net Systems Engineer | Web: www.iss.net Internet Security Systems, Inc.
| Fax: (770)395-1972 From firewalls-owner Wed Oct 9 08:27:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA14559 for firewalls-outgoing; Wed, 9 Oct 1996 06:45:38 -0700 (PDT) Received: from ndhm06.ndhm.gtegsc.com (ndhm06.ndhm.gtegsc.com [155.95.162.156]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA14538 for ; Wed, 9 Oct 1996 06:45:24 -0700 (PDT) Received: by ndhm06.ndhm.gtegsc.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.24) id <01BBB5C6.6E279320@ndhm06.ndhm.gtegsc.com>; Wed, 9 Oct 1996 09:44:13 -0400 Message-ID: From: "Hoffman, Mort" To: "'firewalls@greatcircle.com'" , "'dharris@kcp.com'" Cc: "Button, Dave" Subject: RE: Financial transactions and firewalls. Date: Wed, 9 Oct 1996 09:47:50 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.24 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Delmar is almost entirely correct. SET was designed to ride atop application protocols, primarily HTTP and SMTP (by wrapping SET messages in MIME). The design team wanted to ensure that the protocol would be protected from firewall issues. This should ensure that no direct interaction between SET and firewalls occurs, and that SET will work through any firewall that can support HTTP and/or SMTP. Mort > >---------- >From: dharris@kcp.com[SMTP:dharris@kcp.com] >Sent: Friday, October 04, 1996 4:25 PM >To: firewalls@greatcircle.com; Colin Campbell >Subject: Re: Financial transactions and firewalls. > >Colin/list: > >The "gentleman" in question has many brothers and sisters in other fields. I >have only been at this firewall stuff for about three years and I have >already > >had to fight off three requests for "just a tiny hole" in my firewall so we >could use the latest "firewalls unaware" application that we just _had_ to >have. 
>In each case the application developer was aghast when I suggested that the >product would be much more useful if it was firewall aware _and_ based on a >standard ("well understood") protocol like telnet, http, or ftp. > >Keep fighting the good fight. If it isn't firewall aware it probably isn't >security aware either. > >BTW: From a class I took at Interop I got the impression that SET is not >incompatible with firewalls because it rides on top of other protocols which >firewalls can handle. Is this impression correct? > > Delmer D. Harris > dharris@kcp.com > > >______________________________ Reply Separator >_________________________________ >Subject: Financial transactions and firewalls. >Author: Colin Campbell at >INTERNET-MAIL >Date: 10/3/96 4:14 PM > > >Hi, > >I recently spent several hours (yes hours!) on the phone discussing the >relative merits of my "stupid firewall philosophy" with a gentleman >representing a company implementing secure financial services on the >Internet. His service, if I understood correctly, was based on >(something like?) SWIFT which has been in use in Europe for 15-20 years >by many large financial institutions and therefore was not going to be >changed quickly if at all. > >My firewall was stupid (based on fwtk) because it put proxies in between >my inside hosts and external servers. Furthermore, any firewall that did >any sort of network address translation or proxying was brain-dead. (My >interpretation of his statements). > >Why? Because his software passed an identifying "ticket" with every >packet. This ticket comprised an encrypted date+time, the IP address of >the client machine and some other stuff. When the server saw a packet >from a host whose IP address did not match that in the ticket, alarm >bells would sound and the fraud squad would be on the door step within >minutes.
> >When I suggested to him that 80% (just guessing, so be nice to me) of >the firewalls outside of the financial world use NAT and or proxies he >scoffed at the prospect, suggesting that people using such stupid >technologies were going to miss out on the upcoming revolution about to >hit the Internet with secure financial transactions that would not work >through such firewalls. He also mentioned the "new Microsoft software" >several times (anyone know which?). > >Does anyone have any comments on this guy's philosophy, or mine for that >matter? I would especially like to hear from anyone who's been following >the development of secure financial transactions (SET comes to mind, >right track?) and how these systems are expected to operate through >"stupid firewalls" like mine. > >Colin > > > From firewalls-owner Wed Oct 9 08:57:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA22027 for firewalls-outgoing; Wed, 9 Oct 1996 07:51:24 -0700 (PDT) Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA21964 for ; Wed, 9 Oct 1996 07:50:59 -0700 (PDT) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (8.7.5/8.6.9) with ESMTP id PAA13017; Wed, 9 Oct 1996 15:48:45 +0100 (MET) Received: from mercier.gctech.edelweb.fr (mercier.gctech.edelweb.fr [193.51.14.7]) by champagne.edelweb.fr (8.6.10/8.6.6) with ESMTP id PAA05956; Wed, 9 Oct 1996 15:48:44 +0100 Received: from localhost (ben@localhost) by mercier.gctech.edelweb.fr (8.6.10/8.6.6) with SMTP id QAA04206; Wed, 9 Oct 1996 16:48:44 +0200 Date: Wed, 9 Oct 1996 16:48:43 +0200 (MET DST) From: Ben X-Sender: ben@mercier.gctech.edelweb.fr To: Todd Graham Lewis cc: Chris Kostick , "'Alejandro Motta'" , Majordomo Subject: RE: Virus on Internet In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > 
> Can someone tell me, if there are commercial firewalls, who can > > recognize and eliminate virus on internet, before entering in the > > private net ? > > I'd be, umm, interested in seeing how this is done in reliable and > consistent manner; I have yet to see one that works, and many (including > myself) think they are impossible. Yes, the Halting problem comes to mind. And even if it were possible we would start seeing the beginning of social engineering attacks to the effect of, "Download this binary! It slices, dices and chops, and for your protection we have encrypted it with PGP to protect against the bad nasty Internet" Ben. ____ Ben Samman.................................................ben@edelweb.fr Paris, France Illudium Q36 Explosive Space Modulator From firewalls-owner Wed Oct 9 09:12:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA27431 for firewalls-outgoing; Wed, 9 Oct 1996 08:30:28 -0700 (PDT) Received: from sf-ptg-ss.pactel.com (sf-ptg-ss.pactel.com [198.95.241.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA27393 for ; Wed, 9 Oct 1996 08:30:12 -0700 (PDT) Received: from farpoint.pactel.com (isdn55.pactel.com [198.95.241.155]) by sf-ptg-ss.pactel.com (8.6.10/8.6.10) with SMTP id IAA29728; Wed, 9 Oct 1996 08:27:36 -0700 Message-ID: <325BC465.114C@tear.com> Date: Wed, 09 Oct 1996 08:27:35 -0700 From: Marc Mosko Organization: Forte Systems X-Mailer: Mozilla 3.0 (Win95; U) MIME-Version: 1.0 To: Michael Richardson CC: firewalls@GreatCircle.COM, Dick Mosher Subject: Re: firewall hot backup References: <199610082101.RAA29485@amaterasu.sandelman.ottawa.on.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Has anyone tried the "server-mirroring" packages, such as the Veritas packages for Solaris? 
Michael Richardson wrote: [snip] > > Actually, I'm lying about "fault tolerance" --- from the user's > point of view, it is really high reliability. Connections that are > established are lost. This means that users have to push "reload" on > their web server when they get caught by a fault. The other nice thing > about hot backup is that one can upgrade or test patches without > taking everyone offline. [snip] > I did something about how to build fault tolerant application layer > firewalls, and came to the conclusion that they'd be very, very, very > slow. -- Marc Mosko Email: marc@tear.com Web: http://www.tear.com/ "If anyone knocks out another's eye, he shall pay him sixty-six shillings, six pence, and a third of a penny." -- Leges Henrici Primi (13th century) PGP Key available via Public Servers and http://www.tear.com/pgp-key.html From firewalls-owner Wed Oct 9 09:28:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04893 for firewalls-outgoing; Wed, 9 Oct 1996 09:13:30 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA04694 for ; Wed, 9 Oct 1996 09:12:33 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id LAA09645; Wed, 9 Oct 1996 11:03:44 -0400 Date: Wed, 9 Oct 1996 11:03:39 -0400 (EDT) From: Rabid Wombat To: R cc: firewalls@GreatCircle.COM, Rob Adams Subject: Re: your mail In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 8 Oct 1996, R wrote: > > > All this does is slow the intruder down! Even with a switch or a "secure > hub", you still have to worry about point-to-point sniffing. An intruder > who gets into Box A can sniff any connections made from or to it. 
Once > someone telnets from A to B, now the intruder has access to Box B, gets > root on it, and now he/she has two sniffers running. From there, it > snowballs. True, it's slower than sniffing a shared physical medium, but > you're still going down. > I doubt I'll be going down. No single piece of technology is going to secure the network; security requires a number of well integrated components, systems, policies, and the occasional voodoo sacrifice of a rubber chicken. The idea is to harden the target as much as possible, increasing the level of effort required by the intruder, increasing the time it takes the intruder to get what they are after, increasing the chances that the intruder will make a mistake, and giving your monitoring systems a fighting chance at catching them. Putting a really big lock on the front door won't keep someone from crawling in through the back window. Locking all the doors and windows, and putting in an alarm system and a b.f.d. won't keep out someone with a blowtorch and an UZI, but you'll sure as hell know they're there. I still think a secure hub is a good, cheap investment for a bastion segment, and not a bad addition to your internal network, either. Many of the major hub vendors offer this feature - you just need to turn it on. -r.w.
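To make concrete what a "secure hub" port actually does for a bastion segment, here is an added model of the behaviour Gary Flynn described earlier in this thread for the HP hubs: each port remembers one MAC address (entered by hand or learned from the first frame seen), a frame repeated out of the port to any other unicast address has everything after the two addresses scrambled, broadcast and multicast frames pass untouched, and a second source address appearing on a port raises an alarm. This is example code written for this page, not hub firmware and not code from either message; the class and function names are mine, the frames are constructed, and the scrambling method (random bytes) is an assumption, since the posts only say the data field is scrambled.

```python
"""Toy model of one 'secure hub' port, as described on the firewalls list.

Added example, not code from the thread. Frames are raw Ethernet II bytes:
6-byte destination, 6-byte source, 2-byte type, then data.
"""
import os
from typing import List, Optional, Tuple

BROADCAST = b"\xff" * 6


def is_group(dst: bytes) -> bool:
    """Broadcast or multicast: the I/G bit (LSB of the first octet) is set."""
    return bool(dst[0] & 1)


def make_frame(dst: bytes, src: bytes, payload: bytes, ethertype: bytes = b"\x08\x00") -> bytes:
    """Build a constructed Ethernet II frame (no FCS)."""
    return dst + src + ethertype + payload


class SecurePort:
    """One hub port with a single registered station."""

    def __init__(self, registered: Optional[bytes] = None):
        self.registered = registered   # None means "learn from the first frame seen"
        self.alarms: List[bytes] = []  # unregistered source MACs that transmitted here

    def ingress(self, frame: bytes) -> bool:
        """Frame transmitted by the station on this port. Returns True if accepted."""
        src = frame[6:12]
        if self.registered is None:
            self.registered = src      # first-one-seen mode
            return True
        if src != self.registered:
            self.alarms.append(src)    # a second device has appeared on the port
            return False
        return True

    def egress(self, frame: bytes) -> Tuple[bytes, bool]:
        """Frame the hub repeats out of this port. Returns (frame_as_seen, scrambled)."""
        dst = frame[:6]
        if is_group(dst) or dst == self.registered:
            return frame, False
        # Unicast for some other station: keep the addresses, garble type and
        # data, so an analyzer on this port sees only CRC errors and unknown
        # Ethernet types (the scramble-with-random-bytes choice is assumed).
        return frame[:12] + os.urandom(len(frame) - 12), True


def readable_count(port: SecurePort, frames: List[bytes]) -> int:
    """How many of the given frames an analyzer on this port would see intact."""
    return sum(1 for f in frames if not port.egress(f)[1])


if __name__ == "__main__":
    a, b, c = (bytes.fromhex("02000000000" + d) for d in "123")
    port = SecurePort()
    port.ingress(make_frame(b, a, b"hello"))            # port learns A
    traffic = [make_frame(a, b, b"for A"), make_frame(c, b, b"for C"),
               make_frame(BROADCAST, b, b"who-has", b"\x08\x06")]
    print("registered:", port.registered.hex(), "readable:", readable_count(port, traffic), "of", len(traffic))
```

The last point in the earlier message carries over into the model: on a port that cascades to another hub, `ingress` would alarm on every frame from the second device, which is why that feature has to be off on uplink ports, and why the scrambling does nothing against someone who simply sits down at a sanctioned node.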
From firewalls-owner Wed Oct 9 09:45:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA06420 for firewalls-outgoing; Wed, 9 Oct 1996 09:25:07 -0700 (PDT) Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA06379 for ; Wed, 9 Oct 1996 09:24:53 -0700 (PDT) Received: from llbpc.ins.com (mtv2-dynamic224.ins.com [199.0.193.224]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id JAA01210; Wed, 9 Oct 1996 09:22:45 -0700 (PDT) Message-Id: <2.2.32.19961009172225.006be880@lexicon.ins.com> X-Sender: bostic@lexicon.ins.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 09 Oct 1996 11:22:25 -0600 To: Jonathan Arcilla From: Laurie Bostic Subject: Re: HTML password configuration Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 12:02 PM 10/9/96 +1000, Jonathan Arcilla wrote:
>This is my current configuration:
>
>".htaccess"
>
>AuthType Basic
>AuthName Access Permission
>AuthUserFile .htpasswd
>
>require valid-user surfer
>
>
>".htpasswd"
>
>surfer:gwScJuFIZkCJY
>
>
>Am I missing something here? Or do I need to modify other configuration
>files as well?
Hi Jonathan, I am using NCSA HTTPD, so YMMV, but here are some things you might want to look at. - In your .htaccess file, apparently your .htpasswd file is in the same directory as the files you are trying to restrict access to, i.e., there is no path to .htpasswd . I would move that .htpasswd file to a less accessible area than your HTML doc directory, and away from prying eyes. Even though the password is encrypted, it gives potential evil-doers too much information. - NCSA requires an AuthGroupFile directive in the .htaccess file. It can be /dev/null if you are not using groups. I do not know if Apache requires this.
- Does your localhost_srm.conf (or equivalent file in Apache) have the entry AccessFileName .htaccess defined and uncommented, i.e., no # in column 1? - In the .htaccess file, you use "require valid-user surfer". In my working config, it is "require user surfer", but again this may be a difference between NCSA and Apache. Other than those three possibilities, your configs look good. Below are the working configs I am using, with names modified to match yours (I am using a group, you can insert /dev/null instead):

".htaccess"
AuthUserFile /home/usr/local/etc/httpd/conf/.htpasswd
AuthGroupFile /home/usr/local/etc/httpd/conf/.htgroup
AuthName web access
AuthType Basic
require group testgroup

"/home/user/local/etc/httpd/conf/.htgroup"
testgroup: testteam testregion

"/home/usr/local/etc/httpd/conf/.htpasswd"
testteam:
testregion:

"localhost_srm.conf" snippet
. . .
# directory if a ~user request is received.
UserDir /
# DirectoryIndex: Name of the file to use as a pre-written HTML
# directory index
DirectoryIndex index.html
DefaultIcon /icons/unknown.xbm
AccessFileName .htaccess
# DefaultType is the default MIME type for documents which the server
# cannot find the type of from filename extensions.
DefaultType text/plain
. . .

LASTLY, there is a good explanation of the NCSA User Authentication at http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html#Basic Hope this helps.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Laurie Bostic E-Mail : INS Dallas Pager : 1-888-897-2430 http://www.ins.com V-Mail : (214) 392-0144 x176 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From firewalls-owner Wed Oct 9 10:29:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA12162 for firewalls-outgoing; Wed, 9 Oct 1996 10:01:32 -0700 (PDT) Received: from skyrr.is (janus.skyrr.is [193.4.232.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA11952 for ; Wed, 9 Oct 1996 10:00:42 -0700 (PDT) Received: from gremlin.skyrr.is ([172.16.3.19]) by janus.skyrr.is with ESMTP id <18433>; Wed, 9 Oct 1996 17:01:40 +0000 Received: from k97176 (k97176.skyrr.is) by gremlin.skyrr.is (1.40.112.4/ISnet/11-02-92); Wed, 9 Oct 1996 16:59:19 GMT Message-Id: <199610091659.AA157010359@gremlin.skyrr.is> From: "Ingvar Olafsson" To: , Cc: Subject: Re: Protocol Jumping Date: Wed, 9 Oct 1996 16:59:22 +0000 X-Msmail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Traditionally attacks have focused on the IP protocol, although successful attempts have been made against the IPX protocol. The RELATIVE safety of your proposed mail gateway depends on several things, e.g. the configuration of the IP stack and services using it, the ability to use the IPX stack if an intruder gains access to the gateway, and the credibility the gateway has regarding resources behind the firewall. Sorry if this seems vague, but there is no ABSOLUTELY correct answer. Regards Ingvar ---------- > From: bhowell@snlnet.com > To: k97176@gremlin.skyrr.is > Cc: firewalls@GreatCircle.COM > Subject: Protocol Jumping > Date: 8.
október 1996 16:43 > > If I set up a dual homed PC such as a mail gateway in my DMZ and run > IP on the "external" interface, IPX on the other, would it be > relatively safe to allow the IPX traffic to bypass the firewall? From firewalls-owner Wed Oct 9 10:49:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA16582 for firewalls-outgoing; Wed, 9 Oct 1996 10:28:31 -0700 (PDT) Received: from cet.cet.com (cet.cet.com [206.96.91.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA16511 for ; Wed, 9 Oct 1996 10:28:11 -0700 (PDT) Received: from cet.cet.com (roberth@cet.cet.com [206.96.91.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id KAA18176; Wed, 9 Oct 1996 10:27:44 -0700 Date: Wed, 9 Oct 1996 10:27:44 -0700 (PDT) From: Robert Hanson To: Rabid Wombat cc: firewalls@GreatCircle.COM Subject: Re: your mail In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk specific brands and models that define the secure hubs you are communicating about sire? ---> Robert H. Hanson Cutting Edge Communications, Inc. - blah,blah Otis Orchards, Wa. Regional Commercial Internet Service Provider (509) 927-9541 email: roberth@cet.com - http://www.cet.com/ > > I still think a secure hub is a good, cheap investment for a bastion > segment, and not a bad addition to your internal network, either. Many of > the major hub vendors offer this feature - you just need to turn it on. > > -r.w. 
> From firewalls-owner Wed Oct 9 10:57:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA11175 for firewalls-outgoing; Wed, 9 Oct 1996 09:56:49 -0700 (PDT) Received: from archimedes.inoc.sj.nec.com (archimedes.inoc.sj.nec.com [131.241.31.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA10807 for ; Wed, 9 Oct 1996 09:55:22 -0700 (PDT) Received: by inoc.sj.nec.com (8.7.3/YDL1.7-930126.17) id JAA11207(archimedes.inoc.sj.nec.com); Wed, 9 Oct 1996 09:56:25 -0700 (PDT) Received: by sj.nec.com (8.7.3/YDL1.7-940623.1) id JAA24590(netkeeper.sj.nec.com); Wed, 9 Oct 1996 09:56:24 -0700 (PDT) Received: (from smtp@localhost) by firenode2.ibu.sj.nec.com (8.7.5/8.7.3) id JAA04519; Wed, 9 Oct 1996 09:53:49 -0700 (PDT) Received: from vegas.ibu.sj.nec.com (vegas.ibu.sj.nec.com [131.241.70.2]) by firenode2.ibu.sj.nec.com id rfJAA04508; Wed Oct 9 09:49:10 1996 Received: by vegas.ibu.sj.nec.com (8.6.9/YDL1.9-9507101400) id JAA14018(vegas.ibu.sj.nec.com); Wed, 9 Oct 1996 09:50:09 -0700 From: sazah@ibu.sj.nec.com (Sunny Azah) Message-Id: <199610091650.JAA14018@vegas.ibu.sj.nec.com> Subject: Re: Protocol Jumping To: bhowell@snlnet.com Date: Wed, 9 Oct 1996 09:50:09 -0700 (PDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <25a84c00@snlnet.com> from "bhowell@snlnet.com" at Oct 8, 96 12:43:16 pm X-Mailer: ELM [version 2.4 PL23beta] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > If I set up a dual homed PC such as a mail gateway in my DMZ and run > IP on the "external" interface, IPX on the other, would it be > relatively safe to allow the IPX traffic to bypass the firewall? > Why not encapsulate IPX in IP and let everything go through the firewall? There are products out there that would allow you to do this. -- sa.
-------------------------------------------------------------------------- Sunny Azah - sazah@ibu.sj.nec.com Internet Business Unit, Home of the PrivateNet NEC Technologies, Inc. 110 Rio Robles San Jose, CA 95134 Tel:(408) 433-2161 FAX:(408) 433-1230 http://www.privatenet.nec.com -------------------------------------------------------------------------- From firewalls-owner Wed Oct 9 11:28:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA16043 for firewalls-outgoing; Wed, 9 Oct 1996 10:24:50 -0700 (PDT) Received: from amdext.amd.com (amdext.amd.com [139.95.251.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA16004 for ; Wed, 9 Oct 1996 10:24:36 -0700 (PDT) From: Geoff.Lisk@amd.com Received: from amdint.amd.com by amdext.amd.com with SMTP id AA17171 (5.67a/IDA-1.5+AMD for ); Wed, 9 Oct 1996 10:23:39 -0700 Received: from camta4.amd.com by amdint.amd.com with SMTP id AA12809 (5.67a/IDA-1.5+AMD); Wed, 9 Oct 1996 10:23:39 -0700 Received: by camta4.amd.com (8.6.12+AMD3/AMDSD-1.20+ISO2) id KAA24836; Wed, 9 Oct 1996 10:23:36 -0700 X400-Received: by mta CAMTA4 in /PRMD=AMD/ADMD=ATTMAIL/C=US; Relayed; 09 Oct 96 10:23:34 -0700 X400-Received: by mta CAMTA4-2 in /PRMD=AMD/ADMD=ATTMAIL/C=US; Relayed; 09 Oct 96 10:23:34 -0700 Date: 09 Oct 96 10:23:34 -0700 Delivery-Date: 09 Oct 96 10:23:36 -0700 Message-Type: Multiple Part X400-Originator: Geoff.Lisk@camta4.amd.com X400-Mts-Identifier: [/PRMD=AMD/ADMD=ATTMAIL/C=US;ISOCOR-3242d7bf-CAMTA4-2] X400-Recipients: matkoski@dreamscape.com, Firewalls@GreatCircle.COM Original-Encoded-Information-Types: IA5-Text X400-Content-Type: P2-1984 Message-Id: <"ISOPRO-1.60.052::DH-NO::4DFD::325BDBD2"*/G=Geoff/S=Lisk/O=camta4/PRMD=AMD/ADMD=ATTMAIL/C=US@MHS> Importance: normal Subject: RE(2): cisco 2511 file transfer through firewall. 
Autoforwarded: FALSE
To: matkoski@dreamscape.com (Non Receipt Notification Requested) (IPM Return Requested)
Cc: Firewalls@GreatCircle.COM (Non Receipt Notification Requested) (IPM Return Requested)
In-Reply-To: <"1004204631-Re: cisco 2511 file transfer through firewall."* @MHS>
Conversion: Allowed
Conversion-With-Loss: Allowed
Alternate-Recipient: Prohibited
Content-Identifier: RE(2): cisco 25
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7Bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I am trying to set up a dial-in service for our company and would like
> to know how to handle file transfers between a terminal server and the
> firewall. Here is the layout: I have 4 cisco 2511's connected to the
> perimeter network (ethernet), which is attached to my firewall.

   TS1   TS2   TS3   TS4   RTR-To-World
    |     |     |     |      |
   ======================================
                     |
                  Firewall
                     |
              Internal_Network

> I have
> to support async file transfers (X,Y,Z modem) to a ftp server within
> the secure network, how do terminal servers handle such transfers?

Steve,

Is the need for transfer of data to an internal server hard and fast? Can it be a server on the unsecure network? Depending on how many people you will have dialing in, you could probably save yourself a bit of money by placing a server on the unsecure network and have the server internally mirror the directory. It could even be set up so that the router to world would be made not to talk to this server directly.

However, if you have another router to play with, you can set up something like the following:

   TS1   TS2   TS3   TS4   Server (to be mirrored internally)
    |     |     |     |      |
   ================================
                   |
        Router w/packet filters.
                   |
           Internal network.

All of this assumes due diligence with regard to server security and the proper packet filters.
================================================================================
Geoff Lisk
Senior Network Engineer
Advanced Micro Devices
1 AMD Place, Sunnyvale CA 94088
Voice:-(408)749-4597 Fax:-(408)774-7387
Opinions do not necessarily reflect those of my employer.
================================================================================

From firewalls-owner Wed Oct 9 11:28:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA17650 for firewalls-outgoing; Wed, 9 Oct 1996 10:36:39 -0700 (PDT)
Received: from intfw.bear.com (intfw.bear.com [206.25.172.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA17591 for ; Wed, 9 Oct 1996 10:36:19 -0700 (PDT)
Received: by intfw.bear.com (4.1/SMI-4.1) id AA14410; Wed, 9 Oct 96 13:35:44 EDT
Received: from fastbear(165.168.74.3) by intfw via smap (V1.3) id sma013459; Wed Oct 9 13:25:52 1996
Received: from ursa2.bear.com by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) id AA18316; Wed, 9 Oct 96 13:30:56 EDT
Received: from whip_xfr.bear.com (whip-xfr) by ursa2.bear.com (4.1/SMI-4.1/AMR+DJMS(2)) id AA02494; Wed, 9 Oct 96 13:26:54 EDT
Received: from wizard.bsnet by whip_xfr.bear.com (SMI-8.6/SMI-SVR4) id NAA07060; Wed, 9 Oct 1996 13:25:50 -0400
Received: from neptune by wizard.bsnet (SMI-8.6/SMI-SVR4) id NAA02251; Wed, 9 Oct 1996 13:25:49 -0400
Message-Id: <325BE01B.6DF8@bear.com>
Date: Wed, 09 Oct 1996 13:25:47 -0400
From: Shahryar Jahangir
Organization: Bear Stearns
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m)
Mime-Version: 1.0
To: Marc Mosko
Cc: Michael Richardson , firewalls@GreatCircle.COM, Dick Mosher
Subject: Re: firewall hot backup
References: <199610082101.RAA29485@amaterasu.sandelman.ottawa.on.ca> <325BC465.114C@tear.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Server mirroring w/ Veritas or ODS adds a disk-level of fault-tolerance to the firewall.
If, however, the machine dies ... well .... May I suggest trying Openvision's HA product. With a little configuration, you can have a hot backup takeover in a matter of seconds.

luck
sj

Marc Mosko wrote:
>
> Has anyone tried the "server-mirroring" packages, such as the Veritas
> packages for Solaris?
>
> Michael Richardson wrote:
> [snip]
> >
> > Actually, I'm lying about "fault tolerance" --- from the user's
> > point of view, it is really high reliability. Connections that are
> > established are lost. This means that users have to push "reload" on
> > their web server when they get caught by a fault. The other nice thing
> > about hot backup is that one can upgrade or test patches without
> > taking everyone offline.
> [snip]
> > I did something about how to build fault tolerant application layer
> > firewalls, and came to the conclusion that they'd be very, very, very
> > slow.
>
> --
> Marc Mosko                Email: marc@tear.com
>                           Web: http://www.tear.com/
>
> "If anyone knocks out another's eye, he shall pay him
> sixty-six shillings, six pence, and a third of a penny."
> -- Leges Henrici Primi (13th century)
>
> PGP Key available via Public Servers and
> http://www.tear.com/pgp-key.html

--
...........................................
" Is there a God ? I don't know, the computer is down !"

Shahryar Jahangir
Information Services
Bear Stearns & Co. Inc.
245 Park Avenue
New York, NY 10167
email: sj@bear.com
Tel: 212 272 7764
Fax : 212 499 6977
...........................................
--
*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************

From firewalls-owner Wed Oct 9 11:41:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA22662 for firewalls-outgoing; Wed, 9 Oct 1996 11:23:42 -0700 (PDT)
Received: from tuna.wang.com (TUNA.wang.com [150.124.136.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA22650 for ; Wed, 9 Oct 1996 11:23:31 -0700 (PDT)
Received: from mars.wangfed.com (mars.Wangfed.COM [159.94.10.1]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id OAA16200; Wed, 9 Oct 1996 14:23:07 -0400
Received: from uc0009.wangfed.com (uc0009 [159.94.10.15]) by mars.wangfed.com (8.7.5/3.8) with SMTP id OAA12398; Wed, 9 Oct 1996 14:29:00 -0400 (EDT)
Received: from [159.94.14.48] by uc0009.wangfed.com (BULL 5.61++/B.O.S 02.01) id AA27831; Wed, 9 Oct 96 14:14:41 -0400
Date: Wed, 9 Oct 96 14:14:41 -0400
Message-Id: <9610091814.AA27831@uc0009.wangfed.com>
From: "K.M. Goertzel"
Reply-To: "K.M. Goertzel"
To: ben@edelweb.fr, firewalls@greatcircle.com
Subject: Re: Virus on Internet
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message Ben writes:
> > > Can someone tell me, if there are commercial firewalls, who can
> > > recognize and eliminate virus on internet, before entering in the
> > > private net ?
> >
> > I'd be, umm, interested in seeing how this is done in reliable and
> > consistent manner; I have yet to see one that works, and many (including
> > myself) think they are impossible.
>
> Yes, the Halting problem comes to mind.
>
> And even if it were possible we would start seeing the beginning of
> social engineering attacks to the effect of, "Download this binary! It
> slices, dices and chops, and for your protection we have encrypted it with
> PGP to protect against the bad nasty Internet"

Can anyone comment on Norman's claim that their firewall includes virus scanning between the inside and outside proxies?
And even if this does work, has anyone had so good an experience with Norman's anti-virus software that they'd want it on their firewall?

=====
K.M. Goertzel * Manager, Business Development
Secure Systems & Services Operation * WANG FEDERAL, Inc.
tel (703)827 3914 * fax (703)827 3161 * email goertzek@wangfed.com
"An elephant: a mouse built to government specifications" - Robert Heinlein

From firewalls-owner Wed Oct 9 11:48:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA20511 for firewalls-outgoing; Wed, 9 Oct 1996 11:02:43 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA20502 for ; Wed, 9 Oct 1996 11:02:36 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id LAA02874; Wed, 9 Oct 1996 11:00:56 -0700
From: jsluzewski@dna.com
Received: from fiji.dna.com(198.135.17.204) by mycroft via smap (V1.3mjr) id sma002871; Wed Oct 9 11:00:26 1996
Received: (uucp@localhost) by fiji.dna.com (8.6.9/8.6.5) id NAA15966 for ; Wed, 9 Oct 1996 13:58:51 -0400
Received: from dnanycsmtp.dna.com(198.135.16.205) by fiji.dna.com via smap (V1.3) id sma015964; Wed Oct 9 13:58:35 1996
Received: by dnanycsmtp.dna.com with Network-Courier id <325BE7F9@dnanycsmtp.dna.com>; Wed, 09 Oct 96 13:59:21 EDT
Subject: Re: Subnet Routing
To:
Date: Wed, 09 Oct 96 13:59:00 EDT
Message-ID: <325BE7F9@dnanycsmtp.dna.com>
X-Mailer: Network Courier V2.1b
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The key issue in subnet routing is to have all subnets connected into a contiguous network. If subnet 1.2.3.0 is connected to router A and subnet 1.2.3.64 is connected to router B, and the only connection between both routers is through common network 1.1.1.0, neither router running RIP will ever send an ICMP redirect.
Jarek
jsluzewski@dna.com

----------
From: firewalls-owner
To: jsluzewski; palan
Cc: firewalls
Subject: Re: Subnet Routing
Date: Wednesday, October 09, 1996 9:03AM

Return-path:
From: Chuck Hill
Message-Id: <199610091403.JAA10553@humerus.whin.net>
Subject: Re: Subnet Routing
To: palan@dataprep.com.my (Kogulapalan)
Date: Wed, 9 Oct 1996 09:03:25 -0500 (CDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199610100144.RAA17728@snet> from "Kogulapalan" at Oct 9, 96 05:44:51 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
------------------------------------------------------------------------------

The Sun's route command doesn't understand subnet masks, just like RIP doesn't carry subnet masks. The Sun will only pick up the subnet mask if you bind that address to one of its interfaces.

The only solution I know of is to add route info into both routers for all 4 networks. Point the Sun at one of them, then the routers will send ICMP host redirects to the Sun. This will build the route table up slowly as traffic is routed to individual hosts. It can make for a large route table on the Sun, but it's the only solution I know of outside redesigning the network.

Regards,
Chuck

>
> Hi,
>
> I have a very long story down here, please read it and reply me a solution.
> Ooppps, it's not a Firewall question ;) sorry, desperate for solution.
>
> I'm using Sun Sparc i5 to do a routing for our internal packets. I have
> problem in routing the subnet of Class C address. I break the Class C
> address into 4 networks which means it has mask of 255.255.255.192 and I got
> the following network numbers (correct me if I'm wrong):
>
>   1.2.3.0
>   1.2.3.64
>   1.2.3.128
>   1.2.3.192
>
> The first network (1.2.3.0) used for WAN between ROUTER A and ROUTER B.
> * The routing table on Sun shows :
>
>   Network     Gateway
>   1.2.3.0     1.1.1.1 (which is ROUTER A's LAN)
>   (no problem at this moment)
>
> I add the second network (1.2.3.64) which is also a WAN connection
> between ROUTER C and ROUTER D.
> * The routing table on Sun shows :
>
>   Network     Gateway
>   1.2.3.0     1.1.1.1 (which is ROUTER A's LAN)
>   1.2.3.64    1.1.1.2 (which is ROUTER C's LAN)
>   (I have problem over here...)
>
> I can't PING the WAN interface on ROUTER C and ROUTER D.
> I get a reply ICMP from ROUTER A saying host unreachable.
> But I can ping the LAN on ROUTER C.
>
> --> All the four routers are on the same LAN (1.1.1.0).
> --> Edited etc/networks and etc/netmasks appropriately.
> --> Flushed routing table, rebooted Sun.
> --> Removed the first route 1.2.3.0 -- 1.1.1.1 from table.
>
> I did all the above and still can't reach the WAN of ROUTER C.
>
> I remove all the route, and added this :
>
>   Network     Gateway
>   1.2.3.0     1.1.1.2 (which is ROUTER C's LAN)
>
> Guess what ? It works :) I can ping ROUTER C and ROUTER D.
> But I can't reach ROUTER A and ROUTER B :( now.
>
> I believe this is because the Sun doesn't seem to understand the subnet
> and assumes the 1.2.3.64 as a HOST and not as a NETWORK address.
> (Am I missing anything over here and am I correct ?)
>
> I need some advice and suggestions and reasons why this doesn't work.
> If any of you have experienced this, please let me know what's the solution.
>
> regards,
> PaLaN
> palan@mailhost.net
> "If you can reach them, They can reach you"
>

From firewalls-owner Wed Oct 9 12:51:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA24287 for firewalls-outgoing; Wed, 9 Oct 1996 11:40:38 -0700 (PDT)
Received: from burrito.insource.com (burrito.insource.com [206.97.167.190]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA24224 for ; Wed, 9 Oct 1996 11:40:20 -0700 (PDT)
Received: (from michaelj@localhost) by burrito.insource.com (8.7.5/8.7.3) id NAA19250; Wed, 9 Oct 1996 13:43:51 -0500 (CDT)
From: Michael Jarvis
Message-Id: <199610091843.NAA19250@burrito.insource.com>
Subject: Re: smtp and auth
To: davem@iss.net (David J. Meltzer)
Date: Wed, 9 Oct 1996 13:43:50 -0500 (CDT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "David J. Meltzer" at Oct 9, 96 10:02:33 am
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Although you certainly can not rely on ident information as an
> authoritative source of the user on a machine, that does not mean that
> it does not provide useful information in many cases.

I agree wholeheartedly that it is useful, especially dealing with Unix systems. However, if your internal network consists of primarily Win95 machines (or something similar), it doesn't make much sense to support incoming ident requests. All of the Win95 ident daemons I have seen are hacks, which allow you to type in any name you wish. In this case knowing the IP address would be sufficient for tracking down incidents.

You SHOULD, if any of your software supports it, enable and support outgoing ident requests. However, I haven't seen very many NT or Win95 products that support ident. (Which is one reason I prefer UN*X.)

Anyway, my point was that ident/auth is not "critical" (i.e. your network will continue to work just fine if you drop those packets).

-michael
--
Michael A. Jarvis
Technology Consultant, Internet Solutions Group
Insource Technology, Houston, TX
michaelj@insource.com
713.955.3672

From firewalls-owner Wed Oct 9 13:19:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA25050 for firewalls-outgoing; Wed, 9 Oct 1996 11:47:33 -0700 (PDT)
Received: from fiji.dna.com (fiji.dna.com [198.135.17.204]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA25021 for ; Wed, 9 Oct 1996 11:47:19 -0700 (PDT)
From: jsluzewski@dna.com
Received: (uucp@localhost) by fiji.dna.com (8.6.9/8.6.5) id OAA16074 for ; Wed, 9 Oct 1996 14:46:24 -0400
Received: from dnanycsmtp.dna.com(198.135.16.205) by fiji.dna.com via smap (V1.3) id sma016072; Wed Oct 9 14:46:17 1996
Received: by dnanycsmtp.dna.com with Network-Courier id <325BF327@dnanycsmtp.dna.com>; Wed, 09 Oct 96 14:47:03 EDT
To:
Date: Wed, 09 Oct 96 14:47:00 EDT
Message-ID: <325BF327@dnanycsmtp.dna.com>
X-Mailer: Network Courier V2.1b
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am looking for a telnet encryption solution between RS6000 and Macintosh clients. Thanks for any input.
Jarek
jsluzewski@dna.com

From firewalls-owner Wed Oct 9 13:28:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA08088 for firewalls-outgoing; Wed, 9 Oct 1996 13:13:27 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA07979 for ; Wed, 9 Oct 1996 13:12:59 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id PAA10199; Wed, 9 Oct 1996 15:04:02 -0400
Date: Wed, 9 Oct 1996 15:03:58 -0400 (EDT)
From: Rabid Wombat
To: Sunny Azah
cc: bhowell@snlnet.com, firewalls@GreatCircle.COM
Subject: Re: Protocol Jumping
In-Reply-To: <199610091650.JAA14018@vegas.ibu.sj.nec.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 9 Oct 1996, Sunny Azah wrote:

> >
> > If I set up a dual homed PC such as a mail gateway in my DMZ and run
> > IP on the "external" interface, IPX on the other, would it be
> > relatively safe to allow the IPX traffic to bypass the firewall?
> >
>
> Why not encapsulate IPX in IP and let everything go through the firewall? There
> are products out there that would allow you to do this.
>

Yikes! Now you've built half the tunnel for an attacker.

If you are running Groupwise, look into using the DMZ gateway IP-to-IP, then through the firewall (still via IP) to another post office. I've been told this is supported, though I have not had a chance to set it up yet. Anyone have more info on this config?

-r.w.
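Picking up Michael Jarvis's point in the "smtp and auth" reply above (an ident answer is useful context but never an authoritative user name): the parser below is an added example, not code from the list or from any product discussed here. It reads RFC 1413 reply lines, treats an ERROR or an unparseable or wrong-port reply as exactly that, and renders a log record in which the name is always marked as a claim, so the peer IP address stays the item that actually identifies the machine. The sample replies, the 192.0.2.10 peer and the function names (`parse_ident_reply`, `log_line`) are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample replies (not from the thread), in the RFC 1413 wire format:
#   <server-port>, <client-port> : USERID : <opsys> : <user-id>
#   <server-port>, <client-port> : ERROR : <error-type>
SAMPLE_REPLIES = [
    "6193, 23 : USERID : UNIX : stjohns",
    "6195, 23 : ERROR : NO-USER",
    "6196, 23 : USERID : OTHER : whatever-was-typed-in",
    "this is not an ident reply",
]


@dataclass
class IdentResult:
    status: str                    # "USERID", "ERROR" or "MALFORMED"
    server_port: int = 0
    client_port: int = 0
    opsys: Optional[str] = None    # operating-system token (UNIX, OTHER, ...)
    user: Optional[str] = None     # the user id the remote host *claims*
    error: Optional[str] = None
    # Always False: the reply is whatever the remote daemon chose to send (a Win95
    # daemon can send any name the user typed), so it is evidence, not authentication.
    authoritative: bool = False


_REPLY = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$", re.IGNORECASE)


def parse_ident_reply(line: str,
                      expected_ports: Optional[Tuple[int, int]] = None) -> IdentResult:
    """Parse one reply line from an ident (auth, TCP port 113) server.

    expected_ports is the (server-port, client-port) pair we queried; a reply
    that echoes a different pair is rejected as malformed rather than believed.
    """
    m = _REPLY.match(line)
    if not m:
        return IdentResult(status="MALFORMED", error="unparseable reply")
    sport, cport = int(m.group(1)), int(m.group(2))
    if expected_ports is not None and (sport, cport) != expected_ports:
        return IdentResult(status="MALFORMED", server_port=sport, client_port=cport,
                           error="reply does not echo the queried port pair")
    kind, rest = m.group(3).upper(), m.group(4)
    if kind == "ERROR":
        return IdentResult(status="ERROR", server_port=sport, client_port=cport,
                           error=rest.strip())
    # The user-id field may itself contain ':' characters, so split only once.
    opsys, _, user = rest.partition(":")
    return IdentResult(status="USERID", server_port=sport, client_port=cport,
                       opsys=opsys.strip().upper(), user=user.strip())


def log_line(peer_ip: str, result: IdentResult) -> str:
    """Render the reply for a firewall log, keeping the claimed name separate
    from the peer IP, which is the part that really identifies the machine."""
    if result.status == "USERID":
        return (f"peer={peer_ip} claimed_user={result.user} "
                f"opsys={result.opsys} authoritative=no")
    return f"peer={peer_ip} ident={result.status} detail={result.error}"


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(log_line("192.0.2.10", parse_ident_reply(reply)))
```

The `OTHER` operating-system token is the one RFC 1413 reserves for identifiers that are not a login name, which is the category a "type any name you wish" daemon falls into; the log format deliberately gives it no more weight than a UNIX answer.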
From firewalls-owner Wed Oct 9 14:05:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA10240 for firewalls-outgoing; Wed, 9 Oct 1996 13:30:14 -0700 (PDT)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA10102 for ; Wed, 9 Oct 1996 13:29:36 -0700 (PDT)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id PAA10236; Wed, 9 Oct 1996 15:20:53 -0400
Date: Wed, 9 Oct 1996 15:20:49 -0400 (EDT)
From: Rabid Wombat
To: "Paul D. Robertson"
cc: Ed Young , firewalls@GreatCircle.COM
Subject: Re: FW: RE: Sniffer detection.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 9 Oct 1996, Paul D. Robertson wrote:

> On Tue, 8 Oct 1996, Ed Young wrote:
>
> > Use a sniffer to find a sniffer. A Distributed sniffer can monitor the
> > network for any new devices and send an alarm to a pager or NMS station.

And the alarm will go off every time someone plugs a laptop into the wrong port, etc. etc., which means that the alarm will probably not be investigated promptly, if at all.

>
> Which doesn't solve the problem of an ethernet adapter already on the net
> going into promiscuous mode. Nor does it find a device that is added and
> doesn't send any packets. It also doesn't find MAC spoofed addresses that
> come on-line with an existing address. The last two can, and should be
> solved with physical security.
>
> Then there's the fun of managing adapter changes, and laptop users while
> seeding the database.
>

Yes, this can be a big hassle.

>
> > Additionally, on Token Ring, devices will send out a trace tool present
>                                          ^^^^
> That's "should", not "will", I've seen Token Ring sniffers that can be
> configured not to send that packet. Fortunately, for those on Token Ring
> networks, most cards won't go into promiscuous mode, reducing the existing
> machine threat.

Correct. However, many sniffer software vendors use off-the-shelf NICs, and you can get a list of adapters that support promiscuous mode, often with drivers, from many of them.

>
> > packet on the network letting the Lan Manager station know that it is
> > there. configure the Lan Manager to not allow trace tools. For FDDI, ATM
>

How do you "not allow" something that does not even need to be physically attached to your cable, in extreme cases???

> Not sure if FDDI needs to be broken if there's a hub, and not an adapter
> to adapter ring, perhaps someone knows for sure?
>

You will get a ring insertion (most FDDI hubs have additional MACs to handle this with minimal interruption to the ring). This could be monitored, but in a large environment, especially a dual-homed one, ring insertions may be fairly routine, and not reacted to on a regular basis.

>
> > and WAN protocols the link must be broken.
>

Not necessarily true. Non-intrusive sniffing exists (even on fiber, I'm told). Besides - WAN links do go down for a second or two from time to time. This happens enough to be routine, and I doubt many sites run through the closets and tunnels doing a physical inspection all the way to the demarc every time they log a few errored seconds.

>
> > Again, use a sniffer to find a sniffer.
>

The point is, you CAN'T count on finding a sniffer with a sniffer. You can only find SOME sniffers with a sniffer. This is why "need to know" masking, MAC address restrictions, and possibly encryption are necessary defenses, depending on your threat model.

>
> Which is weak at best, and rather expensive if you're relying on something
> like a DSS for this protection. I *like* the DSS', and have four or five
> of them, but in this case, I don't think it's the proper tool.

Certainly not THE solution, in any case.

Just my $.02

-r.w.
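Returning to the Subnet Routing thread above (PaLaN's two routing tables and Chuck Hill's first reply): the model below is an added example, not Solaris code and not anything posted to the list. It reproduces the behaviour Chuck describes with a route table whose entries carry no netmask (the destination 1.2.3.0 is taken as a whole network, while 1.2.3.64 can only be stored as a host route), shows how the ICMP host redirects he proposes build up host routes one destination at a time, and contrasts both with a mask-aware longest-prefix table on the redesigned /26 layout. The class names (`MasklessTable`, `SubnetTable`), `palan_scenario`, the `natural_prefix` parameter and the address 1.2.3.65 for ROUTER C's WAN interface are assumptions made for this example; 1.1.1.1 and 1.1.1.2 are the gateway addresses from PaLaN's message.

```python
import ipaddress
from typing import Dict, Optional, Tuple


class MasklessTable:
    """Model (not Solaris code) of a route table whose entries carry no netmask,
    the behaviour Chuck describes for the Sun's route command.  A destination that
    equals the network number under the assumed natural mask becomes a network
    route; any other destination is stored as a HOST route.  natural_prefix is 24
    because PaLaN uses 1.2.3.0 as a stand-in for a class C network (a strict
    class A/B/C rule would give 1.x.x.x a /8)."""

    def __init__(self, natural_prefix: int = 24) -> None:
        self.natural_prefix = natural_prefix
        self.net_routes: Dict[ipaddress.IPv4Network, str] = {}
        self.host_routes: Dict[ipaddress.IPv4Address, str] = {}

    def add(self, dest: str, gateway: str) -> None:
        """'route add <dest> <gateway>' with no mask: the table has to guess what dest means."""
        d = ipaddress.IPv4Address(dest)
        net = ipaddress.IPv4Network(f"{dest}/{self.natural_prefix}", strict=False)
        if d == net.network_address:
            self.net_routes[net] = gateway
        else:
            self.host_routes[d] = gateway      # 1.2.3.64 ends up here

    def redirect(self, dest: str, gateway: str) -> None:
        """An ICMP host redirect from a router installs exactly one host route."""
        self.host_routes[ipaddress.IPv4Address(dest)] = gateway

    def lookup(self, dest: str) -> Optional[str]:
        d = ipaddress.IPv4Address(dest)
        if d in self.host_routes:
            return self.host_routes[d]
        for net, gw in self.net_routes.items():
            if d in net:
                return gw
        return None


class SubnetTable:
    """Mask-aware table with longest-prefix match, what a redesigned network relies on."""

    def __init__(self) -> None:
        self.routes: Dict[ipaddress.IPv4Network, str] = {}

    def add(self, network: str, gateway: str) -> None:
        self.routes[ipaddress.IPv4Network(network)] = gateway

    def lookup(self, dest: str) -> Optional[str]:
        d = ipaddress.IPv4Address(dest)
        matches = [(net.prefixlen, gw) for net, gw in self.routes.items() if d in net]
        return max(matches)[1] if matches else None


def palan_scenario() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str], int]:
    """Replay PaLaN's two-entry table.  1.1.1.1 / 1.1.1.2 are ROUTER A's and ROUTER C's
    LAN addresses from the thread; 1.2.3.65 is an assumed address for ROUTER C's WAN
    interface (the thread does not name one)."""
    sun = MasklessTable()
    sun.add("1.2.3.0", "1.1.1.1")
    sun.add("1.2.3.64", "1.1.1.2")
    # Falls into 1.2.3.0/24 -> ROUTER A, which answers "host unreachable".
    before = sun.lookup("1.2.3.65")
    # Chuck's workaround: ROUTER A holds a route for 1.2.3.64 via ROUTER C, so a packet
    # for 1.2.3.65 would go back out the same interface and A sends a host redirect.
    sun.redirect("1.2.3.65", "1.1.1.2")
    after = sun.lookup("1.2.3.65")
    fixed = SubnetTable()
    fixed.add("1.2.3.0/26", "1.1.1.1")
    fixed.add("1.2.3.64/26", "1.1.1.2")
    return before, after, fixed.lookup("1.2.3.65"), fixed.lookup("1.2.3.10"), len(sun.host_routes)


if __name__ == "__main__":
    print(palan_scenario())   # ('1.1.1.1', '1.1.1.2', '1.1.1.2', '1.1.1.1', 2)
```

The last value returned is the number of host routes the maskless table has accumulated after one redirect; every further host behind ROUTER C adds another entry, which is the "large route table" cost Chuck mentions, and also the reason a mask-aware table with two /26 entries is the better end state.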
From firewalls-owner Wed Oct 9 14:06:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA12989 for firewalls-outgoing; Wed, 9 Oct 1996 13:48:27 -0700 (PDT)
Received: from humerus.whin.net (humerus.whin.net [156.46.32.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA12276 for ; Wed, 9 Oct 1996 13:43:56 -0700 (PDT)
Received: (from chuck@localhost) by humerus.whin.net (8.6.9/8.6.9) id PAA17380; Wed, 9 Oct 1996 15:36:13 -0500
From: Chuck Hill
Message-Id: <199610092036.PAA17380@humerus.whin.net>
Subject: Re: Subnet Routing
To: jsluzewski@dna.com
Date: Wed, 9 Oct 1996 15:36:13 -0500 (CDT)
Cc: firewalls@GreatCircle.com
In-Reply-To: <325BE7F9@dnanycsmtp.dna.com> from "jsluzewski@dna.com" at Oct 9, 96 01:59:00 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jarek wrote:
>
>
> The key issue in subnet routing is to have all subnets connected into a
> contiguous network.

Agreed, redesign the network.

> If subnet 1.2.3.0 is connected to router A and subnet 1.2.3.64 is connected
> to router B,
> and the only connection between both routers is through common network
> 1.1.1.0 neither router running RIP will ever send ICMP redirect.

On a Baynetworks router, add a static route in router A for 1.2.3.64 next hop router B. When the router sees that it sends the packet back out the same interface, it will trigger an ICMP redirect for router B for that destination HOST. If you must run RIP, then make sure you set up your static routes to be higher precedence than RIP (the default, I think).

I lived with this setup for 6 months using a Class B until I redesigned it. Actually, bought a bigger router with more interfaces.
Now, back to firewalls

Chuck

> Jarek
> jsluzewski@dna.com

From firewalls-owner Wed Oct 9 14:42:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA15172 for firewalls-outgoing; Wed, 9 Oct 1996 14:03:07 -0700 (PDT)
Received: from snlmail.snlnet.com (mail.snlnet.com [208.203.57.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA15093 for ; Wed, 9 Oct 1996 14:02:44 -0700 (PDT)
From: bhowell@snlnet.com
Received: from ccMail by snlmail.snlnet.com (IMA Internet Exchange 1.04b) id 25c11aa0; Wed, 9 Oct 96 16:57:14 -0400
Mime-Version: 1.0
Date: Wed, 9 Oct 1996 16:57:23 -0400
Message-ID: <25c11aa0@snlnet.com>
To: sazah@ibu.sj.nec.com, Rabid Wombat
Cc: firewalls@GreatCircle.COM
Subject: Re[2]: Protocol Jumping
Content-Type: multipart/mixed; boundary="IMA.Boundary.436498448"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Thanks for the reply.

We thought about IP to IP through a "hole" in the firewall, but we are running cc:Mail on a Novell server running only IPX. The gateway runs on NT using commercial software. Since we need to make the jump to IPX somewhere along the way, it seems like the mail gateway PC is a good place to do that. Rather than punch an IPX hole in the firewall (which might be more obvious to exploit) we figured we could just sneak around it.

I'm just curious to know if anyone actually COULD make the protocol and network jump on a dual homed NT 4.0 server. I'm guessing it would be pretty tough. I think we will move the cc:Mail post office to an NT server running IP and resolve the problem.

From firewalls-owner Wed Oct 9 14:47:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA25717 for firewalls-outgoing; Wed, 9 Oct 1996 11:52:25 -0700 (PDT)
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.71.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA25425; Wed, 9 Oct 1996 11:51:18 -0700 (PDT)
Message-Id: <199610091851.LAA25425@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA085986796; Wed, 9 Oct 1996 14:46:36 -0400
Date: Wed, 9 Oct 1996 14:46:36 -0400
From: gary flynn
To: firewalls-owner@GreatCircle.COM, wombat@mcfeely.bsfs.org
Subject: Re: your mail
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Robert Hanson
>
> specific brands and models that define the secure hubs you are
> communicating about sire?

The entire HP AdvanceStack line except for a couple of their unmanaged low end devices have the features that have been discussed. You can find information at

http://www.hp.com/rnd/products/10thubs/10thubs.htm

They're sold through resellers at prices competitive to anything on the market. We've been using them here since they came out a couple years ago and the Ethertwist line before that.
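The sniffer-detection exchange above (Ed Young's "monitor for new devices", Paul Robertson's list of what that misses, Rabid Wombat's warning that a noisy alarm stops being investigated) can be made concrete with a small baseline check. The code below is an added example and not anything posted to the list or shipped with the hubs under discussion: it compares one polling pass of MAC-per-port observations against a seeded baseline, keeps known roaming laptops out of the alarm bucket so the alarm that does fire still means something, and flags a known MAC on an unexpected port as well as an unknown MAC. The baseline, the roaming list, the observations and the function names (`classify`, `audit`) are all constructed for this example. Paul's caveats stand: an adapter that is already on the wire and simply goes promiscuous, or a tap that never transmits, produces no observation and so never reaches this code.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Everything below is constructed for this example; none of it comes from the thread.
# Baseline seeded from the management station: MAC -> hub port it was learned on.
BASELINE: Dict[str, str] = {
    "00:60:b0:aa:00:01": "hub1/3",    # file server
    "00:60:b0:aa:00:02": "hub1/4",    # print server
    "08:00:20:bb:00:10": "hub2/1",    # a Sun workstation
}

# Known laptops and the hubs they may appear on.  This is the "seeding the database"
# work Paul mentions; it is what keeps laptop-in-the-wrong-port events out of the alarms.
ROAMING: Dict[str, Set[str]] = {
    "00:a0:c9:cc:00:20": {"hub1", "hub2"},
}

# One polling pass: (MAC seen, hub port it was seen on).
OBSERVATIONS: List[Tuple[str, str]] = [
    ("08:00:20:bb:00:10", "hub2/1"),   # where the baseline expects it
    ("00:a0:c9:cc:00:20", "hub2/7"),   # known laptop on a permitted hub
    ("00:60:b0:aa:00:01", "hub2/5"),   # file server MAC on a port it has never used
    ("00:c0:4f:dd:00:99", "hub1/8"),   # never seen before
    ("00:a0:c9:cc:00:20", "hub3/2"),   # known laptop outside its permitted hubs
]

ALARM_VERDICTS = {"new-device", "moved-or-spoofed", "roaming-outside-policy"}


def classify(mac: str, port: str,
             baseline: Dict[str, str] = BASELINE,
             roaming: Dict[str, Set[str]] = ROAMING) -> str:
    """Verdict for one (MAC, port) observation.

    A copy of a known MAC is only distinguishable when it shows up on a different
    port while the baseline says otherwise; a spoof that comes up on the same port
    after the real host is unplugged looks identical to the real host, which is why
    Paul puts that case under physical security rather than monitoring."""
    hub = port.split("/", 1)[0]
    if mac in baseline:
        return "ok" if baseline[mac] == port else "moved-or-spoofed"
    if mac in roaming:
        return "roaming-ok" if hub in roaming[mac] else "roaming-outside-policy"
    return "new-device"


def audit(observations: List[Tuple[str, str]],
          baseline: Dict[str, str] = BASELINE,
          roaming: Dict[str, Set[str]] = ROAMING) -> Dict[str, List[Tuple[str, str, str]]]:
    """Bucket one polling pass into 'alarm', 'info' and 'ok' so that the pager only
    fires for the alarm bucket.  Devices that never transmit produce no observation
    and therefore never appear in any bucket."""
    report: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for mac, port in observations:
        verdict = classify(mac, port, baseline, roaming)
        if verdict in ALARM_VERDICTS:
            bucket = "alarm"
        elif verdict == "roaming-ok":
            bucket = "info"
        else:
            bucket = "ok"
        report[bucket].append((mac, port, verdict))
    return dict(report)


if __name__ == "__main__":
    for bucket, entries in audit(OBSERVATIONS).items():
        for mac, port, verdict in entries:
            print(f"{bucket:5s} {mac} {port:8s} {verdict}")
```

Without the roaming list, the second observation would land in the alarm bucket alongside the two that matter, and the station would page for every laptop that moves; that is exactly the alarm fatigue the thread describes, so seeding the database with expected movement is part of the detection design, not an optional refinement.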
From firewalls-owner Wed Oct 9 14:50:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA26410 for firewalls-outgoing; Wed, 9 Oct 1996 11:57:42 -0700 (PDT)
Received: from intfw.bear.com (intfw.bear.com [206.25.172.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA26231 for ; Wed, 9 Oct 1996 11:56:47 -0700 (PDT)
Received: by intfw.bear.com (4.1/SMI-4.1) id AA23679; Wed, 9 Oct 96 14:55:57 EDT
Received: from fastbear(165.168.74.3) by intfw via smap (V1.3) id sma022624; Wed Oct 9 14:49:35 1996
Received: from ursa2.bear.com by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) id AA19520; Wed, 9 Oct 96 14:54:36 EDT
Received: from whip_xfr.bear.com (whip-xfr) by ursa2.bear.com (4.1/SMI-4.1/AMR+DJMS(2)) id AA03014; Wed, 9 Oct 96 14:50:34 EDT
Received: from wizard.bsnet by whip_xfr.bear.com (SMI-8.6/SMI-SVR4) id OAA16867; Wed, 9 Oct 1996 14:49:30 -0400
Received: from neptune by wizard.bsnet (SMI-8.6/SMI-SVR4) id OAA08264; Wed, 9 Oct 1996 14:49:29 -0400
Message-Id: <325BF3B7.7091@bear.com>
Date: Wed, 09 Oct 1996 14:49:27 -0400
From: Shahryar Jahangir
Organization: Bear Stearns
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m)
Mime-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: fwtk for Sol 5.5
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello everyone,

I am trying to compile fwtk for Sol 5.5, but to no avail. I have a number of errors. Any of you dudes/dudettes have hints/tips/files for me? All help appreciated.

sj
--
*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or
agreement or any information about any transaction, customer account or account
activity contained in this communication.
*******************************************************************************

From firewalls-owner Wed Oct 9 15:01:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA27137 for firewalls-outgoing; Wed, 9 Oct 1996 12:01:43 -0700 (PDT)
Received: from gatekeep.us.landisgyr.com (gatekeep.us.landisgyr.com [206.175.68.122]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA27056 for ; Wed, 9 Oct 1996 12:01:11 -0700 (PDT)
Received: by gatekeep.us.landisgyr.com; id KAA17018; Wed, 9 Oct 1996 10:53:40 -0400
Received: from unknown(204.207.110.148) by gatekeep.us.landisgyr.com via smap (V3.1) id xmaa16987; Wed, 9 Oct 96 10:53:12 -0400
Received: from mailrelay.us.landisgyr.com by pmdf.us.landisgyr.com (PMDF V5.0-4 #10101) id <01IAFWISBRY8000DZW@pmdf.us.landisgyr.com> for firewalls@greatcircle.com; Wed, 09 Oct 1996 13:56:36 -0500 (CDT)
Received: with PMDF-MR; Wed, 09 Oct 1996 13:54:19 -0500 (CDT)
MR-Received: by mta PFMSV1.MUAS; Relayed; Wed, 09 Oct 1996 13:54:19 -0500
MR-Received: by mta PFMSV1; Relayed; Wed, 09 Oct 1996 13:54:21 -0500
MR-Received: by mta PFMMRX; Relayed; Wed, 09 Oct 1996 13:54:59 -0500
Disclose-recipients: prohibited
Date: Wed, 09 Oct 1996 13:54:19 -0500 (CDT)
From: Joav Kohn
Subject: Re: HTTPS & Gauntlet
In-reply-to: <25BEE230.1689@turner.com>
To: Firewalls
Message-id: <8919541309101996/A03775/PFMSV1/11AA4B761100*@MHS.us.landisgyr.com>
Autoforwarded: false
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Importance: normal
Sensitivity: Company-Confidential
UA-content-id: 11AA4B761100
X400-MTS-identifier: [;8919541309101996/A03775/PFMSV1]
Hop-count: 2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> What version are you using? You may need to edit your netperms table
> and your inetd.conf files. The way I'm used to running the daemons
> is that the http-gw is called from inetd when a connection is made on
> that specific port number.

I'm using Gauntlet v.3.1. I'd rather run http-gw in daemon mode as opposed to
standalone for performance reasons, but if anyone thinks I'm mistaken, or that
that is impossible, I'd be willing to change.

It looks as though the firewall itself is at least accepting the connections,
because if I explicitly type in a port (i.e. https://secure.server:440/) other
than the standard 443, I'll get the standard TCP: broken pipe error, while
https:// or https://server:443 just hangs (which I think is a good thing). If
it's a net-perm problem, I would think http-gw would respond with a server
error, not nothing.

Desperation is slowly setting in.

-joav

From firewalls-owner Wed Oct 9 17:00:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA09326 for firewalls-outgoing; Wed, 9 Oct 1996 16:20:44 -0700 (PDT)
Received: from amaterasu.sandelman.ottawa.on.ca (amaterasu.sandelman.ottawa.on.ca [205.233.54.134]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA09295 for ; Wed, 9 Oct 1996 16:20:23 -0700 (PDT)
Received: from amaterasu.sandelman.ocunix.on.ca (LOCALHOST [127.0.0.1]) by amaterasu.sandelman.ottawa.on.ca (8.7.5/8.6.12) with ESMTP id TAA01984; Wed, 9 Oct 1996 19:20:18 -0400 (EDT)
Message-Id: <199610092320.TAA01984@amaterasu.sandelman.ottawa.on.ca>
CC: Marc Mosko
To: firewalls@greatcircle.com
Subject: Re: firewall hot backup
In-reply-to: Your message of "Wed, 09 Oct 1996 08:27:35 PDT." <325BC465.114C@tear.com>
Date: Wed, 09 Oct 1996 19:20:07 -0400
From: Michael Richardson
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm not familiar with Veritas per se, but I know of some of the redundant
server stuff for Solaris.
It isn't a question of mirroring what's on the disk (although that helps wrt
policy, logs, etc...), but of mirroring the state of the TCP/IP connections.
The redundant NFS server solution works because NFS is stateless. TCP isn't
stateless, and you cannot recover the packets that have already been
acknowledged by the gateway, but not yet delivered to the other side. Thus,
you cannot send an acknowledgement for data until you've received an
acknowledgement from the other side.

The funny thing about actually doing this is that it is yet another step
closer to the stateful inspection methods. Was it Bellovin that said that the
two technologies would meet in the middle?

:!mcr!:            | Network security consulting and
Michael Richardson | contract programming
WWW: mcr@sandelman.ottawa.on.ca. PGP key available.

From firewalls-owner Wed Oct 9 17:01:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA08624 for firewalls-outgoing; Wed, 9 Oct 1996 16:13:01 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id QAA08397 for firewalls@greatcircle.com; Wed, 9 Oct 1996 16:12:17 -0700 (PDT)
Received: from gatekeeper.panasonic.com (gatekeeper.panasonic.com [140.212.2.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA01909 for ; Wed, 9 Oct 1996 05:20:58 -0700 (PDT)
Received: from mecamail.panasonic.com by gatekeeper.panasonic.com (AIX 4.1/UCB 5.64/4.03) id AA29806; Wed, 9 Oct 1996 08:10:56 -0400
Received: from Microsoft Mail (PU Serial #1486) by mecamail.panasonic.com (PostalUnion/SMTP(tm) v2.1.8d for Windows NT(tm)) id AA-1996Oct09.082100.1486.197272; Wed, 09 Oct 1996 08:21:40 -0400
From: gelbe@panasonic.com (Gelb, Ed)
To: firewalls@GreatCircle.COM ('firewalls')
Cc: Richard.Ford@fujitsu.com.au (Richard Ford)
Message-Id: <1996Oct09.082100.1486.197272@mecamail.panasonic.com>
X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Date: Wed, 09 Oct 1996 08:21:40 -0400
Subject: RE: IPX-TCP/IP Firewall Support
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Richard,

Your message brings to the surface a "real" world scenario. Many businesses
in the Microsoft and Novell world have both IP and IPX running on their
private networks and would like to set up a proxy firewall to the internet.
You have many solutions available to you .. one being a Unix based firewall
.. but your message leads me to believe that you would entertain a solution
using existing network operating systems within your company, thereby
avoiding the associated costs in setting up a Unix environment.

Although you do not address using the firewall to do "double duty" as a Web
and FTP server .. you may wish to investigate some other solutions. One such
solution would be to consider an IPX-IP gateway solution .. for this solution
I would recommend a new book by James E. Gaskin .. the title escapes me .. but
it is something like "Netware to IPX-IP gateways". I believe the publisher is
Riders. The book addresses many commercial products available with using this
solution and also addresses some of the pitfalls that could nullify this
solution's firewall capabilities.

Another danger of using an IPX-IP proxy gateway not only as firewall but also
doubling as a Web and FTP server is addressed in the October 7th article by
Jamie Lewis in PC Week on page 53. It expresses the concerns when Novell
Directory Services Users login via a HTML browser.

Another solution is to use one of your Microsoft or Novell File Servers to set
up an IP(IPX2)IP proxy firewall. In this scenario you could use your existing
private network client workstations and not care whether they are using
IP(IPX), IPX or IP protocols.
Regards,
Ed

-------------------------------------------------
Ed Gelb
Director Strategic Information Systems
gelbe@panasonic.com
Matsushita Electric Corporation of America
Panasonic Communications & Systems Company
2 Panasonic Way Mailstop 7F-6
Secaucus, New Jersey, 07094
Voice: (201)-348-7292
Fax: (201)-348-7031
Father Creator of the "8000# Gorilla" (TM) and "PanaLOK" (TM) Firewalls
-------------------------------------------------

From: Richard.Ford
To: firewalls
Subject: IPX-TCP/IP Firewall Support
Date: Tuesday, October 08, 1996 19:59EDT

Hello all.

Most of the talk on the list is about TCP/IP based Firewalls. Our network is
primarily TCP/IP but we also have Novell's IPX. Do current Firewall systems
support protocols such as these? If so, how? Otherwise how do you work around
this.

Thanks,
Richard

From firewalls-owner Wed Oct 9 17:03:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA10255 for firewalls-outgoing; Wed, 9 Oct 1996 16:32:11 -0700 (PDT)
Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA10238 for ; Wed, 9 Oct 1996 16:31:57 -0700 (PDT)
Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id RAA26754; Wed, 9 Oct 1996 17:31:33 -0600
Received: from beckio.precise.ab.ca(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.Plugh.edmonton.ab.ca, id smtpd26752aaa; Wed Oct 9 17:31:22 1996
Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id RAA09279; Wed, 9 Oct 1996 17:31:16 -0600
From: Bob Beck
Message-Id: <199610092331.RAA09279@snouts.obtuse.com>
Subject: Re: smtp and auth
To: michaelj@burrito.insource.com (Michael Jarvis)
Date: Wed, 9 Oct 1996 17:31:14 -0600 (MDT)
Cc: davem@iss.net, firewalls@GreatCircle.COM
In-Reply-To: <199610091843.NAA19250@burrito.insource.com> from "Michael Jarvis" at Oct 9, 96 01:43:50 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> You SHOULD, if any of your software supports it, enable and support
> outgoing ident requests. However, I haven't seen very many NT or Win95
> products that support ident. (Which is one reason I prefer UN*X.)

I've never seen one for NT/Win that was the "real thing", i.e. not just an app
the user runs and puts whatever they want in for the userid. Doesn't matter
for Windows, but for NT it could be very useful.

I do agree that having daemons ask ident can be useful, and I have stuff doing
it in a lot of places. However, I will agree to disagree slightly with you
above, or at least change it to "You SHOULD IF you think you need it". If
you're likely to care enough about tracking a connection to tell the remote
admin what his identd supposedly returned, then yes, enable it. But remember
it is an additional complication to your daemon. There has been well known
software that hasn't done the ident lookup right, allowing an overrun of a
buffer on the reply, enabling the fact you have the daemon doing ident lookups
to be used as an attack against you. No, this isn't a "problem" with ident,
just with that implementation, and yes that could happen with any other part
of the daemon. Sure, I usually have such things enabled in most of my
environments (because I do use it), but for some people the added complexity
and something else to go wrong may not be for them. I'm a firm believer in "if
you don't use it, don't run it".
-Bob

From firewalls-owner Wed Oct 9 17:15:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA08577 for firewalls-outgoing; Wed, 9 Oct 1996 16:12:52 -0700 (PDT)
Received: from allison.clark.net (allison.clark.net [168.143.0.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA08302 for ; Wed, 9 Oct 1996 16:11:52 -0700 (PDT)
Received: from clark.net (proberts@clark.net [168.143.0.7]) by allison.clark.net (8.6.12/8.6.5) with ESMTP id TAA13032; Wed, 9 Oct 1996 19:11:21 -0400
Received: from localhost (proberts@localhost) by clark.net (8.7.1/8.7.1) with SMTP id TAA20286; Wed, 9 Oct 1996 19:08:02 -0400 (EDT)
X-Authentication-Warning: clark.net: proberts owned process doing -bs
Date: Wed, 9 Oct 1996 19:08:01 -0400 (EDT)
From: "Paul D. Robertson"
Reply-To: "Paul D. Robertson"
To: Ed Young
cc: "Paul D. Robertson" , firewalls@greatcircle.com
Subject: Re: FW: RE: Sniffer detection.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 9 Oct 1996, Ed Young wrote:

> True, physical security should solve most of this.

Especially with switched hubs.

> >Then there's the fun of managing adapter changes, and laptop users while
> >seeding the database.
>
> This is not as bad as you may think. The address and name are
> automatically stored. Some management may be involved but it is not that
> bad.

No, it is most definitely as bad as I think. I've got more than 800 users and
probably another 100 or so servers/hosts on my local networks. If you take
your original idea of alerting on a new instance of a MAC address, I'll have
to co-ordinate all laptops, new computers, adapter changes (to include
deleting adapters no longer used), and that doesn't even count the initial
seeding of the database.
> > > Additionally, on Token Ring, devices will send out a trace tool present
>                                                              ^^^^
> >That's "should", not "will", I've seen Token Ring sniffers that can be
> >configured not to send that packet. Fortunately, for those on Token Ring
> >networks, most cards won't go into promiscuous mode, reducing the existing
> >machine threat.
>
> On Token Ring the station still has to perform several steps before it
> gets on the ring, such as duplicate address test. And then there is
> participation in ring poll.

Only if it's engaged in working on the ring. I've seen trace tools that
*don't* do this. I don't profess to know how it gets the MAU to open the port
relay, but I've seen it. As a matter of fact, there was a Network General DSS
on that ring at the time, and other than the Ring error when the MAU opened,
it didn't see a thing. Since we were tracking down ring problems that was a
moot point.

> >>> Again, use a sniffer to find a sniffer.
>
> >>>> Which is weak at best, and rather expensive if you're relying on
> >>>> something like a DSS for this protection. I *like* the DSS', and have
> >>>> four or five of them, but in this case, I don't think it's the
> >>>> proper tool.
>
> I would not call it weak. Granted not the best solution, but I am not
> sure of anything that is better.

Just like 40 bit SSL is weak encryption, this is weak protection for the
threat being discussed. Switched hubs will protect segments from already
installed machines going in promiscuous mode, and physical security of the
switches will protect from people connecting new devices. That negates the
sniffing threat to a much better extent than relying on a DSS, especially in
a large multi-segmented network environment. In a smaller environment, it's
actually more easily verified as well.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Wed Oct 9 17:37:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA08763 for firewalls-outgoing; Wed, 9 Oct 1996 16:13:51 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id QAA08696 for firewalls@greatcircle.com; Wed, 9 Oct 1996 16:13:23 -0700 (PDT)
Received: from fw2.turner.com (ilock.turner.com [198.81.230.32]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA22889 for ; Wed, 9 Oct 1996 11:26:30 -0700 (PDT)
From: Michael.Cullen@turner.com
Received: from smap@localhost by fw2.turner.com via smapdV1.3 id OAA18029; Wed, 9 Oct 1996 14:26:07 -0400
Received: from ccmailout.turner.com by interlock.turner.com for via SMTP (smap V1.3) id smaa17887; Wed Oct 9 14:25:48 1996
Received: from ccMail by ccmailout.turner.com (IMA Internet Exchange 2.02 Enterprise) id 25BEE230; Wed, 9 Oct 96 14:25:39 -0400
Mime-Version: 1.0
Date: Wed, 9 Oct 1996 11:13:27 -0400
Message-ID: <25BEE230.1689@turner.com>
To: Firewalls , Joav Kohn
Subject: Re: HTTPS & Gauntlet
Content-Type: multipart/mixed; boundary="IMA.Boundary.935588448"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part

What version are you using? You may need to edit your netperms table and your
inetd.conf files. The way I'm used to running the daemons is that the http-gw
is called from inetd when a connection is made on that specific port number.
Michael

______________________________ Reply Separator _________________________________
Subject: HTTPS & Gauntlet
Author: Joav Kohn at Internet
Date: 10/9/96 8:51 AM

Quick Question (I hope)

I'm trying to let https access through my firewall (a TIS Gauntlet) and what
I've done is this:

In my /etc/services I've added the line

    https 443 ssl

and in my /etc/rc.local I've added

    http-gw -daemon https &

(that may not be the exact syntax, but I'm doing this from memory. Is
everyone's firewall two buildings over?)

Anyway, the point of this story is that when a client now tries to hit an
https server, it just hangs forever. The packet seems to go out (i.e. "host
contacted, waiting for reply") but a timeout never occurs and no data ever
comes back.

Anyone know what I'm doing wrong?

TIA
-joav

Content-Type: text/plain; charset=US-ASCII; name="RFC822 message headers"
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Content-Disposition: attachment; filename="RFC822 message headers"

Received: from internet.turner.com by ccmail.turner.com with SMTP (IMA Internet Exchange 2.02 Enterprise) id 25BCFCC0; Wed, 9 Oct 96 12:16:12 -0400
Received: from smap@localhost by internet.turner.com for via smapdV1.3 id MAA17891; Wed, 9 Oct 1996 12:15:11 -0400
Received: from relay5.uu.net by interlock.turner.com for via SMTP (smap V1.3) id sma017745; Wed Oct 9 12:14:40 1996
Received: from miles.greatcircle.com by relay5.UU.NET with ESMTP (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) id QQbkrw15638; Wed, 9 Oct 1996 12:09:44 -0400 (EDT)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15918 for firewalls-outgoing; Wed, 9 Oct 1996 06:53:38 -0700 (PDT)
Received: from gatekeep.us.landisgyr.com (gatekeep.us.landisgyr.com [206.175.68.122]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA15891 for ; Wed, 9 Oct 1996 06:53:27 -0700 (PDT)
Received: by gatekeep.us.landisgyr.com; id FAA02893; Wed, 9 Oct 1996 05:48:34 -0400
Received: from unknown(204.207.110.148) by gatekeep.us.landisgyr.com via smap (V3.1) id xma002890; Wed, 9 Oct 96 05:48:16 -0400
Received: from mailrelay.us.landisgyr.com by pmdf.us.landisgyr.com (PMDF V5.0-4 #10101) id <01IAFLVVTXQO000DHF@pmdf.us.landisgyr.com> for firewalls@greatcircle.com; Wed, 09 Oct 1996 08:52:23 -0500 (CDT)
Received: with PMDF-MR; Wed, 09 Oct 1996 08:51:21 -0500 (CDT)
MR-Received: by mta PFMSV1.MUAS; Relayed; Wed, 09 Oct 1996 08:51:21 -0500
MR-Received: by mta PFMSV1; Relayed; Wed, 09 Oct 1996 08:51:21 -0500
MR-Received: by mta PFMMRX; Relayed; Wed, 09 Oct 1996 08:51:51 -0500
Disclose-recipients: prohibited
Date: Wed, 09 Oct 1996 08:51:21 -0500 (CDT)
From: Joav Kohn
Subject: HTTPS & Gauntlet
To: Firewalls
Message-id: <6921510809101996/A01239/PFMSV1/11AA4A331500*@MHS.us.landisgyr.com>
Autoforwarded: false
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT
Importance: normal
Sensitivity: Company-Confidential
UA-content-id: 11AA4A331500
X400-MTS-identifier: [;6921510809101996/A01239/PFMSV1]
Hop-count: 2
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Wed Oct 9 17:52:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA29599 for firewalls-outgoing; Wed, 9 Oct 1996 15:27:35 -0700 (PDT)
Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.32.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA24156 for ; Wed, 9 Oct 1996 15:00:34 -0700 (PDT)
Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id VAA29439 for ; Wed, 9 Oct 1996 21:59:18 GMT
Date: Wed, 9 Oct 1996 14:59:18 -0700 (PDT)
From: Sameer R Manek
To: firewalls@GreatCircle.COM
Subject: Re: Protocol Jumping
In-Reply-To: <199610091650.JAA14018@vegas.ibu.sj.nec.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

One program you may consider for tunneling IPX over IP connections is Kali.
While it's not really designed for security stuff, it's really designed for
playing IPX games over the Internet, but what the heck, give it a try. The
shareware version is crippled and only allows 15 min of playing time. The
registered version doesn't have the cripple and for $20 you can't really go
wrong (oh god, I sound like a commercial). Anyways, it's at, I think,
ftp/www.kali.net

Sameer

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Sameer Manek                              manek@challenger.atc.fhda.edu
"A mind once stretched by a new idea never regains its original dimensions"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From firewalls-owner Wed Oct 9 17:53:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA01927 for firewalls-outgoing; Wed, 9 Oct 1996 15:40:12 -0700 (PDT)
Received: from state.ut.us (email.state.ut.us [168.180.96.41]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA24726 for ; Wed, 9 Oct 1996 15:03:17 -0700 (PDT)
Received: from STATE-DOMAIN-Message_Server by state.ut.us with Novell_GroupWise; Wed, 09 Oct 1996 09:54:41 -0600
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Wed, 09 Oct 1996 09:53:31 -0600
From: Mike Rogers
To: firewalls@greatcircle.com
Subject: CiscoSecure
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've been watching the list for about a year, and decided to jump into the
"fray".....

Anyone have much experience with CiscoSecure as a TACACS+ Central
Authentication Server? I'm currently using a combination of packet screening
and application proxies for network security. I want a central auth database
for dial-up/ISDN and other remote services to access our backbone. CiscoSecure
is a little pricey (more than $100 per concurrent user). I'm wondering if
there are any similar COTS products for TACACS+...
or should I just "grow my own"? Any suggestions for a better way for
centralized control for access to routers, dial-up, ISDN, etc?

Also, any arguments for or against putting the Auth server on a DMZ, (third
leg off a dual homed gateway)?

---------------------------------------------------------------
"There were a helluva lot of things they didn't tell me when I hired on with
this outfit." - anonymous member of Gen. Custer's cavalry unit

Mike Rogers
DP Security Analyst
State of Utah

From firewalls-owner Wed Oct 9 17:59:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA02693 for firewalls-outgoing; Wed, 9 Oct 1996 15:43:57 -0700 (PDT)
Received: from service.esys.ca (service.esys.ca [141.118.1.124]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA02392 for ; Wed, 9 Oct 1996 15:42:36 -0700 (PDT)
Received: from monet.esys.ca by service.esys.ca with smtp (Smail3.1.28.1 #1) id m0vB7Iv-000UmhC; Wed, 9 Oct 96 16:40 MDT
Received: from cezanne.esys.ca by monet.esys.ca with smtp (Smail3.1.28.1 #6) id m0vB7LL-000RWgC; Wed, 9 Oct 96 16:43 MDT
Date: Wed, 9 Oct 1996 16:43:11 -0600 (MDT)
From: Lyndon Nerenberg
Reply-To: Lyndon Nerenberg
To: Michael Jarvis
cc: "David J. Meltzer" , firewalls@greatcircle.com
Subject: Re: smtp and auth
In-Reply-To: <199610091843.NAA19250@burrito.insource.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 9 Oct 1996, Michael Jarvis wrote:

[ Re policy on identd packets ]

> Anyway, my point was that ident/auth is not "critical" (ie your network
> will continue to work just fine if you drop those packets).

However, dropping the packets on the floor has an impact on the sending
system's mailer, which will sit around for 15 seconds or so waiting for a
response that won't come back. It might retry the request a couple of times,
increasing the delay even more.
It's a lot more "user friendly" if you can configure your firewall to
immediately send back an ICMP port unreachable on behalf of the destination
host. Most software will abort an ident query after receiving one of these.
(This can *really* help busy mail servers.)

--lyndon

From firewalls-owner Wed Oct 9 18:15:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA29401 for firewalls-outgoing; Wed, 9 Oct 1996 15:26:42 -0700 (PDT)
Received: from interramp.com (pop3.interramp.com [38.8.32.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA29154 for ; Wed, 9 Oct 1996 15:25:24 -0700 (PDT)
Received: from .interramp.com by interramp.com (8.6.12/SMI-4.1.3-PSI-pop-local) id SAA17199; Wed, 9 Oct 1996 18:24:52 -0400
Date: Wed, 9 Oct 96 18:03:25 PDT
From: Ed Young
Subject: Re: FW: RE: Sniffer detection.
To: "Paul D. Robertson" , firewalls@greatcircle.com
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 4.6.3, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 8 Oct 1996, Ed Young wrote:

> Use a sniffer to find a sniffer. A Distributed sniffer can monitor the
> network for any new devices and send an alarm to a pager or NMS station.

>Which doesn't solve the problem of an ethernet adapter already on the net
>going into promiscuous mode. Nor does it find a device that is added and
>doesn't send any packets. It also doesn't find MAC spoofed addresses that
>come on-line with an existing address. The last two can, and should be
>solved with physical security.

True, physical security should solve most of this.

>Then there's the fun of managing adapter changes, and laptop users while
>seeding the database.

This is not as bad as you may think. The address and name are automatically
stored. Some management may be involved but it is not that bad.
> Additionally, on Token Ring, devices will send out a trace tool present
                                                            ^^^^
>That's "should", not "will", I've seen Token Ring sniffers that can be
>configured not to send that packet. Fortunately, for those on Token Ring
>networks, most cards won't go into promiscuous mode, reducing the existing
>machine threat.

On Token Ring the station still has to perform several steps before it gets
on the ring, such as duplicate address test. And then there is participation
in ring poll.

> packet on the network letting the Lan Manager station know that it is
> there. Configure the Lan Manager to not allow trace tools. For FDDI, ATM

>Not sure if FDDI needs to be broken if there's a hub, and not an adapter
>to adapter ring, perhaps someone knows for sure?

Still needs to participate in ring management unless you use some sort of
relay.

> and WAN protocols the link must be broken.
>
> Again, use a sniffer to find a sniffer.

>Which is weak at best, and rather expensive if you're relying on something
>like a DSS for this protection. I *like* the DSS', and have four or five
>of them, but in this case, I don't think it's the proper tool.

I would not call it weak. Granted not the best solution, but I am not sure of
anything that is better.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

-----------------End of Original Message-----------------

-------------------------------------
Name: Edward Young
E-mail: us002628@pop3.interramp.com (Edward Young)
Date: 03/06/95
Time: 04:01:07
-------------------------------------

From firewalls-owner Wed Oct 9 18:47:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA29059 for firewalls-outgoing; Wed, 9 Oct 1996 15:24:42 -0700 (PDT)
Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.32.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA28893 for ; Wed, 9 Oct 1996 15:23:55 -0700 (PDT)
Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id WAA00757; Wed, 9 Oct 1996 22:23:30 GMT
Date: Wed, 9 Oct 1996 15:23:30 -0700 (PDT)
From: Sameer R Manek
To: jsluzewski@dna.com
cc: firewalls@GreatCircle.COM
Subject: Re: your mail
In-Reply-To: <325BF327@dnanycsmtp.dna.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It's not telnet, but consider looking at ssh? I'm not sure if the Mac version
of the client has been released yet or not. The commercial version is
www.datafellows.com and the share/freeware version is ftp.cs.hut.fi

It uses port 22, not 23

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Sameer Manek                              manek@challenger.atc.fhda.edu
"A mind once stretched by a new idea never regains its original dimensions"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

On Wed, 9 Oct 1996 jsluzewski@dna.com wrote:

>
> I am looking for a telnet encryption solution between RS6000 and Macintosh
> clients.
> Thanks for any input.
> Jarek
> jsluzewski@dna.com
>

From firewalls-owner Wed Oct 9 18:57:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA13524 for firewalls-outgoing; Wed, 9 Oct 1996 17:01:26 -0700 (PDT)
Received: from archimedes.inoc.sj.nec.com (archimedes.inoc.sj.nec.com [131.241.31.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA13511 for ; Wed, 9 Oct 1996 17:01:13 -0700 (PDT)
Received: by inoc.sj.nec.com (8.7.3/YDL1.7-930126.17) id RAA00265(archimedes.inoc.sj.nec.com); Wed, 9 Oct 1996 17:01:36 -0700 (PDT)
Received: by sj.nec.com (8.7.3/YDL1.7-940623.1) id QAA08569(netkeeper.sj.nec.com); Wed, 9 Oct 1996 16:56:34 -0700 (PDT)
Received: (from smtp@localhost) by firenode2.ibu.sj.nec.com (8.7.5/8.7.3) id QAA07771; Wed, 9 Oct 1996 16:53:58 -0700 (PDT)
Received: from vegas.ibu.sj.nec.com (vegas.ibu.sj.nec.com [131.241.70.2]) by firenode2.ibu.sj.nec.com id rfQAA07756; Wed Oct 9 16:51:54 1996
Received: by vegas.ibu.sj.nec.com (8.6.9/YDL1.9-9507101400) id QAA19598(vegas.ibu.sj.nec.com); Wed, 9 Oct 1996 16:52:49 -0700
From: sazah@ibu.sj.nec.com (Sunny Azah)
Message-Id: <199610092352.QAA19598@vegas.ibu.sj.nec.com>
Subject: Re: Protocol Jumping
To: wombat@mcfeely.bsfs.org (Rabid Wombat)
Date: Wed, 9 Oct 1996 16:52:49 -0700 (PDT)
Cc: sazah@ibu.sj.nec.com, bhowell@snlnet.com, firewalls@GreatCircle.COM
In-Reply-To: from "Rabid Wombat" at Oct 9, 96 03:03:58 pm
X-Mailer: ELM [version 2.4 PL23beta]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > On Wed, 9 Oct 1996, Sunny Azah wrote:
> > >
> > > > If I set up a dual homed PC such as a mail gateway in my DMZ and run
> > > > IP on the "external" interface, IPX on the other, would it be
> > > > relatively safe to allow the IPX traffic to bypass the firewall?
> > >
> >
> > Why not encapsulate IPX in IP and let everything go through the firewall? There
> > are products out there that would allow you to do this.
> >
>
> Yikes! Now you've built half the tunnel for an attacker. If you are
> running Groupwise, look into using the DMZ gateway IP-to-IP, then through
> the firewall (still via IP) to another post office. I've been told this
> is supported, though I have not had a chance to set it up yet.
>
> Anyone have more info on this config?
>
> -r.w.
>

And how do you account for the IPX traffic without having an IPX-to-IP and
vice versa gateway?

--
sa.
--------------------------------------------------------------------------
Sunny Azah - sazah@ibu.sj.nec.com
Internet Business Unit, Home of the PrivateNet
NEC Technologies, Inc.
110 Rio Robles
San Jose, CA 95134
Tel:(408) 433-2161
FAX:(408) 433-1230
http://www.privatenet.nec.com
--------------------------------------------------------------------------

From firewalls-owner Wed Oct 9 19:27:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA26297 for firewalls-outgoing; Wed, 9 Oct 1996 15:11:57 -0700 (PDT)
Received: from orac.early.com ([204.170.83.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA26215 for ; Wed, 9 Oct 1996 15:11:29 -0700 (PDT)
Received: (from josh@localhost) by orac.early.com (8.6.12/8.6.12) id SAA09258; Wed, 9 Oct 1996 18:10:54 -0400
From: Josh
Message-Id: <199610092210.SAA09258@orac.early.com>
Subject: Re: Virus on Internet
To: ben@edelweb.fr (Ben)
Date: Wed, 9 Oct 1996 18:10:53 -0400 (EDT)
Cc: lists@reflections.mindspring.com, ckostick@csc.com, amotta@ifi.unizh.ch, firewalls@GreatCircle.COM
In-Reply-To: from "Ben" at Oct 9, 96 04:48:43 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In a general sense, I agree, it's near impossible. However, for HTTP and FTP
type transactions, a number of commercial proxy servers (for use on a firewall
or wherever) can scan incoming content for viruses.
I hate to plug, but ours (netscape) proxy 2.1 does that.. I believe
TrendMicro's viruswall does a similar thing..

According to Ben,
>
> > > Can someone tell me, if there are commercial firewalls, who can
> > > recognize and eliminate virus on internet, before entering in the
> > > private net ?
> >
> > I'd be, umm, interested in seeing how this is done in reliable and
> > consistent manner; I have yet to see one that works, and many (including
> > myself) think they are impossible.
>
> Yes, the Halting problem comes to mind.
>
> And even if it were possible we would start seeing the beginning of
> social engineering attacks to the effect of, "Download this binary! It
> slices, dices and chops, and for your protection we have encrypted it with
> PGP to protect against the bad nasty Internet"
>
> Ben.
> ____
> Ben Samman.................................................ben@edelweb.fr
> Paris, France                     Illudium Q36 Explosive Space Modulator
>
>

--
-----------------------------------------------------------------------------
Josh R Cohen /Server Engineer                        josh@early.com
Netscape Communications Corp.
(This message is sent from my private email account to reach me for
business related issues, mailto:josh@netscape.com )
-----------------------------------------------------------------------------

From firewalls-owner Wed Oct 9 19:57:14 1996
Message-ID: <325C5593.76F5@credence.com>
Date: Wed, 09 Oct 1996 18:46:59 -0700
From: James Grimm
To: Rabid Wombat
CC: firewalls@GreatCircle.COM
Subject: Re: your mail

So what's the cost of a secure hub?
-James

From firewalls-owner Wed Oct 9 20:03:48 1996
From: blymn@awadi.com.au (Brett Lymn)
Message-Id: <199610100216.LAA00895@mallee.awadi>
Subject: Re: Protocol Jumping
To: sazah@ibu.sj.nec.com (Sunny Azah)
Date: Thu, 10 Oct 1996 11:46:56 +0930 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199610092352.QAA19598@vegas.ibu.sj.nec.com> from "Sunny Azah" at Oct 9, 96 04:52:49 pm

According to Sunny Azah:
>
>And how do you account for the IPX traffic without having an IPX-to-IP and
>versa gateway?
>

If we are talking groupwise (aka groupwoes ;-) then you can configure the
message servers to connect via tcp/ip even on the NLM version, as long as the
novell machines have the tcp/ip stuff loaded. Also, there is no need to
restrict yourself to a novell machine. The groupwise message server does run
under unix and the smtp gateway seems fairly robust.

--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"Upgrading your memory gives you MORE RAM!"
- ad in MacWAREHOUSE catalogue.
From firewalls-owner Wed Oct 9 20:12:12 1996
Date: Wed, 9 Oct 1996 22:18:50 -0400 (EDT)
From: Brian Harvell
To: Mike Rogers
cc: firewalls@GreatCircle.COM
Subject: Re: CiscoSecure

> I've been watching the list for about a year, and decided
> to jump into the "fray".....
>
> Anyone have much experience with CiscoSecure as
> a TACACS+ Central Authentication Server. I'm
> currently using a combination of packet screening
> and application proxies for network security. I want
> a central auth database for dial-up/ISDN and other
> remote services to access our backbone.
> CiscoSecure is a little pricey (more than $100 per
> concurrent user). I'm wondering if there are any
> similar COTS products for TACACS+... or should I
> just "grow my own"?
>
> Any suggestions for a better way for centralized
> control for access to routers, dial-up, ISDN, etc?
>
> Also, any arguments for or against putting the Auth
> server on a DMZ, (third leg off a dual homed
> gateway)?
>

A lot of people are going RADIUS now. I like it but haven't used anything else.
You can get a server from ftp.merit.edu (I think).

Brian

Brian Harvell          harvell@iNet.net          http://www.iNet.net/~harvell
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc

From firewalls-owner Wed Oct 9 20:33:03 1996
Message-ID: <01BBB693.3464F560@ft_aclay_pc.7-Eleven.com.hk>
From: Alistair Clay
To: "'Joav Kohn'" , "'Firewalls'"
Subject: RE: HTTPS & Gauntlet
Date: Thu, 10 Oct 1996 10:10:02 +-800

Hi,

I run the fwtk 2.0b (which is pretty much the same as the gauntlet I think)
and I didn't have to do anything to allow https, I don't have a services
entry or anything. I just run the httpgw in daemon mode and everything's
fine.

Alistair.
----------
From: Joav Kohn[SMTP:joav.kohn@us.landisstaefa.com]
Sent: Wednesday, October 09, 1996 4:51 PM
To: Firewalls
Subject: HTTPS & Gauntlet

Quick Question (I hope)

I'm trying to let https access through my firewall (a TIS Gauntlet) and
what I've done is this:

In my /etc/services I've added the line

    https   443   ssl

and in my /etc/rc.local I've added

    http-gw -daemon https &

(that may not be the exact syntax, but I'm doing this from memory. Is
everyone's firewall two buildings over?)

Anyway, the point of this story is that when a client now tries to hit an
https server, it just hangs forever. The packet seems to go out (i.e. "host
contacted, waiting for reply") but a timeout never occurs and no data ever
comes back.

Anyone know what I'm doing wrong?

TIA
-joav

From firewalls-owner Wed Oct 9 21:20:50 1996
Date: Thu, 10 Oct 1996 13:38:47 +1000 (EST)
From: Neale Banks
To: firewalls list
Subject: Re: Virus on Internet
In-Reply-To: <199610092210.SAA09258@orac.early.com>

> Can someone tell me, if there are commercial firewalls, who can
> recognize and eliminate virus on internet, before entering in the
> private net ?

On a general level, any thoughts on the (dis)advantages of embedding virus
scanning hooks in ftp/mail/http/etc *client* software. The idea is to have
the client software invoke a virus checker and either release or wipe the new
file based on the scan result.

Pluses:
1. can be done post PGP/etc decoding
2. can be client-platform specific
3. utilises the virus scanner that all PCs etc have already ;-)

Minus:
1. relies on users' client configuration to do the right thing
2. lots of scanning software copies to maintain

Neale.

From firewalls-owner Wed Oct 9 21:31:00 1996
Date: Wed, 9 Oct 1996 22:53:51 -0500 (CDT)
From: R
To: firewalls@greatcircle.com
Subject: Re: Switches and Secure Hubs

> If this is a bastion system, why let anyone telnet between two boxes in
> the first place?

A *lot* of bastion systems have telnet (mistakenly) enabled and a *lot* of
(inexperienced) DMZ administrators telnet around the DMZ.

On the other hand, if it's an *internal* system, you have *not* made it much
more difficult for the intruder. You will slow him down, definitely. But so
what if it takes the attacker a week instead of a day to get to something
sensitive? The intruder's activity is still completely passive, except for a
couple of extra telnets and a couple of extra shell commands. I do not
believe this makes him that much more detectable.

All this being said, I do agree that if your threat is not that
sophisticated, and you are on a budget, switches or secure hubs do buy you
some security.

> On Tue, 8 Oct 1996, Rabid Wombat wrote:
>
> If this is a bastion system, why let anyone telnet between two boxes in
> the first place?
>
> If it is an internal system, you've at least made it much more difficult
> for the attacker. You could couple the secure hub approach with encrypted
> authentication systems for better host level security, but this probably
> goes beyond the needs and budget of many.
>
> > On Tue, 8 Oct 1996, R wrote:
> >
> > All this does is slow the intruder down! Even with a switch or a "secure
> > hub", you still have to worry about point-to-point sniffing. An intruder
> > who gets into Box A can sniff any connections made from or to it. Once
> > someone telnets from A to B, now the intruder has access to Box B, gets
> > root on it, and now he/she has two sniffers running. From there, it
> > snowballs. True, it's slower than sniffing a shared physical medium, but
> > you're still going down.
> >
> > > On 8 Oct 1996, Ryan Russell/SYBASE wrote:
> > >
> > > Just buy a switch. It would be cheaper, and give
> > > you more functionality.
> > >
> > > I've never seen any info on a "secure hub." Do you
> > > have the name of a manufacturer of one?
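The client-side scanning hook Neale proposes above (spool the new file, hand it to the local virus checker, then release or wipe it), as an added example that is not part of the original thread. The scanner command, its exit-code convention (0 clean, 1 infected, anything else a scanner failure, which is the convention clamscan uses) and the marker string the stand-in scanner looks for are all assumptions made for this demo; the point the thread does not spell out is what to do when the scanner itself cannot run.

```python
import os
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List

# Exit-code convention assumed for the external scanner: 0 = clean,
# 1 = infected, anything else = the scanner itself failed. (This is the
# convention clamscan uses; the 1996 scanners named in the thread may differ.)
SCAN_CLEAN, SCAN_INFECTED = 0, 1


def quarantine_download(data: bytes, quarantine_dir: Path) -> Path:
    """Spool a freshly received file into the quarantine directory.

    mkstemp creates it mode 0600 under a random name, never under the
    final name, so no viewer, mailer or shell can open it before the scan."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(prefix="incoming-", dir=quarantine_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return Path(tmp)


def wipe(path: Path) -> None:
    """Overwrite with zeros before unlinking, so an 'undelete' cannot
    hand the user the rejected bytes back."""
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()


def scan_and_release(spooled: Path, final: Path, scanner: List[str]) -> str:
    """Scan the spooled file, then release it to `final` or wipe it.

    Returns "released", "wiped" or "held". A scanner that cannot run, hangs
    or returns an unknown code is NOT treated as clean: the file stays in
    quarantine ("held") for an administrator to look at. Fail closed."""
    try:
        rc = subprocess.run(scanner + [str(spooled)], check=False,
                            capture_output=True, timeout=60).returncode
    except (OSError, subprocess.TimeoutExpired):
        return "held"
    if rc == SCAN_INFECTED:
        wipe(spooled)
        return "wiped"
    if rc != SCAN_CLEAN:
        return "held"
    final.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(spooled), str(final))  # same filesystem: atomic rename
    return "released"


# Stand-in scanner for the offline demo (constructed, not a real AV engine):
# "infected" means the file contains the constructed marker string.
# $1 is the marker, $2 the file; grep's own status 2 becomes a scanner error.
MARKER = "CONSTRUCTED-MALWARE-MARKER"
DEMO_SCANNER = [
    "sh", "-c",
    'rc=0; grep -q "$1" "$2" || rc=$?; '
    '[ "$rc" -eq 0 ] && exit 1; [ "$rc" -eq 1 ] && exit 0; exit 2',
    "scanner", MARKER,
]
BROKEN_SCANNER = ["/nonexistent/scanner"]  # simulates a missing AV engine


def run_demo() -> Dict[str, str]:
    """Push three downloads through the hook: a clean file, one carrying
    the marker, and a clean one whose scanner cannot run."""
    with tempfile.TemporaryDirectory() as d:
        q, inbox = Path(d) / "quarantine", Path(d) / "inbox"
        results: Dict[str, str] = {}
        f = quarantine_download(b"hello from the mirror\n", q)
        results["clean"] = scan_and_release(f, inbox / "readme.txt", DEMO_SCANNER)
        f = quarantine_download(f"prefix {MARKER} suffix\n".encode(), q)
        results["infected"] = scan_and_release(f, inbox / "tool.exe", DEMO_SCANNER)
        f = quarantine_download(b"also fine\n", q)
        results["no_scanner"] = scan_and_release(f, inbox / "notes.txt", BROKEN_SCANNER)
        # What the user can actually see: only the clean, scanned file.
        results["inbox"] = ",".join(sorted(p.name for p in inbox.iterdir()))
        # What is left in quarantine: only the file whose scan never ran.
        results["quarantine"] = str(len(list(q.iterdir())))
        return results


if __name__ == "__main__":
    print(run_demo())
```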
> >

From firewalls-owner Wed Oct 9 21:42:07 1996
Date: Wed, 9 Oct 1996 23:02:47 -0500 (CDT)
From: R
To: firewalls@greatcircle.com
Subject: Re: your mail

On Wed, 9 Oct 1996, Rabid Wombat wrote:

> > On Tue, 8 Oct 1996, R wrote:
> >
> > All this does is slow the intruder down! Even with a switch or a "secure
> > hub", you still have to worry about point-to-point sniffing. An intruder
> > who gets into Box A can sniff any connections made from or to it. Once
> > someone telnets from A to B, now the intruder has access to Box B, gets
> > root on it, and now he/she has two sniffers running. From there, it
> > snowballs. True, it's slower than sniffing a shared physical medium, but
> > you're still going down.
> >
>
> I doubt I'll be going down. No single piece of technology is going to
> secure the network; security requires a number of well integrated
> components, systems, policies, and the occasional voodoo sacrifice of a
> rubber chicken.
>
> The idea is to harden the target as much as possible, increasing the
> level of effort required by the intruder, increasing the time it takes the
> intruder to get what they are after, increasing the chances that the
> intruder will make a mistake, and giving your monitoring systems a
> fighting chance at catching them.
>
> Putting a really big lock on the front door won't keep someone from
> crawling in through the back window. Locking all the doors and windows,
> and putting in an alarm system and a b.f.d. won't keep out someone with a
> blowtorch and an UZI, but you'll sure as hell know they're there.
>
> I still think a secure hub is a good, cheap investment for a bastion
> segment, and not a bad addition to your internal network, either. Many of
> the major hub vendors offer this feature - you just need to turn it on.
>
> -r.w.
>

Yes, multiple layers of security are key. But as for the secure hub per se,
it is only adding a little bit to the whole defense.

Unfortunately, the analogy to a house break-in is tenuous... If I use
blowtorches etc. I make a lot of noise and leave a lot of damage. If I use
sniffer software correctly, I will be very stealthy.

I don't mean to come across as antagonistic -- I do agree with your
conclusion that "a secure hub is a good, cheap investment for a bastion
host." I am just leery of people overestimating what it buys them.

-Rob

From firewalls-owner Wed Oct 9 22:27:35 1996
Date: Wed, 9 Oct 1996 23:08:46 -0600 (MDT)
From: iceman
To: Alejandro Motta
cc: Majordomo
Subject: Re: Virus on Internet
In-Reply-To: <325B6179.41C67EA6@ifi.unizh.ch>

None that I know of.
However, there are virus scanners made by McAfee and Viruscan that will scan
for word macro virus, other viruses, and ftp file transfers. Can be loaded on
a secure mail server sitting on a DMZ branch of your network.

Nothing in the world is as powerful as an idea whose time has come.
- Famous poet

On Wed, 9 Oct 1996, Alejandro Motta wrote:

> Can someone tell me, if there are commercial firewalls, who can
> recognize and eliminate virus on internet, before entering in the
> private net ?
> I am doing an evaluation of commercial firewalls and I appreciate to
> have some information from you.
>
> Thanks
>
> Alex
>

From firewalls-owner Wed Oct 9 22:45:38 1996
Date: Wed, 9 Oct 1996 23:10:42 -0600 (MDT)
From: iceman
To: Juan Carlos Canet Saixo
cc: firewalls@GreatCircle.COM
Subject: Re: NT Firewalls
In-Reply-To: <325B7B88.3322B241@esegi.es>

I have worked with Raptor and Firewall-1 on an NT box. They work, but I
would have my doubts as to whether the operating system can withstand a
good beating. The firewall software seems quite well built, but if you
want reliability, you need that Unix thing.

Nothing in the world is as powerful as an idea whose time has come.
- Famous poet

On Wed, 9 Oct 1996, Juan Carlos Canet Saixo wrote:

> I'm looking for a firewall for a Intel based device and Windows NT
> operating system. I've found information about these firewalls:
>
> o Altavista firewall
> o Eagle (Raptor)
> o Firewall-1
> o WatchGuard (??)
>
> I've read a lot of things about these firewalls, but I don't know
> which of them I have to choose. Do you have any experience with
> them?. I need advice.
>
> Thanks in advance
>
>
> --
>
> ---- Juan Carlos Canet Saixo
> ----
> ---- SGI Soluciones Globales Internet
> ---- e-mail: jccanet@esegi.es
>

From firewalls-owner Wed Oct 9 22:57:09 1996
Message-Id: <199610100521.BAA17441@mhinside.hcl.com>
From: "Rudy Amid"
To: "Jonathan Arcilla" , S

From firewalls-owner Thu Oct 10 02:57:21 1996
Message-ID: <325CBC08.38FB@tear.com>
Date: Thu, 10 Oct 1996 02:04:09 -0700
From: Marc Mosko
Organization: Forte Systems
To: Shahryar Jahangir
CC: firewalls@GreatCircle.COM
Subject: Re: fwtk for Sol 5.5
References: <325BF3B7.7091@bear.com>
In the contrib section there should be patches from David Small to make it
compile. If I remember right, I still had to make one or two more mods.

I have modified source code that I've compiled on Solaris 2.5. It has a few
new features, such as doing a reverse finger and sending email immediately
when a netacl fails.

I'm pretty sure the license allows me to give it to you for free. If anyone
would like it, please let me know via private email (marc@tear.com) and I can
put it up on my FTP site once I review the license.

Shahryar Jahangir wrote:
>
> Hello everyone,
> I am trying to compile fwtk for Sol 5.5. but to no avail. I have a
> number of errors.
> Any of you dudes/dudettes have hints/tip/files for me ?
>
> all help appreciated.
>
> sj
>
[snip]

--
Marc Mosko                      Email: marc@tear.com
                                Web:   http://www.tear.com/

"If anyone knocks out another's eye, he shall pay him
 sixty-six shillings, six pence, and a third of a penny."
 -- Leges Henrici Primi (13th century)

PGP Key available via Public Servers and
http://www.tear.com/pgp-key.html

From firewalls-owner Thu Oct 10 03:28:01 1996
Date: Thu, 10 Oct 1996 11:15:47 GMT
Message-Id: <199610101115.LAA25155@msdos.vimcom.msk.ru>
From: "Andrey Yu. Ruskol"
To: rebecca@didahp1.deis.unibo.it
CC: Firewalls@GreatCircle.COM
In-reply-to: <199610100708.AAA17082@miles.greatcircle.com> (message from Rebecca Montanari - tesista Corradi on Thu, 10 Oct 96 9:08:01 MET)
Subject: Re: logging with chroot?

Hi

As I understand it, you should change the startup script which starts
'syslogd' to use 'chroot'. And maybe you have to copy some files into the
'chrooted area', make some links and so on - it depends on your system
type ...

Best regards

From firewalls-owner Thu Oct 10 04:42:15 1996
From: Steve Kennedy
Message-Id: <199610101120.MAA28845@ford.gbnet.org>
Subject: Re: CiscoSecure
To: harvell@inet.net (Brian Harvell)
Date: Thu, 10 Oct 1996 12:20:42 +0100 (BST)
Cc: mprogers@state.ut.us, firewalls@GreatCircle.COM
In-Reply-To: from "Brian Harvell" at Oct 9, 96 10:18:50 pm

According to Brian Harvell
> A lot of people are going RADIUS now, I like it but haven't used anything else
> You can get a server from ftp.merit.edu (I think)

There are various 'public' implementations of RADIUS servers including :-

ftp.livingston.com
ftp.ascend.com
ftp.merit.edu

The Ascend version is based upon the original Livingston code, I think Merit
have done a complete re-write and made it more modular.
I also happen to mirror these sites on :-

ftp://ftp.gbnet.net/pub/radius/

Steve

--
home steve@gbnet.org * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
work steve@demon.net * tel +44-(0)171 483 1169  FAX +44-(0)181 444 6103
www  http://www.gbnet.net/ * 07010 707 838 should follow me (hopefully)
bits steve@gbnet.net * Orange mobile +44-(0)973 600050
Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From firewalls-owner Thu Oct 10 04:57:33 1996
Message-Id: <325CE0CB.32AC@liebert.com>
Date: Thu, 10 Oct 1996 07:40:59 -0400
From: Jim Legg
Reply-To: legg@sun1plus.liebert.com
Organization: Liebert Corp.
To: firewalls@greatcircle.com
Subject: Re: Firewall-1 query
References: <199610100601.HAA08669@server1.mountcomp.co.uk>

Jon Whitton wrote:
>
> I have been looking at firewall-1 as a security solution and have one
> major query.
>
> It appears to work at the IP layer and basically allows or denies packets
> depending on certain rules. (This is only from the Checkpoint web site.)
>
> My question is how does this secure say sendmail since sendmail will be
> running directly on the firewall machine and not a proxy.
> Surely if sendmail is running on the firewall then when (not if!) a new
> bug is found in sendmail, this bug can just be exploited on the firewall.
>

Don't run sendmail on the firewall machine. Run something else (like smapd)
to grab incoming mail.

-jim-

From firewalls-owner Thu Oct 10 05:34:01 1996
From: "Andrew A. Benson"
Message-Id: <199610101130.GAA27629@gordon.Arbitrade.COM>
Subject: Re: NT Firewalls
To: iceman@zeus.oanet.com (iceman)
Date: Thu, 10 Oct 1996 06:30:51 -0500 (CDT)
Cc: jccanet@esegi.es, firewalls@GreatCircle.COM
In-Reply-To: from "iceman" at Oct 9, 96 11:10:42 pm

> I have worked with Raptor and Firewall-1 on an NT box. They work, but I
> would have my doubts as to whether the operating system can withstand a
> good beating. The firewall software seems quite well built, but if you
> want reliability, you need that Unix thing.

So then run Firewall-1 on UNIX. It IS available. Forget NT. :-)

> Nothing in the world is as powerful as an idea whose time has come.
> - Famous poet
>
> On Wed, 9 Oct 1996, Juan Carlos Canet Saixo wrote:
>
> > I'm looking for a firewall for a Intel based device and Windows NT
> > operating system.
> > I've found information about these firewalls:
> >
> > o Altavista firewall
> > o Eagle (Raptor)
> > o Firewall-1
> > o WatchGuard (??)
> >
> > I've read a lot of things about these firewalls, but I don't know
> > which of them I have to choose. Do you have any experience with
> > them?. I need advice.
> >
> > Thanks in advance
> >
> >
> > --
> >
> > ---- Juan Carlos Canet Saixo
> > ----
> > ---- SGI Soluciones Globales Internet
> > ---- e-mail: jccanet@esegi.es
> >
>

--
Andrew Benson
System & Network Administrator          andrew@arbitrade.com
Arbitrade, LLC

From firewalls-owner Thu Oct 10 05:46:58 1996
From: "Chin, Augustine"
To: "'firewalls'"
Subject: looking for firewall
Date: Thu, 10 Oct 96 08:20:00 PDT
Message-ID: <325D150F@MSMAIL.LITEL.COM>

Hi all,

I am looking for a firewall (proxy) that does ip and ipx routing. I have
spoken to Checkpoint and tis, but they do not support ipx routing. I do not
want to encapsulate ipx in ip packets because that slows things down and it
is quite a CPU intensive process. The firewall is going to be sitting between
2 routers, so I would need something that does more than packet filtering.
Any suggestions would be appreciated.

Thank you.

Augustine Chin
china@lci.com

From firewalls-owner Thu Oct 10 05:57:31 1996
Message-Id: <2.2.32.19961010122231.006f7c8c@pop.trusted.com>
Date: Thu, 10 Oct 1996 08:22:31 -0400
To: Marc Mosko , Shahryar Jahangir
From: Frederick M Avolio
Subject: Re: fwtk for Sol 5.5
Cc: firewalls@greatcircle.com

FWTK things should probably go to the FWTK specific mailing list. If you have
the FWTK you know what that list is.

f

At 02:04 AM 10/10/96 -0700, Marc Mosko wrote:
>In the contrib section there should be patches from David Small to make
>it compile. If I remember right, I still had to make one or two more
>mods.
>
>I have modified source code that I've compiled on Solaris 2.5. It has a
>few new features, such as doing a reverse finger and sending email
>immediately when a netacl fails.
>
>I'm pretty sure the license allows me to give it to you for free. If
>anyone would like it, please let me know via private email
>(marc@tear.com) and I can put it up on my FTP site once I review the
>license.
>
>Shahryar Jahangir wrote:
>>
>> Hello everyone,
>> I am trying to compile fwtk for Sol 5.5. but to no avail. I have a
>> number of errors.
>> Any of you dudes/dudettes have hints/tip/files for me ?
>>
>> all help appreciated.
> >
> > sj
> >
> [snip]
>
> --
> Marc Mosko          Email: marc@tear.com
>                     Web: http://www.tear.com/
>
> "If anyone knocks out another's eye, he shall pay him
> sixty-six shillings, six pence, and a third of a penny."
>   -- Leges Henrici Primi (13th century)
>
> PGP Key available via Public Servers and
> http://www.tear.com/pgp-key.html

From firewalls-owner Thu Oct 10 06:27:48 1996
From: Fabio R II
To: firewalls@greatcircle.com
Date: Thu, 10 Oct 1996 10:14:23 -0300 (EST)
Subject: serurity from netscape mail

Hi list,

Is there a way to deny access to users who do not specify their password in Netscape mail?

Ex: I configure Netscape to work with username "john", but without using his password, and I can send emails in his name.
Fabio R II
fabio@furb.rct-sc.br
POP Internet - FURB
NI - Nucleo de Informatica
FURB - Universidade Regional de Blumenau

From firewalls-owner Thu Oct 10 07:00:12 1996
From: Fabio R II
To: firewalls@GreatCircle.COM
Date: Thu, 10 Oct 1996 10:54:28 -0300 (EST)
Subject: How do firewall

Hi list,

What steps do I need to configure a firewall on Linux (configurations and programs)?

Thank you.
Fabio R II
fabio@furb.rct-sc.br
POP Internet - FURB
NI - Nucleo de Informatica
FURB - Universidade Regional de Blumenau

From firewalls-owner Thu Oct 10 07:18:05 1996
From: claman@copley.fi.mckinsey.com (Larry Claman)
To: firewalls@greatcircle.com
Date: Thu, 10 Oct 1996 13:12:36 GMT
Subject: (fwd) Firewall-1 query

On Thu, 10 Oct 1996 07:01:50 +0100 (BST), Jon Whitton wrote:
>
> I have been looking at firewall-1 as a security solution and have one
> major query.
>
> It appears to work at the IP layer and basically allows or denies packets
> depending on certain rules. (This is only from the Checkpoint web site.)
>
> My question is how does this secure say sendmail since sendmail will be
> running directly on the firewall machine and not a proxy.
> Surely if sendmail is running on the firewall then when (not if!) a new
> bug is found in sendmail, this bug can just be exploited on the firewall.
>
> yours confused
> jon

Conceptually, couldn't one write a state machine to be applied by the SMLI on inbound port 25 connections that filters out any "dangerous" SMTP commands? Or is this how Firewall-1 works already?

-Larry (confused as well)

From firewalls-owner Thu Oct 10 07:28:35 1996
From: "John H. Kerr"
To: Alejandro Motta
Cc: Majordomo
Date: Thu, 10 Oct 1996 10:18:54 -0400 (EDT)
Subject: Re: Virus on Internet

I believe that the new version of Firewall-1 3.0 will support virus detection for FTP transactions. Take a look at the home page www.chekcpoint.com

On Wed, 9 Oct 1996, Alejandro Motta wrote:
> Can someone tell me if there are commercial firewalls which can
> recognize and eliminate viruses on the internet, before they enter the
> private net?
> I am doing an evaluation of commercial firewalls and I would appreciate
> having some information from you.
>
> Thanks
>
> Alex
>

From firewalls-owner Thu Oct 10 07:42:50 1996
From: gunni@if.is (Gunnar Ingvi Thorisson)
To: china@dublin3.lci.litel.com (Chin, Augustine)
Cc: Firewalls@GreatCircle.COM
Date: Thu, 10 Oct 1996 13:43:09 +0000 (GMT)
Subject: Re: looking for firewall

> I am looking for a firewall (proxy) that does IP and IPX routing. I
> have spoken to Checkpoint and TIS, but they do not support IPX routing. I
> do not want to encapsulate IPX in IP packets because that slows things down
> and it is quite a CPU-intensive process. The firewall is going to be
> sitting between 2 routers, so I would need something that does more than
> packet filtering.

You could get something that is able to do IPX tunneling through TCP/IP with encryption and use the same thing to decrypt the packets at the other end. IPX is most often only used on local networks and not through the Internet. Can't figure out anything at the moment, sorry, hope it helps.
Best regards,
Gunnar

Gunnar Ingvi Thorisson
System Administrator and programmer
gunni@if.is

From firewalls-owner Thu Oct 10 07:57:09 1996
From: Jose Luis Delgado
To: iceman
Cc: Juan Carlos Canet Saixo, firewalls@GreatCircle.COM
Date: Thu, 10 Oct 1996 09:51:56 -0500 (CDT)
Subject: Re: NT Firewalls

Hi folks!!!

I'm looking for a Firewall trial version for NT... Can anybody tell me where I can find one?

Thanks in advance.

AT LESS... TRY!
Jose Luis Delgado Solano (Base de Datos)
jdelgado@nexus.net.mx

From firewalls-owner Thu Oct 10 08:36:45 1996
From: Kyle_Amon@jabil.com
To: firewalls@greatcircle.com, Esakov Dmitriy
Date: Thu, 10 Oct 1996 10:44:58 -0400
Subject: Re: Sniffer detection.

The quickest and easiest thing I know of is to use ifconfig to see if any of your NICs are in promiscuous mode.

Kyle

______________________________ Reply Separator _________________________________
Subject: Sniffer detection.
Author: Esakov Dmitriy at IE_StPeteB1
Date: 10/7/96 8:32 PM

Hi!

Does someone know how an ethernet sniffer can be detected? Any help is greatly appreciated! All ideas are welcome!

-------------------------------------------
Have a nice day!
Esakov Dmitriy
RELCOM corp.
esakov@relcom.eu.net
Moscow, Russia

From firewalls-owner Thu Oct 10 08:53:47 1996
From: "bettez@telecom.hydro.qc.ca"
Organization: Hydro-Québec
To: firewalls@greatcircle.com
Date: Thu, 10 Oct 1996 09:31:41 -0400
Subject: Re: Firewall-1 query

Jim Legg wrote:
>
> Jon Whitton wrote:
> >
> > I have been looking at firewall-1 as a security solution and have one
> > major query.
> >
> > It appears to work at the IP layer and basically allows or denies packets
> > depending on certain rules. (This is only from the Checkpoint web site.)
> >
> > My question is how does this secure say sendmail since sendmail will be
> > running directly on the firewall machine and not a proxy.
> > Surely if sendmail is running on the firewall then when (not if!) a new
> > bug is found in sendmail, this bug can just be exploited on the firewall.
> >
>
> Don't run sendmail on the firewall machine. Run something else (like
> smapd) to grab incoming mail.
>
> -jim-

Or don't run sendmail at all. Put sendmail -q in your crontab to flush queued mail.
_______________________________
Jean-Sebastien Bettez
E: bettez@telecom.hydro.qc.ca

From firewalls-owner Thu Oct 10 09:17:23 1996
From: Raymond Sleiman - Gestronic Systems Integration Manager
Reply-To: Raymond.Sleiman@mail.gestronic.ch
Organization: Gestronic SA
To: Olivier.Bondot@elftrad.com, firewalls@GreatCircle.COM
Date: Thu, 10 Oct 1996 16:59:30 +0100
Subject: Firewall 1 version 2 and nisplus

Hello,

I'm using Firewall 1 on Solaris 2.4 in order to isolate different networks inside the same company. I have a group of Sun workstations and servers acting as NIS+ or NIS clients. The firewall inspection module is installed on a Solaris 2.4 server, and this server is the NIS+ master server and NIS-compatible master server.

I created a group of machines (NIS+ and NIS clients); they should be able to access the NIS+ server for all nisplus services. The problem is the nisplus services are not defined. Is there somebody who did this?

Another question: What about the boot time of the NIS+ client? It seems to broadcast something in order to find the NIS+ server. Which port should be enabled in order to let the broadcast reach the NIS+ server?

Thanks for your help.
Raymond Sleiman
--
_________________________________________________________
Raymond Sleiman, Systems Integration Manager
GESTRONIC S.A, 25 rue jacques grosselin, 1227 Carouge Geneve, Switzerland
Phone # +41 22 342 71 50   Fax # +41 22 343 91 16
Mobile # +41 79 200 81 03  Direct # +41 22 342 25 27
email: Raymond.Sleiman@gestronic.ch
>>>> Visit us on the WEB http://www.gestronic.ch <<<<
_________________________________________________________

From firewalls-owner Thu Oct 10 09:23:05 1996
From: Bob Beck
To: rebecca@didahp1.deis.unibo.it (Rebecca Montanari - tesista Corradi)
Cc: Firewalls@GreatCircle.COM
Date: Thu, 10 Oct 1996 09:15:24 -0600 (MDT)
Subject: Re: logging with chroot?

>
> Has anyone any suggestions on how to use syslogd
> to log events with services using chroot?
> If any changes to the default syslogd are made, the
> logging doesn't work, for example ftp uses chroot
> Thanks for any suggestion
>

The problem with using syslog to log events from a chrooted service is that the syslog() routine will send events to the /dev/log socket, which usually isn't in your chroot.

We use a little critter called "holelogd" - meant for snarfing the logs out of the "chrooted holes" a chrooted service runs in. holelogd is a small daemon that works by creating a dev/log socket in your chroot, and passing everything from it to the regular /dev/log socket that your syslogd is listening on. When you run it correctly your syslogs will end up in the usual place.

It's in the utils package that we distribute as source, and it's free. See ftp://ftp.obtuse.com/pub/utils to grab a copy.

-Bob

---------------------------------------------------------------------------
Bob Beck                                  Obtuse Systems Corporation
beck@obtuse.com                           http://www.obtuse.com/
"Duct tape is like the force. It has a light side, and a dark side, and
 it holds the universe together"

From firewalls-owner Thu Oct 10 10:22:13 1996
From: jconnary@shepards.com
To: firewalls@greatcircle.com
Date: Thu, 10 Oct 96 09:46:52 MDT
Subject: Solaris 2.5

Hi,

Can anyone point me towards a good source on configuring Solaris 2.5 as a dual homed
bastion host, i.e. setting up the second network interface etc.

Thanks in advance,

Julie Ann Connary
Network Specialist
Shepard's McGraw-Hill
719-481-7383 (FAX: 719-488-5135)

From firewalls-owner Thu Oct 10 10:32:26 1996
From: Fabio R II
To: firewalls@GreatCircle.COM
Date: Thu, 10 Oct 1996 13:15:06 -0300 (EST)
Subject: serurity from netscape mail

Hi list,

Is there a way to deny access to users who do not specify their password in Netscape mail?

Ex: I configure Netscape to work with username "john", but without using his password, and I can send emails in his name.
Fabio R II
fabio@furb.rct-sc.br
POP Internet - FURB
NI - Nucleo de Informatica
FURB - Universidade Regional de Blumenau

From firewalls-owner Thu Oct 10 10:38:30 1996
From: Raymond Sleiman - Gestronic Systems Integration Manager
Reply-To: Raymond.Sleiman@mail.gestronic.ch
Organization: Gestronic SA
To: firewalls@greatcircle.com
Date: Thu, 10 Oct 1996 19:23:44 +0100
Subject: NISPLUS and FIREWALL

Hello,

I'm using Firewall 1 on Solaris 2.4 in order to isolate different networks inside the same company. I have a group of Sun workstations and servers acting as NIS+ or NIS clients. The firewall inspection module is installed on a Solaris 2.4 server, and this server is the NIS+ master server and NIS-compatible master server.

I created a group of machines (NIS+ and NIS clients); they should be able to access the NIS+ server for all nisplus services. The problem is the nisplus services are not defined. Is there somebody who did this?

Another question: What about the boot time of the NIS+ client?
It seems to broadcast something in order to find the NIS+ server. Which port should be enabled in order to let the broadcast reach the NIS+ server?

Thanks for your help.

Raymond Sleiman
--
_________________________________________________________
Raymond Sleiman, Systems Integration Manager
GESTRONIC S.A, 25 rue jacques grosselin, 1227 Carouge Geneve, Switzerland
Phone # +41 22 342 71 50   Fax # +41 22 343 91 16
Mobile # +41 79 200 81 03  Direct # +41 22 342 25 27
email: Raymond.Sleiman@gestronic.ch
>>>> Visit us on the WEB http://www.gestronic.ch <<<<
_________________________________________________________

From firewalls-owner Thu Oct 10 10:48:13 1996
From: "Barbara W. Jaarsma"
Reply-To: barbara@us.checkpoint.com
Organization: Checkpoint US Technical Support
To: Steve Kennedy
Cc: Brian Harvell, mprogers@state.ut.us, firewalls@GreatCircle.COM
Date: Wed, 09 Oct 1996 08:41:50 -0700
Subject: Re: CiscoSecure

Folks -

Merit's Radius is a compilation of all the zillions of proprietary implementations of Radius authentication code. Livingston, of course, is the original creator of Radius. Ascend's implementation is a proprietary implementation that Merit has "folded" into their conglomeration.
Remember, though - that if you are using Merit's Radius, then you cannot get support from Livingston, or Ascend, or Cisco, or Wellfleet, or Checkpoint (when Radius support is released this year). You will be sent back to Merit, because originating companies have no control over their code or keyword re-definitions.

On the other hand, if you are using specific implementations provided by specific companies - NOT Merit - support is generally provided as a matter of course.

Clear as mud?

-Barb

Steve Kennedy wrote:
>
> According to Brian Harvell
>
> > A lot of people are going RADIUS now, I like it but haven't used anything else
> > You can get a server from ftp.merit.edu (I think)
>
> There are various 'public' implementations of RADIUS servers including :-
>
> ftp.livingston.com
> ftp.ascend.com
> ftp.merit.edu
>
> The Ascend version is based upon the original Livingston code, I think
> Merit have done a complete re-write and made it more modular.
>
> I also happen to mirror these sites on :-
>
> ftp://ftp.gbnet.net/pub/radius/
>
> Steve
>
> --
> home steve@gbnet.org * Flat 2, 43 Howitt Road, Belsize Pk, London NW3 4LU
> work steve@demon.net * tel +44-(0)171 483 1169 FAX +44-(0)181 444 6103
> www http://www.gbnet.net/ * 07010 707 838 should follow me (hopefully)
> bits steve@gbnet.net * Orange mobile +44-(0)973 600050
> Euro firewall info - send mail to majordomo@gbnet.net (subscribe firewalls-uk)

From firewalls-owner Thu Oct 10 10:53:00 1996
Date: Thu, 10 Oct 1996 18:52:20 +0100
From: Alejandro Motta
To: Majordomo
Subject: Dial-in connections

Hello List,

I have two questions:

1- If dial-in connections are directly established to an internal server which has a modem, could a firewall control it or not?

2- Does a firewall support all computer operating systems, or does it depend on what a firewall solution prescribes?

Thanks for your comments.

Alex.

From firewalls-owner Thu Oct 10 10:54:12 1996
From: Raymond Sleiman - Gestronic Systems Integration Manager
Reply-To: Raymond.Sleiman@mail.gestronic.ch
Organization: Gestronic SA
To: firewalls@GreatCircle.COM
Date: Thu, 10 Oct 1996 19:22:33 +0100
Subject: NISPLUS and FIREWALL 1

Hello,

I'm using Firewall 1 on Solaris 2.4 in order to isolate different networks inside the same company. I have a group of Sun workstations and servers acting as NIS+ or NIS clients.
The firewall inspection module is installed on a Solaris 2.4 server, and this server is the NIS+ master server and NIS-compatible master server.

I created a group of machines (NIS+ and NIS clients); they should be able to access the NIS+ server for all nisplus services. The problem is the nisplus services are not defined. Is there somebody who did this?

Another question: What about the boot time of the NIS+ client? It seems to broadcast something in order to find the NIS+ server. Which port should be enabled in order to let the broadcast reach the NIS+ server?

Thanks for your help.

Raymond Sleiman
--
_________________________________________________________
Raymond Sleiman, Systems Integration Manager
GESTRONIC S.A, 25 rue jacques grosselin, 1227 Carouge Geneve, Switzerland
Phone # +41 22 342 71 50   Fax # +41 22 343 91 16
Mobile # +41 79 200 81 03  Direct # +41 22 342 25 27
email: Raymond.Sleiman@gestronic.ch
>>>> Visit us on the WEB http://www.gestronic.ch <<<<
_________________________________________________________

From firewalls-owner Thu Oct 10 11:43:59 1996
From: b
To: Kyle_Amon@jabil.com
Cc: firewalls@GreatCircle.COM, Esakov Dmitriy
Date: Thu, 10 Oct 1996 12:53:49 -0500 (CDT)
Subject: Re: Sniffer detection.
On Thu, 10 Oct 1996 Kyle_Amon@jabil.com wrote:
> The quickest and easiest thing I know of is to use ifconfig to see if
> any of your NICs are in promiscuous mode.
>
> Kyle

If someone is going to have the ability to place your NIC into promiscuous mode, they are not going to have much trouble patching ifconfig.

b

From firewalls-owner Thu Oct 10 11:45:12 1996
From: sazah@ibu.sj.nec.com (Sunny Azah)
To: bhowell@snlnet.com
Cc: sazah@ibu.sj.nec.com, wombat@mcfeely.bsfs.org, firewalls@GreatCircle.COM
Date: Thu, 10 Oct 1996 10:52:48 -0700 (PDT)
Subject: Re: Re[2]: Protocol Jumping
> Thanks for the reply.
>
> We thought about IP to IP through a "hole" in the firewall, but we are
> running cc:Mail on a Novell server running only IPX. The gateway runs
> on NT using commercial software. Since we need to make the jump to IPX
> somewhere along the way, it seems like the mail gateway PC is a good
> place to do that. Rather than punch an IPX hole in the firewall (which
> might be more obvious to exploit) we figured we could just sneak
> around it.
>
> I'm just curious to know if anyone actually COULD make the protocol
> and network jump on a dual homed NT 4.0 server. I'm guessing it would
> be pretty tough.

The NT 4.0 server would have to have software to make the translation from IPX to IP. I do not know if there is such a beast for NT.

> I think we will move the cc:Mail post office to an NT server running
> IP and resolve the problem.

-- sa.
--------------------------------------------------------------------------
Sunny Azah - sazah@ibu.sj.nec.com
Internet Business Unit, Home of the PrivateNet
NEC Technologies, Inc.
110 Rio Robles San Jose, CA 95134 Tel:(408) 433-2161 FAX:(408) 433-1230 http://www.privatenet.nec.com --------------------------------------------------------------------------

From firewalls-owner Thu Oct 10 12:02:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA20759 for firewalls-outgoing; Thu, 10 Oct 1996 09:26:04 -0700 (PDT) Received: from hermes.cu-online.com (hermes.cu-online.com [205.198.248.82]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA20740 for ; Thu, 10 Oct 1996 09:25:39 -0700 (PDT) Received: from babba.cu-online.com (jwthomp@babba.cu-online.com [205.198.248.21]) by hermes.cu-online.com (8.7.5/8.7.5-cuo-s6) with SMTP id LAA11342; Thu, 10 Oct 1996 11:33:56 -0500 (CDT) Date: Thu, 10 Oct 1996 11:20:28 -0500 (CDT) From: Jeff Thompson To: Kyle_Amon@jabil.com cc: firewalls@GreatCircle.COM, Esakov Dmitriy Subject: Re: Sniffer detection. In-Reply-To: <0000EF91.1880@jabil.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 10 Oct 1996 Kyle_Amon@jabil.com wrote:
> The quickest and easiest thing I know of is to use ifconfig to see if
> any of your NICs are in promiscuous mode.
>

Actually, you should maintain a "trusted" copy of ifconfig and other system utilities, for that matter, off line. When you want to check, you copy them to the system and then check. ifconfig is often one of the first binaries to be patched. Statically linked binaries are also preferable, as it is also possible that your libraries have been patched.

Jeff Thompson(jwthomp@cu-online.com) Argus Systems Group
http://www.cu-online.com/~jwthomp/ - Trusted Network Kernel
"Tiruvan i rembre."
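The exchange above (Kyle's ifconfig check, then the objection that whoever can set the promiscuous bit can also patch ifconfig, and Jeff's answer of keeping trusted, statically linked copies off line) can be turned into a check that does not trust the binary at all. The following is an added example, not code from any of the posters: it reads the interface flags the kernel itself exposes (on Linux, /sys/class/net/<if>/flags, where IFF_PROMISC is bit 0x100 per <linux/if.h>) and decodes them without running ifconfig, and it compares on-disk binaries against SHA-256 digests recorded off line, which is Jeff's "trusted copy" idea made mechanical. The sysfs path and flag values are Linux's; the sample flag files and the "binaries" are constructed (the known-good digest is that of the bytes "abc"). The caveat from the thread still applies: a kernel-resident rootkit can lie through sysfs exactly as a patched ifconfig lies, so this raises the bar only against the user-space patching the posters describe.

```python
import hashlib
import os

# Interface flag bits from Linux <linux/if.h>. /sys/class/net/<if>/flags
# exposes them as a hex string; IFF_PROMISC is the bit a sniffer turns on.
# These are kernel values, not anything stated in the thread.
IFF_UP, IFF_BROADCAST, IFF_LOOPBACK = 0x1, 0x2, 0x8
IFF_RUNNING, IFF_PROMISC, IFF_MULTICAST = 0x40, 0x100, 0x1000
FLAG_NAMES = {IFF_UP: "UP", IFF_BROADCAST: "BROADCAST", IFF_LOOPBACK: "LOOPBACK",
              IFF_RUNNING: "RUNNING", IFF_PROMISC: "PROMISC", IFF_MULTICAST: "MULTICAST"}

def decode_flags(flags_hex):
    """Turn the sysfs hex string into the set of flag names it encodes."""
    value = int(flags_hex.strip(), 16)
    return {name for bit, name in FLAG_NAMES.items() if value & bit}

def promiscuous_interfaces(flag_files):
    """flag_files: {interface name: contents of its sysfs flags file}.
    Returns, sorted, the interfaces whose PROMISC bit is set."""
    return sorted(name for name, text in flag_files.items()
                  if int(text.strip(), 16) & IFF_PROMISC)

def read_sysfs_flags(sysfs_root="/sys/class/net"):
    """Collect the flags files from a live Linux host (empty elsewhere)."""
    found = {}
    try:
        for name in os.listdir(sysfs_root):
            with open(os.path.join(sysfs_root, name, "flags")) as fh:
                found[name] = fh.read()
    except OSError:
        pass
    return found

def verify_binary(data, known_good_sha256):
    """Jeff's 'trusted copy' check: compare the bytes on disk against a
    digest recorded off line while the system was known to be clean."""
    return hashlib.sha256(data).hexdigest() == known_good_sha256.lower()

def audit(flag_files, binaries, known_good):
    """binaries: {path: bytes}; known_good: {path: sha256 hex}.
    Returns (promiscuous interfaces, binaries whose digest does not match).
    A path with no recorded digest counts as tampered: unknown is not trusted."""
    tampered = sorted(path for path, data in binaries.items()
                      if not verify_binary(data, known_good.get(path, "")))
    return promiscuous_interfaces(flag_files), tampered

# Constructed sample: eth0 = 0x1103 (UP|BROADCAST|PROMISC|MULTICAST),
# eth1 = 0x1003 (UP|BROADCAST|MULTICAST), lo = 0x9 (UP|LOOPBACK).
SAMPLE_FLAGS = {"eth0": "0x1103\n", "eth1": "0x1003\n", "lo": "0x9\n"}
# Constructed "binaries": the off-line digest is SHA-256(b"abc"); the copy
# of /sbin/ifconfig on disk differs from the trusted one by one byte.
ABC_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
SAMPLE_KNOWN_GOOD = {"/sbin/ifconfig": ABC_SHA256, "/bin/netstat": ABC_SHA256}
SAMPLE_BINARIES = {"/sbin/ifconfig": b"abd", "/bin/netstat": b"abc"}

if __name__ == "__main__":
    promisc, tampered = audit(SAMPLE_FLAGS, SAMPLE_BINARIES, SAMPLE_KNOWN_GOOD)
    print("promiscuous:", promisc, " tampered:", tampered)
    live = read_sysfs_flags()
    if live:
        print("this host:", promiscuous_interfaces(live) or "nothing promiscuous")
```

Run on a real host, the digest table must come from read-only media (Jeff's CD-ROM or floppy) rather than from the same disk, or the attacker who patched ifconfig simply updates the table too.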
- Developer

From firewalls-owner Thu Oct 10 12:12:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA04210 for firewalls-outgoing; Thu, 10 Oct 1996 11:45:10 -0700 (PDT) Received: from tmoon.com (tmoon.com [206.42.247.209]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA04173 for ; Thu, 10 Oct 1996 11:44:44 -0700 (PDT) From: west@tmoon.com Message-Id: <199610101844.LAA04173@miles.greatcircle.com> To: firewalls-digest@GreatCircle.COM Date: 10 Oct 1996 12:47:50 mst Subject: Checkpoint's LIE (was Re: ha firewalls) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I guess I lost a little bit of the text on that last message. Here it is again.

Way back on 7 October david.helms@checkpoint.com said:
> I swear this is not an ad!
> Take a look at the new announcement for FW-1 V3.0. It's on our web
> site and was just released this morning.
> http://www.checkpoint.com
> V3.0 provides state-sharing, which allows multiple firewalls to
> support the same connection. Fixes the Asymmetrical routing issue
> and provides a high-availability solution as well.

I just found out why Checkpoint has preannounced "state sharing" (it won't be available 'til the end of the year at best) ...

Up until Firewall-1 2.0, it wasn't really a stateful packet filter. It maintained some state for UDP but for TCP connections IT DID NOTHING MORE THAN CHECK FOR THE ACK BIT BEING SET ON INBOUND CONNECTIONS!!!!! Anyone running Firewall-1 1.2 has no better protection for TCP connections than a simple packet filter checking ACK bits for inbound packets. Checkpoint has been lying about its true functionality and capabilities!!! In version 2 they FINALLY seem to have added state for tcp connections.

The reason I found this was because I had been running 2 Firewall-1 systems in parallel using version 1.2 and everything worked just fine. I upgraded to version 2.0 and suddenly it stopped working.
After doing some investigation I found out that it worked with version 1.2 because all of the inbound packets had the ACK bit set and were therefore not checked and just passed on. In 2.0 there seems to be some added checking and therefore these packets don't get passed on. I was told that in order for my set up to work I need to have state sharing and to wait for version 3.0, which may or may not be out by the end of the year.

NO THANKS! I'm dumping my Firewall-1. Any company that can blatantly lie about providing some security mechanism (stateful packet filtering - patent pending no less) and actually not provide it is not a company who I want to depend on to secure my network.

To reiterate, if you are running anything earlier than 2.0 you have only the ACK bit protecting your network. All this stuff about stateful packet filtering is baloney.

Lastly, a financial institution here in my parts has also dumped Firewall-1. Seems that a consultant hired to disassemble the binary found some suspicious code and upon further investigation believes that it is a backdoor for specially formatted packets!

Can anyone recommend a "good" firewall?
Eric From firewalls-owner Thu Oct 10 12:28:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA04308 for firewalls-outgoing; Thu, 10 Oct 1996 11:46:22 -0700 (PDT) Received: from archimedes.inoc.sj.nec.com (archimedes.inoc.sj.nec.com [131.241.31.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA04226 for ; Thu, 10 Oct 1996 11:45:41 -0700 (PDT) Received: by inoc.sj.nec.com (8.7.3/YDL1.7-930126.17) id LAA15481(archimedes.inoc.sj.nec.com); Thu, 10 Oct 1996 11:40:15 -0700 (PDT) Received: by sj.nec.com (8.7.3/YDL1.7-940623.1) id LAA27457(netkeeper.sj.nec.com); Thu, 10 Oct 1996 11:40:15 -0700 (PDT) Received: (from smtp@localhost) by firenode2.ibu.sj.nec.com (8.7.5/8.7.3) id LAA10247; Thu, 10 Oct 1996 11:39:07 -0700 (PDT) Received: from vegas.ibu.sj.nec.com (vegas.ibu.sj.nec.com [131.241.70.2]) by firenode2.ibu.sj.nec.com id rfLAA10241; Thu Oct 10 11:37:45 1996 Received: by vegas.ibu.sj.nec.com (8.6.9/YDL1.9-9507101400) id LAA25350(vegas.ibu.sj.nec.com); Thu, 10 Oct 1996 11:38:46 -0700 From: sazah@ibu.sj.nec.com (Sunny Azah) Message-Id: <199610101838.LAA25350@vegas.ibu.sj.nec.com> Subject: Re: Firewall-1 query To: jonw@mountcomp.co.uk (Jon Whitton) Date: Thu, 10 Oct 1996 11:38:45 -0700 (PDT) Cc: firewalls@GreatCircle.COM, mikel@ibu.sj.nec.com (Mikel Lechner), zen@ibu.sj.nec.com (zen), sales@ibu.sj.nec.com, sam@ibu.sj.nec.com, eric@ibu.sj.nec.com (Eric Lunow) In-Reply-To: <199610100601.HAA08669@server1.mountcomp.co.uk> from "Jon Whitton" at Oct 10, 96 07:01:50 am X-Mailer: ELM [version 2.4 PL23beta] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > From: Jon Whitton > > I have been looking at firewall-1 as a security solution and have one > > major query. > > > > It appears to work at the IP layer and basically allows or denys packets > > depending on certain rules. 
(This is only from the Checkpoint web site.)
> >
> > My question is how does this secure say sendmail since sendmail will be
> > running directly on the firewall machine and not a proxy.
> > Surely if sendmail is running on the firewall then when (not if!) a new
> > bug is found in sendmail, this bug can just be exploited on the firewall.

If you are not running a secure proxy for SMTP, then you are taking a great risk. Sendmail is especially bad, since it is well known for having a number of security problems. Any network service directly accessible from the Internet must be very secure, and passing the SMTP traffic through a packet filter to an internal mail server effectively makes that internal mail server part of the firewall. That means that its SMTP server had better be secure.

It's much better to use an SMTP proxy. This proxy should be verifiably secure, run without privileges, run in a restricted environment, and have very limited capabilities. NEC's PrivateNet SMTP proxy, and probably other vendors', meet all these requirements:

    Sendmail   SMTPD     Description
    > 40,000   < 2,000   Lines of code
    YES        NO        Runs with system privileges
    YES        NO        Access to all files on the system
    YES        NO        Runs other programs

And in the worst case, if the PrivateNet SMTP proxy is compromised, the attacker has no access to other programs, nor can he install his own since all the programs are on CD-ROM.

-- sa.
--------------------------------------------------------------------------
Sunny Azah - sazah@ibu.sj.nec.com Internet Business Unit, Home of the PrivateNet NEC Technologies, Inc.
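Sunny's four requirements for the proxy (verifiably small, unprivileged, restricted, "very limited capabilities") can be made concrete at the protocol layer. What follows is an added example, neither PrivateNet's SMTPD nor code from any poster: the command layer of such a front-end, which accepts only the handful of commands needed to receive a message, answers 502 to VRFY, EXPN and anything else it does not know, enforces the RFC 5321 command-line, text-line and recipient limits (so an oversized line that might overflow a real MTA is refused rather than parsed), insists on the correct command order, and has no side effect beyond handing the accepted envelope and body back to its caller. The session lines are constructed; transport, chroot and dropping privileges are outside the block and would be provided by the process that embeds it.

```python
import re

MAX_CMD_LINE = 512     # RFC 5321 4.5.3.1: command line limit, CRLF included
MAX_TEXT_LINE = 1000   # RFC 5321 4.5.3.1: text line limit, CRLF included
MAX_RCPT = 100         # RFC 5321 4.5.3.1: the minimum a receiver must accept
PATH_RE = re.compile(r"^<([^<>\s]{1,254})>$")

class SmtpFront:
    """Minimal SMTP receiver: fixed command set, strict ordering, hard size
    limits, no privileges and no side effects beyond filling self.messages."""

    def __init__(self):
        self.helo, self.messages = None, []   # messages: (sender, rcpts, body)
        self._reset_envelope()

    def _reset_envelope(self):
        self.sender, self.rcpts, self.body = None, [], []
        self.in_data, self.oversize = False, False

    def feed(self, line):
        """One client line, CRLF stripped; returns the reply, or None inside DATA."""
        if self.in_data:
            return self._text_line(line)
        if len(line) + 2 > MAX_CMD_LINE:
            return "500 Line too long"            # refused before any parsing
        verb, _, arg = line.partition(" ")
        handler = self.COMMANDS.get(verb.upper())
        if handler is None:
            return "502 Command not implemented"  # VRFY, EXPN, TURN, ...
        return handler(self, arg.strip())

    def _path(self, arg, keyword):
        """Parse 'FROM:<addr>' / 'TO:<addr>' into the bare address, else None."""
        if not arg.upper().startswith(keyword + ":"):
            return None
        match = PATH_RE.match(arg[len(keyword) + 1:].strip())
        return match.group(1) if match else None

    def cmd_helo(self, arg):
        self.helo = arg
        self._reset_envelope()
        return "250 OK"

    def cmd_mail(self, arg):
        if not self.helo or self.sender is not None:
            return "503 Bad sequence of commands"
        sender = self._path(arg, "FROM")
        if not sender:
            return "501 Syntax error in parameters"
        self.sender = sender
        return "250 OK"

    def cmd_rcpt(self, arg):
        if self.sender is None:
            return "503 Bad sequence of commands"
        rcpt = self._path(arg, "TO")
        if not rcpt:
            return "501 Syntax error in parameters"
        if len(self.rcpts) >= MAX_RCPT:
            return "452 Too many recipients"
        self.rcpts.append(rcpt)
        return "250 OK"

    def cmd_data(self, arg):
        if not self.rcpts:
            return "503 Bad sequence of commands"
        self.in_data = True
        return "354 Start mail input; end with <CRLF>.<CRLF>"

    def cmd_quit(self, arg):
        return "221 Bye"

    # Anything not listed is answered 502: no VRFY, no EXPN, no extensions.
    COMMANDS = {"HELO": cmd_helo, "EHLO": cmd_helo, "MAIL": cmd_mail,
                "RCPT": cmd_rcpt, "DATA": cmd_data, "QUIT": cmd_quit}

    def _text_line(self, line):
        if line == ".":
            oversize, msg = self.oversize, (self.sender, self.rcpts, self.body)
            self._reset_envelope()
            if oversize:
                return "552 Message exceeds fixed maximum size"
            self.messages.append(msg)
            return "250 Queued"
        if line.startswith(".."):
            line = line[1:]                       # RFC 5321 4.5.2 dot-unstuffing
        if len(line) + 2 > MAX_TEXT_LINE:
            self.oversize = True                  # keep reading, reject at '.'
        elif not self.oversize:
            self.body.append(line)
        return None

def run_session(lines):
    """Feed a whole client session; returns (replies, accepted messages)."""
    front = SmtpFront()
    replies = [r for r in (front.feed(l) for l in lines) if r is not None]
    return replies, front.messages

# Constructed session: a refused probe (VRFY), an oversized command line, a
# dot-stuffed body line and an otherwise normal delivery.
SAMPLE_SESSION = ["EHLO mailhost.example.net", "VRFY root", "MAIL FROM:<alice@example.net>",
                  "RCPT TO:<bob@example.com>", "X" * 600, "DATA", "Subject: test", "",
                  "..leading dot is unstuffed", ".", "QUIT"]
```

The point of the size checks is the one Jon raised: a front-end this small has no buffer for an attacker's 600-byte command to land in, and the message it finally accepts is a plain list of lines the inside MTA can be handed over a pipe or spool directory, never a shell command.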
110 Rio Robles San Jose, CA 95134 Tel:(408) 433-2161 FAX:(408) 433-1230 http://www.privatenet.nec.com -------------------------------------------------------------------------- From firewalls-owner Thu Oct 10 13:43:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA07824 for firewalls-outgoing; Thu, 10 Oct 1996 12:33:11 -0700 (PDT) Received: from lists (alfalfa.sips.state.nc.us [149.168.11.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA07795 for ; Thu, 10 Oct 1996 12:32:47 -0700 (PDT) Received: from everett.pitt.cc.nc.us by lists (SMI-8.6/SMI-SVR4) id PAA29719; Thu, 10 Oct 1996 15:24:21 -0400 Received: from EVERETT/SpoolDir by everett.pitt.cc.nc.us (Mercury 1.21); 10 Oct 96 15:42:34 EST5EDT Received: from SpoolDir by EVERETT (Mercury 1.30); 10 Oct 96 15:42:29 EST5EDT From: "Jim Leo" Organization: Pitt Community College To: firewalls@greatcircle.com Date: Thu, 10 Oct 1996 15:42:24 EST5EDT MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Private Confab Re: Comp. Awareness Day Reply-to: admin@everett.pitt.cc.nc.us X-mailer: Pegasus Mail for Windows (v2.01) Message-ID: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Could the individual that posted survey results for 'Computer Awareness Day' please contact me off-line. 
Jim Leo
admin@everett.pitt.cc.nc.us

From firewalls-owner Thu Oct 10 13:58:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA11097 for firewalls-outgoing; Thu, 10 Oct 1996 12:58:31 -0700 (PDT) Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA11020 for ; Thu, 10 Oct 1996 12:57:59 -0700 (PDT) Received: from tc24617 by csc.com with smtp (Smail3.1.29.1 #1) id m0vBREi-001AcvC; Thu, 10 Oct 96 15:57 EDT Message-ID: <325D54BA.53D3@csc.com> Date: Thu, 10 Oct 1996 15:55:38 -0400 From: Joe Loiacono Organization: Computer Sciences Corporation X-Mailer: Mozilla 3.0b7 (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: iceman CC: firewalls@GreatCircle.COM Subject: Re: NT Firewalls References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

iceman wrote:
>
> I have worked with Raptor and Firewall-1 on an NT box. They work, but I
> would have my doubts as to whether the operating system can withstand a
> good beating. The firewall software seems quite well built, but if you
> want reliability, you need that Unix thing.
>

I've heard that M$ NT has passed US government accreditation at security level C2. Perhaps it _is_ a relatively secure OS....
From firewalls-owner Thu Oct 10 14:01:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA02630 for firewalls-outgoing; Thu, 10 Oct 1996 11:29:06 -0700 (PDT) Received: from tmoon.com (tmoon.com [206.42.247.209]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA02581 for ; Thu, 10 Oct 1996 11:28:24 -0700 (PDT) From: west@tmoon.com Message-Id: <199610101828.LAA02581@miles.greatcircle.com> To: firewalls-digest@GreatCircle.COM Date: 10 Oct 1996 12:30:10 mst Subject: Checkpoint's LIE (was Re: ha firewalls) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Way back on 7 October david.helms@checkpoint.com said:
> I swear this is not an ad!
> Take a look at the new announcement for FW-1 V3.0. It's on our web
> site and was just released this morning.
> http://www.checkpoint.com
> V3.0 provides state-sharing, which allows multiple firewalls to
> support the same connection. Fixes the Asymmetrical routing issue
> and provides a high-availability solution as well.

I just found out why Checkpoint has preannounced "state sharing" (it won't be available 'til the end of the year at best) ...

Up until Firewall-1 2.0, it wasn't really a stateful packet filter. It maintained some state for UDP but for TCP connections IT DID NOTHING MORE THAN CHECK FOR THE ACK BIT BEING SET ON INBOUND CONNECTIONS!!!!! Anyone running Firewall-1 1.2 has no better protection for TCP connections than a simple packet filter checking ACK bits for inbound packets. Checkpoint has been lying about its true functionality and capabilities!!! In version 2 they FINALLY seem to have added state for tcp connections.

The reason I found this was because I had been running 2 Firewall-1 systems in parallel using version 1.2 and everything worked just fine. I upgraded to version 2.0 and suddenly it s estigation I found out that it worked with version 1.2 because all of the inbound packets had the ACK bit set and were therefore not checked and just passed on.
In 2.0 there seems to be some added checking and therefore these packets don't get passed on. I was told that in order for my set up to work I need to have state sharing and to wait for version 3.0, which may or may not be out by the end of the year.

NO THANKS! I'm dumping my Firewall-1. Any company that can blatantly lie about providing some security mechanism (stateful packet filtering - patent pending no less) and actually not provide it is not a company who I want to depend on to secure my network.

To reiterate, if you are running anything earlier than 2.0 you have only the ACK bit protecting your network. All this stuff about stateful packet filtering is baloney.

Lastly, a financial institution here in my parts has also dumped Firewall-1. Seems that a consultant hired to disassemble the binary found some suspicious code and upon further investigation believes that it is a backdoor for specially formatted packets!

Can anyone recommend a "good" firewall?

Eric

From firewalls-owner Thu Oct 10 14:06:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA23273 for firewalls-outgoing; Thu, 10 Oct 1996 09:45:16 -0700 (PDT) Received: from ns1.inet.net (ns1.inet.net [199.233.93.51]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA23237 for ; Thu, 10 Oct 1996 09:45:03 -0700 (PDT) Received: from bahu (bahu [199.233.93.16]) by ns1.inet.net (8.7.5/8.6.12) with SMTP id MAA14303; Thu, 10 Oct 1996 12:44:32 -0400 (EDT) Date: Thu, 10 Oct 1996 12:44:32 -0400 (EDT) From: Brian Harvell X-Sender: harvell@bahu To: "Barbara W.
Jaarsma" cc: Steve Kennedy , mprogers@state.ut.us, firewalls@GreatCircle.COM Subject: Re: CiscoSecure In-Reply-To: <325BC7BE.32C2@us.checkpoint.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Folks - > Merit's Radius is a compilation of all the zillions of proprietary > implementations of Radius authentication code. > > Livingston, of course, is the original creator of Radius. > > Ascend's implementation is a proprietary implementation that Merit > has "folded" into their conglomeration. > > Remember, though - that if you are using Merit's Radius, then you cannot > get support from Livingston, or Ascend, or Cisco, or Wellfleet, or > Checkpoint (when Radius support is released this year). You will be > sent back to Merit, because originating companies have no control over > their code or keyword re-definitions. On the other hand, if you are > using specific implementations provided by specific companies - NOT > Merit - support is generally provided as a matter of course. > This is the part that pisses me off. They should all standardize. I heard that Shiva's radius has some stuff that you can't get at with other implementations. And the bad part is they sell this so you can't get the info from them. 
Brian Brian Harvell harvell@iNet.net http://www.iNet.net/~harvell echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc From firewalls-owner Thu Oct 10 14:17:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA12085 for firewalls-outgoing; Thu, 10 Oct 1996 13:04:37 -0700 (PDT) Received: from gateway.mitre.org (gateway.mitre.org [128.29.31.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA11894 for ; Thu, 10 Oct 1996 13:03:44 -0700 (PDT) From: lazear@gateway.mitre.org Received: from dockside.mitre.org (dockside.mitre.org [128.29.31.77]) by gateway.mitre.org (8.7.2/8.7.2) with ESMTP id QAA17197 for ; Thu, 10 Oct 1996 16:03:12 -0400 (EDT) Received: from localhost (lazear@localhost) by dockside.mitre.org (8.7.2/8.7.2) with SMTP id QAA24826 for ; Thu, 10 Oct 1996 16:07:17 -0400 (EDT) Message-Id: <199610102007.QAA24826@dockside.mitre.org> X-Authentication-Warning: dockside.mitre.org: lazear owned process doing -bs X-Authentication-Warning: dockside.mitre.org: Host lazear@localhost didn't use HELO protocol To: Firewalls@greatcircle.com Subject: Volcano firewall Date: Thu, 10 Oct 96 16:07:15 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've looked in the Firewalls archives, but haven't found any references to the Volcano Firewall product that is based on BSD Unix. I'd appreciate any pointers to the company or reviews of capabilities. It apparently has transparent proxies, which makes me think it's a Gauntlet variant. Thanks in advance. 
Walt

From firewalls-owner Thu Oct 10 14:22:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA12232 for firewalls-outgoing; Thu, 10 Oct 1996 13:05:38 -0700 (PDT) Received: from vortexdata.com ([207.67.217.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA12167 for ; Thu, 10 Oct 1996 13:05:14 -0700 (PDT) Received: from smtpgate.vortexdata.com (smtpgate.vortexdata.com [207.67.217.6]) by vortexdata.com (8.6.12/8.6.12) with SMTP id LAA05459 for ; Wed, 9 Oct 1996 11:33:49 -0700 Received: from VORTEX-Message_Server by smtpgate.vortexdata.com with Novell_GroupWise; Thu, 10 Oct 1996 13:01:23 -0700 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 10 Oct 1996 13:02:10 -0700 From: Richard Gilman To: china@dublin3.lci.litel.com, gunni@if.is Cc: Firewalls@GreatCircle.COM Subject: Re: looking for firewall -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You might take a look at OnGuard from On Technology. www.on.com And no I don't work there:-P

Rich

>>> Gunnar Ingvi Thorisson 10/10/96 06:43am >>>
> I am looking for a firewall(proxy) that does ip and ipx routing. I
> have spoken to Checkpoint and tis, but they do not support ipx routing. I
> do not want to encapsulate ipx in ip packets because that slows things down
> and it is quite a CPU intensive process. The firewall is going to be
> sitting between 2 routers, so I would need something that does more than
> packet filtering.

You could get something that is able to do IPX tunneling through TCP/IP with encryption and use the same thing to decrypt the packets at the other end. IPX is most often only used on local networks and not through the Internet. Can't figure out anything at the moment, sorry, hope it helps.
Best regards,
Gunnar

Gunnar Ingvi Thorisson System Administrator and programmer gunni@if.is

From firewalls-owner Thu Oct 10 14:29:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA08542 for firewalls-outgoing; Thu, 10 Oct 1996 12:38:43 -0700 (PDT) Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA08478 for ; Thu, 10 Oct 1996 12:38:09 -0700 (PDT) Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) id AA11878; Thu, 10 Oct 1996 12:39:39 -0700 Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA27915; Thu, 10 Oct 96 12:37:51 PDT Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) id AA22794; Thu, 10 Oct 1996 12:37:46 -0700 Message-Id: <9610101937.AA22794@notesgw2.sybase.com> Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id DA63335FE6BC179A882563BF00649C02; Thu, 10 Oct 96 12:37:45 EDT To: firewalls From: Ryan Russell/SYBASE Date: 10 Oct 96 12:39:11 EDT Subject: Re: Sniffer detection. X-Lotus-Type: Reply All Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I took a look at the 3com stuff (Bay didn't seem to have any reference to it) and it does indeed appear to be based on repeater technology which should be cheaper, depending. The modules I saw go in their hub chassis, which might be more expensive than a small standalone switch depending on how many ports you need.

On some older switches I've seen, they could indeed fail in such a way as to flood packets. It depends on the type of switch. Switches with a baseband-style backplane could indeed do that, whereas crossbar-style switches would be unlikely to do so.

I still maintain that switches would be a much better solution, although it appears that I am wrong about them being cheaper in every case.
A switch will have the added security advantage that you can not only not see the data portion of packets, but you won't see the source and destination (Not clear if the 3com boxes hide that or not) or have to contend for traffic on the line (strictly performance rather than security.)

Ryan

---------- Previous Message ----------
To: Ryan.Russell cc: brads, genel, esakov, firewalls From: wombat @ mcfeely.bsfs.org (Rabid Wombat) @ smtp Date: 10/08/96 02:10:57 PM Subject: Re: Sniffer detection.

On 8 Oct 1996, Ryan Russell/SYBASE wrote:
> Just buy a switch. It would be cheaper, and give
> you more functionality.

Secure Hubs are cheaper than switches. Some switches also toss the packets out all ports when under heavy load. I have not seen this myself, but it has been published in some test reports.

>
> I've never seen any info on a "secure hub." Do you
> have the name of a manufacturer of one?

3Com, Bay Networks, etc. Most, if not all, of the major hub vendors have a secure option.

-r.w.

From firewalls-owner Thu Oct 10 14:39:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA07080 for firewalls-outgoing; Thu, 10 Oct 1996 12:26:48 -0700 (PDT) Received: from po-external.FCNBD.COM ([147.113.146.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA07045 for ; Thu, 10 Oct 1996 12:26:27 -0700 (PDT) From: Joe_Lopez@em.fcnbd.com Received: from po-internal.FCNBD.COM (internalhost.FCNBD.COM [147.113.104.10]) by po-external.FCNBD.COM (8.7.5/fcnbd/domain/1.5.1) with ESMTP id OAA15515 for ; Thu, 10 Oct 1996 14:29:14 -0500 (CDT) Received: from em.fcnbd.com (ccintgat [147.113.229.37]) by po-internal.FCNBD.COM (8.7.5/fcnbd/internal-domain/1.4.1) with SMTP id OAA10171 for ; Thu, 10 Oct 1996 14:27:06 -0500 (CDT) Received: from ccMail by em.fcnbd.com (IMA Internet Exchange 2.03 (Beta 3) Enterprise) id 000188BD; Thu, 10 Oct 96 14:04:59 -0500 Mime-Version: 1.0 Date: Thu, 10 Oct 1996 13:41:59 -0500 Message-ID:
<000188BD.1944@em.fcnbd.com> Subject: OSPF Routing on SunSparc To: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

we are installing a SunSparc20 to function as an internal firewall. We are presently running OSPF on our WAN. I am trying to add a Sun Sparcstation to participate. We are running gated on our Sun machine. I am not receiving full routing table updates. We only have routes to certain parts of our OSPF cloud. I am receiving an error on our Sun as follows:

OSPF RECV Area 0.0.3.242 10.10.1.1 224.0.0.5: HELLO: netmask mismatch
task_get_proto: getprotobyname("ospf") failed, using proto 89

our gated.conf is:

# page gated.conf
#---------------------------------------------
# gated config for sap-fw-01
#---------------------------------------------
# le0: 192.168.31.0   Ext. ethernet
# nf0: 10.10.1.0      SAP network (DMZ)
# nf1: 192.168.38.0   Internal (trusted) network
#
#---------------------------------------------
#options noresolv
interfaces {
    interface le0 preference 0 down preference 120;
    interface nf0 preference 0 down preference 120;
    interface nf1 preference 0 down preference 120;
};
rip no;
snmp no;
ospf yes {
    defaults { };
    area 1010 {
        networks {
            192.168.0.0 mask 255.255.0.0;
            10.10.0.0 mask 255.255.0.0;
        };
        interface all {
            priority 2 ;
        };
    };
};

we have defined an area 1010 on the Cisco config. Any help would be greatly appreciated.
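The gated message Joe quotes is the receiving side of the OSPF Hello exchange rejecting the Cisco's Hello. The following is an added example, not code from the post, from gated or from Cisco: a parser for the OSPFv2 Hello layout of RFC 2328 (Appendix A.3.1 for the 24-byte header, A.3.2 for the Hello body) that applies the section 10.5 receive checks behind exactly this class of message: a neighbour's network mask, HelloInterval and RouterDeadInterval must equal those of the receiving interface, or the Hello is discarded and no adjacency forms, which is why a router can see only part of the area. It also shows why gated logs the configured "area 1010" as 0.0.3.242: an area ID is a 32-bit number that gated prints as a dotted quad. The neighbour's /24 mask and the local /16 are constructed to reproduce the mismatch; the post does not say what either side actually has, and the fix is to make the interface masks agree, not to change the area.

```python
import ipaddress
import struct

# RFC 2328 A.3.1: 24-byte OSPF header; A.3.2: 20-byte fixed Hello body,
# followed by one 4-byte Router ID per neighbour already heard from.
OSPF_HEADER = struct.Struct("!BBH4s4sHH8s")
OSPF_HELLO = struct.Struct("!4sHBBI4s4s")
OSPF_VERSION, OSPF_TYPE_HELLO = 2, 1

def _addr(raw):
    return str(ipaddress.IPv4Address(raw))

def area_id_to_dotted(area_id):
    """An OSPF area ID is a 32-bit number; gated prints it as an address,
    which is why 'area 1010' shows up in the log as 0.0.3.242."""
    return _addr(int(area_id))

def build_hello(router_id, area_id, mask, hello=10, dead=40, neighbors=()):
    """Construct a Hello as a test fixture. Checksum and authentication are
    left zero, so this is for parsing, not for putting on the wire."""
    body = OSPF_HELLO.pack(ipaddress.IPv4Address(mask).packed, hello, 0x02, 1,
                           dead, b"\0" * 4, b"\0" * 4)
    body += b"".join(ipaddress.IPv4Address(n).packed for n in neighbors)
    header = OSPF_HEADER.pack(OSPF_VERSION, OSPF_TYPE_HELLO,
                              OSPF_HEADER.size + len(body),
                              ipaddress.IPv4Address(router_id).packed,
                              ipaddress.IPv4Address(area_id).packed,
                              0, 0, b"\0" * 8)
    return header + body

def parse_hello(packet):
    """Decode header and Hello fields; ValueError for anything that is not a
    well-formed OSPFv2 Hello (the length field is never trusted blindly)."""
    body_end = OSPF_HEADER.size + OSPF_HELLO.size
    if len(packet) < body_end:
        raise ValueError("packet too short for a Hello")
    version, ptype, length, rid, area, _ck, _autype, _auth = OSPF_HEADER.unpack_from(packet, 0)
    if version != OSPF_VERSION or ptype != OSPF_TYPE_HELLO:
        raise ValueError("not an OSPFv2 Hello")
    if length > len(packet) or length < body_end or (length - body_end) % 4:
        raise ValueError("bad packet length %d" % length)
    mask, hello, _options, prio, dead, dr, bdr = OSPF_HELLO.unpack_from(packet, OSPF_HEADER.size)
    return {"router_id": _addr(rid), "area": _addr(area), "mask": _addr(mask),
            "hello_interval": hello, "dead_interval": dead, "priority": prio,
            "dr": _addr(dr), "bdr": _addr(bdr),
            "neighbors": [_addr(packet[i:i + 4]) for i in range(body_end, length, 4)]}

def check_hello(packet, local_mask, local_hello=10, local_dead=40):
    """The RFC 2328 10.5 receive checks that most often fail between vendors.
    Returns the mismatches; an empty list means the Hello would be accepted."""
    h = parse_hello(packet)
    problems = []
    if h["mask"] != local_mask:
        problems.append("netmask mismatch: neighbor %s, local %s" % (h["mask"], local_mask))
    if h["hello_interval"] != local_hello:
        problems.append("HelloInterval mismatch: neighbor %d, local %d"
                        % (h["hello_interval"], local_hello))
    if h["dead_interval"] != local_dead:
        problems.append("RouterDeadInterval mismatch: neighbor %d, local %d"
                        % (h["dead_interval"], local_dead))
    return problems

# Constructed: router 10.10.1.1 in area 1010 announces a /24 on the DMZ
# segment while the Sun's interface is configured as a /16.
SAMPLE_HELLO = build_hello("10.10.1.1", 1010, "255.255.255.0", neighbors=["10.10.1.2"])

if __name__ == "__main__":
    print("area 1010 logs as", area_id_to_dotted(1010))
    src = parse_hello(SAMPLE_HELLO)["router_id"]
    for problem in check_hello(SAMPLE_HELLO, "255.255.0.0"):
        print("HELLO from %s: %s" % (src, problem))
```

The mask comparison is skipped by the RFC only on point-to-point and virtual links; on a broadcast segment like the DMZ here every router must carry the same mask, so the check above is the one gated applied.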
thanks joe lopez joe_lopez@em.fcnbd.com From firewalls-owner Thu Oct 10 14:45:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA15097 for firewalls-outgoing; Thu, 10 Oct 1996 13:25:37 -0700 (PDT) Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA15034 for ; Thu, 10 Oct 1996 13:25:16 -0700 (PDT) Received: from Barbara's HP.us.checkpoint.com (barbara-pc) by us.checkpoint.com (5.x/SMI-SVR4) id AA03222; Thu, 10 Oct 1996 13:26:04 -0700 Message-Id: <325C0969.839@us.checkpoint.com> Date: Wed, 09 Oct 1996 13:22:01 -0700 From: "Barbara W. Jaarsma" Reply-To: barbara@us.checkpoint.com Organization: Checkpoint US Technical Support X-Mailer: Mozilla 3.0 (Win95; I) Mime-Version: 1.0 To: "bettez@telecom.hydro.qc.ca" Cc: firewalls@greatcircle.com Subject: Re: Firewall-1 query References: <199610100601.HAA08669@server1.mountcomp.co.uk> <325CE0CB.32AC@liebert.com> <325CFABD.1FDE@telecom.hydro.qc.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Jon - I agree. A firewall should be a firewall, not a multi-application server. If users have - or can gain - access to applications by any means that bypass the firewall security policy, your protection goes down the drain. Put your mail server elsewhere unless you know *exactly* what you're doing... -Barb bettez@telecom.hydro.qc.ca wrote: > > Jim Legg wrote: > > > > Jon Whitton wrote: > > > > > > I have been looking at firewall-1 as a security solution and have one > > > major query. > > > > > > It appears to work at the IP layer and basically allows or denys packets > > > depending on certain rules. (This is only from the Checkpoint web site.) > > > > > > My question is how does this secure say sendmail since sendmail will be > > > running directly on the firewall machine and not a proxy. 
> > > Surely if sendmail is running on the firewall then when (not if!) a new > > > bug is found in sendmail, this bug can just be exploited on the firewall. > > > > > > > Don't run sendmail on the firewall machine. Run something else (like > > smapd) to grab incoming mail. > > > > -jim- > > Or don't run sendmail at all. Put sendmail -q in your crontab to flush > queue mail. > _______________________________ > Jean-Sebastien Bettez > E:bettez@telecom.hydro.qc.ca From firewalls-owner Thu Oct 10 16:28:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA13601 for firewalls-outgoing; Thu, 10 Oct 1996 13:15:12 -0700 (PDT) Received: from vortexdata.com ([207.67.217.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA13577 for ; Thu, 10 Oct 1996 13:14:42 -0700 (PDT) Received: from smtpgate.vortexdata.com (smtpgate.vortexdata.com [207.67.217.6]) by vortexdata.com (8.6.12/8.6.12) with SMTP id LAA05473 for ; Wed, 9 Oct 1996 11:43:18 -0700 Received: from VORTEX-Message_Server by smtpgate.vortexdata.com with Novell_GroupWise; Thu, 10 Oct 1996 13:10:53 -0700 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Thu, 10 Oct 1996 13:11:38 -0700 From: Richard Gilman To: bhowell@snlnet.com Cc: firewalls@GreatCircle.COM, sazah@ibu.sj.nec.com, wombat@mcfeely.bsfs.org Subject: Re: Re[2]: Protocol Jumping -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You might try Novell's IPTUNNEL.NLM. It has some bugs but kinda works with some older NIC's. Don't try to sync your NDS with it though:-) Rich(running for cover) >>> Sunny Azah 10/10/96 10:52am >>> > > Thanks for the reply. > > We thought about IP to IP through a "hole" in the firewall, but we are > running cc:Mail on a Novell server running only IPX. The gateway runs > on NT using commercial software. 
Since we need to make the jump to IPX > somewhere along the way, it seems like the mail gateway PC is a good > place to do that. Rather than punch an IPX hole in the firewall (which > might be more obvious to exploit) we figured we could just sneak > around it. > > I'm just curious to know if anyone actually COULD make the protocol > and network jump on a dual homed NT 4.0 server. I'm guessing it would > be pretty tough. The NT 4.0 server would have to have software to make the translation from IPX to IP. I do not know if there is such a beast for NT. > > I think we will move the cc:Mail post office to an NT server running > IP and resolve the problem. > > -- sa. -------------------------------------------------------------------------- Sunny Azah - sazah@ibu.sj.nec.com Internet Business Unit, Home of the PrivateNet NEC Technologies, Inc. 110 Rio Robles San Jose, CA 95134 Tel:(408) 433-2161 FAX:(408) 433-1230 http://www.privatenet.nec.com -------------------------------------------------------------------------- From firewalls-owner Thu Oct 10 16:57:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA13734 for firewalls-outgoing; Thu, 10 Oct 1996 13:15:57 -0700 (PDT) Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA13588 for ; Thu, 10 Oct 1996 13:15:02 -0700 (PDT) Received: from Barbara's HP.us.checkpoint.com (barbara-pc) by us.checkpoint.com (5.x/SMI-SVR4) id AA02866; Thu, 10 Oct 1996 13:15:36 -0700 Message-Id: <325C06F5.7FAD@us.checkpoint.com> Date: Wed, 09 Oct 1996 13:11:33 -0700 From: "Barbara W. 
Jaarsma" Reply-To: barbara@us.checkpoint.com Organization: Checkpoint US Technical Support X-Mailer: Mozilla 3.0 (Win95; I) Mime-Version: 1.0 To: Brian Harvell Cc: Steve Kennedy , mprogers@state.ut.us, firewalls@GreatCircle.COM Subject: Re: CiscoSecure References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Brian - This is frustrating to everyone. But Merit chose to perform this function when no one else would tackle it because they found the logistics impossible - which, BTW, is extraordinarily valuable to a number of people. I know there's an RFC in the works - has been for a couple of years at least. Stand by, and we'll see standardization and/or certification as Merit-compliant. We may be a *lot* older, tho... :-) -Barb Brian Harvell wrote: > > > Folks - > > Merit's Radius is a compilation of all the zillions of proprietary > > implementations of Radius authentication code. > > > > Livingston, of course, is the original creator of Radius. > > > > Ascend's implementation is a proprietary implementation that Merit > > has "folded" into their conglomeration. > > > > Remember, though - that if you are using Merit's Radius, then you cannot > > get support from Livingston, or Ascend, or Cisco, or Wellfleet, or > > Checkpoint (when Radius support is released this year). You will be > > sent back to Merit, because originating companies have no control over > > their code or keyword re-definitions. On the other hand, if you are > > using specific implementations provided by specific companies - NOT > > Merit - support is generally provided as a matter of course. > > > > This is the part that pisses me off. They should all standardize. I heard that > Shiva's radius has some stuff that you can't get at with other > implementations. And the bad part is they sell this so you can't get the info > from them. 
>
> Brian
>
> Brian Harvell harvell@iNet.net http://www.iNet.net/~harvell
> echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc

From firewalls-owner Thu Oct 10 17:27:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA23144 for firewalls-outgoing; Thu, 10 Oct 1996 14:48:26 -0700 (PDT)
Received: from Arbitrade.COM (iafsrv.arbitrade.com [204.242.156.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA23134 for ; Thu, 10 Oct 1996 14:48:08 -0700 (PDT)
Received: from gordon.Arbitrade.COM (gordon.arbitrade.com [204.242.156.138]) by Arbitrade.COM (8.7.5/8.6.9) with ESMTP id QAA32160; Thu, 10 Oct 1996 16:49:35 -0500 (CDT)
Received: (from andrew@localhost) by gordon.Arbitrade.COM (SMI-8.6/8.6.9) id QAA02283; Thu, 10 Oct 1996 16:48:58 -0500
From: "Andrew A. Benson"
Message-Id: <199610102148.QAA02283@gordon.Arbitrade.COM>
Subject: Re: Checkpoint's LIE (was Re: ha firewalls)
To: west@tmoon.com
Date: Thu, 10 Oct 1996 16:48:58 -0500 (CDT)
Cc: firewalls-digest@GreatCircle.COM
In-Reply-To: <199610101844.LAA04173@miles.greatcircle.com> from "west@tmoon.com" at Oct 10, 96 12:47:50 pm
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> To reiterate, if you are running anything earlier than 2.0 you have only
> the ACK bit protecting your network. All this stuff about stateful
> packet filtering is baloney.
>
> Lastly, a financial institution here in my parts has also dumped
> Firewall-1. Seems that a consultant hired to disassemble the binary
> found some suspicious code and upon further investigation believes that
> it is a backdoor for specially formatted packets!

Got any proof? -- other than "go ahead! Run your own tests!"?

--
Andrew Benson
System & Network Administrator
andrew@arbitrade.com
Arbitrade, LLC

From firewalls-owner Thu Oct 10 17:42:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA26598 for firewalls-outgoing; Thu, 10 Oct 1996 15:10:32 -0700 (PDT)
Received: from cheops.anu.edu.au ([150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA26376 for ; Thu, 10 Oct 1996 15:09:47 -0700 (PDT)
Message-Id: <199610102209.PAA26376@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA191495342; Fri, 11 Oct 1996 08:09:02 +1000
From: Darren Reed
Subject: Re: Checkpoint's LIE (was Re: ha firewalls)
To: west@tmoon.com
Date: Fri, 11 Oct 1996 08:09:02 +1000 (EST)
Cc: Firewalls@GreatCircle.COM (Firewalls Mailing List)
In-Reply-To: <199610101844.LAA04173@miles.greatcircle.com> from "west@tmoon.com" at Oct 10, 96 12:47:50 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from west@tmoon.com, sie said:
[...]
> Way back on 7 October david.helms@checkpoint.com said:
> > I swear this is not an ad!
>
> > Take a look at the new announcement for FW-1 V3.0. It's on our web
> > site and was just released this morning.
>
> > http://www.checkpoint.com
>
> > V3.0 provides state-sharing, which allows multiple firewalls to
> > support the same connection. Fixes the Asymmetrical routing issue
> > and provides a high-availability solution as well.
>
> I just found out why Checkpoint has preannounced "state sharing" (it
> won't be available 'til the end of the year at best) ...
[...]

Seems like Checkpoint have joined in on the "vapourware" announcements. Whether by coincidence or not, all the "new items" that Checkpoint claim to be pioneering I've seen mentioned on various firewall related mailing lists, `recently'.
Unless they're doing their transparent proxying correctly (which people using Gauntlet/FWTK with it found out they weren't) then all the talk about Content Vectoring and URL scanning is more baloney.

Makes you wonder just how worthwhile that "Certified Firewall" seal is (you know the $20000 and you can join the club and yes we'll certify your firewall too).

From firewalls-owner Thu Oct 10 18:12:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA17187 for firewalls-outgoing; Thu, 10 Oct 1996 13:44:35 -0700 (PDT)
Received: from twins.cftnet.com (twins.cftnet.com [163.125.1.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA17169 for ; Thu, 10 Oct 1996 13:44:17 -0700 (PDT)
From: Kyle_Amon@jabil.com
Received: from mail.jabil.com (mail.jabil.com [163.125.33.5]) by twins.cftnet.com (8.8.0/8.6.4) with SMTP id QAA11250; Thu, 10 Oct 1996 16:38:56 -0400 (EDT)
Received: from [172.19.1.18] by mail.jabil.com id aa06140; 10 Oct 96 16:39 EDT
Received: from ccMail by apollo.jabil.com (IMA Internet Exchange 2.03 (Beta 4) Enterprise) id 0000F287; Thu, 10 Oct 96 16:39:50 -0400
Mime-Version: 1.0
Date: Thu, 10 Oct 1996 16:20:39 -0400
Message-ID: <0000F287.1880@jabil.com>
Subject: Re[2]: Sniffer detection.
To: vojin urosevic , firewalls@greatcircle.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Some Unix implementations allow arguments to the ifconfig command to alter the promiscuity of an interface, thus if you display the interface with ifconfig it will indicate whether it is in promiscuous mode or not. For example, here is a piece of the man page for ifconfig on Digital Unix (OSF/1):

     promisc    Sets the interface into promiscuous mode. This directs the
                network interface to receive all packets off the network,
                rather than just those packets directed to the host.

     -promisc   Disables the promiscuous mode of the interface. This is the
                default.

I think Solaris is one of the flavors that doesn't offer this.

Now, I know this isn't a "panacea, blah, blah..." but it's the fastest and easiest (as I originally said!) thing to check (when available).

Hope this helps. :)

Kyle

______________________________ Reply Separator _________________________________
Subject: Re: Sniffer detection.
Author: vojin urosevic at IE_StPeteB1
Date: 10/10/96 8:19 PM

Hello there!

to this question

> Hi!
> Does someone know how the ethernet sniffer can be detected.

you answered

> The quickest and easiest thing I know of is to use ifconfig to see if
> any of your NIC's are in promiscuous mode.

Could you please be more explicit?

regards
vojin

From firewalls-owner Thu Oct 10 18:41:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA01732 for firewalls-outgoing; Thu, 10 Oct 1996 15:54:14 -0700 (PDT)
Received: from pinky.junction.net ([199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA01615 for ; Thu, 10 Oct 1996 15:53:23 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id PAA23991; Thu, 10 Oct 1996 15:06:48 -0700
Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id PAA22384; Thu, 10 Oct 1996 15:48:13 -0700
Date: Thu, 10 Oct 1996 15:48:12 -0700 (PDT)
From: Michael Dillon
To: west@tmoon.com
cc: firewalls-digest@GreatCircle.COM
Subject: Re: Checkpoint's LIE (was Re: ha firewalls)
In-Reply-To: <199610101844.LAA04173@miles.greatcircle.com>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 10 Oct 1996 west@tmoon.com wrote:

> I'm dumping my Firewall-1.
> Any company that can blatantly lie about
> providing some security mechanism (stateful packet filtering - patent
> pending no less) and actually not provide it is not a company who I want
> to depend on to secure my network.

> Lastly, a financial institution here in my parts has also dumped
> Firewall-1. Seems that a consultant hired to dissassemble the binary
> found some suspicious code and upon further investigation believes that
> it is a backdoor for specially formatted packets!
>
> Can anyone recommend a "good" firewall?

Yes. Source code. Just ask all vendors you are considering whether or not they supply source code. If they don't then they are a pack of liars, thieves, CIA double agents, evil hackers and vile disgusting dregs of humanity.

TIS Gauntlet supplies source code
http://www.tis.com/docs/products/gauntlet/index.html

The TIS firewalls toolkit is also freely usable source code as long as you don't set it up for somebody else without contacting TIS about licencing.

For a firewalls company, what are the cons against distributing source code? Well, the first one is that there are no secrets. Do you want to trust a security company that has secrets? Secrets can hide weaknesses you know.

Well, another con is that some other company could steal the code and sell it as their own firewall software. Assuming this evil thief does not supply source code, how would you ever know anyway? But if everybody distributed source code then anyone who steals someone else's code is unable to hide the fact. Therefore if they don't supply source they are a pack of liars, thieves, CIA double agents, evil hackers and vile disgusting dregs of humanity.

Hmmm... but the competition could steal the ideas and implement it in their own source! That's right, they could. Is this bad? If you know of a better way to secure systems are you going to keep this secret from everybody else so that their systems are not secure?

This is a cynical vile and evil attack on those other people who think they are secure but really are not.

Trust begins with openness. Trust begins with no secrets. If a company is not open and above board with you, don't give them your money.

Note that I know nothing about Checkpoint and Firewall-1 and therefore have no opinion on the company or its products except that if they don't supply source code then they are a pack of liars, thieves, CIA double agents, evil hackers and vile disgusting dregs of humanity.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

From firewalls-owner Thu Oct 10 18:45:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA01252 for firewalls-outgoing; Thu, 10 Oct 1996 15:50:21 -0700 (PDT)
Received: from isl.sri.com (sheffield.isl.SRI.COM [128.18.23.46]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA01200 for ; Thu, 10 Oct 1996 15:49:55 -0700 (PDT)
Received: from babylon by isl.sri.com (SMI-8.6/SMI-SVR4) id PAA20300; Thu, 10 Oct 1996 15:49:20 -0700
Received: from [128.18.23.66] by babylon (SMI-8.6/SMI-SVR4) id PAA23641; Thu, 10 Oct 1996 15:48:53 -0700
X-Sender: terry@128.18.23.46
Message-Id:
In-Reply-To: <199610101844.LAA04173@miles.greatcircle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 10 Oct 1996 15:43:42 -0700
To: west@tmoon.com
From: Terry Bernstein
Subject: Re: Checkpoint's LIE (was Re: ha firewalls)
Cc: firewalls-digest@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't know for sure, but I don't think Checkpoint lied about anything. In all the research I've done on firewalls and the market -- which is quite a lot BTW, I've never heard of anyone claiming to maintain the state of TCP connections.
I'm not really sure I see why you even need to do that in most cases, except perhaps to avoid a DOS attack. At any rate, I believe Checkpoint simply claimed that they used the state machine feature to handle UDP packets. Do you have any literature from Checkpoint in which they claim to use state for TCP packet streams -- I've read almost everything they've put out and don't recall ever seeing this.

-- terry --

At 12:47 PM -0700 10/10/96, west@tmoon.com wrote:
>I guess I lost a little bit of the text on that last message. Here it
>is again.
>
>Way back on 7 October david.helms@checkpoint.com said:
>> I swear this is not an ad!
>
>> Take a look at the new announcement for FW-1 V3.0. It's on our web
>> site and was just released this morning.
>
>> http://www.checkpoint.com
>
>> V3.0 provides state-sharing, which allows multiple firewalls to
>> support the same connection. Fixes the Asymmetrical routing issue
>> and provides a high-availability solution as well.
>
>
>I just found out why Checkpoint has preannounced "state sharing" (it
>won't be available 'til the end of the year at best) ...
>
>Up until Firewall-1 2.0, it wasn't really a stateful packet filter.
>It maintained some state for UDP but for TCP connections IT DID NOTHING
>MORE THAN CHECK FOR THE ACK BIT BEING SET ON INBOUND CONNECTIONS!!!!!
>
>
>Anyone running Firewall-1 1.2 has no better protection for TCP
>connections than a simple packet filter checking ACK bits for inbound
>packets. Checkpoint has been lying about its true functionality and
>capabilities!!!
>
>In version 2 they FINALLY seem to have added state for tcp connections.
>
>
>The reason I found this was because I had been running 2 Firewall-1
>systems in parallel using version 1.2 and everything worked just fine.
>I upgraded to version 2.0 and suddenly it stopped working. After doing
>some investigation I found out that it worked with version 1.2 because
>all of the inbound packets had the ACK bit set and were therefore not
>checked and just passed on.
>
>In 2.0 there seems to be some added checking and therefore these packets
>don't get passed on. I was told that in order for my set up to work I
>need to have state sharing and to wait for version 3.0, which may or may
>not be out by the end of the year. NO THANKS!
>
>I'm dumping my Firewall-1. Any company that can blatantly lie about
>providing some security mechanism (stateful packet filtering - patent
>pending no less) and actually not provide it is not a company who I want
>to depend on to secure my network.
>
>To reiterate, if you are running anything earlier than 2.0 you have only
>the ACK bit protecting your network. All this stuff about stateful
>packet filtering is baloney.
>
>Lastly, a financial institution here in my parts has also dumped
>Firewall-1. Seems that a consultant hired to disassemble the binary
>found some suspicious code and upon further investigation believes that
>it is a backdoor for specially formatted packets!
>
>Can anyone recommend a "good" firewall?
>
>Eric

----------
Terry Bernstein
SRI Consulting
Consultant, Information Technology
333 Ravenswood Ave
Menlo Park, CA 94025
terry_bernstein@sri.com
http://www.ice.sri.com/~terry
415-859-4136
Fax: 415-859-5092

From firewalls-owner Thu Oct 10 19:36:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA10268 for firewalls-outgoing; Thu, 10 Oct 1996 17:00:58 -0700 (PDT)
Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA10049 for ; Thu, 10 Oct 1996 17:00:04 -0700 (PDT)
Received: (from lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) id UAA04427; Thu, 10 Oct 1996 20:00:10 -0400
Date: Thu, 10 Oct 1996 20:00:09 -0400 (EDT)
From: Todd Graham Lewis
To: Joe Loiacono
cc: iceman , firewalls@GreatCircle.COM
Subject: Re: NT Firewalls
In-Reply-To: <325D54BA.53D3@csc.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 10 Oct 1996, Joe Loiacono wrote:

> I've heard that M$ NT has passed US government accreditation at security
> level C2. Perhaps it _is_ a relatively secure OS....

I never understood the reasoning behind valuing Orange-Book certification. Why do you think a C2 rating is important, pray tell?

__
Todd Graham Lewis Linux! Core Engineering Mindspring Enterprises tlewis@minds
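Added example, not part of Kyle's or anyone else's post in the "Sniffer detection" exchange above: a small parser that performs the ifconfig check Kyle describes over captured output rather than by eye, handling both the BSD-derived `flags=<hex><NAME,...>` style (Digital Unix, Solaris, the BSDs) and the Linux net-tools style. The sample listings are constructed, not taken from a real host, and IFF_PROMISC is assumed to be 0x100 as in the BSD and Linux headers. Kyle's own caveat stands: this only reports what the host's tools say, so a sniffer on another machine, or a trojaned ifconfig that rewrites the whole line, will not show up; the hex-versus-name cross-check only catches a tool that strips the word but leaves the number alone.

```python
# Added example (not from the thread): parse ifconfig output for PROMISC.
# Sample output below is constructed; IFF_PROMISC = 0x100 is the BSD/Linux
# value and is assumed for the Digital Unix style as well.
import re

IFF_PROMISC = 0x100

# BSD-derived style: "ln0: flags=8163<UP,BROADCAST,...,PROMISC,MULTICAST> mtu 1500"
BSD_LINE = re.compile(
    r"^(?P<ifname>[^\s:]+):\s+flags=(?P<hexflags>[0-9a-fA-F]+)<(?P<names>[^>]*)>")
# Linux net-tools style: "eth0  Link encap:..." then an indented line of
# bare flag words that ends in "MTU:1500  Metric:1"
LINUX_HEAD = re.compile(r"^(?P<ifname>[^\s:]+)\s+Link encap:")
LINUX_FLAGS = re.compile(r"^\s+(?P<names>(?:[A-Z]+\s+)+)MTU:\d+")


def parse_ifconfig(text: str) -> dict:
    """Return {ifname: {"names": set of flag words, "hex": int or None}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = BSD_LINE.match(line)
        if m:
            names = {n for n in m["names"].split(",") if n}
            result[m["ifname"]] = {"names": names, "hex": int(m["hexflags"], 16)}
            current = None
            continue
        m = LINUX_HEAD.match(line)
        if m:
            current = m["ifname"]
            result[current] = {"names": set(), "hex": None}
            continue
        m = LINUX_FLAGS.match(line)
        if m and current:
            result[current]["names"].update(m["names"].split())
    return result


def promiscuous_interfaces(text: str) -> list:
    """Interfaces that report PROMISC, by flag word or by the flag bit."""
    found = []
    for ifname, info in parse_ifconfig(text).items():
        by_name = "PROMISC" in info["names"]
        by_bit = info["hex"] is not None and bool(info["hex"] & IFF_PROMISC)
        if by_name or by_bit:
            found.append(ifname)
    return sorted(found)


def inconsistent_interfaces(text: str) -> list:
    """BSD-style entries where the hex word and the name list disagree about
    PROMISC. A tool patched to drop the word but not the bit lands here."""
    bad = []
    for ifname, info in parse_ifconfig(text).items():
        if info["hex"] is None:
            continue
        if ("PROMISC" in info["names"]) != bool(info["hex"] & IFF_PROMISC):
            bad.append(ifname)
    return sorted(bad)


# Constructed samples. 0x8163 = UP|BROADCAST|NOTRAILERS|RUNNING|PROMISC|MULTICAST
SAMPLE_BSD = """\
ln0: flags=8163<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> mtu 1500
        inet 10.0.0.5 netmask ffffff00 broadcast 10.0.0.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 1536
        inet 127.0.0.1 netmask ff000000
tu0: flags=8063<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
"""
# Same host, but the tool has been patched to hide the word and not the bit.
SAMPLE_PATCHED = """\
ln0: flags=8163<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
"""
SAMPLE_LINUX = """\
eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:10.0.0.6  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
"""

if __name__ == "__main__":
    for label, sample in (("bsd", SAMPLE_BSD), ("patched", SAMPLE_PATCHED),
                          ("linux", SAMPLE_LINUX)):
        print(label, "promisc:", promiscuous_interfaces(sample),
              "inconsistent:", inconsistent_interfaces(sample))
```

Feed it `ifconfig -a` output piped from the host in question; an empty result means only that the host's own ifconfig reports no promiscuous interface, which is the limit Kyle points out.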
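Added example, not from the thread and not Check Point's code: toy models of the two inbound-TCP policies Eric contrasts in the quoted message above, an ACK-bit-only check and a connection table, run against a crafted probe and against his two-firewalls-in-parallel set-up. The addresses are constructed (RFC 1918 and RFC 5737 ranges), the classes model the policies as the thread describes them rather than any product, and the shared-table variant models what a "state sharing" feature would have to provide for the asymmetric-routing case.

```python
# Added example (not from any post): the ACK-bit policy versus a connection
# table, in toy form. Addresses are constructed; nothing here is product code.
from dataclasses import dataclass

SYN, ACK, RST = 0x02, 0x10, 0x04   # TCP flag bits


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def has(flags: int, bit: int) -> bool:
    return flags & bit == bit


class AckBitFilter:
    """Stateless policy: pass an inbound segment whenever ACK is set, on the
    assumption that only replies to inside-initiated connections carry ACK.
    Nothing about outbound traffic is remembered."""

    def __init__(self, shared_table=None):
        pass  # argument accepted only so it is interchangeable with StatefulFilter

    def outbound(self, seg: Segment) -> bool:
        return True

    def inbound(self, seg: Segment) -> bool:
        return has(seg.flags, ACK)


class StatefulFilter:
    """Connection-tracking policy: an outbound SYN creates a table entry and an
    inbound segment passes only as the reverse direction of an entry. Handing
    the same table object to two instances models 'state sharing'."""

    def __init__(self, shared_table=None):
        self.table = shared_table if shared_table is not None else set()

    def outbound(self, seg: Segment) -> bool:
        if has(seg.flags, SYN) and not has(seg.flags, ACK):   # new connection
            self.table.add((seg.src, seg.sport, seg.dst, seg.dport))
        return True

    def inbound(self, seg: Segment) -> bool:
        key = (seg.dst, seg.dport, seg.src, seg.sport)       # reverse direction
        if key not in self.table:
            return False
        if has(seg.flags, RST):                               # peer tore it down
            self.table.discard(key)
        return True


INSIDE, OUTSIDE, ATTACKER = "10.0.0.5", "198.51.100.7", "203.0.113.9"


def crafted_ack_probe(filter_cls) -> bool:
    """An outside host sends an inbound segment with ACK set to an inside port
    no inside host ever connected out from. True means it got through."""
    fw = filter_cls()
    return fw.inbound(Segment(ATTACKER, 40000, INSIDE, 139, ACK))


def single_firewall(filter_cls) -> bool:
    """Control case: the reply returns through the firewall that saw the SYN."""
    fw = filter_cls()
    fw.outbound(Segment(INSIDE, 4321, OUTSIDE, 80, SYN))
    return fw.inbound(Segment(OUTSIDE, 80, INSIDE, 4321, SYN | ACK))


def parallel_firewalls(filter_cls, share_state: bool) -> bool:
    """Eric's set-up: two firewalls in parallel with asymmetric routing. The
    SYN leaves via fw_a and the SYN/ACK comes back via fw_b, which never saw
    the SYN. True means the reply got through."""
    table = set() if share_state else None
    fw_a, fw_b = filter_cls(table), filter_cls(table)
    fw_a.outbound(Segment(INSIDE, 4321, OUTSIDE, 80, SYN))
    return fw_b.inbound(Segment(OUTSIDE, 80, INSIDE, 4321, SYN | ACK))


if __name__ == "__main__":
    for cls in (AckBitFilter, StatefulFilter):
        print(f"{cls.__name__:15} probe={crafted_ack_probe(cls)} "
              f"single={single_firewall(cls)} "
              f"parallel={parallel_firewalls(cls, False)} "
              f"parallel+shared={parallel_firewalls(cls, True)}")
```

The two behaviours Eric reports fall out of the same property: the ACK-bit filter lets his asymmetric set-up work because it lets any ACK-bearing segment through, including the crafted probe, while the connection table refuses both until the second firewall is given the first one's state.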