From firewalls-owner Tue Oct 1 01:26:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA17916 for firewalls-outgoing; Tue, 1 Oct 1996 00:49:37 -0700 (PDT)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id AAA17905 for firewalls@greatcircle.com; Tue, 1 Oct 1996 00:49:30 -0700 (PDT)
Received: from ren.netconnect.com.au (ren.netconnect.com.au [203.7.198.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA02419 for ; Mon, 30 Sep 1996 21:24:27 -0700 (PDT)
Received: (from kaw@localhost) by ren.netconnect.com.au (8.7.6/8.7.6) id OAA23029; Tue, 1 Oct 1996 14:24:46 +1000
Date: Tue, 1 Oct 1996 14:24:46 +1000 (EST)
From: Kylie Winnell
To: firewalls@greatcircle.com
Subject: Help with ipfwadm
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I'm trying to implement a firewall using ipfwadm and desperately require some help. Are there any examples/documentation for ipfwadm anywhere? Or could someone who has managed to get a firewall working please contact me?

Thanks in advance for any help!

Regards,
Kylie

From firewalls-owner Tue Oct 1 01:41:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA22258 for firewalls-outgoing; Tue, 1 Oct 1996 01:31:43 -0700 (PDT)
Received: from gate.lcn.nl (mail.lcn.nl [195.108.51.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA22240 for ; Tue, 1 Oct 1996 01:31:33 -0700 (PDT)
Received: from ge (d1.lcn.nl [195.108.51.129]) by gate.lcn.nl (8.6.12/8.6.12) with SMTP id JAA13313 for ; Tue, 1 Oct 1996 09:23:14 +0100
Message-Id: <1.5.4.32.19961001083157.0090cad8@mail.lcn.nl>
X-Sender: gedigest@mail.lcn.nl
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 01 Oct 1996 10:31:57 +0200
To: firewalls@greatcircle.com
From: "Ge' Weijers"
Subject: Re: SOLARIS x86 as firewall platform? - summary so far.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As ever it's a case of 'you get what you pay for'. I've got an NT server sitting here built by Intel Ireland, Pentium 166 with 64Mb, pipeline burst cache and 12.5 GB net RAID 5 disk configuration. It's quite a bit faster than our SS5, but then it cost more, about $15K. A SS5 that has a similar disk configuration would be a lot more expensive, though.

Ge'
----------------------------------------------------
Ge' Weijers            E-mail: g.weijers@lcn.nl
LCN                    Tel. +31-24-3238130
P.O. Box 1408          Fax. +31-24-3238074
6501 BK Nijmegen
the Netherlands

From firewalls-owner Tue Oct 1 02:27:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA29728 for firewalls-outgoing; Tue, 1 Oct 1996 02:13:57 -0700 (PDT)
Received: from rauteg.rau.ac.za (rauteg.rau.ac.za [152.106.1.53]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA29687 for ; Tue, 1 Oct 1996 02:13:34 -0700 (PDT)
Received: from ing1.rau.ac.za (ing1.rau.ac.za [152.106.20.241]) by rauteg.rau.ac.za (8.6.11/8.6.9) with ESMTP id LAA15822 for ; Tue, 1 Oct 1996 11:32:22 +0200
Received: from ING1/SpoolDir by ing1.rau.ac.za (Mercury 1.21); 1 Oct 96 11:14:19 GMT+2
Received: from SpoolDir by ING1 (Mercury 1.21); 1 Oct 96 11:13:53 GMT+2
Received: from tetonka.rau.ac.za by ing1.rau.ac.za (Mercury 1.21); 1 Oct 96 11:13:46 GMT+2
From: "Marius Groenewald"
To: "firewalls@greatcircle.com"
Date: Tue, 01 Oct 96 11:14:09
Reply-To: "Marius Groenewald"
X-Mailer: Sloet Sloet's Registered PMMail 1.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Mailing list
Message-ID: <15366E50B9@ing1.rau.ac.za>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Could someone please remove mlg@ing1.rau.ac.za and mlg@eng.rau.ac.za from the mailing list.
I don't want to receive any more news from firewalls@greatcircle.com

Thanks

From firewalls-owner Tue Oct 1 03:25:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA04733 for firewalls-outgoing; Tue, 1 Oct 1996 03:23:30 -0700 (PDT)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id DAA04717 for ; Tue, 1 Oct 1996 03:23:22 -0700 (PDT)
Received: from martin_d.ins.com ([206.98.131.200]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id DAA13923; Tue, 1 Oct 1996 03:22:28 -0700 (PDT)
Message-Id: <2.2.32.19961001102234.00693350@lexicon.ins.com>
X-Sender: martin_d@lexicon.ins.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 01 Oct 1996 06:22:34 -0400
To: Kogulapalan
From: Darwin Martinez
Subject: Re: Checkpoint
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Earlier versions of FW-1 were not VPN/DES compatible. Later versions (2.0c and later) are available with VPN/DES. From at least 2.0, NAT is available.

At 10:01 AM 10/1/96 -0800, you wrote:
>Folks,
>
> A quick question ;) Hope to get answers :)
>
> 1) Does the Checkpoint Firewall-1 that comes with SUN have the
>capabilities of doing VPN ???
>
> 2) Does the Checkpoint Firewall-1 that comes with SUN have the
>capabilities of doing NAT ???
>
> That's all. Thanks.
>
>Regards,
>PaLaN
>palan@mailhost.net
>
>" Hack From The Rich and Download To The Poor "
>
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Darwin L. Martinez, NSE              Email: darwin_martinez@ins.com
Atlanta Office                       Client: 404-843-5954
International Network Services       Pager: 1-800-INS-1-INS
"Providing the power of operable networks"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

From firewalls-owner Tue Oct 1 03:56:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA05582 for firewalls-outgoing; Tue, 1 Oct 1996 03:40:59 -0700 (PDT)
Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA05537 for ; Tue, 1 Oct 1996 03:40:42 -0700 (PDT)
From: dehtpnmk@ibmmail.com
Message-Id: <199610011040.DAA05537@miles.greatcircle.com>
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 3526; Tue, 01 Oct 96 06:19:49 EDT
Date: Tue, 01 Oct 1996 05:07:22 EDT
To: FIREWALLS@GREATCIRCLE.COM
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
From: Amadeus Forums AT MUCVM1
Organization: AMADEUS Global travel - Erding - DE
Subject: FW-1 accounting.

Amadeus FORUMS for DAVID BLACK : private replies to:

We wish to install the NETSCAPE proxy server with FW-1, both for caching and accounting. We also want to use CLIENT AUTHENTICATION and NAT. Will our accounting data be able to give us records showing complete connections, ie: can we account from a user's PC all the way to an INTERNET host, or does NAT interfere with the IP packets in such a way as to disable this??
Thanks,
Dave Black
System Programmer, Amadeus Global Travel, Munich, Germany
osg023@mucvm1, dehtpz79@ibmmail.com, (49) 8122-43-5795 fax(3260)

From firewalls-owner Tue Oct 1 04:11:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA05752 for firewalls-outgoing; Tue, 1 Oct 1996 03:43:12 -0700 (PDT)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA05723 for ; Tue, 1 Oct 1996 03:42:55 -0700 (PDT)
Received: from pferguso-pc.cisco.com (dhcp-restontel-84.cisco.com [171.68.52.84]) by diablo.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id DAA21907; Tue, 1 Oct 1996 03:42:23 -0700
Message-Id: <2.2.32.19961001104224.007629f0@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 01 Oct 1996 06:42:24 -0400
To: Kim Sung Ro
From: Paul Ferguson
Subject: Re: Subnetting Class C Network
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Actually, point your web browser instead at:

http://cio.cisco.com/warp/public/105/11.html

You can use IP subnet 0 if you use the global command 'ip subnet zero' within a cisco router. Use of the all-1's subnet has always been permissible.

- paul

At 02:11 PM 10/1/96 +0900, Kim Sung Ro wrote:
>
>In http://cio.cisco.com/warp/public/701/3.html, All 0's or 1's in
>network part can't be used.
>So if you subnet C class with 255.255.255.192, the number of effective
>network is 2 I think.
>In default network, We can't use 0 and 255 number as network number.
>For example for A class, the first byte of IP address can't be 0 or 255.
>So if you subnet C class with 255.255.255.192 (use 2 bits), 00 and 11
>can't be used for subnetting bits.
>

--
Paul Ferguson                ||        ||
Consulting Engineering       ||        ||
Reston, Virginia USA        ||||      ||||
tel: +1.703.716.9538    ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com   c i s c o S y s t e m s

From firewalls-owner Tue Oct 1 04:25:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA07552 for firewalls-outgoing; Tue, 1 Oct 1996 04:06:44 -0700 (PDT)
Received: from dax.sai.com (dax.sai.com [207.95.117.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA07505 for ; Tue, 1 Oct 1996 04:06:30 -0700 (PDT)
Received: from dax.sai.com by dax.sai.com with smtp (Smail3.1.29.1 #2) id m0v82eA-003pMVC; Tue, 1 Oct 96 07:05 EDT
Date: Tue, 1 Oct 1996 07:05:54 -0400 (EDT)
From: Darryl Wagoner
To: Kim Sung Ro
cc: Harry Feltsadas , firewalls@GreatCircle.COM
Subject: Re: Subnetting Class C Network
In-Reply-To: <3250A81A.58E8@164.124.1.108>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 1 Oct 1996, Kim Sung Ro wrote:

> Harry Feltsadas wrote:
> >
> >
> In http://cio.cisco.com/warp/public/701/3.html, All 0's or 1's in
> network part can't be used.
> So if you subnet C class with 255.255.255.192, the number of effective
> network is 2 I think.
> In default network, We can't use 0 and 255 number as network number.
> For example for A class, the first byte of IP address can't be 0 or 255.
> So if you subnet C class with 255.255.255.192 (use 2 bits), 00 and 11
> can't be used for subnetting bits.

That is the way that I understood it myself, but I have seen providers use all the networks. It really surprised me.

--
Darryl Wagoner  darryl@sai.com  http://www.sai.com/
Office: 603.672.0736  Fax: 603-672-4846
Beware of self-styled experts: an ex is a has-been, and a spurt is a drip under pressure.
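The subnet arithmetic argued over in this thread (which /26 blocks exist inside a class C, and whether subnet zero and the all-ones subnet are usable) as an added example, not code from any of the posters: a general IPv4 subnet calculator in C. Unlike the class-C-only program posted later in the thread, it takes any prefix length, computes network, broadcast and usable host range by masking, and flags subnet zero and the all-ones subnet rather than silently skipping them, since RFC 1878 permits both where the routing protocol carries the mask. The function names (parse_ipv4, subnet_info, enumerate_subnets) and the sample block 192.168.1.0/24 are my own choices, not anything from the list.

```c
/* Added example: general IPv4 subnet calculator (any prefix length).
 * Not code from the mailing list; names and sample values are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

struct subnet {
    uint32_t network, broadcast, first_host, last_host;
    int prefix;
    int is_zero_or_allones;   /* subnet zero or all-ones within the classful net */
};

/* Parse a dotted quad into a host-order 32-bit value; 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned int b[4];
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &b[0], &b[1], &b[2], &b[3], &extra) != 4)
        return 0;
    for (int i = 0; i < 4; i++)
        if (b[i] > 255) return 0;
    *out = (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3];
    return 1;
}

uint32_t prefix_mask(int prefix)
{
    if (prefix <= 0) return 0;
    if (prefix >= 32) return 0xffffffffu;
    return 0xffffffffu << (32 - prefix);
}

/* Classful prefix of an address (A=8, B=16, C=24); -1 for class D/E. */
int classful_prefix(uint32_t addr)
{
    unsigned first = addr >> 24;
    if (first < 128) return 8;
    if (first < 192) return 16;
    if (first < 224) return 24;
    return -1;
}

/* Fill in the subnet that contains addr at the given prefix; 0 on bad prefix. */
int subnet_info(uint32_t addr, int prefix, struct subnet *sn)
{
    if (prefix < 0 || prefix > 32) return 0;
    uint32_t mask = prefix_mask(prefix);
    sn->prefix = prefix;
    sn->network = addr & mask;
    sn->broadcast = sn->network | ~mask;
    if (prefix >= 31) {               /* /31 and /32 have no separate host range */
        sn->first_host = sn->network;
        sn->last_host = sn->broadcast;
    } else {
        sn->first_host = sn->network + 1;
        sn->last_host = sn->broadcast - 1;
    }
    /* Flag subnet zero / all-ones: the subnet bits between the classful
     * boundary and the prefix are all 0 or all 1. */
    int cp = classful_prefix(addr);
    sn->is_zero_or_allones = 0;
    if (cp > 0 && prefix > cp) {
        uint32_t sbits = (sn->network & ~prefix_mask(cp)) >> (32 - prefix);
        uint32_t all_ones = (1u << (prefix - cp)) - 1;
        if (sbits == 0 || sbits == all_ones)
            sn->is_zero_or_allones = 1;
    }
    return 1;
}

void format_ipv4(uint32_t a, char *buf, size_t n)
{
    snprintf(buf, n, "%u.%u.%u.%u", a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
}

/* Enumerate every /prefix subnet inside block/block_prefix; returns the count. */
int enumerate_subnets(uint32_t block, int block_prefix, int prefix, int verbose)
{
    if (block_prefix < 0 || prefix > 32 || prefix < block_prefix) return 0;
    uint64_t step = 1ull << (32 - prefix);
    uint64_t span = 1ull << (32 - block_prefix);
    uint32_t base = block & prefix_mask(block_prefix);
    int count = 0;
    for (uint64_t off = 0; off < span; off += step) {
        struct subnet sn;
        char net[16], bc[16], lo[16], hi[16];
        subnet_info(base + (uint32_t)off, prefix, &sn);
        count++;
        if (!verbose) continue;
        format_ipv4(sn.network, net, sizeof net);
        format_ipv4(sn.broadcast, bc, sizeof bc);
        format_ipv4(sn.first_host, lo, sizeof lo);
        format_ipv4(sn.last_host, hi, sizeof hi);
        printf("%s/%d  broadcast %s  hosts %s-%s%s\n", net, prefix, bc, lo, hi,
               sn.is_zero_or_allones ? "  (subnet zero/all-ones: needs classless routing)" : "");
    }
    return count;
}

int main(int argc, char *argv[])
{
    uint32_t block;
    if (argc != 4 || !parse_ipv4(argv[1], &block)) {
        fprintf(stderr, "Usage: subnet block block_prefix subnet_prefix\n"
                        "Example: subnet 192.168.1.0 24 26\n");
        return 1;
    }
    return enumerate_subnets(block, atoi(argv[2]), atoi(argv[3]), 1) > 0 ? 0 : 1;
}
```

Run as `subnet 192.168.1.0 24 26` to list the four /26 subnets of that block. The .0 and .192 subnets are printed with a note rather than omitted: on a network running a classless protocol (or a Cisco router with `ip subnet zero`, as Paul Ferguson says above) they are ordinary subnets, and a calculator that hides them makes an address plan look smaller than it is.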
From firewalls-owner Tue Oct 1 04:56:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA09597 for firewalls-outgoing; Tue, 1 Oct 1996 04:39:22 -0700 (PDT)
Received: from eci-esyst.com (callisto.eci-esyst.com [205.129.215.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA09572 for ; Tue, 1 Oct 1996 04:38:56 -0700 (PDT)
Received: by eci-esyst.com (4.1/SMI-4.1) id AA22327; Tue, 1 Oct 96 07:35:52 EDT
Received: from www.eci-esyst.com(198.135.69.2) by callisto.eci-esyst.com via smap (V1.3) id sma022318; Tue Oct 1 07:35:30 1996
Received: from callisto (rodney.eci.esys.com) by eci.esys.com (4.1/SMI-4.1) id AA11017; Tue, 1 Oct 96 07:33:14 EDT
Received: from qmgate.eci-esyst.com by callisto (4.1/SMI-4.1) id AA23415; Tue, 1 Oct 96 07:35:32 EDT
Message-Id:
Date: 1 Oct 1996 07:35:37 -0400
From: "Jerry Edmiston"
Subject: FTP and TELNET Authenticati
To: "firewalls greatcircle"
X-Mailer: Mail*Link SMTP-QM 3.0.2
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; Name="Message Body"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Subject:                               Time: 7:13 AM
OFFICE MEMO  FTP and TELNET Authentication   Date: 10/1/96

I have a CyberGuard firewall. I run Telnet and FTP proxies that authenticate the request at the firewall and then pass it through. My Sun station has no problem, but our FTP/TELNET clients on our MACs and PCs do not support this authentication... ie multiple passwords to reach its destination (a password at the f/w and again at the server in question).

Does anyone have any suggestions for a Telnet/FTP client on MACs and PCs that will support authentication through our f/w... thanks in advance... Jerry... jle9@eci-esyst.com

From firewalls-owner Tue Oct 1 05:27:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA12577 for firewalls-outgoing; Tue, 1 Oct 1996 05:11:02 -0700 (PDT)
Received: from rssi.rssi.com (RSSI.COM [198.3.220.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA12520 for ; Tue, 1 Oct 1996 05:10:43 -0700 (PDT)
Received: from rapid.rssi.com (rapid [198.3.220.2]) by rssi.rssi.com (8.7.6/8.7.3) with ESMTP id IAA17595 for ; Tue, 1 Oct 1996 08:12:07 -0400 (EDT)
From: Brad VanOrden
Received: (from bvvanor@localhost) by rapid.rssi.com (8.7.6/8.7.3) id IAA07614 for firewalls@GreatCircle.COM; Tue, 1 Oct 1996 08:11:15 -0400 (EDT)
Date: Tue, 1 Oct 1996 08:11:15 -0400 (EDT)
Message-Id: <199610011211.IAA07614@rapid.rssi.com>
To: firewalls@GreatCircle.COM
Subject: RE: NT Security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think you are missing the point of C2. It is not meant that if a box is rated C2 that it is invulnerable. Rather, it is a philosophy of how you are going to administer the system. The main points of C2 are that there are not any group logins allowed and that all transactions are logged.

No group logins means you do not share your password. The system can't enforce that. It's a people thing. Will your users abide by it?

The fact that all transactions are logged allows an administrator to find out who did what to the system (again, assuming the users aren't sharing their passwords).

C2 is simply an accountability measure. It does not prevent anything. I would rather have a system that has been certified C2 compliant because it gives me better assurance I can find out what happened on my system (if something does happen).

My $0.02 worth.

Brad Van Orden
Rapid Systems Solutions, a BSG company

>C2 security seems basically worthless. You can't have any network, and if
>a perpetrator has physical access to the machine, he/she can just boot
>off a floppy to read your files.
>
>So, if you can't use it with a network as a file server, and if it's
>easily compromised with physical access to the machine, what is a
>practical example of where C2 is actually useful?
>
>Keith McCammon
>Asymetrix Corp
>*Opinions my own*
>
>
>On Wed, 25 Sep 1996, Joseph S. D. Yao wrote:
>
>> Much has been made of NT's "C2" certification. I've heard that it was
>> certified without the standard NT file system; and with that file
>> system, it can't be certified. Beware.
>
> It will only comply with C2 standards if you are using the NTFS file
>system (not FAT or HPFS) and, of course, as a stand-alone machine after
>service pack X (7?) is applied with some other holes closed.

From firewalls-owner Tue Oct 1 05:41:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA15005 for firewalls-outgoing; Tue, 1 Oct 1996 05:31:03 -0700 (PDT)
Received: from trex.netrex.com (trex.netrex.com [206.253.226.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA14961 for ; Tue, 1 Oct 1996 05:30:48 -0700 (PDT)
Received: from foghorn.netrex.com (foghorn [206.253.226.10]) by trex.netrex.com (8.7.6/8.7.3) with SMTP id IAA28301; Tue, 1 Oct 1996 08:29:59 -0400 (EDT)
Message-Id: <3.0b28.32.19961001082525.006e77d8@trex.netrex.com>
X-Sender: richards@trex.netrex.com
X-Mailer: Windows Eudora Pro Version 3.0b28 (32)
Date: Tue, 01 Oct 1996 08:25:27 -0400
To: Greg Whalin
From: Richard Stiennon
Subject: Re: 'secure' intranet mailreading?
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:05 AM 9/27/96 -0500, Greg Whalin wrote:
>I have been looking for the same exact thing.
>Netscape does offer a mail
>server, but it does not use SSL in any way. It does use a little less
>secure encryption scheme. I would assume that you have to use Netscape
>Navigator's mail reader. Has anyone seen anything a little more secure?
>Greg

My understanding is that Netscape *does* use SSL with its mail server.

----------------------------------------------------------------------------
Richard Stiennon                  richards@netrex.com
Director, Business Development    http://www.netrex.com
Netrex, Inc.                      Voice: 810-352-9643
Southfield, Michigan              Fax: 810-352-2375
-----------------------------------------------------------------------------
Providing businesses and organizations with secure Internet solutions.

From firewalls-owner Tue Oct 1 05:56:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA14320 for firewalls-outgoing; Tue, 1 Oct 1996 05:26:02 -0700 (PDT)
Received: from trex.netrex.com (trex.netrex.com [206.253.226.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA14284 for ; Tue, 1 Oct 1996 05:25:46 -0700 (PDT)
Received: from foghorn.netrex.com (foghorn [206.253.226.10]) by trex.netrex.com (8.7.6/8.7.3) with SMTP id IAA28272; Tue, 1 Oct 1996 08:24:55 -0400 (EDT)
Message-Id: <3.0b28.32.19961001082022.0070e39c@trex.netrex.com>
X-Sender: richards@trex.netrex.com
X-Mailer: Windows Eudora Pro Version 3.0b28 (32)
Date: Tue, 01 Oct 1996 08:20:27 -0400
To: Kogulapalan
From: Richard Stiennon
Subject: Re: Checkpoint
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:01 AM 10/1/96 -0800, Kogulapalan doth say:
>Folks,
>
> A quick question ;) Hope to get answers :)
>
> 1) Does the Checkpoint Firewall-1 that comes with SUN have the
>capabilities of doing VPN ???

Yes.

>
> 2) Does the Checkpoint Firewall-1 that comes with SUN have the
>capabilities of doing NAT ???
>

No problem.

The only drawback to Sun's version is that it takes 3-6 months to come out with the new revisions for the Solarized FireWall-1.

----------------------------------------------------------------------------
Richard Stiennon                  richards@netrex.com
Director, Business Development    http://www.netrex.com
Netrex, Inc.                      Voice: 810-352-9643
Southfield, Michigan              Fax: 810-352-2375
-----------------------------------------------------------------------------
Providing businesses and organizations with secure Internet solutions.

From firewalls-owner Tue Oct 1 06:10:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA15921 for firewalls-outgoing; Tue, 1 Oct 1996 05:38:37 -0700 (PDT)
Received: from syr.edu (syr.edu [128.230.1.49]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA15912; Tue, 1 Oct 1996 05:38:25 -0700 (PDT)
Received: from peterm.syr.edu by syr.edu (8.7.5/CNS) id IAA27348; Tue, 1 Oct 1996 08:39:41 -0400 (EDT)
Message-ID: <32513AF7.269E@syr.edu>
Date: Tue, 01 Oct 1996 08:38:31 -0700
From: Peter Morrissey
Organization: Syracuse University
X-Mailer: Mozilla 2.0 (Win95; I; 16bit)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM, firewalls-digest@GreatCircle.COM
Subject: Policy Templates
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I recently found a place that sold security templates, but have forgotten the URL. Anybody know the URL?

_Pete Morrissey
_Syracuse University

From firewalls-owner Tue Oct 1 06:27:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA17125 for firewalls-outgoing; Tue, 1 Oct 1996 05:50:18 -0700 (PDT)
Received: from gw.iai.com (gw.iai.com [206.64.157.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA17107 for ; Tue, 1 Oct 1996 05:50:09 -0700 (PDT)
Received: by gw.iai.com; id UAA00150; Mon, 30 Sep 1996 20:32:03 -0400 (EDT)
Received: from milford.iai.com(192.206.185.2) by gw.iai.com via smap (V3.1.1) id xma000148; Mon, 30 Sep 96 20:31:54 -0400
Received: by milford.iai.com (AIX 3.2/UCB 5.64/4.03) id AA29812; Mon, 30 Sep 1996 20:33:13 -0400
From: jegan@iai.com (James P. Egan)
Message-Id: <9610010033.AA29812@milford.iai.com>
Subject: Re: Subnetting Class C Network
To: jfjohnm@ca-online.com (John McColley @ J F Engineering)
Date: Mon, 30 Sep 1996 20:33:13 -2800 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9609301308.aa12861@cktassy.ca-online.com> from "John McColley @ J F Engineering" at Sep 30, 96 01:08:09 pm
Reply-To: jegan@iai.com
Organization: Integrated Architectures, Inc.
Pgp-Fingerprint: 64 47 DC 51 D9 11 1D FF 31 43 9C 4C E2 A1 FC 04
Pgp-Public-Key: public-key-server@martigny.ai.mit.edu (subject: GET jegan)
X-Mailer: ELM [version 2.4 PL24 ME5a]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What I would do is ask my ISP to give me 1 address from his range for the outside interface on my firewall and keep all of my Class C for inside.

John McColley @ J F Engineering recently wrote:
>
> Let's see if I understand subnetting correctly.
> If I want to split a class C network to setup a firewall I would
> take the existing network, say a.b.c.0 with a netmask of
> 255.255.255.0 and instead I would end up with 2 usable networks
> if I use a netmask of 255.255.255.192.
> I would end up with
> network a.b.c.64 with a netmask of 255.255.255.192 and network
> a.b.c.128 with a netmask of 255.255.255.192. Therefore, I would
> have available addresses of a.b.c.65 (netmask 255.255.255.192)
> through a.b.c.126, broadcast address would be a.b.c.127 and
> a.b.c.129 (netmask 255.255.255.192) through a.b.c.191, broadcast
> address would be a.b.c.192.
> I can't use a.b.c.0 through a.b.c.63 and a.b.c.193 through
> a.b.c.255.
> Does this sound right?

/Jim/
--
James P. Egan                    | jegan@iai.com
Integrated Architectures, Inc.   | http://www.iai.com
300 East Main Street, Suite 207  | Tel: 508-634-3200 x209
Milford, MA 01757                | Fax: 508-634-8381
Use PGP for more secure email

From firewalls-owner Tue Oct 1 06:54:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA18398 for firewalls-outgoing; Tue, 1 Oct 1996 06:06:45 -0700 (PDT)
Received: from Aptech.com (joshua.aptech.com [199.29.185.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA18390 for ; Tue, 1 Oct 1996 06:06:30 -0700 (PDT)
Received: by Aptech.com (SMI-8.6/SMI-SVR4) id GAA02315; Tue, 1 Oct 1996 06:02:50 -0700
Received: from naomi(199.29.185.132) by joshua via smap (V1.3) id sma002313; Tue Oct 1 06:02:43 1996
Received: from amos.Aptech.com by naomi.Aptech.com (SMI-8.6/SMI-SVR4) id GAA08424; Tue, 1 Oct 1996 06:03:08 -0700
Received: by amos.Aptech.com (SMI-8.6/SMI-SVR4) id GAA03789; Tue, 1 Oct 1996 06:03:07 -0700
Date: Tue, 1 Oct 1996 06:03:07 -0700
From: sjones@Aptech.com (Samuel D. Jones)
Message-Id: <199610011303.GAA03789@amos.Aptech.com>
To: Charles_Ragan@INS.COM, pferguso@cisco.com
Subject: Re: Subnetting Class C Network
Cc: harry@ns.fdc.nl, jfjohnm@ca-online.com, firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I find the little C program included at the end useful.

Sam

> From firewalls-owner@GreatCircle.COM Mon Sep 30 22:03 PDT 1996
> X-Sender: pferguso@lint.cisco.com
> Mime-Version: 1.0
> Date: Tue, 01 Oct 1996 00:29:49 -0400
> To: "Charles_Ragan@ins.com"
> From: Paul Ferguson
> Subject: Re: Subnetting Class C Network
> Cc: "Harry Feltsadas" ,
> jfjohnm@ca-online.com (John McColley @ J F Engineering),
> firewalls@GreatCircle.COM
>
> Also, it goes without saying that classful routing protocols have outlived
> their usefulness, and should be abandoned at one's earliest convenience.
>
> In fact, RIPv1 has been declared historical (or, rather, hysterical).
>
> - paul
>
> At 08:53 PM 9/30/96 -0500, Charles_Ragan@ins.com wrote:
>
> >One other note, rfc 1878's recommendation allows for the usage of the first
> >and last subnet. Routing protocols that carry subnet information in its
> >updates allow for this. Ones that don't (igrp, static, ripv1, etc.). The
> >practice I follow is to use them last, if needed.
> >
> >Charles
> >
>
> --
> Paul Ferguson                ||        ||
> Consulting Engineering       ||        ||
> Reston, Virginia USA        ||||      ||||
> tel: +1.703.716.9538    ..:||||||:..:||||||:..
> e-mail: pferguso@cisco.com   c i s c o S y s t e m s
>
>

/* Sam's subnet program. The #include names were lost in the archive;
 * the four headers below are the ones the code actually needs
 * (printf, atoi, strcpy, isdigit). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define A 1
#define B 2
#define C 3

/* NOTE: Only class C is currently supported */

/* Print the subnets of a class C network split with sb subnet bits.
 * Subnet zero and the all-ones subnet, and the all-zero and all-ones
 * host numbers, are deliberately skipped (classful rules). */
void dump_class_C(int b1, int b2, int b3, int b4, int sb)
{
    int s, h, sd, hd;

    sd = 2;                                 /* sd = 2^sb subnets */
    for (s = 1; s < sb; s++)
        sd *= 2;
    hd = 2;                                 /* hd = 2^(8-sb) hosts per subnet */
    for (h = 1; h < (8 - sb); h++)
        hd *= 2;

    printf("Network: %d.%d.%d.%d/%d\n", b1, b2, b3, b4, 24 + sb);
    printf("Netmask: %d.%d.%d.%d\n", 255, 255, 255, (sd - 1) << (8 - sb));

    for (s = 1; s < sd - 1; s++) {
        printf("\fSubnet: %d", s);
        printf("\nNetwork: %d.%d.%d.%d/%d", b1, b2, b3, s << (8 - sb), 24 + sb);
        printf("\nBroadcast: %d.%d.%d.%d\n\n", b1, b2, b3,
               (s << (8 - sb)) + (hd - 1));
        for (h = 1; h < hd - 1; h++) {
            printf("    %d.%d.%d.%d\n", b1, b2, b3, (s << (8 - sb)) + h);
        }
    }
}

int main(int argc, char *argv[])
{
    char address[256], *cp;
    int class, sb, b1, b2, b3, b4;

    if (argc != 3) {
        printf("Usage: subnet address subnet_bits\n\n");
        printf("Example: subnet 197.34.16.0 3\n");
        return 1;
    }

    /* Pull the four dotted-quad octets out of argv[1] by hand. */
    strcpy(address, argv[1]);
    cp = address;
    b1 = atoi(cp);
    while (isdigit(*cp)) ++cp;
    if (*cp == '.') ++cp;
    else { printf("Bad address: %s\n", argv[1]); return 1; }
    b2 = atoi(cp);
    while (isdigit(*cp)) ++cp;
    if (*cp == '.') ++cp;
    else { printf("Bad address: %s\n", argv[1]); return 1; }
    b3 = atoi(cp);
    while (isdigit(*cp)) ++cp;
    if (*cp == '.') ++cp;
    else { printf("Bad address: %s\n", argv[1]); return 1; }
    b4 = atoi(cp);

    sb = atoi(argv[2]);

    /* Classify by first octet. */
    if (b1 < 128) class = A;
    else if (b1 < 192) class = B;
    else if (b1 < 224) class = C;
    else {
        printf("Bad address (class out of range): %s\n", argv[1]);
        return 1;
    }

    switch (class) {
    case A:
        if (sb > 24) { printf("Too many subnet bits\n"); return 1; }
        break;
    case B:
        if (sb > 16) { printf("Too many subnet bits\n"); return 1; }
        break;
    case C:
        if (sb > 8) { printf("Too many subnet bits\n"); return 1; }
        dump_class_C(b1, b2, b3, b4, sb);
        break;
    }
    return 0;
}

From firewalls-owner Tue Oct 1 07:33:46 1996
Received: (majordom@localhost) by miles.greatcircle.com
(8.7.1-lists/Lists-960417-1) id GAA23484 for firewalls-outgoing; Tue, 1 Oct 1996 06:43:25 -0700 (PDT)
Received: from insync.net (vellocet.insync.net [204.253.208.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA23222 for ; Tue, 1 Oct 1996 06:42:27 -0700 (PDT)
Received: (from uurtamo@localhost) by insync.net (8.7.1/8.7.1) id IAA01114 for firewalls@greatcircle.com; Tue, 1 Oct 1996 08:32:13 -0500 (CDT)
From: Steve Uurtamo
Message-Id: <199610011332.IAA01114@insync.net>
Subject: CyberGuard. (fwd)
To: firewalls@greatcircle.com
Date: Tue, 1 Oct 1996 08:32:13 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL22]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Having some joy with the CyberGuard.

In particular, I need to proxy a service that after making its first connection through the firewall will need to establish connections through exactly 2 future ports for the remainder of the service. These ports are in the "free zone" (>1024). I have to do NAT on all of the packets as the internal machine has a non-routable address (10.x.x.x).

Given that I can parse the packets well enough to figure out what those future ports are going to be (yes, this is a proprietary service), what is a good place to start as far as writing my own proxy using the proxy source code on the CyberGuard? Should I be looking at the way FTP handles future connections for data? Or maybe I'm doing this all wrong.

Thanks for any help anyone can give in advance.

Steve Uurtamo

From firewalls-owner Tue Oct 1 07:41:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA21897 for firewalls-outgoing; Tue, 1 Oct 1996 06:37:05 -0700 (PDT)
Received: from mail.comm.hq.af.mil (mail.comm.hq.af.mil [134.205.80.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA21887 for ; Tue, 1 Oct 1996 06:36:57 -0700 (PDT)
Received: from MSSMTPOUT.COMM.HQ.AF.MIL (mssmtpout.comm.hq.af.mil [134.205.80.21]) by mail.comm.hq.af.mil (8.6.5/8.6.5) with SMTP id JAA23421 for < Firewalls@GreatCircle.COM>; Tue, 1 Oct 1996 09:01:08 -0400
Received: by MSSMTPOUT.COMM.HQ.AF.MIL with Microsoft Mail id <325149EB@MSSMTPOUT.COMM.HQ.AF.MIL>; Tue, 01 Oct 96 09:42:19 PDT
From: "Bouchard, Alexis, 2Lt,SAM/GNCP"
To: Firewall Discussion
Subject: Gauntlet vs. Sidewinder
Date: Tue, 01 Oct 96 09:34:00 PDT
Message-ID: <325149EB@MSSMTPOUT.COMM.HQ.AF.MIL>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have to choose between Gauntlet and Sidewinder as a Firewall solution. Both products meet my laundry list requirements. Both can do the job of securing my network, but which one is better? What I'm looking for is which one is better than the other as far as ease of use, overall security and support from the vendor. I have all the general vendor info, but I'm looking for strong technical reasons why I should go with one or the other.

I'm a new kid on the block. This is my first Firewall experience. I haven't had the luxury of seeing many Firewalls in use, or being able to play and fiddle with them. I'm open to all input and all advice. I need to take advantage of someone else's experiences.
Alexis Bouchard From firewalls-owner Tue Oct 1 07:45:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA24211 for firewalls-outgoing; Tue, 1 Oct 1996 06:46:56 -0700 (PDT) Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA23988 for ; Tue, 1 Oct 1996 06:46:02 -0700 (PDT) Received: by relay.ashton.csc.com; id JAA15354; Tue, 1 Oct 1996 09:46:54 -0400 Received: from mccoy.ashton.csc.com(20.2.51.2) by relay.ashton.csc.com via smap (g3.0.1) id sma015348; Tue, 1 Oct 96 09:46:25 -0400 Received: (from jhkerr@localhost) by mccoy.ashton.csc.com (8.6.12/8.6.9) id JAA26971; Tue, 1 Oct 1996 09:54:05 -0400 Date: Tue, 1 Oct 1996 09:54:04 -0400 (EDT) From: "John H. Kerr" To: Kogulapalan cc: firewalls@GreatCircle.COM Subject: Re: Checkpoint In-Reply-To: <199610011801.KAA28685@snet> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The encryption module must be purchased seperately. The NAT does come with some if not all of there versions of the Firewall. I believe that if you go to their home page at WWW.Checkpoint.com you could find a listing of all their products. On Tue, 1 Oct 1996, Kogulapalan wrote: > Folks, > > A quick questions ;) Hope to get answers :) > > 1) Does the Checkpoint Firewall-1 that comes with SUN has the > capabilies of doing VPN ??? > > 2) Does the Checkpoint Firewall-1 that comes with SUN has the > capabilies of doing NAT ??? > > Thats all. Thanks. 
> > Regards, > PaLaN > palan@mailhost.net > > " Hack From The Rich and Download To The Poor " > From firewalls-owner Tue Oct 1 08:10:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA27182 for firewalls-outgoing; Tue, 1 Oct 1996 07:02:14 -0700 (PDT) Received: from ic.net (falcon.ic.net [152.160.101.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA27168 for ; Tue, 1 Oct 1996 07:02:08 -0700 (PDT) Received: from CimInc.com by ic.net with smtp (Smail3.1.28.1 #6) id m0v85OF-003Ib4C; Tue, 1 Oct 96 10:01 WET DST Received: by CimInc.com from localhost (router,SLmail95 V1.2,beta 1); Tue, 01 Oct 1996 10:05:50 Received: by CimInc.com from bill (152.160.211.243::mail daemon; unverified,SLmail95 V1.2,beta 1); Tue, 01 Oct 1996 10:05:49 Message-ID: <3251259B.65C9@ciminc.com> Date: Tue, 01 Oct 1996 10:07:23 -0400 From: "bill" Organization: Center for Information Management X-Mailer: Mozilla 2.01 (Win95; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.com Subject: Checkpoint's Firewall-1 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please let me know about your experiences with Checkpoint's Firewall-1 product. Does anyone know if you can run this product on the machine you are trying to protect? 
From firewalls-owner Tue Oct 1 08:26:10 1996
From: "bill"
Organization: Center for Information Management
To: Firewalls@GreatCircle.com
Date: Tue, 01 Oct 1996 10:09:43 -0400
Subject: TIS Gauntlet Firewall product
Message-ID: <32512627.284E@ciminc.com>

Please let me know about your experiences with TIS' Gauntlet Firewall product.
Also, does anyone know if you can run this product on the machine you are
trying to protect?

From firewalls-owner Tue Oct 1 08:27:20 1996
From: jeromie@garrison.com (Hmm)
To: smith@sctc.com, msmith@quix.robins.af.mil
Cc: firewalls@greatcircle.com
Date: Tue, 1 Oct 96 09:12:53 CDT
Subject: Re: Newbie question
Message-Id: <9610011412.AA03250@ukn0.garrison.com.>

> > At 3:25 PM 9/17/96, Chris Garrigues wrote about Mark's picture
> > of a "triple homed" firewall:
> >
> > >I see maps like yours all the time, but I'm uneasy about real
> > >routing happening on my firewall. It just seems to me like
> > >there's potential risk in running routing software on a firewall.
> >
> > Quite so. Correct packet flow must be enforced by something more than IP
> > level routing. The picture only makes sense if you've set up a firewall
> > proxy to enforce the flow. All web server accesses should be sent to the
> > isolated subnet containing the Web server and no incoming Internet
> > connections should be allowed to flow directly into the database server's
> > net. The "routing" in this case isn't handled by the IP layer, it's handled
> > by socket layer proxies.
> >
> > Rick.
>

Also, in the above mentioned configuration, if the web server is compromised,
it doesn't automatically give it the ability to go into promiscuous mode and
read all traffic passing between the firewall & the outside. It also gives you
the ability to use the firewall audit utilities in order to log data.
Centralization, and potentially better reporting mechanisms than you would
have elsewhere.
Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Tue Oct 1 08:47:28 1996
From: Reto Haeni
To: firewalls@greatcircle.com
Date: Tue, 01 Oct 1996 11:17:16 -0400
Subject: Introduction
Message-Id: <199610011516.LAA17878@seas.gwu.edu>

I recently joined this group and would like to briefly introduce myself. My
name is Reto Haeni and I have been for a year at The George Washington
University in Washington DC, where I plan to get my MSc in Telecommunications
and Computers in December. Before I came to the US, I was working at R&D of
Swiss Telecom (I am from Switzerland) in the communications group. Besides my
studies, I am a Teaching Assistant in Computer Security and a Research
Assistant at the Cyberspace Policy Institute.

My knowledge of firewalls is somewhat limited (to the theory) but I am writing
a paper on testing/penetration of firewalls and hope to get some insight out
of it.

Greetings, and I am looking forward to an interesting participation.

Reto Haeni

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Reto E. Haeni
Cyberspace Policy Institute, The George Washington University
School of Engineering and Applied Science
2033 K Str. NW Suite 340N, Washington DC 20006
ph (202) 994-5512 (We, Th)
http://www.cpi.seas.gwu.edu/
reto@seas.gwu.edu
http://www.seas.gwu.edu/student/reto/
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

From firewalls-owner Tue Oct 1 08:58:38 1996
From: long-morrow@CS.YALE.EDU
To: pferguso@cisco.com
Cc: firewalls@GreatCircle.COM
Date: Tue, 1 Oct 1996 11:33:47 -0400 (EDT)
Subject: Re: Subnetting Class C Network
Message-Id: <199610011533.LAA09888@SPARKY.CF.CS.YALE.EDU>

Paul Ferguson

>You can use IP subnet 0 if you use the global command 'ip subnet zero'
>within a cisco router. Use of the all-1's subnet has always been
>permissible.

Yes. We use a subnet with all zeros (128.36.0.0, where our subnet mask is
255.255.255.0) for legacy reasons.

Whenever we bring up a new CISCO router on the 128.36.0 subnet we run the
router through the EZ config with a terminal --- and then after it refuses to
talk to the zero subnet we enter the advanced configuration command 'service
subnet-zero' or 'ip subnet-zero' (depending on the CISCO IOS release).
- Morrow

From firewalls-owner Tue Oct 1 09:12:40 1996
From: John J McMahon
Organization: Trusted Information Systems - Rockville, MD
To: firewalls@GreatCircle.COM
Date: Tue, 01 Oct 1996 11:43:46 -0400
Subject: Re: ATM Firewalls
Message-Id: <32513C32.13728473@tis.com>
References: <26860.20243.1996Sep24@tis.com>

Dr. Bill Hancock wrote:
> (edited)
> FYI, there were two refereed papers on high-speed firewalls
> delivered at the April 1996 InterOP show in Las Vegas...

FYI - The Firewall in the NOC at Interop Las Vegas and Atlanta this year was
partially on ATM. I can't speak for the Las Vegas design (I didn't build it),
but the Atlanta design was a three interface system consisting of:

- 10 Mbps Ethernet - Inside Interface 1
- 155 Mbps ATM (LANE) - Inside Interface 2
- 100 Mbps FDDI - Outside Interface

The base system was a Sun SparcStation 20, running SunOS 4.1.4 and TIS
Gauntlet 3.1.1. The FDDI and ATM boards came from Interphase.
Cheers,
John
--
John "FuzzFace" McMahon
Gauntlet Internet Firewall Technical Support
Support: gauntlet-support@trusted.com, 301-527-9555, 301-527-0482 (fax)
Pennsic XXV: Cry Havoc... And let slip the golf carts of War...

From firewalls-owner Tue Oct 1 09:46:58 1996
From: kenng@kpmg.com (Ken Ng)
To: firewalls@greatcircle.com
Date: Tue, 1 Oct 1996 11:28:35 -0400
Subject: Gauntlet FW in big environments.
Message-ID: <25146C00.@kpmg.com>

Does anyone here have any experience with running Gauntlet Firewalls in a
"large" environment? By large, I mean about 500 ip sites a day, 1.2 gig of
http traffic a day, 100 meg of email, and 200 meg of ftp traffic a day. I've
got the TIS HP Vectra pc running BSD 2.0 with TIS 3.1. The machine has 48 meg
of ram.

The problem I'm having is that the machine typically either reboots itself or
it crashes until I reboot it manually. I thought I fixed it by having it
reboot from cron once a week in the early morning. But now it's starting to
crash on day 6. Will more memory help this thing? Are other people having
similar problems? What's everyone else using?
From firewalls-owner Tue Oct 1 09:58:22 1996
From: "Barbara W. Jaarsma"
Reply-To: barbara@us.checkpoint.com
Organization: Checkpoint US Technical Support
To: "Bouchard, Alexis, 2Lt,SAM/GNCP"
Cc: Firewall Discussion
Date: Tue, 01 Oct 1996 09:51:43 -0700
Subject: Re: Gauntlet vs. Sidewinder
Message-Id: <32514C1F.1BD3@us.checkpoint.com>
References: <325149EB@MSSMTPOUT.COMM.HQ.AF.MIL>

Bouchard, Alexis, 2Lt,SAM/GNCP wrote:
>
> I have to choose between Gauntlet and Sidewinder as a Firewall solution.

Personally, I'd go with FireWall-1...
:-)
-Barb

From firewalls-owner Tue Oct 1 10:31:20 1996
From: Adrian Setton
Reply-To: asetton@lightech.com.ar
Organization: LighTech
To: Firewalls@greatcircle.com
Date: Tue, 01 Oct 1996 13:57:52 -0300
Subject: Firewall-1 Light Restrictions
Message-ID: <32514D90.7B61@lightech.com.ar>

Does anybody know what the restrictions of Firewall-1 Light are? In the Qualix
FAQ it says 50 internal nodes and 50 concurrent sessions. I've seen in a Sun
White Paper that it is 50 outbound sessions. At our customer we expect to have
more than 50 inbound connections, but no more than 10 outbound connections, so
this is really important.

Thanks in advance.

--
Adrian F. Setton                  LighTech
Voice: (54-1) 420-4110            Ayacucho 563, Piso 13 Dto "A"
FAX: (54-1) 315-1343              Buenos Aires, Argentina
e-mail: asetton@lightech.com.ar   URL: http://www.lightech.com.ar

From firewalls-owner Tue Oct 1 10:41:24 1996
From: woods@ucar.edu (Greg Woods)
To: firewalls@GreatCircle.COM
Date: Tue, 1 Oct 96 11:26:57 MDT
Subject: Re: ATM Firewalls
Message-Id: <199610011726.LAA23872@ncar.ucar.EDU>
In-Reply-To: <32513C32.13728473@tis.com>; from "John J McMahon" at Oct 1, 96 11:43 am

> a three interface system consisting of:
>
> - 10 Mbps Ethernet - Inside Interface 1
> - 155 Mbps ATM (LANE) - Inside Interface 2
> - 100 Mbps FDDI - Outside Interface

For most of us that I've heard use the term, this is not an "ATM firewall".
Although I cannot speak for anyone else, I think that to call something like
this an ATM firewall is deceptive. What *I* mean when I use that term is
something that can act as a firewall while passing packets *at ATM speed*.
While I would agree that something that can at least pass packets at or close
to FDDI speed is worthy of note, this is not an "ATM firewall" by any
reasonable definition.
--Greg

From firewalls-owner Tue Oct 1 11:12:00 1996
From: "Bryan D. Boyle"
Organization: Exxon Research and Engineering Co.
To: firewalls@greatcircle.com
Date: Tue, 01 Oct 1996 13:12:06 -0400
Subject: Re: Gauntlet vs. Sidewinder
Message-ID: <325150E6.52BF@erenj.com>
References: <325149EB@MSSMTPOUT.COMM.HQ.AF.MIL> <32514C1F.1BD3@us.checkpoint.com>

Barbara W. Jaarsma wrote:
>
> Bouchard, Alexis, 2Lt,SAM/GNCP wrote:
> >
> > I have to choose between Gauntlet and Sidewinder as a Firewall solution.
>
> Personally, I'd go with FireWall-1... :-)
> -Barb

Not an unbiased opinion, from your return address.

--
Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
#include       | http://www.access.digex.net/~bdboyle/index.html
"They that can give up liberty to obtain a little temporary safety deserve
neither liberty nor safety."
- Benjamin Franklin, Historical Review of Pennsylvania

From firewalls-owner Tue Oct 1 11:16:49 1996
From: Andrew Grant
To: Firewalls@GreatCircle.COM
Date: Tue, 1 Oct 1996 14:47:42 -0300 (ADT)
Subject: TIS Toolkit (plug-gw)
In-Reply-To: <32512627.284E@ciminc.com>

How does one use the plug-gw program, once you've got it compiled? There
doesn't seem to be any information on this.

Also, can someone explain the logic behind "ipfwadm"? I've read the HOWTO, but
I'm still in the dark. I'm also running socks5; would ipfwadm (once set up
right) take over its job?

Thanks,
--Andrew

From firewalls-owner Tue Oct 1 11:22:17 1996
Message-Id: <199610011658.LAA12291@anka.mindvision.com>
Subject: Re: Gauntlet FW in big environments.
To: kenng@kpmg.com (Ken Ng)
Cc: firewalls@GreatCircle.COM
Date: Tue, 1 Oct 1996 11:57:59 -0500 (CDT)
From: alan@mindvision.com (Alan Hannan)
Reply-To: alan@mindvision.com (Alan Hannan)
In-Reply-To: <25146C00.@kpmg.com> from "Ken Ng" at Oct 1, 96 11:28:35 am

I have worked with systems larger than the one you describe. By upgrading to
the current blessed set of patches, and going to Gauntlet 1.1.1 with the
appropriate patches, I was consistently able to create a working system.

Good luck!

-alan

>
> Does anyone here have any experience with running Gauntlet Firewalls
> in a "large" environment? By large, I mean about 500 ip sites a day,
> 1.2 gig of http traffic a day, 100 meg of email, and 200 meg of ftp
> traffic a day. I've got the TIS HP Vectra pc running BSD 2.0 with TIS
> 3.1. The machine has 48 meg of ram.
>
> The problem I'm having is that the machine typically either reboots
> itself or it crashes until I reboot it manually. I thought I fixed it
> by having it reboot from cron once a week in the early morning. But
> now it's starting to crash on day 6. Will more memory help this thing?
> Are other people having similar problems? What's everyone else using?
>

--
Alan Hannan
Not Employed Networking, Ltd.
email: alan@mindvision.com.
phone: 402/488-0238

From firewalls-owner Tue Oct 1 11:26:10 1996
From: Rick Romkey
To: asetton@lightech.com.ar
Cc: Firewalls@GreatCircle.COM
Date: Tue, 1 Oct 1996 13:38:42 -0400 (EDT)
Subject: Re: Firewall-1 Light Restrictions
Message-Id: <199610011738.NAA22325@maddie.atlantic.com>
In-Reply-To: <32514D90.7B61@lightech.com.ar> from "Adrian Setton" at Oct 1, 96 01:57:52 pm

>
> Does anybody know which are the restrictions of Firewall-1 Light?
> In the Qualix FAQ it says 50 internal nodes and 50 concurrent sessions.
> I've seen in a Sun White Paper that it is 50 outbound sessions.
> In our customer we expect to have more than 50 inbound connections,
> but no more than 10 outbound connections, so this is really important.

Firewall-1 maintains a flat file of the IP addresses of internal hosts it
detects. Concurrent usage was dropped as a licensing criterion and it is
strictly host based now.
-Rick
----------------------------------------------------------------------------
Rick E Romkey          | A T L A N T I C                    | Internet
pokey@atlantic.com     | Computing Technology Corporation   | Specialists
(860) 667-9596         | http://www.atlantic.com/           |
-----------------------------------------------------------------------------

From firewalls-owner Tue Oct 1 12:00:38 1996
From: Paul Ferguson
To: long-morrow@CS.YALE.EDU
Cc: firewalls@GreatCircle.COM
Date: Tue, 01 Oct 1996 14:03:46 -0400
Subject: Re: Subnetting Class C Network
Message-Id: <2.2.32.19961001180346.00677a14@lint.cisco.com>

At 11:33 AM 10/1/96 -0400, long-morrow@CS.YALE.EDU wrote:
>
>Yes. We use a subnet with all zeros (128.36.0.0, where our subnet mask
>is 255.255.255.0) for legacy reasons.
>
>Whenever we bring up a new CISCO router on the 128.36.0 subnet we run the
>router through the EZ config with a terminal --- and then after it refuses
>to talk to the zero subnet we enter the advanced configuration command
>'service subnet-zero' or 'ip subnet-zero' (depending on the CISCO IOS
>release).
>
>- Morrow
>

It also depends on the routing protocol; classful routing protocols cannot
distinguish IP subnet 0 from a network address.
Subnetting with a subnet address of zero generally is not allowed with
classful routing protocols because of the confusion inherent in having a
network and a subnet with indistinguishable addresses. For example, if
network 128.36.0.0 is subnetted as 255.255.255.0, subnet zero would be
written as 128.36.0.0 -- which is identical to the network address.

- paul

--
Paul Ferguson                    ||        ||
Consulting Engineering           ||        ||
Reston, Virginia USA            ||||      ||||
tel: +1.703.716.9538        ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com     c i s c o S y s t e m s

From firewalls-owner Tue Oct 1 12:01:05 1996
From: "Saqib A. Khan"
To: kenng@kpmg.com (Ken Ng)
Cc: firewalls@greatcircle.com
Date: Tue, 01 Oct 1996 14:34:26 -0400
Subject: Re: Gauntlet FW in big environments.
Message-Id: <2.2.32.19961001183426.00ab0e9c@litle.net>

Definitely more memory, like 128 Mb RAM. If you have control over the OS then
also check your swap space; try to double it as compared to the memory or more
(i.e. swap should be >= 256 Mb). BTW, what does TIS say about this issue?

At 11:28 AM 10/1/96 -0400, you wrote:
> Does anyone here have any experience with running Gauntlet Firewalls
> in a "large" environment? By large, I mean about 500 ip sites a day,
> 1.2 gig of http traffic a day, 100 meg of email, and 200 meg of ftp
> traffic a day. I've got the TIS HP Vectra pc running BSD 2.0 with TIS
> 3.1.
> The machine has 48 meg of ram.
>
> The problem I'm having is that the machine typically either reboots
> itself or it crashes until I reboot it manually. I thought I fixed it
> by having it reboot from cron once a week in the early morning. But
> now it's starting to crash on day 6. Will more memory help this thing?
> Are other people having similar problems? What's everyone else using?
>
>

PS: Pls CC all mail to me @ - Saqib.A.Khan@worldnet.att.net

---------------------------------------------------
Saqib A. Khan, Principal Architect, Information Security
Strategic Network Consulting
Voice: 617.433.7117
Saqib.A.Khan@worldnet.att.net
---------------------------------------------------
"Sed quis custodiet ipsos custodes?" -Juvenal, c. 100 C.E.

From firewalls-owner Tue Oct 1 12:14:20 1996
From: Mike Stoico
To: firewalls@Greatcircle.com
Date: Tue, 01 Oct 1996 14:06:39 -0400
Subject: msn and firewalls
Message-Id: <3.0b19.32.19961001140637.009f6da0@hqmail.metlife.com>

Are there any specific ports that need to be authorized through a firewall to
allow a user to connect to msn?
=========================================================================
Mike Stoico, I/S Security Consultant   * Phone: (518)285-2567
MetLife                                * Fax: (518)285-2542
500 Jordan Rd                          * E-Mail: mstoico@metlife.com
Troy, NY 12180                         * URL: www.metlife.com
=========================================================================
The opinions expressed here are my own and may not be those of my employer.
=========================================================================

From firewalls-owner Tue Oct 1 12:36:11 1996
From: nobody@cypherpunks.ca (John Anonymous MacDonald)
To: firewalls@greatcircle.com
Date: Tue, 1 Oct 1996 11:50:24 -0700
Subject: Information Seeking
Message-Id: <199610011850.LAA00292@abraham.cs.berkeley.edu>
Comments: There is no way to determine the originator of this message. If you wish to be blocked from receiving all anonymous mail, send your request to the mailing list. The operator of this particular remailer can be reached at .

Hello:

Can anyone on this list recommend a reputable and professional group that can
perform security (both network and host; Internet related) audits at a medium
sized company located in the United States? My interest is in the background
of these organizations; who to stay away from; who to take a look at; etc.
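The subnet-zero ambiguity from the "Subnetting Class C Network" exchange above (Morrow's 128.36.0.0 with mask 255.255.255.0, and Paul Ferguson's explanation of why a classful routing protocol cannot tell it from the network address), worked through as an added Python example; this is not code from the list, from Cisco or from any vendor. It derives the classful network from the address's leading bits, computes the subnet number under the given mask, and flags subnet zero (whose network address collides with the classful network address, the case `ip subnet-zero` exists for) and the all-ones subnet (whose broadcast collides with the classful broadcast); the function names `classful_prefix` and `classify_subnet` are my own.

```python
"""Subnet-zero / all-ones check for classful networks (added example, not from the thread)."""
import ipaddress


def classful_prefix(addr: ipaddress.IPv4Address) -> int:
    """Prefix length implied by the address class: A -> /8, B -> /16, C -> /24."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is not a class A, B or C unicast address")


def classify_subnet(address: str, mask: str) -> dict:
    """Describe where address/mask sits inside its classful network.

    A classful routing protocol carries no mask, so a route is identified only
    by its classful network address.  Subnet zero has the same network address
    as the classful network it was carved from (Paul's 128.36.0.0 example);
    the all-ones subnet shares the classful directed-broadcast address instead.
    """
    iface = ipaddress.IPv4Interface(f"{address}/{mask}")
    plen = iface.network.prefixlen
    cplen = classful_prefix(iface.ip)
    if plen < cplen:
        raise ValueError(f"/{plen} is shorter than the classful /{cplen}: "
                         "that is supernetting, not subnetting")
    classful_net = ipaddress.IPv4Network(f"{iface.ip}/{cplen}", strict=False)
    subnet_bits = plen - cplen
    # The subnet number is the run of bits between the classful prefix and the
    # mask boundary; it is zero bits wide when the mask equals the classful mask.
    subnet_number = (int(iface.ip) >> (32 - plen)) & ((1 << subnet_bits) - 1)
    is_subnet_zero = subnet_bits > 0 and subnet_number == 0
    is_all_ones = subnet_bits > 0 and subnet_number == (1 << subnet_bits) - 1
    return {
        "classful_network": str(classful_net),
        "subnet": str(iface.network),
        "subnet_bits": subnet_bits,
        "subnet_number": subnet_number,
        "is_subnet_zero": is_subnet_zero,
        "is_all_ones_subnet": is_all_ones,
        # The two collisions a classful protocol cannot resolve:
        "network_addr_collides": subnet_bits > 0
        and iface.network.network_address == classful_net.network_address,
        "broadcast_addr_collides": subnet_bits > 0
        and iface.network.broadcast_address == classful_net.broadcast_address,
    }


if __name__ == "__main__":
    # Constructed sample addresses: Morrow's legacy subnet, its all-ones twin,
    # an ordinary middle subnet, and a class C carved into /26 blocks.
    for addr, mask in [("128.36.0.5", "255.255.255.0"),
                       ("128.36.255.9", "255.255.255.0"),
                       ("128.36.7.1", "255.255.255.0"),
                       ("192.168.1.5", "255.255.255.192")]:
        info = classify_subnet(addr, mask)
        print(f"{addr}/{mask}: subnet {info['subnet']} of {info['classful_network']}, "
              f"subnet #{info['subnet_number']}, zero={info['is_subnet_zero']}, "
              f"all-ones={info['is_all_ones_subnet']}")
```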
From firewalls-owner Tue Oct 1 12:58:13 1996
From: Frederick M Avolio
To: kenng@kpmg.com (Ken Ng), firewalls@GreatCircle.COM
Date: Tue, 01 Oct 1996 15:49:13 -0400
Subject: Re: Gauntlet FW in big environments.
Message-Id: <2.2.32.19961001194913.00af840c@pop.trusted.com>

Ken:

We'd be happy to put you in touch with customers who are running Gauntlet
Internet Firewalls in environments such as you describe here, and in even
larger environments. I suppose you've worked with customer support, but it
certainly sounds like a disk or memory hardware problem. More memory should
not fix this because lack of memory should not cause system crashes on any
UNIX machine.

Fred

At 11:28 AM 10/1/96 -0400, Ken Ng wrote:
> Does anyone here have any experience with running Gauntlet Firewalls
> in a "large" environment? By large, I mean about 500 ip sites a day,
> 1.2 gig of http traffic a day, 100 meg of email, and 200 meg of ftp
> traffic a day. I've got the TIS HP Vectra pc running BSD 2.0 with TIS
> 3.1. The machine has 48 meg of ram.
>
> The problem I'm having is that the machine typically either reboots
> itself or it crashes until I reboot it manually.
> I thought I fixed it
> by having it reboot from cron once a week in the early morning. But
> now it's starting to crash on day 6. Will more memory help this thing?
> Are other people having similar problems? What's everyone else using?
>
>

From firewalls-owner Tue Oct 1 13:14:42 1996
From: "Jonathan M. Bresler"
To: kenng@kpmg.com (Ken Ng)
Cc: "Saqib A. Khan"@freefall.freebsd.org, , firewalls@greatcircle.com
Date: Tue, 1 Oct 1996 12:48:49 -0700 (PDT)
Subject: Re: Gauntlet FW in big environments.
Message-Id: <199610011948.MAA19812@freefall.freebsd.org>

We use a Gauntlet (at work, not at FreeBSD.org) to support telnet, ftp, and
http for ~1500 people. It's a 586-90 w/ 64MB.

Yesterday's usage:

  ftp inbound     188MB
  httpd inbound   854MB
  nntp inbound   3176MB (not a typo)

The box is busy. It does *not* swap. Swapping will kill you.

Outbound usage is not significant.

jmb
--
Jonathan M. Bresler        FreeBSD Postmaster        jmb@FreeBSD.ORG
FreeBSD--4.4BSD Unix for PC clones, source included.
http://www.freebsd.org/
PGP 2.6.2 Fingerprint: 31 57 41 56 06 C1 40 13 C5 1C E3 E5 DC 62 0E FB

From firewalls-owner Tue Oct 1 13:34:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA19033 for firewalls-outgoing; Tue, 1 Oct 1996 13:04:27 -0700 (PDT)
Received: from anchorsteam (anchorsteam.unifiedtech.com [38.251.136.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA19004 for ; Tue, 1 Oct 1996 13:04:12 -0700 (PDT)
Received: from bass.com. by anchorsteam (SMI-8.6/SMI-SVR4) id QAA01039; Tue, 1 Oct 1996 16:04:32 -0400
Received: by bass.com. (SMI-8.6/SMI-SVR4) id QAA16337; Tue, 1 Oct 1996 16:01:47 -0400
Date: Tue, 1 Oct 1996 16:01:47 -0400
From: jonesmd@unifiedtech.com (Mike Jones)
Message-Id: <199610012001.QAA16337@bass.com.>
To: Firewalls@GreatCircle.COM, klynn@cyberspace.com
Subject: Re: SOLARIS x86 as firewall platform
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: ypZuzpa3ij+O++mJvUNftg==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I believe your options in this aspect is either Sun Microsystems
> Firewall-1 (which they're really just licensing from checkpoint), or from
> what I understand Trusted Information Systems (TIS) is working on a
> Solaris version of Gauntlet.

I have run FW-1 on a Solaris X86 system (P90, no less) with one DMZ network and have had no problems (except with unreliable cheap PC hardware).

> In my experience I'd favor gauntlet as it is a true application level
> proxy gateway. Firewall-1 which is supposed to perform as the fastest
> firewall around is unfortunately a hybrid packet filtering firewall
> therefore it is somewhat less secure (depending on how you setup your
> site of course).

Therefore? Could you point out a couple of specific ways FW-1 is less secure? I understand that basic packet filtering (such as is found in most routers) has some shortcomings, particularly in lack of flexibility, but I've never been clear on exactly what sort of attacks a FW-1 would be susceptible to that, say, Gauntlet wouldn't.

Mike Jones
Sr. Network Computing Advisor
UNIFIED Technologies

From firewalls-owner Tue Oct 1 13:56:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA20087 for firewalls-outgoing; Tue, 1 Oct 1996 13:11:36 -0700 (PDT)
Received: from news.be.innet.net (news.be.innet.net [194.7.1.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA20068 for ; Tue, 1 Oct 1996 13:11:23 -0700 (PDT)
Received: from pool011-7.innet.be (pool011-7.innet.be [194.7.12.38]) by news.be.innet.net (8.7.6/8.7.3) with SMTP id WAA18500; Tue, 1 Oct 1996 22:09:49 +0200 (MET DST)
Message-Id: <199610012009.WAA18500@news.be.innet.net>
X-Sender: fdehert@pophost.innet.be
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 01 Oct 1996 22:20:47 -0100
To: keithm@asymetrix.com
From: fdehert@innet.be (Frank J.J. De Hert)
Subject: RE: NT Security
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 30 Sep 96 , Keith McCammon wrote:
>
>C2 security seems basically worthless. You can't have any network, and if
>a perpetrator has physical access to the machine, he/she can just boot
>off a floppy to read your files.
>
>So, if you can't use it with a network as a file server, and if it's
>easily compromised with physical access to the machine, what is a
>practical example of where C2 is actually useful?
>

The issue is how the developer/vendor interprets the C2 requirements. If he/she's fishing for the certificate to fill a segment of the market, chances are that he/she will comply to the letter of the requirements (it shall be possible to...)
In many respects Win NT complies to the C2 requirements (probably to all of them), but once you try to implement them to set up a secure system, nothing works anymore. It's all very well to be able to protect system executables from the users, but if you have to give RWXD permissions to Everybody to allow the user(s) to actually use the system, there goes any confidence in such a certificate.

It is true that in the C2 requirements there is no mention of networking, and that, to my knowledge, no networked system has been granted any certificates (yet).

There are, on the other hand, a few operating systems around that have been written more to the idea behind the requirements than to the letter. But, you already guessed it, they're in a somewhat higher price range than WinNT.

A while back there was mention of recipes to set up permissions on NT 3.51 in a more or less decent way. Could someone point me in the right direction where I can find those? It would be much appreciated.

Thx in advance,

Frank De Hert
System/Security Manager
NATO Programming Centre

From firewalls-owner Tue Oct 1 14:11:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA26099 for firewalls-outgoing; Tue, 1 Oct 1996 13:56:45 -0700 (PDT)
Received: from intfw.bear.com (intfw.bear.com [206.25.172.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA26071 for ; Tue, 1 Oct 1996 13:56:27 -0700 (PDT)
Received: by intfw.bear.com (4.1/SMI-4.1) id AA08871; Tue, 1 Oct 96 16:55:39 EDT
Received: from fastbear(165.168.74.3) by intfw via smap (V1.3) id sma007817; Tue Oct 1 16:51:01 1996
Received: from ursa2.bear.com by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) id AA27776; Tue, 1 Oct 96 16:55:29 EDT
Received: from whip_xfr.bear.com (whip-xfr) by ursa2.bear.com (4.1/SMI-4.1/AMR+DJMS(2)) id AA22581; Tue, 1 Oct 96 16:52:04 EDT
Received: from wizard.bsnet by whip_xfr.bear.com (SMI-8.6/SMI-SVR4) id QAA04378; Tue, 1 Oct 1996 16:51:05 -0400
Received: from neptune by wizard.bsnet (SMI-8.6/SMI-SVR4) id QAA15978; Tue, 1 Oct 1996 16:51:04 -0400
Message-Id: <32518438.1CA5@bear.com>
Date: Tue, 01 Oct 1996 16:51:04 -0400
From: Shahryar Jahangir
Organization: Bear Stearns
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m)
Mime-Version: 1.0
To: John Anonymous MacDonald
Cc: firewalls@greatcircle.com, tcrimenti@iconnet.com, smassaro@iconnet.com
Subject: Re: Information Seeking
References: <199610011850.LAA00292@abraham.cs.berkeley.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John,

I highly recommend Integration Consortium CMT. They are located in Weehawken NJ. Tele# 1800 572-4266. You can check out their website : www.iconnet.net and one of their online mags: www.word.com.

If you would like any further information, please contact me.

luck
sj

John Anonymous MacDonald wrote:
>
> Hello:
>
> Can anyone on this list recommend a reputable and professional group that
> can perform security (both network and host; Internet related) audits at a
> medium sized company located in the United States?
>
> My interest is in the background of these organizations; who to stay away
> from; who to take a look at; etc.

--
...........................................
" Is there a God ? I don't know, the computer is down !"

Shahryar Jahangir
Information Services
Bear Stearns & Co. Inc.
245 Park Avenue
New York, NY 10167
email: sj@bear.com
Tel: 212 272 7764
Fax : 212 499 6977
...........................................
--
*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************

From firewalls-owner Tue Oct 1 14:26:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA27022 for firewalls-outgoing; Tue, 1 Oct 1996 14:06:35 -0700 (PDT)
Received: from cedar.cic.net ([192.131.22.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA27006 for ; Tue, 1 Oct 1996 14:06:27 -0700 (PDT)
Received: from 170.217.20.154 (i11gate3.ca.us.advantis.net [198.133.30.42]) by cedar.cic.net (8.8.0/8.6.9) with SMTP id RAA02684 for ; Tue, 1 Oct 1996 17:05:51 -0400 (EDT)
Message-ID: <3251871E.1ECF@novusnet.com>
Date: Tue, 01 Oct 1996 16:03:26 -0500
From: Brad Shively
Reply-To: bshive1@novusnet.com
Organization: Novus Services
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: SSL Browsers
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know this is the wrong group to ask this but,

Does anyone know how to tell if a browser is SSL enabled? I am checking the http_user_agent for Mozilla 2.0 and above. I checked the Internet Explorer and Netscape 2.0 + and they both have Mozilla in this field. Is there a better way to check other than this? I know I can check if they are coming in on the secure port but I want to send them to a page if their browser is not compliant.

Thanks,
Brad Shively

From firewalls-owner Tue Oct 1 14:40:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA27438 for firewalls-outgoing; Tue, 1 Oct 1996 14:10:37 -0700 (PDT)
Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA27407 for ; Tue, 1 Oct 1996 14:10:12 -0700 (PDT)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com (EMWAC SMTPRS 0.81) with SMTP id ; Tue, 01 Oct 1996 15:15:52 -0600
Received: by juneau.steldyn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBAFAA.B0CAC340@juneau.steldyn.com>; Tue, 1 Oct 1996 15:10:32 -0600
Message-ID:
From: Chris Pugrud
To: "'Stewart Shinewald'" , "'Leonard Miyata'"
Cc: Firewalls Mailing list
Subject: RE: NT Security
Date: Tue, 1 Oct 1996 15:10:30 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This can be done fairly simply from an administrative workstation, across the network. Every NT machine automatically shares all of its drives under \\computername\c$ or d$ etc. These shares can only be accessed by an administrator (possibly a backup operator). This will allow you to scan the machine across the network without the user's knowledge. I use it regularly to do virus scans on users' machines across the network.

Chris

>-----Original Message-----
>From: Stewart Shinewald [SMTP:stewarts@cul.ca]
>Sent: Thursday, September 26, 1996 5:38 PM
>To: Leonard Miyata
>Cc: Firewalls Mailing list
>Subject: Re: NT Security
>
>Our company is just moving to NT. In the past, when we audited workstations, it was relatively easy to review the users hard drive for unsupported software or non company use of resources by using DOS utilities such as PC TOOLS or NORTON.
>Now that a workstation can be secured with a password and NTFS I had presumed that booting from a floppy and using DOS utilities to scan the hard drive would not work. Occasionally, we would audit a pc without the knowledge of the user thus we would not know the password.
>
>What utility programs would permit an auditor to scan and view in text format, an entire hard drive including NT File Systems? Will these also permit the restoration and viewing of deleted files. If files are password protected or NT encrypted, are you aware of any utilities that will permit the viewing of the contents of these files?
>
>Stewart Shinewald

From firewalls-owner Tue Oct 1 14:58:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA27107 for firewalls-outgoing; Tue, 1 Oct 1996 14:07:17 -0700 (PDT)
Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA27068 for ; Tue, 1 Oct 1996 14:06:57 -0700 (PDT)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com (EMWAC SMTPRS 0.81) with SMTP id ; Tue, 01 Oct 1996 15:12:33 -0600
Received: by juneau.steldyn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBAFAA.3A207F50@juneau.steldyn.com>; Tue, 1 Oct 1996 15:07:13 -0600
Message-ID:
From: Chris Pugrud
To: "'Per-Henning Valderhaug'" , Firewalls Mailing list
Subject: RE: Firewall for NT networks with transparent authentication
Date: Tue, 1 Oct 1996 15:07:11 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To my knowledge Microsoft Proxy Server (formerly Catapult) is the only package that does this. MSP is not a firewall in and of itself, but can be a major part of a complete firewall. Raptor's EagleNT is supposed to have NT Domain authentication added, although I am not aware of how it is implemented or if it is transparent.

MSP is only transparent for users of MSIE 3.0 or greater.

Chris

>-----Original Message-----
>From: Per-Henning Valderhaug [SMTP:valper@nodeca.mil.no]
>Sent: Thursday, September 26, 1996 11:54 AM
>To: Firewalls Mailing list
>Subject: Firewall for NT networks with transparent authentication
>
>Hi all!
>
>I need a firewall that is able to transparently authenticate the users placed at the inside of the firewall (in the LAN). Inside users should be granted access to specific external hosts based upon their username in the Windows NT network.
>
>Any such products out there? What would you recommend?
>
>Best regards
>Per-Henning
>
>Per-Henning Valderhaug
>Forsvarets Tele- og Datatjeneste
>Oslo mil/Akershus
>N-0015 OSLO
>NORWAY
>
>Phone: +47 22 40 24 00
>Direct line: +47 22 40 26 88
>Telefax: +47 22 40 29 97
>e-mail: valper@nodeca.mil.no

From firewalls-owner Tue Oct 1 15:19:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA27918 for firewalls-outgoing; Tue, 1 Oct 1996 14:14:16 -0700 (PDT)
Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA27847 for ; Tue, 1 Oct 1996 14:13:40 -0700 (PDT)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com (EMWAC SMTPRS 0.81) with SMTP id ; Tue, 01 Oct 1996 15:19:14 -0600
Received: by juneau.steldyn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBAFAB.28BD65B0@juneau.steldyn.com>; Tue, 1 Oct 1996 15:13:54 -0600
Message-ID:
From: Chris Pugrud
To: "'fdehert@innet.be'" , "'Anthony D. Thomas'"
Cc: Firewalls Mailing list
Subject: RE: netbeui & tcp
Date: Tue, 1 Oct 1996 15:13:52 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

NetBEUI and TCP/IP are network protocols. There is no need to run one with the other (other than interesting security based decisions involving the non-routability of NetBEUI). I believe what was in question is NetBIOS which is essential for all windows networking. NetBIOS can run over NetBEUI, TCP/IP, or even IPX/SPX.

Chris

>-----Original Message-----
>From: fdehert@innet.be [SMTP:fdehert@innet.be]
>Sent: Friday, September 27, 1996 6:29 PM
>To: Anthony D. Thomas
>Cc: Firewalls Mailing list
>Subject: RE: netbeui & tcp
>
>>Yep... that is what it is for..... For many reasons you might
>>not want to run NetBEUI without TCP/IP....
>>
>Could you elaborate on that? Somehow I was convinced that NetBEUI and TCP/IP were two separate stacks/protocols that don't need each other to run.
>
>>--------------------------------------------------
>>Anthony Thomas, Network Engineer, TASC Inc
>>E-mail: adthomas@tasc.com
>>http://www.tasc.com
>>Phone : 617 - 942 - 2000
>>Fax : 617 - 942 - 7100
>>--------------------------------------------------
>>
>>----------
>>From: Andy Watts[SMTP:andywatt@loxinfo.co.th]
>>Sent: Tuesday, September 24, 1996 6:58 AM
>>To: firewalls@greatcircle.com
>>Subject: netbeui & tcp
>>
>>Hi,
>>
>>While playing with FW-1 on NT I saw that it can allow the service NetBEUI.
>>
>>
>>What is this for?
>>
>>Does this allow people to connect and become part of a microsoft network
>>across TCP/IP?
>>
>>Is there any way users can share MS network files & directories
>>across TCP/IP
>>
>>Thanks
>>
>>Andy
>>
>>
>>
>>
>>
>--
>While re-installing the newest version of The Operating System for the umpteenth time, it struck me that I would spend the better part of my active life sitting around, staring at a computer screen, waiting for The System to show some sign of life...
>
>Aaaaahhhhhh

From firewalls-owner Tue Oct 1 15:26:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA04839 for firewalls-outgoing; Tue, 1 Oct 1996 14:57:00 -0700 (PDT)
Received: from inroma.roma.it (srv.caspur.it [193.204.5.75]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA04709 for ; Tue, 1 Oct 1996 14:56:34 -0700 (PDT)
Received: from esquilino13.inroma.roma.it by inroma.roma.it (AIX 4.1/UCB 5.64/4.03) id AA29024; Tue, 1 Oct 1996 23:19:35 +0100
Date: Tue, 1 Oct 1996 23:19:35 +0100
Message-Id: <9610012219.AA29024@inroma.roma.it>
X-Sender: anfus@inroma.roma.it (Unverified)
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: anfus@inroma.roma.it (Franco Pizzuto)
Subject: info
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm writing for University of Rome a thesis about Net security (firewalls ...)
I'm looking for some documents to begin my research (I've just seen firewalls FAQ)
Can anybody help me to find books or Net documents introducing the argument "security + firewalls + ....." ?

Thanks in advance
Franco Pizzuto

From firewalls-owner Tue Oct 1 15:56:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA06635 for firewalls-outgoing; Tue, 1 Oct 1996 15:07:37 -0700 (PDT)
Received: from home.nexus.net.mx ([167.114.25.165]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA06612 for ; Tue, 1 Oct 1996 15:07:27 -0700 (PDT)
Received: (from jdelgado@localhost) by home.nexus.net.mx (8.7/8.7.2) id RAA12398; Tue, 1 Oct 1996 17:12:09 -0500 (CDT)
Date: Tue, 1 Oct 1996 17:12:08 -0500 (CDT)
From: Jose Luis Delgado
To: firewalls@GreatCircle.COM
Subject: Netscape & Firewall help!!
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi everybody!!!!

I have a question: I work in two distinct companies. The first has no firewall... but the second... has a firewall (Eagle Raptor). Then I have in the Intranet an Oracle Web Server 2.0 for AIX 3.2.5... and in the other part, I have an OWS 1.0 in NT...

My question is: How can I, WITH NETSCAPE, access the OWS and the database inside the firewall from an external machine?

I hope somebody can help me.

Thanks.

AT LESS... TRY!
Jose Luis Delgado Solano (Base de Datos)
jdelgado@nexus.net.mx

From firewalls-owner Tue Oct 1 16:11:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA15356 for firewalls-outgoing; Tue, 1 Oct 1996 15:57:19 -0700 (PDT)
Received: from intfw.bear.com (intfw.bear.com [206.25.172.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA15293 for ; Tue, 1 Oct 1996 15:56:53 -0700 (PDT)
Received: by intfw.bear.com (4.1/SMI-4.1) id AA19427; Tue, 1 Oct 96 18:55:36 EDT
Received: from fastbear(165.168.74.3) by intfw via smap (V1.3) id sma018702; Tue Oct 1 18:54:40 1996
Received: from ursa2.bear.com by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) id AA29140; Tue, 1 Oct 96 18:59:09 EDT
Received: from whip_xfr.bear.com (whip-xfr) by ursa2.bear.com (4.1/SMI-4.1/AMR+DJMS(2)) id AA23217; Tue, 1 Oct 96 18:55:44 EDT
Received: from wizard.bsnet by whip_xfr.bear.com (SMI-8.6/SMI-SVR4) id SAA16916; Tue, 1 Oct 1996 18:54:46 -0400
Received: from neptune by wizard.bsnet (SMI-8.6/SMI-SVR4) id SAA19244; Tue, 1 Oct 1996 18:54:45 -0400
Message-Id: <3251A135.48FB@bear.com>
Date: Tue, 01 Oct 1996 18:54:45 -0400
From: Shahryar Jahangir
Organization: Bear Stearns
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m)
Mime-Version: 1.0
To: Mike Jones
Cc: Firewalls@GreatCircle.COM, klynn@cyberspace.com
Subject: Re: SOLARIS x86 as firewall platform
References: <199610012001.QAA16337@bass.com.>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I should add to all that I have gone through heaven and earth to set up an x86 machine w. Sol 2.4 & FW-1 w/ an Ethernet NIC and a token ring NIC. The result: It didn't work !!
Contacted SUN /Checkpoint/ Compaq - nothing !

luck
sj

Mike Jones wrote:
>
> > I believe your options in this aspect is either Sun Microsystems
> > Firewall-1 (which they're really just licensing from checkpoint), or from
> > what I understand Trusted Information Systems (TIS) is working on a
> > Solaris version of Gauntlet.
>
> I have run FW-1 on a Solaris X86 system (P90, no less) with one DMZ
> network and have had no problems (except with unreliable cheap PC
> hardware).
>
> > In my experience I'd favor gauntlet as it is a true application level
> > proxy gateway. Firewall-1 which is supposed to perform as the fastest
> > firewall around is unfortunately a hybrid packet filtering firewall
> > therefore it is somewhat less secure (depending on how you setup your
> > site of course).
>
> Therefore? Could you point out a couple of specific ways FW-1 is less
> secure? I understand that basic packet filtering (such as is found in
> most routers) has some shortcomings, particularly in lack of flexibility,
> but I've never been clear on exactly what sort of attacks a FW-1 would
> be susceptible to that, say, Gauntlet wouldn't.
>
> Mike Jones
> Sr. Network Computing Advisor
> UNIFIED Technologies

--
...........................................
" Is there a God ? I don't know, the computer is down !"

Shahryar Jahangir
Information Services
Bear Stearns & Co. Inc.
245 Park Avenue
New York, NY 10167
email: sj@bear.com
Tel: 212 272 7764
Fax : 212 499 6977
...........................................
--
*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************

From firewalls-owner Tue Oct 1 17:28:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA23615 for firewalls-outgoing; Tue, 1 Oct 1996 17:13:23 -0700 (PDT)
Received: from snet (dataprep.com.my [202.190.57.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA23580 for ; Tue, 1 Oct 1996 17:13:12 -0700 (PDT)
Received: from palan-net by snet (SMI-8.6/SMI-SVR4) id IAA01408; Wed, 2 Oct 1996 08:18:56 -0800
Date: Wed, 2 Oct 1996 08:18:56 -0800
Message-Id: <199610021618.IAA01408@snet>
X-Sender: palan@dataprep.com.my
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Kogulapalan
Subject: Re: info
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:19 PM 10/1/96 +0100, you wrote:
>I'm writing for University of Rome a thesis about Net security (firewalls ...)
>I'm looking for some documents to begin my research (I've just seen
>firewalls FAQ)
>Can anybody help me to find books or Net documents introducing the argument
>"security + firewalls + ....." ?

Check out Internet Security - Building Internet FIREWALLS by D.Brent Chapman & Elizabeth D.Zwicky (O'Reilly & Associates, Inc)

>Thanks in advance
>Franco Pizzuto
>
>

From firewalls-owner Tue Oct 1 17:40:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA25237 for firewalls-outgoing; Tue, 1 Oct 1996 17:35:51 -0700 (PDT)
Received: from sparky. (sparky.flashpoint.com [205.214.59.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA25220 for ; Tue, 1 Oct 1996 17:35:44 -0700 (PDT)
Received: from cktassy.ca-online.com by sparky. (SMI-8.6/SMI-SVR4) id RAA08979; Tue, 1 Oct 1996 17:38:30 -0700
From: "John McColley @ J F Engineering"
To: firewalls@greatcircle.com
Subject: Class C Subnetting
X-Mailer: SCO Portfolio 2.0
Date: Tue, 1 Oct 1996 17:19:14 -0700 (PDT)
Message-ID: <9610011719.aa22417@cktassy.ca-online.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks for all the information on Class C Subnetting. It answered all of my questions.

John

From firewalls-owner Tue Oct 1 17:55:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA24445 for firewalls-outgoing; Tue, 1 Oct 1996 17:22:57 -0700 (PDT)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA24405 for ; Tue, 1 Oct 1996 17:22:43 -0700 (PDT)
Received: by mercury.Sun.COM (Sun.COM) id RAA03871; Tue, 1 Oct 1996 17:21:36 -0700
Received: from topsun.West.Sun.COM by West.Sun.COM (5.0/SMI-5.3) id AA06074; Tue, 1 Oct 1996 17:21:34 -0700
Received: from plato.West.Sun.COM by topsun.West.Sun.COM (SMI-8.6/SMI-SVR4) id RAA16607; Tue, 1 Oct 1996 17:20:20 -0700
Received: by plato.West.Sun.COM (SMI-8.6/SMI-SVR4) id RAA01541; Tue, 1 Oct 1996 17:22:57 -0700
Date: Tue, 1 Oct 1996 17:22:57 -0700
From: Matthew.Archibald@West.Sun.COM (Matthew Archibald)
Message-Id: <199610020022.RAA01541@plato.West.Sun.COM>
To: nobody@cypherpunks.ca, sj@bear.com
Subject: Re: Information Seeking
Cc: firewalls@greatcircle.com, tcrimenti@iconnet.com, smassaro@iconnet.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sun Professional Services provides all of this as well.... You can contact Brad.Powell@Sun.COM or myself...
----- Begin Included Message -----

From sj@bear.com Tue Oct 1 15:31:49 1996
Date: Tue, 01 Oct 1996 16:51:04 -0400
From: Shahryar Jahangir
Mime-Version: 1.0
To: John Anonymous MacDonald
Cc: firewalls@greatcircle.com, tcrimenti@iconnet.com, smassaro@iconnet.com
Subject: Re: Information Seeking
Content-Transfer-Encoding: 7bit

John,

I highly recommend Integration Consortium CMT. They are located in Weehawken NJ. Tele# 1800 572-4266. You can check out their website : www.iconnet.net and one of their online mags: www.word.com.

If you would like any further information, please contact me.

luck
sj

John Anonymous MacDonald wrote:
>
> Hello:
>
> Can anyone on this list recommend a reputable and professional group that
> can perform security (both network and host; Internet related) audits at a
> medium sized company located in the United States?
>
> My interest is in the background of these organizations; who to stay away
> from; who to take a look at; etc.

--
...........................................
" Is there a God ? I don't know, the computer is down !"

Shahryar Jahangir
Information Services
Bear Stearns & Co. Inc.
245 Park Avenue
New York, NY 10167
email: sj@bear.com
Tel: 212 272 7764
Fax : 212 499 6977
...........................................
--
*******************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication.
*******************************************************************************

----- End Included Message -----

From firewalls-owner Tue Oct 1 18:27:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA29653 for firewalls-outgoing; Tue, 1 Oct 1996 18:20:40 -0700 (PDT)
Received: from snet (dataprep.com.my [202.190.57.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA29591 for ; Tue, 1 Oct 1996 18:20:21 -0700 (PDT)
Received: from palan-net by snet (SMI-8.6/SMI-SVR4) id JAA01537; Wed, 2 Oct 1996 09:24:56 -0800
Date: Wed, 2 Oct 1996 09:24:56 -0800
Message-Id: <199610021724.JAA01537@snet>
X-Sender: palan@dataprep.com.my
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: bshive1@novusnet.com
From: Kogulapalan
Subject: Re: SSL Browsers
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:03 PM 10/1/96 -0500, you wrote:
>I know this is the wrong group to ask this but,
>
>Does anyone know how to tell if a browser is SSL enabled? I am checking
>the http_user_agent for Mozilla 2.0 and above. I checked the Internet
>Explorer and Netscape 2.0 + and they both have Mozilla in this field. Is
>there a better way to check other than this? I know I can check if they
>are coming in on the secure port but I want to send them to a page if
>their browser is not compliant.

If your browser can support https:// then yours is SSL enabled.

>
>Thanks,

no problem :)

>Brad Shively
>

From firewalls-owner Tue Oct 1 18:41:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA29409 for firewalls-outgoing; Tue, 1 Oct 1996 18:19:04 -0700 (PDT)
Received: from esperosun.chungnam.ac.kr (esperosun.chungnam.ac.kr [168.188.66.84]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA29380 for ; Tue, 1 Oct 1996 18:18:52 -0700 (PDT)
Received: from esperosun.chungnam.ac.kr (espero.chungnam.ac.kr [168.188.66.89]) by esperosun.chungnam.ac.kr (8.6.12h2/8.6.9) with SMTP id KAA04043 for ; Wed, 2 Oct 1996 10:17:33 +0900
Message-ID: <3251C259.5A73@esperosun.chungnam.ac.kr>
Date: Wed, 02 Oct 1996 10:16:09 +0900
From: jcryou
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: info
References: <9610012219.AA29024@inroma.roma.it>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anybody help me to find documents introducing security requirements or evaluation criteria for firewalls ?

So far, I have found the following two documents:

 1. "Security requirements for MISSI-Compliant Firewalls Protecting Sensitive But Unclassified Environments", ver1.0, March 1996.

 2. "Common Criteria for Information Technology Security Evaluation- Part4 Predefined Protection Profiles for Network/Transport Layer Packet Filter Firewall", CCEB-96/014

Thanks in advance.
Jae-Cheol Ryou Department of Computer Science Chungnam National University Daejeon, South Korea 305-764 From firewalls-owner Tue Oct 1 20:41:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA10634 for firewalls-outgoing; Tue, 1 Oct 1996 20:35:16 -0700 (PDT) Received: from cohiba.predictive.com (cohiba.predictive.com [204.243.240.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA10627 for ; Tue, 1 Oct 1996 20:35:07 -0700 (PDT) Received: from starfury.shadow.net (ip55.indianapolis.in.interramp.com [38.11.127.55]) by cohiba.predictive.com (8.6.11/8.6.12) with SMTP id WAA11981 for ; Tue, 1 Oct 1996 22:47:26 -0400 Message-Id: <3.0b24.32.19961001233423.0067b8b0@204.243.240.5> X-Sender: starfury@204.243.240.5 X-Mailer: Windows Eudora Pro Version 3.0b24 (32) Date: Tue, 01 Oct 1996 23:34:30 -0400 To: firewalls@greatcircle.com From: PCA Subject: Compuserve and AOL ports Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk FW's, I hate to ask this, but the ports for Compuserve and AOL, can someone repost them... Thanks... 
From firewalls-owner Tue Oct 1 21:55:49 1996
From: Chris Lonvick
Date: Tue, 01 Oct 1996 23:33:03 -0700
To: jcryou, firewalls@GreatCircle.COM
Subject: Re: info
Message-Id: <2.2.32.19961002063303.006b06f0@diablo.cisco.com>

Hello Jae-Cheol Ryou,

Could you please post the URLs to those documents if they're on the Web?

You may also want to look at the firewall evaluation from the National Computer Security Association at http://www.ncsa.com They list their criteria for "passing" a firewall. Beyond this, they have a large listing of books about computer security.

Hope this helps,
Chris Lonvick
Cisco Systems
Consulting Engineering
Houston, TX, USA
+1-713-778-5663

At 10:16 AM 10/2/96 +0900, jcryou wrote:
>Can anybody help me to find documents introducing security
>requirements or evaluation criteria for firewalls ?
>
>So far, I have found the following two documents:
>
> 1. "Security requirements for MISSI-Compliant Firewalls Protecting
> Sensitive But Unclassified Environments", ver1.0, March 1996.
>
> 2. "Common Criteria for Information Technology Security Evaluation-
> Part 4 Predefined Protection Profiles for Network/Transport Layer
> Packet Filter Firewall", CCEB-96/014
>
>Thanks in advance.
>
>Jae-Cheol Ryou
>Department of Computer Science
>Chungnam National University
>Daejeon, South Korea 305-764
>
>

From firewalls-owner Tue Oct 1 23:55:54 1996
From: Krauss.SiemensAG@t-online.de (Dietmar Krauss)
Organization: Siemens AG
Date: Wed, 02 Oct 1996 08:33:30 +0000
To: Franco Pizzuto
CC: firewalls@greatcircle.com
Subject: Re: info
Message-ID: <325228DA.57FF@t-online.de>

Franco Pizzuto wrote:
>
> I'm writing for University of Rome a thesis about Net security (firewalls ...)
> I'm looking for some documents to begin my research (I've just seen
> firewalls FAQ)
> Can anybody help me to find books or Net documents introducing the argument
> "security + firewalls + ....." ?
> Thanks in advance
> Franco Pizzuto

I don't know if you've already checked out THE book on Internet and firewall security. It is considered to be a handbook for both sysadmins and hackers.

'Firewalls & Internet Security: Repelling the Wily Hacker' by William R. Cheswick and Steven M.
Bellovin
Addison-Wesley Professional Computing Series
0-201-63357-4 * Paperback * 320 pages * ©1994
http://www.aw.com/cp/Ches.html

Good luck,
Dietmar
--
Krauss.SiemensAG@t-online.de
Dietmar Krauss
Consulting Communication
Siemens AG, Germany (www.siemens.de/pn)

From firewalls-owner Wed Oct 2 00:42:36 1996
From: g6amsib@1ADTFREAR.1AD.ARMY.MIL (G6 CPT Bates)
Organization: 1AD G6 Automation
Date: Tue, 01 Oct 1996 10:12:27 +0200
To: Firewalls@GreatCircle.COM (Firewalls)
Subject: RE: NT Security
Message-ID: <1996Oct01.095200.1851.32442@1ADTFREAR.1AD.ARMY.MIL>

>On Wed, 25 Sep 1996, Joseph S. D. Yao wrote:
> Much has been made of NT's "C2" certification. I've heard that it was
> certified without the standard NT file system; and with that file
> system, it can't be certified. Beware.
> It will only comply with C2 standards if you are using the NTFS file
>system (not FAT or HPFS) and, of course, as a stand-alone machine after
>service pack X (7?) is applied with some other holes closed

Greetings, fellow automators. First post to Firewalls from here in the Balkans. The U.S. Army (1st Armored Division) in Bosnia has come out of the Iron Age (no pun intended) and into the information age. We are currently utilizing Windows NT networks, and have introduced unclassified data connectivity to the field soldier primarily to support automated logistics data requirements. However, it appears more and more users have discovered the convenience and utility of email, networks, and shared files to conduct effective coordination and staffing. We use two physically separate LAN/WANs, one classified, and one unclassified. Problem is, everyone wants to use their unclassified workstations, and no one uses the classified, for obvious reasons: they like Web access, emailing loved ones back home, and coordinating with government contractors who do not have access to the secret LAN/WAN.

However, we have run into speed bumps with individuals processing classified information on unclassified PCs, and virus problems, mostly those that affect the boot sector. Converting from WFW 3.11 and WIN 95 to NT Workstation with no FAT partitions, strictly NTFS partitions, seems to be the optimal solution.

We do not have the budget nor training to install expensive firewalls at the Division level. We think fewer, but more robust machines running NT Workstation on both the class and unclass LAN/WANs would offer what we require in terms of processing power and NT's excellent auditing/security. However, it is very expensive, both in terms of equipment and personnel, to maintain these two NT LANs.
While I have yet to see someone hack an NTFS partition with permissions and other holes plugged up (watched a couple of DISA's best guys try), the security goons still have conniption fits about placing classified data on an unclassified NTFS partition. Any word on when NT will be network certified?? We are also starting to use Iomega's Zip drive to store/archive/use large amounts of data. Merely attempting to find a solution that meets our needs, from a function, security, and fiscal perspective.

Thanks much in advance.

Regards,
Stephen E. Bates
CPT, SC
G6 Systems Integration
g6amsib@1adtfrear.1ad.army.mil
DSN 370-7179
MSE 551-3562

From firewalls-owner Wed Oct 2 01:41:31 1996
From: cgt@ecmwf.int (Tony Bakker)
Organization: ECMWF (European Weather Centre)
Date: Wed, 2 Oct 1996 09:29:56 +0100
Reply-To: Tony.Bakker@ecmwf.int
To: sdadmin@jabberwocky.bbnplanet.com, Firewalls@greatcircle.com
Subject: Gauntlet 3.1 on SGI IRIX and SecurID
Message-Id: <9610020929.ZM28386@barant>

Hi,

I just received version 3.1 of Gauntlet for SGI IRIX and am having problems getting SecurID to work.
I get the following message in the SYSLOG:

authsrv[23191]: ACM Error: Unable to locate ACE/Server host ; error Error 0

and the TELNET gateway says:

TELNET Gateway. Authorized access only.
Username: cgt
Enter PASSCODE: ######
Cannot talk to ACE server
Username:

I know for sure that the firewall host can talk to the ACE server as I have verified this with running sdshell. Also traceroute and ping to the ACE server are successful.

In the netperm-table I have got the line:

authsrv: securidhost isis

I have monitored the ethernet and do not see any packets from the firewall host for the ACE server from the Gauntlet software.

Any help would be appreciated.

Thanks

Tony Bakker
--
------------------------------------------------------------------
Tony Bakker
European Centre for Medium-Range Weather Forecasts
Shinfield Park, Reading
Berkshire RG2 9AX
United Kingdom
http://www.ecmwf.int/
System Software Section   tel: +44 118 9499378
WAN Group leader          fax: +44 118 9869450
Email: Tony.Bakker@ecmwf.int   tlx: +44 118 9847908
------------------------------------------------------------------

From firewalls-owner Wed Oct 2 03:12:25 1996
Message-Id: <32523B05.3FAE@oldmutual.com>
Date: Wed, 02 Oct 1996 11:51:01 +0200
From:
jbarnes@oldmutual.com (Jay Barnes)
Organization: Old Mutual
To: firewalls@greatcircle.com
Subject: DHCP and Firewalls

This subject was raised a while ago, but didn't really come to any conclusions, IMHO, so I'd like to try again.

My problem is as follows. We have several thousand workstations, which need to be moved quite frequently (because of building, etc.) and our PC people want (need) to use DHCP to allocate IP addresses. They have a problem with locking down addresses (permanent lease) because all that that does is move the administration problem somewhere else. We are using Gauntlet as our firewall, and thus (apparently) need fixed IP addresses - either that or permit all addresses access to the Internet and manage the end user, which I am told we can't do yet and anyway is against our policy.

So, how do I integrate the very real need for DHCP with the very real need to operate and manage a secure (firewalled) connection to the Internet?

We are going to look at Microsoft's Catapult - we use Microsoft products extensively - but I am uncomfortable with what I hear about the product on this list. Are there any other products around that can help us?

PS - please don't turn this into another "MS vs Unix" debate. The product set is not the issue, the technology is.
--
Jay Barnes
WebMaster at "http://www.oldmutual.com"
Email jbarnes@oldmutual.com
Phone +27 21 509 5464
Cell 082 452 5939
Fax +27 21 509 5619

From firewalls-owner Wed Oct 2 03:44:59 1996
From: Darwin Martinez
Date: Wed, 02 Oct 1996 06:26:58 -0400
To: PCA
Cc: firewalls@greatcircle.com
Subject: Re: Compuserve and AOL ports
Message-Id: <2.2.32.19961002102658.006a5460@lexicon.ins.com>

AOL = 5190 (tcp/udp), Compuserve = 4144 (tcp) :)

At 11:34 PM 10/1/96 -0400, you wrote:
>FW's,
>
> I hate to ask this, but the ports for Compuserve and AOL, can someone
>repost them... Thanks...
>
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Darwin L.
Martinez, NSE                        Email: darwin_martinez@ins.com
Atlanta Office                       Client: 404-843-5954
International Network Services       Pager: 1-800-INS-1-INS
"Providing the power of operable networks"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

From firewalls-owner Wed Oct 2 04:41:39 1996
From: Adam Shostack
Date: Wed, 2 Oct 1996 07:42:43 -0500 (EST)
To: Tony.Bakker@ecmwf.int
Cc: sdadmin@jabberwocky.bbnplanet.com, Firewalls@GreatCircle.COM
Subject: Re: Gauntlet 3.1 on SGI IRIX and SecurID
In-Reply-To: <9610020929.ZM28386@barant> from "Tony Bakker" at Oct 2, 96 09:29:56 am
Message-Id: <199610021242.HAA25388@homeport.org>

What Ace/Server are you using? The Authserv was written long before v2 came out, and may be expecting version 1 files, message formats, etc.

Adam

Tony Bakker wrote:
| I just received version 3.1 of Gauntlet for SGI IRIX and am having problems
| getting SecurID to work. I get the following message in the SYSLOG:
|
| authsrv[23191]: ACM Error: Unable to locate ACE/Server host
| ; error Error 0
| I know for sure that the firewall host can talk to the ACE server as I have
| verified this with running sdshell. Also traceroute and ping to the
| ACE server are successful.
|
| In the netperm-table I have got the line:
|
| authsrv: securidhost isis
|
| I have monitored the ethernet and do not see any packets from the firewall host
| for the ACE server from the Gauntlet software.
|
| Any help would be appreciated.
|
| Thanks
|
| Tony Bakker
|
|
| --
| ------------------------------------------------------------------
| Tony Bakker
| European Centre for Medium-Range Weather Forecasts
| Shinfield Park, Reading
| Berkshire RG2 9AX
| United Kingdom
| http://www.ecmwf.int/
| System Software Section   tel: +44 118 9499378
| WAN Group leader          fax: +44 118 9869450
| Email: Tony.Bakker@ecmwf.int   tlx: +44 118 9847908
| ------------------------------------------------------------------
|

--
"It is seldom that liberty of any kind is lost all at once."
                                               -Hume

From firewalls-owner Wed Oct 2 06:12:47 1996
From: cgt@ecmwf.int (Tony Bakker)
Organization: ECMWF (European Weather Centre)
Date: Wed, 2 Oct 1996 14:04:42 +0100
Reply-To: Tony.Bakker@ecmwf.int
To: Mikael Kuisma
Cc: sdadmin@jabberwocky.bbnplanet.com, Firewalls@greatcircle.com
Subject: Re: Gauntlet 3.1 on SGI IRIX and SecurID
In-Reply-To: Mikael Kuisma "Re: Gauntlet 3.1 on SGI IRIX and SecurID" (Oct 2, 10:40)
Message-Id: <9610021404.ZM29469@barant>

On Oct 2, 10:40, Mikael Kuisma wrote:
> Subject: Re: Gauntlet
3.1 on SGI IRIX and SecurID
> Tony Bakker wrote:
> > In the netperm-table I have got the line:
> >
> > authsrv: securidhost isis
>
> isis should be the name/address of the inside
> interface on the Gauntlet, i.e. the host
> that acts as the securid client. It should
> not be the name of the ACE server.
>

Done that, but it still does not work!

# grep secur /usr/gauntlet/config/netperm-table
authsrv: securidhost 136.156.112.128

# ifconfig ec0
ec0: flags=c63
        inet 136.156.112.128 netmask 0xfffffc00 broadcast 136.156.115.255

authsrv[24258]: ACM Error: Unable to locate ACE/Server host ; error Error 0

Tony

From firewalls-owner Wed Oct 2 06:26:50 1996
From: Joav Kohn
Date: Wed, 02 Oct 1996 07:56:22 -0500 (CDT)
To: firewalls-owner, firewalls
Subject: Re: DHCP and Firewalls
In-reply-to: <32523B05.3FAE@oldmutual.com>
Message-id: <5322560702101996/A00649/PFMSV1/11AA11F81500*@MHS.us.landisgyr.com>
Content-type:
TEXT/PLAIN; CHARSET=US-ASCII

> My problem is as follows. We have several thousand workstations, which
> need to be moved quite frequently (because of building, etc.) and our PC
> people want (need) to use DHCP to allocate IP addresses. They have a
> problem with locking down addresses (permanent lease) because all that
> that does is move the administration problem somewhere else. We are
> using Gauntlet as our firewall, and thus (apparently) need fixed IP
> addresses - either that or permit all addresses access to the Internet
> and manage the end user, which I am told we can't do yet and anyway is
> against our policy.

We had the same exact problem here. The solution I came up with was this:

In the DHCP situation, you can never guarantee that an IP will be unique, but a NETBIOS name always will be. This meant that the main issue was how to map NETBIOS names to the IP that they were currently using. We were already running an internal DNS server; now we needed one that could do forward & reverse WINS lookups (for NETBIOS names). I looked at several NT DNS products, including Metainfo's DNS & NT 4.0's, and Microsoft's proved to have the most stability (though the GUI is slightly buggy).

This being done, the next trick was to get the firewall to look for reverse lookups on our internal machine, while allowing all other reverse and forward lookups to take place on the outside. If you've gotten your IPs from InterNIC, just have the in-addr.arpa domain for your addresses point to your internal name server. If you're on a public scheme, or lease your IPs from Sprint, MCI, CompuServe, etc. (I had a mix of both), then you're going to have to dance through some extra hoops. I set the firewall's DNS as a primary server for the (.) domain.
In the db file for root, I left out an SOA record for . and listed the other primary root servers that would normally be in the cache file as secondary NS servers for (.). I then listed our internal name server as the primary NS for our in-addr.arpa domains. Once this was done, along with a restart of named, all that needed to be done was edit the netperm table in Gauntlet. I simply deny everyone, and add NETBIOS names to the table for the services we allow those users to have.

It's been working relatively problem free for several months now; if you have any more questions, feel free to ask.

-joav

From firewalls-owner Wed Oct 2 06:46:03 1996
From: Jim Richey
Date: Wed, 02 Oct 1996 09:18:29 -0400
To: barbara@us.checkpoint.com
CC: Firewall Discussion
Subject: Re: Gauntlet vs. Sidewinder
Message-ID: <32526BA5.4A9D7C0@pabs.com>

What do you base this on?
We are currently running Sidewinder and are pleased with its operation. Are there advantages to running FireWall-1 as opposed to Sidewinder?

Barbara W. Jaarsma wrote:
>
> Bouchard, Alexis, 2Lt,SAM/GNCP wrote:
> >
> > I have to choose between Gauntlet and Sidewinder as a Firewall solution.
>
> Personally, I'd go with FireWall-1... :-)
> -Barb

--
Jim Richey
jrichey@pabs.com
http://www.cmagic.com/Pub/JLR/home.html

From firewalls-owner Wed Oct 2 06:56:13 1996
From: "Rob M. VanHooren"
Date: Wed, 2 Oct 1996 08:44:25 -0400
Subject: Opinions/Experiences re: Sidewinder?
Message-Id: <199610021349.JAA02760@mailhost.linkd.net>

Greetings, all...

Am evaluating high-end firewall implementations currently on the market for deployment in large, complex WAN environments.

Secure Computing's Sidewinder seems to be what I'm after, but if there are any "gotchas" with their package, I'd sure like to know about them.

Additionally, if there's a f/w out there other than Sidewinder that happens to have a special place in your heart (or in your WAN :-), I'd be grateful if you would share your opinions and experiences.

Look forward to hearing your varied kudos or gripes.

w/thanks
--Rob.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-.._..-*~
Rob M. VanHooren                         Tel: +1 519 679-1155 x28
Network Engineering Services             171 Queens Avenue, Suite 320
Linkdata Communications, Inc.            London, Ontario CANADA N6A5J7

From firewalls-owner Wed Oct 2 07:11:24 1996
From: Emmanuel Korkodilos
Date: Wed, 02 Oct 1996 09:54:05 -0400
To: PCA, firewalls@GreatCircle.COM
Subject: Re: Compuserve and AOL ports
Message-Id: <2.2.32.19961002135405.006b04b8@mailhub.bostonherald.com>

At 11:34 PM 10/1/96 -0400, you wrote:
>FW's,
>
> I hate to ask this, but the ports for Compuserve and AOL, can someone
>repost them... Thanks...
>

These are the values that I use for our plug-gw's in Gauntlet.

Service      Port#   Host
-------      -----   ----
AOL          5190    americaonline.aol.com
Compuserve   4144    gateway.compuserve.com
MSN          569     gateway.moswest.msn.net

--------------------------------------------------------
Emmanuel Korkodilos          Boston Herald, Inc.
manny@bostonherald.com       One Herald Square
1.617.426.3000 X354 (Voice)  Boston, MA 02106-2096
1.617.338.4964 (Fax)
--------------------------------------------------------

From firewalls-owner Wed Oct 2 07:26:38 1996
From: Emmanuel Korkodilos
Date: Wed, 02 Oct 1996 10:09:35 -0400
To: Skarban, firewalls@GreatCircle.COM
Subject: Re: ifconfig
Message-Id: <2.2.32.19961002140935.006956c4@mailhub.bostonherald.com>

At 06:10 AM 10/1/96 +0100, you wrote:
>Hi,
>I am building a virtual www server and I need to define multiple IP addresses
>over one physical interface of my SGI Challenge - S (Irix 5.3).
>I am looking for the parameter of the ifconfig command of SGI IRIX 5.3.
>Hope for your kind response.
>
>M. Skarban NH a.s.
>Czech
>mskarban@novahut.cz
>

Go to www.sgi.com and search for the IP Aliases solution. This will allow one physical net interface such as ec0 to respond to multiple IP addresses. Alternately you could read the man page on "ipaliases" and try to figure it out yourself. It's much easier with the step by step SGI provides.

-Manny

--------------------------------------------------------
Emmanuel Korkodilos          Boston Herald, Inc.
manny@bostonherald.com       One Herald Square
1.617.426.3000 X354 (Voice)  Boston, MA 02106-2096
1.617.338.4964 (Fax)
--------------------------------------------------------

From firewalls-owner Wed Oct 2 08:11:43 1996
From: Emmanuel Korkodilos
Date: Wed, 02 Oct 1996 10:03:49 -0400
To: "Jerry Edmiston", firewalls@GreatCircle.COM
Subject: Re: FTP and TELNET Authenticati
Message-Id: <2.2.32.19961002140349.006c1ce8@mailhub.bostonherald.com>

At 07:35 AM 10/1/96 -0400, you wrote:
> Subject: Time: 7:13 AM
> OFFICE MEMO FTP and TELNET Authentication Date: 10/1/96
>
>I have a CyberGuard firewall. I run Telnet and FTP proxies that authenticate the request at the firewall and then pass it through. My Sun station has no problem, but our FTP/TELNET clients on our Macs and PCs do not support this authentication, i.e. multiple passwords to reach its destination (a password at the f/w and again at the server in question).
> Does anyone have any suggestions for a Telnet/FTP client on Macs and PCs that will support authentication through our f/w... thanks in advance... Jerry... jle9@eci-esyst.com
>
>

Gauntlet uses the following method. Try it; it may work for CyberGuard.

GUI FTP Tools

1.
For the hostname supply the name of the firewall, i.e.: firewall.abc.com

2. For the user name, supply the firewall authentication username, the FTP host username, and the name of the FTP host, in the form:

   firewall-authentication-username@ftp-host-username@ftp-host

   i.e.: johndoe@jdoe@server1.abc.com

3. For the password, supply the firewall authentication password and the FTP host password, in the form:

   firewall-authentication-password@ftp-host-password

   i.e.: for S/Key, STAY GOLF LOGO MAN BOX TALL@myftphostpassword

--------------------------------------------------------
Emmanuel Korkodilos          Boston Herald, Inc.
manny@bostonherald.com       One Herald Square
1.617.426.3000 X354 (Voice)  Boston, MA 02106-2096
1.617.338.4964 (Fax)
--------------------------------------------------------

From firewalls-owner Wed Oct 2 08:13:20 1996
From: amolitor@anubis.network.com (Andrew Molitor)
Date: Wed, 2 Oct 96 09:30:54 CDT
To: firewalls@greatcircle.com
Subject: Re: Information Seeking
Message-Id: <9610021430.AA04097@anubis.network.com>

We've got this service thing called, err, NetVestigator. It's something morally similar to the following:

- a network audit from Wheel Group (wheelgroup.com, I think)
- a physical security audit from Guidry Group
- big ol' reports on what's wrong
- presumably some sort of litany of things you could buy to help you fix what's wrong.
I think it's quite a good deal, but it is intended as the high-end, fully-featured, big-ticket deal. Whether you want the full deal, and whether we offer any scaled-back products which match customers who don't want the full deal, I don't know.

If you only want the network audit, you could get in touch with Wheel Group; they might be willing and able to put together just what you want. I don't work for them, so I know even less about what they offer.

Andrew
Network Systems Corp.
evil vendor slime

From firewalls-owner Wed Oct 2 08:27:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA23365 for firewalls-outgoing; Wed, 2 Oct 1996 07:31:22 -0700 (PDT)
Received: from m.bani.COM (m.bani.com [192.204.32.215]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA23314 for ; Wed, 2 Oct 1996 07:31:06 -0700 (PDT)
Received: from bani.com (banigw2.bani.COM [192.204.32.210]) by m.bani.COM (8.7.1/8.7.1) with ESMTP id KAA09466; Wed, 2 Oct 1996 10:52:46 -0400 (EDT)
Received: from crash (crash [204.170.160.143]) by bani.com (8.7.1/8.7.1) with SMTP id KAA23821; Wed, 2 Oct 1996 10:28:25 -0400 (EDT)
Message-ID: <32527B2E.C92@bani.com>
Date: Wed, 02 Oct 1996 10:24:46 -0400
From: Hani Bandi
Organization: Bell Atlantic Network Integration
X-Mailer: Mozilla 3.0b7Gold (X11; I; SunOS 5.5.1 sun4m)
MIME-Version: 1.0
To: Jose Luis Delgado
CC: firewalls@GreatCircle.COM
Subject: Re: Netscape & Firewall help!!
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jose Luis Delgado wrote:
>
> Hi everybody!!!!
>
> I have a question:
> I work in two distinct companies; the first has no firewall...
> but the second... has a firewall (Eagle Raptor).
>
> Then I have in the intranet an Oracle Web Server 2.0 for AIX 3.2.5...
> and in the other part, I have an OWS 1.0 on NT...
> My question is:
>
> How can I, WITH NETSCAPE, access the OWS and the database inside the
> firewall from an external machine?
>

Jose,

What you would do is create a rule in the Eagle firewall making your external system a trusted host. If you have Eagle Remote installed on your external system you could also create a VPN tunnel; this would give you added security if you're accessing the OWS from the Internet.

--
Hani Bandi
Technical Research Center
Bell Atlantic Network Integration
52 East Swedesford Road
Frazer PA, 19355
Voice: 610-407-2029
Or use PageNet's WWW site to send an alphanumeric message: http://www.pagenet.net/pagenet/page_inp.hmt; ID 0827858
Email: hani@bani.com
WWW: http://www.bani.com

From firewalls-owner Wed Oct 2 08:49:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA25280 for firewalls-outgoing; Wed, 2 Oct 1996 07:46:48 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA25246 for ; Wed, 2 Oct 1996 07:46:38 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id HAA19696; Wed, 2 Oct 1996 07:44:54 -0700
Received: from lighthouse.homeport.org(205.136.65.198) by mycroft via smap (V1.3mjr) id sma019686; Wed Oct 2 07:44:34 1996
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id KAA25767; Wed, 2 Oct 1996 10:05:42 -0500
From: Adam Shostack
Message-Id: <199610021505.KAA25767@homeport.org>
Subject: Re: CyberGuard. (fwd)
To: uurtamo@insync.net (Steve Uurtamo)
Date: Wed, 2 Oct 1996 10:05:42 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <199610011332.IAA01114@insync.net> from "Steve Uurtamo" at Oct 1, 96 08:32:13 am
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

First off, there's clearly programming work to be done. You need to write code to handle this protocol.
My first question would be: can you move some of that complexity off the firewall by modifying the proprietary protocol? I'd still suggest using a real proxy to ensure that all the packets look right.

As far as what code to base it on, you could consider using plug (modulo licensing requirements). There are also a couple of TCP redirectors in the hacker world which are small & modular. Also, Freestone has bsrelay.

Adam

Steve Uurtamo wrote:
| In particular, I need to proxy a service that after
| making its first connection through the firewall will
| need to establish connections through exactly 2 future
| ports for the remainder of the service. These ports
| are in the "free zone" (>1024).
| Given that I can parse the packets well enough to figure out
| what those future ports are going to be (yes this is a proprietary
| service), what is a good place to start as far as writing my own
| proxy using the proxy source code on the CyberGuard. Should I
| be looking at the way FTP handles future connections for data?

--
"Every year the Republicans campaign like Libertarians, and then go to Washington and spend like Democrats." Vote Harry Browne for President. http://www.harrybrowne96.org

From firewalls-owner Wed Oct 2 09:00:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA25691 for firewalls-outgoing; Wed, 2 Oct 1996 07:51:40 -0700 (PDT)
Received: from quix.robins.af.mil (quix.robins.af.mil [137.244.193.103]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA25651 for ; Wed, 2 Oct 1996 07:51:17 -0700 (PDT)
Received: by quix.robins.af.mil; (5.65v3.2/1.1.8.2/01Nov95-0110PM) id AA07335; Wed, 2 Oct 1996 10:50:05 -0400
From: "Mr. Jolt Cola"
Message-Id: <9610021450.AA07335@quix.robins.af.mil>
Subject: Re: SSL Browsers
To: palan@dataprep.com.my (Kogulapalan)
Date: Wed, 2 Oct 1996 10:50:04 -0400 (EDT)
Cc: bshive1@novusnet.com, firewalls@greatcircle.com
In-Reply-To: <199610021724.JAA01537@snet> from "Kogulapalan" at Oct 2, 96 09:24:56 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >I know this is the wrong group to ask this but,
> >
> >Does anyone know how to tell if a browser is SSL enabled? I am checking
> >the http_user_agent for Mozilla 2.0 and above. I checked Internet
> >Explorer and Netscape 2.0+ and they both have Mozilla in this field. Is
> >there a better way to check other than this? I know I can check if they
> >are coming in on the secure port but I want to send them to a page if
> >their browser is not compliant.
>
> If your browser can support https:// then yours is SSL enabled.

One thing to consider for browser choice in intranet environments is the fact that Netscape allows you to add RSA keys from an unknown authority, whereas M$ Explorer just refuses to connect. Then again, the cost of your browsers may outweigh the cost of paying Verisign their $290. We signed our own digital key and used Netscape for SSL, but now clients are complaining that Explorer won't connect, so we have requested a key from the Verisign CA. It's a racket. :P

Melvin

From firewalls-owner Wed Oct 2 09:13:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA25954 for firewalls-outgoing; Wed, 2 Oct 1996 07:54:36 -0700 (PDT)
Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA25884 for ; Wed, 2 Oct 1996 07:54:19 -0700 (PDT)
Received: from Barbara's HP.us.checkpoint.com (barbara-pc) by us.checkpoint.com (5.x/SMI-SVR4) id AA27561; Wed, 2 Oct 1996 07:54:59 -0700
Message-Id: <3252823E.7D53@us.checkpoint.com>
Date: Wed, 02 Oct 1996 07:54:54 -0700
From: "Barbara W. Jaarsma"
Reply-To: barbara@us.checkpoint.com
Organization: Checkpoint US Technical Support
X-Mailer: Mozilla 3.0 (Win95; I)
Mime-Version: 1.0
To: "Bryan D. Boyle"
Cc: firewalls@greatcircle.com
Subject: Re: Gauntlet vs. Sidewinder
References: <325149EB@MSSMTPOUT.COMM.HQ.AF.MIL> <32514C1F.1BD3@us.checkpoint.com> <325150E6.52BF@erenj.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bryan -

You're right - it's not an unbiased opinion. But after 25 years in the business, first as a programmer, and then as a consultant specializing in multi-protocol, multi-vendor, multi-application environments & security, and having worked for numerous firewall vendors, I can pick my own jobs and name my own price. And I'm here at Checkpoint. Think about it...

-Barb

P.S. Note the free SYNDefender upgrade on our web site (http://www.checkpoint.com). Know anyone else who has one?

Bryan D. Boyle wrote:
>
> Barbara W. Jaarsma wrote:
> >
> > Bouchard, Alexis, 2Lt,SAM/GNCP wrote:
> > >
> > > I have to choose between Gauntlet and Sidewinder as a Firewall solution.
> >
> > Personally, I'd go with FireWall-1... :-)
> > -Barb
>
> Not an unbiased opinion, from your return address.
>
> --
> Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
> #include | http://www.access.digex.net/~bdboyle/index.html
> "They that can give up liberty to obtain a little temporary safety
> deserve neither liberty nor safety." - Benjamin Franklin,
> Historical Review of Pennsylvania

From firewalls-owner Wed Oct 2 09:30:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA28669 for firewalls-outgoing; Wed, 2 Oct 1996 08:15:50 -0700 (PDT)
Received: from loki.asymetrix.com (loki.asymetrix.com [192.147.176.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA28595 for ; Wed, 2 Oct 1996 08:15:24 -0700 (PDT)
Received: from mailgate.asymetrix.com (mailgate.asymetrix.com [192.220.170.13]) by loki.asymetrix.com (8.7.3/8.7.1) with SMTP id IAA20456 for ; Wed, 2 Oct 1996 08:00:27 -0700 (PDT)
Received: by mailgate.asymetrix.com with Microsoft Mail id <32528762@mailgate.asymetrix.com>; Wed, 02 Oct 96 08:16:50 PDT
From: Keith McCammon
To: "'Firewalls'"
Subject: RE: NT Security
Date: Wed, 02 Oct 96 08:20:00 PDT
Message-ID: <32528762@mailgate.asymetrix.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

----------
> the Division level. We think less, but more robust machines running NT
> workstation on both the class and unclass LAN/WAN's, would offer what we
> require in terms of processing power and NT's excellent
> auditing/security.

Excuse me, but NT does NOT have excellent auditing/security. Internet hackers are just starting to wade into NT, and the more I talk to them the more gaping holes I find.

> However, it is very expensive, both in terms of
> equipment, and personnel, to maintain these two NT LAN's. While I have
> yet to see someone hack an NTFS partition with permissions and other
> holes plugged up (watched a couple of DISA's best guys try), the security

What??? NTFS is not encrypted! NTFS is not a secure file system! You can directly edit NTFS disk sectors from WITHIN NT!
You can also boot to DOS and, using the NTFS4DOS driver, read any file regardless of encryption. You can also reinstall NT and Take Ownership of entire volumes! And if you physically transfer the hard disk to another NT box you can also take ownership, negating all file security!

> goons still have conniption fits about placing classified data on an
> unclassified NTFS partition. Any word on when NT will be network
> certified??

Probably in a year or so.

Keith McCammon
MIS Analyst
Asymetrix Corp
*Opinions Are My Own*

From firewalls-owner Wed Oct 2 10:08:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA00750 for firewalls-outgoing; Wed, 2 Oct 1996 08:29:25 -0700 (PDT)
Received: from litle.net (wizard.litle.com [205.139.20.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA00722 for ; Wed, 2 Oct 1996 08:29:07 -0700 (PDT)
Received: from s_khan.litle.net by litle.net (SMI-8.6/SMI-SVR4) id LAA06374; Wed, 2 Oct 1996 11:30:57 -0400
Message-Id: <2.2.32.19961002153127.0075ef98@litle.net>
X-Sender: s_khan@litle.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Priority: 2 (High)
Date: Wed, 02 Oct 1996 11:31:27 -0400
To: firewalls@greatcircle.com
From: "Saqib A. Khan"
Subject: TCP SYN attack possible SOLUTION: FW-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Here's a blurb from Checkpoint suggesting that Firewall-1 can prevent TCP SYN attacks; I haven't personally verified it but it looks good. Surf to http://www.checkpoint.com/fw21/syndefender/index.html for the following page:

CheckPoint SYNDefender

Check Point's SYNDefender software is the industry's first and only firewall to provide protection against this denial of service attack, which has crippled several Internet Service Providers (ISPs) in recent weeks. Integrated into existing FireWall-1 installations, SYNDefender protects against the TCP SYN (requests for connection establishment) flood attacks by intercepting all SYN packets and mediating the connection attempts before they reach the operating system. This prevents the target host from becoming flooded by these unresolved connection attempts, which cause the operating system, and the host, to stop receiving new connections. As a result, the host system is effectively insulated from the SYN flood attack and the denial of service condition that results.

The SYNDefender white paper: TCP SYN Flooding Attack and the FireWall-1 SYNDefender (also available in MS Word DOC format)
CheckPoint's Press Release Announcing SYNDefender
Download SYNDefender NOW!

PS: Pls CC all mail to me @ Saqib.A.Khan@worldnet.att.net

---------------------------------------------------
Saqib A. Khan, Principal Architect, Information Security
Strategic Network Consulting
Voice: 617.433.7117
Saqib.A.Khan@worldnet.att.net
---------------------------------------------------
"Sed quis custodiet ipsos custodes?" -Juvenal, c. 100 C.E.
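The handshake mediation the blurb describes, as an added toy model that is not Check Point's code and not part of the original posting: a listening host with a bounded backlog of half-open connections, and a firewall object that either forwards SYNs untouched, relays the handshake (completing it with the outside host before opening the inside leg) or gateways it (passing the SYN through, ACKing the server's SYN/ACK itself and resetting later if the outside host never answers), the two modes Check Point's white paper calls Relay and Gateway. All class names, the backlog size and the constructed burst of traffic are assumptions; nothing here touches a socket.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    """Listening host whose kernel keeps a bounded backlog of half-open (SYN_RCVD) entries."""
    backlog_limit: int
    half_open: set = field(default_factory=set)
    established: set = field(default_factory=set)
    refused: int = 0

    def recv_syn(self, conn):
        """Return True if the entry was queued and a SYN/ACK sent, False if the SYN was dropped."""
        if len(self.half_open) >= self.backlog_limit:
            self.refused += 1            # backlog exhausted: this is the denial of service
            return False
        self.half_open.add(conn)
        return True

    def recv_ack(self, conn):
        """Final ACK of the handshake: the entry leaves the backlog and becomes a connection."""
        if conn in self.half_open:
            self.half_open.discard(conn)
            self.established.add(conn)

    def recv_rst(self, conn):
        self.half_open.discard(conn)
        self.established.discard(conn)


@dataclass
class Firewall:
    """Mediating firewall; mode is "none" (plain forwarding), "relay" or "gateway"."""
    server: Server
    mode: str
    pending: set = field(default_factory=set)   # handshakes still waiting on the outside host
    pending_peak: int = 0                        # most state the firewall itself had to hold
    resets_sent: int = 0

    def _track(self, conn):
        self.pending.add(conn)
        self.pending_peak = max(self.pending_peak, len(self.pending))

    def client_syn(self, conn, client_answers):
        """A SYN arrives from outside; client_answers says whether that host will ever ACK."""
        if self.mode == "none":
            if self.server.recv_syn(conn) and client_answers:
                self.server.recv_ack(conn)
        elif self.mode == "relay":
            self._track(conn)                    # firewall answers the SYN/ACK itself; server sees nothing yet
            if client_answers:                   # a genuine ACK arrives from the outside host
                self.pending.discard(conn)
                if self.server.recv_syn(conn):   # only now open the inside leg
                    self.server.recv_ack(conn)   # absorb the SYN/ACK and ACK on the client's behalf
        elif self.mode == "gateway":
            if self.server.recv_syn(conn):       # SYN is passed straight through
                self.server.recv_ack(conn)       # ACK the SYN/ACK at once: backlog entry cleared
                if not client_answers:
                    self._track(conn)            # remember to tear it down if no real ACK ever comes
        else:
            raise ValueError(f"unknown mode {self.mode!r}")

    def expire_pending(self):
        """Firewall timer fires: give up on outside hosts that never completed the handshake."""
        for conn in list(self.pending):
            if self.mode == "gateway":
                self.server.recv_rst(conn)       # tear down the connection the firewall ACKed
                self.resets_sent += 1
            self.pending.discard(conn)           # relay mode: just forget the outside leg


def simulate(mode, syns, backlog_limit=3):
    """Run one burst of SYNs through a firewall in the given mode; report the server's end state."""
    server = Server(backlog_limit)
    fw = Firewall(server, mode)
    for conn, answers in syns:
        fw.client_syn(conn, answers)
    fw.expire_pending()
    return {"established": len(server.established), "half_open": len(server.half_open),
            "refused": server.refused, "resets": fw.resets_sent,
            "fw_pending_peak": fw.pending_peak}


# Constructed traffic: five SYNs from forged sources that never answer, then two real clients.
FLOOD = [(f"spoof{i}", False) for i in range(5)] + [("alice", True), ("bob", True)]

if __name__ == "__main__":
    for mode in ("none", "relay", "gateway"):
        print(mode, simulate(mode, FLOOD))
```

With no mediation the three-entry backlog fills with forged SYNs and both real clients are refused; in either mediated mode both real clients connect, the difference being where the cost lands: the relay holds the half-open state on the firewall, while the gateway briefly lets bogus connections reach the established state on the server and has to reset them.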
From firewalls-owner Wed Oct 2 10:11:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA08325 for firewalls-outgoing; Wed, 2 Oct 1996 09:21:06 -0700 (PDT)
Received: from loki.asymetrix.com (loki.asymetrix.com [192.147.176.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA08288 for ; Wed, 2 Oct 1996 09:20:54 -0700 (PDT)
Received: from mailgate.asymetrix.com (mailgate.asymetrix.com [192.220.170.13]) by loki.asymetrix.com (8.7.3/8.7.1) with SMTP id JAA21209 for ; Wed, 2 Oct 1996 09:05:58 -0700 (PDT)
Received: by mailgate.asymetrix.com with Microsoft Mail id <325296BD@mailgate.asymetrix.com>; Wed, 02 Oct 96 09:22:21 PDT
From: Keith McCammon
To: "'Firewalls'"
Subject: RE: NT Security
Date: Wed, 02 Oct 96 09:26:00 PDT
Message-ID: <325296BD@mailgate.asymetrix.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Following along the lines of C2 Orange Book being absolutely useless, there is an alleged security flaw with NT4 and possibly 3.5x that allows a remote user to change the administrator password with no authentication whatsoever. I don't have the details for this, so don't ask, but you might want to look at RPC and the Win32 API... I am puzzled as to why Microsoft is keeping mum about this, but if you do find the problem and call them to confirm it, they will.

Keith McCammon
MIS Analyst
Asymetrix Corp
*Opinions Are My Own*

From firewalls-owner Wed Oct 2 10:16:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA05339 for firewalls-outgoing; Wed, 2 Oct 1996 09:00:10 -0700 (PDT)
Received: from dns.ottawa.net (dns.ottawa.net [205.211.4.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA05054 for ; Wed, 2 Oct 1996 08:59:04 -0700 (PDT)
Received: from slip-ppp3.ottawa.net (slip-ppp3.ottawa.net [205.211.5.3]) by dns.ottawa.net (8.7.5/1.2) with SMTP id LAA23345; Wed, 2 Oct 1996 11:57:45 -0400 (EDT)
Date: Wed, 2 Oct 1996 11:57:45 -0400 (EDT)
Message-Id: <199610021557.LAA23345@dns.ottawa.net>
X-Sender: bjm@ottawa.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: bdboyle@erenj.com, firewalls@GreatCircle.COM
From: bjm@ottawa.net (Brian McIntosh)
Subject: Re: Gauntlet vs. Sidewinder
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Geez Bryan, lighten up a little. Of course she has a biased opinion - that's why she followed the comment with a smiley face. Her personal opinion notwithstanding, it was (obviously) meant as a little bit of humor.

At 01:12 PM 96/10/1 -0400, Bryan D. Boyle wrote:
>Barbara W. Jaarsma wrote:
>>
>> Bouchard, Alexis, 2Lt,SAM/GNCP wrote:
>> >
>> > I have to choose between Gauntlet and Sidewinder as a Firewall solution.
>>
>> Personally, I'd go with FireWall-1... :-)
>> -Barb
>
>
>Not an unbiased opinion, from your return address.
>
>--
>Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
>#include | http://www.access.digex.net/~bdboyle/index.html
>"They that can give up liberty to obtain a little temporary safety
>deserve neither liberty nor safety." - Benjamin Franklin,
> Historical Review of Pennsylvania
>
>

========================================================
Brian J. McIntosh        UniSol Inc.
53 Courtney Road         Tel: 613 831 6373
Kanata, Ontario          Fax: 613 831 4739
Canada, K2L 1M1          Email: bjm@ottawa.net
========================================================

From firewalls-owner Wed Oct 2 11:06:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA20995 for firewalls-outgoing; Wed, 2 Oct 1996 10:40:14 -0700 (PDT)
Received: from twinds.com (eagle.twinds.com [206.153.22.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA20959 for ; Wed, 2 Oct 1996 10:40:04 -0700 (PDT)
Received: by twinds.com; id NAA10159; Wed, 2 Oct 1996 13:37:39 -0400 (EDT)
Received: from hawk.twinds.com(206.153.22.3) by eagle.twinds.com via smap (V3.1.1) id xma010157; Wed, 2 Oct 96 13:37:27 -0400
Date: Wed, 2 Oct 1996 13:44:07 -0400 (EDT)
From: Arley Carter
X-Sender: ac@hawk.twinds.com
To: "Barbara W. Jaarsma"
cc: "Bryan D. Boyle" , firewalls@GreatCircle.COM
Subject: Re: Gauntlet vs. Sidewinder
In-Reply-To: <3252823E.7D53@us.checkpoint.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 2 Oct 1996, Barbara W. Jaarsma wrote:

[Propaganda]

Barbara,

Give it a rest. Less is more. :-)

Arley Carter
Tradewinds Technologies, Inc.
email: ac@twinds.com
www: http://www.twinds.com

"Life is a journey to adventure and discovery, not a problem to be solved." -me

From firewalls-owner Wed Oct 2 11:38:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA24407 for firewalls-outgoing; Wed, 2 Oct 1996 11:05:09 -0700 (PDT)
Received: from h003.bostonherald.com (h003.bostonherald.com [204.96.59.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA24349 for ; Wed, 2 Oct 1996 11:04:49 -0700 (PDT)
Received: by h003.bostonherald.com (951211.SGI.8.6.12.PATCH1042/940406.SGI.AUTO) for id NAA16505; Wed, 2 Oct 1996 13:55:54 -0400
Received: from unknown(198.99.20.188) by h003 via smap (3.1) id xma016501; Wed, 2 Oct 96 13:55:51 -0400
Message-Id: <2.2.32.19961002180509.00699854@mailhub.bostonherald.com>
X-Sender: manny@mailhub.bostonherald.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 02 Oct 1996 14:05:09 -0400
To: firewalls@GreatCircle.COM
From: Emmanuel Korkodilos
Subject: Re: Compuserve and AOL ports
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:34 PM 10/1/96 -0400, you wrote:
>FW's,
>
> I hate to ask this, but the ports for Compuserve and AOL, can someone
>repost them... Thanks...
>

These are the values that I use for our plug-gw's in Gauntlet.

Service      Port#   Host
-------      -----   ----
AOL          5190    americaonline.aol.com
Compuserve   4144    gateway.compuserve.com
MSN          569     gateway.moswest.msn.net

--------------------------------------------------------
Emmanuel Korkodilos           Boston Herald, Inc.
manny@bostonherald.com        One Herald Square
1.617.426.3000 X354 (Voice)   Boston, MA 02106-2096
1.617.338.4964 (Fax)
--------------------------------------------------------

From firewalls-owner Wed Oct 2 11:41:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA28982 for firewalls-outgoing; Wed, 2 Oct 1996 11:34:50 -0700 (PDT)
Received: from news.be.innet.net (news.be.innet.net [194.7.1.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA28935 for ; Wed, 2 Oct 1996 11:34:33 -0700 (PDT)
Received: from pool011-73.innet.be (pool011-73.innet.be [194.7.12.73]) by news.be.innet.net (8.7.6/8.7.3) with SMTP id UAA09340; Wed, 2 Oct 1996 20:33:40 +0200 (MET DST)
Message-Id: <199610021833.UAA09340@news.be.innet.net>
X-Sender: fdehert@pophost.innet.be
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 02 Oct 1996 20:44:45 -0100
To: ChrisP@steldyn.com
From: fdehert@innet.be (Frank J.J. De Hert)
Subject: RE: NT Security
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 1 Oct 1996, Chris Pugrud wrote:
>This can be done fairly simply from an administrative workstation,
>across the network. Every NT machine automatically shares all of its
>drives under \\computername\c$ or d$ etc. These shares can only be
>accessed by an administrator (possibly a backup operator). This will
>allow you to scan the machine across the network without the user's
>knowledge.

This is true if the user hasn't taken ownership of certain directories and set the permissions such that only the user has access. For even an administrator to look at these files, the admin has to take ownership and set appropriate permissions (unless I missed something somewhere). This, of course, throws a spanner in the works. Any suggestions?

--
Frank De Hert
System/Security Manager
NATO Programming Centre.
From firewalls-owner Wed Oct 2 12:06:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA24252 for firewalls-outgoing; Wed, 2 Oct 1996 11:04:01 -0700 (PDT)
Received: from h003.bostonherald.com (h003.bostonherald.com [204.96.59.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA24197 for ; Wed, 2 Oct 1996 11:03:47 -0700 (PDT)
Received: by h003.bostonherald.com (951211.SGI.8.6.12.PATCH1042/940406.SGI.AUTO) for id NAA16492; Wed, 2 Oct 1996 13:54:53 -0400
Received: from unknown(198.99.20.188) by h003 via smap (3.1) id xma016489; Wed, 2 Oct 96 13:54:35 -0400
Message-Id: <2.2.32.19961002180353.006f47ec@mailhub.bostonherald.com>
X-Sender: manny@mailhub.bostonherald.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 02 Oct 1996 14:03:53 -0400
To: firewalls@GreatCircle.COM
From: Emmanuel Korkodilos
Subject: Re: ifconfig
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 06:10 AM 10/1/96 +0100, you wrote:
>Hi,
>I am building a virtual www server and I need to define multiple IP addresses
>over one physical interface of my SGI Challenge S (Irix 5.3).
>I am looking for the parameter of the ifconfig command of SGI IRIX 5.3.
>Hoping for your kind response.
>
>M. Skarban NH a.s.
>Czech
>mskarban@novahut.cz
>

Go to www.sgi.com and search for the IP Aliases solution. This will allow one physical net interface such as ec0 to respond to multiple IP addresses. Alternately you could read the man page on "ipaliases" and try to figure it out yourself. It's much easier with the step by step SGI provides.

-Manny

--------------------------------------------------------
Emmanuel Korkodilos           Boston Herald, Inc.
manny@bostonherald.com        One Herald Square
1.617.426.3000 X354 (Voice)   Boston, MA 02106-2096
1.617.338.4964 (Fax)
--------------------------------------------------------

From firewalls-owner Wed Oct 2 12:14:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA28920 for firewalls-outgoing; Wed, 2 Oct 1996 11:34:25 -0700 (PDT)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA28904 for ; Wed, 2 Oct 1996 11:34:17 -0700 (PDT)
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id OAA02834; Wed, 2 Oct 1996 14:33:16 -0400 (EDT) sender long-morrow@CS.YALE.EDU for
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id OAA13330; Wed, 2 Oct 1996 14:33:13 -0400 (EDT)
Date: Wed, 2 Oct 1996 14:33:13 -0400 (EDT)
Message-Id: <199610021833.OAA13330@SPARKY.CF.CS.YALE.EDU>
To: barbara@us.checkpoint.com, bdboyle@erenj.com
Subject: SYN Flood defenses -- was Re: Gauntlet vs. Sidewinder
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

"Barbara W. Jaarsma" wrote:
>P.S. Note the free SYNDefender upgrade on our web site
>(http://www.checkpoint.com). Know anyone else who has one?

There are others:

ISS (Internet Security Systems) has an alpha software package called 'Real Secure' which goes around resetting 'waiting' half-open connections to clear them out of the backlogged queue for a port.

CISCO is mentioned in the CERT advisory on the SYN flood attack and a page on how they have worked with ISPs on solutions (http://www.cisco.com/warp/public/146/917_security.html), but they appear to be intentionally vague about their solution(s) so as not to give potential attackers any inside information.

But I do think that the Checkpoint defenses regarding SYN flooding are truly clever/ingenious and made for very interesting reading.
In addition to the white paper and press release there is a download (patches and installation scripts for FW 2.0c-e, 2.1 & 2.1a) available from Checkpoint's Web page for the Firewall-1 firewall:

http://www.checkpoint.com/fw21/syndefender/index.html

There is an interesting and technical description of how the Checkpoint Firewall-1 SYNDefender defenses (Relay and Gateway) work. Obviously both approaches are only feasible because Firewall-1 is a smart/intelligent dynamic packet filter (a.k.a. "stateful inspection screening router"); the SYN flood attack is one of the strongest arguments to come around in favor of such firewalls, and there will likely be future denial-of-service attacks to recommend their use.

Basically the two SYNDefender approaches are (based on my reading of them)...

1. The Relay approach tries to make sure that incoming TCP connections are valid by holding up the initial SYN from the outside host, answering on behalf of the internal target with a SYN/ACK to the external initiator, and then only passing on the initial SYN to the internal target. Firewall-1 then absorbs (captures and eats) the SYN/ACK sent out by the internal target and responds by forging an ACK as if sent by the external host. In effect, the relay works by acting as a 'man-in-the-middle' to spoof the remote end of the 3-way handshake to both the initiator and the contacted.

2. The Gateway solution works instead by allowing through the initial SYN packet from the external initiator. After Firewall-1 intercepts the SYN/ACK packet sent from the internal target it (in a timely manner) supplies an 'ACK' to the internal target just as if the external initiator had sent it. This completes the three-way handshake for the internal target and it moves the pending connection out of the backlog queue (the limited number of which is the basis of the D-O-S attack in the first place).
The pros and cons of both approaches as a defense choice are discussed in the white paper (http://www.checkpoint.com/fw21/syndefender/syndefender-white.html).

For more information on SYN Flooding and IP spoofing I recommend:

The two excellent articles on SYN Flooding and IP Spoofing attacks (alone and in combination) in the latest Phrack (V. 7, #48, September 1, 1996. ISSN 1068-1035). This description of how to, as well as the exploit code posted in this copy of Phrack, are commonly held to be at least partially (and possibly primarily) responsible for the rash of D-O-S attacks on the Internet against hosts such as PANIX and the Internet Chess servers. They can be read at URLs:

http://www.fc.net/phrack/files/p48/p48-13.html
http://www.fc.net/phrack/files/p48/p48-14.html

- Morrow

From firewalls-owner Wed Oct 2 12:25:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA24949 for firewalls-outgoing; Wed, 2 Oct 1996 11:07:23 -0700 (PDT)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA24751 for ; Wed, 2 Oct 1996 11:06:28 -0700 (PDT)
Received: from pferguso-pc.cisco.com (dhcp-restontel-84.cisco.com [171.68.52.84]) by diablo.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id LAA00294; Wed, 2 Oct 1996 11:05:33 -0700
Message-Id: <2.2.32.19961002180532.006d8888@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Priority: 2 (High)
Date: Wed, 02 Oct 1996 14:05:32 -0400
To: "Saqib A. Khan"
From: Paul Ferguson
Subject: Re: TCP SYN attack possible SOLUTION
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:31 AM 10/2/96 -0400, Saqib A. Khan wrote:
>Here's a blurb from Checkpoint suggesting that Firewall-1 can prevent TCP SYN
>attacks; I haven't personally verified it but it looks good. Surf to
>http://www.checkpoint.com/fw21/syndefender/index.html for the following page:
>

In the same vein, an I-D draft that I have submitted has been posted to the I-D drafts repository near you [below]. I would like to get some feedback prior to the *-01.txt revision; I would like this document to be published as an RFC once the language has been polished, typos corrected, etc.

FYI.

- paul

[snip]

To: IETF-Announce:;
Sender: ietf-announce-request@ietf.org
From: Internet-Drafts@ietf.org
Reply-to: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ferguson-ingress-filtering-00.txt
Date: Wed, 02 Oct 1996 10:01:04 -0400
X-Orig-Sender: cclark@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts directories.

    Title     : Network Ingress Filtering
    Author(s) : P. Ferguson
    Filename  : draft-ferguson-ingress-filtering-00.txt
    Pages     : 6
    Date      : 10/01/1996

Recent occurrences of various Denial of Service attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective and straightforward method for using ingress traffic filtering to deny attacks which use "invalid" source addresses: prefixes which are not being legitimately advertised to the Internet via a particular service provider gateway.

Internet-Drafts are available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ferguson-ingress-filtering-00.txt".

A URL for the Internet-Draft is:
ftp://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-00.txt

Internet-Drafts directories are located at:

    o Africa:        ftp.is.co.za
    o Europe:        nic.nordu.net
                     ftp.nis.garr.it
    o Pacific Rim:   munnari.oz.a
    o US East Coast: ds.internic.net
    o US West Coast: ftp.isi.edu

Internet-Drafts are also available by mail.

Send a message to: mailserv@ds.internic.net.
In the body type: "FILE /internet-drafts/draft-ferguson-ingress-filtering-00.txt".

NOTE: The mail server at ds.internic.net can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e., documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages.

Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.

Content-Type: text/plain
Content-ID: <19961001164609.I-D@ietf.org>

ENCODING mime
FILE /internet-drafts/draft-ferguson-ingress-filtering-00.txt

Content-Type: text/plain
Content-ID: <19961001164609.I-D@ietf.org>

[snip]

--
Paul Ferguson
Consulting Engineering
Reston, Virginia USA
tel: +1.703.716.9538
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Wed Oct 2 12:42:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA05138 for firewalls-outgoing; Wed, 2 Oct 1996 12:26:21 -0700 (PDT)
Received: from DOCKMASTER.NCSC.MIL ([198.26.55.74]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA04974 for ; Wed, 2 Oct 1996 12:25:44 -0700 (PDT)
Date: Wed, 2 Oct 96 15:21 EDT
From: Wilner@DOCKMASTER.NCSC.MIL
Subject: Re: NT Security
To: firewalls@GREATCIRCLE.COM
Message-ID: <961002192121.375426@DOCKMASTER.NCSC.MIL>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Much has been made of NT's "C2" certification. I've heard
> that it was certified without . . .

There is no need to speculate or to "have heard" about such things.
You can order the NCSC's Final Evaluation Report on the product (FER-95/003) and feast on two hundred pages of technical meat and potatoes. Such documents can be obtained, free, from the U. S. Government by calling (410)766-8729 or, if their phones haven't caught up with them since the move, (410)691-2795.

From firewalls-owner Wed Oct 2 13:07:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA04208 for firewalls-outgoing; Wed, 2 Oct 1996 12:19:36 -0700 (PDT)
Received: from answerman.mindspring.com (answerman.mindspring.com [204.180.128.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA04192 for ; Wed, 2 Oct 1996 12:19:29 -0700 (PDT)
Received: from [168.121.206.219] (user-168-121-206-219.dialup.mindspring.com [168.121.206.219]) by answerman.mindspring.com (8.7.5/8.7.3) with SMTP id PAA24094; Wed, 2 Oct 1996 15:18:49 -0400 (EDT)
Date: Wed, 2 Oct 1996 15:18:49 -0400 (EDT)
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: barbara@us.checkpoint.com
From: pelicans@mindspring.com (BeachCruiser)
Subject: Re: Gauntlet vs. Sidewinder
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>You're right - it's not an unbiased opinion. But after 25 years in
>the business, first as a programmer, and then as a consultant
>specializing in multi-protocol, multi-vendor, multi-application
>environments & security, and having worked for numerous firewall
>vendors, I can pick my own jobs and name my own price. And I'm here
>at Checkpoint. Think about it...

Hummmmmm. Let's see... twenty-five years in the business, and security (presumably USG INFOSEC experience?). Numerous firewall vendors, huh? And you PICKED Checkpoint? Guess you're right... that indeed does make its own statement.
rmck

From firewalls-owner Wed Oct 2 13:24:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA09452 for firewalls-outgoing; Wed, 2 Oct 1996 12:51:37 -0700 (PDT)
Received: from wichita.fn.net ([204.233.71.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA09418 for ; Wed, 2 Oct 1996 12:51:26 -0700 (PDT)
Received: (from bkmarsh@localhost) by wichita.fn.net (8.7.6/8.6.9) id OAA17222; Wed, 2 Oct 1996 14:50:53 -0500 (CDT)
Date: Wed, 2 Oct 1996 14:50:52 -0500 (CDT)
From: "Bruce M."
X-Sender: bkmarsh@wichita.fn.net
To: firewalls@greatcircle.com
Subject: Re: TCP SYN attack possible SOLUTION: FW-1
In-Reply-To: <2.2.32.19961002153127.0075ef98@litle.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 2 Oct 1996, Saqib A. Khan wrote:

> (ISPs) in recent weeks. Integrated into existing FireWall-1 installations,
> SYNDefender protects against the TCP SYN (requests for connection
> establishment) flood attacks by intercepting all SYN packets and mediating
> the connection attempts before they reach the operating system. This
> prevents the target host from becoming flooded by these unresolved
> connection attempts, which causes the operating system, and the host, to
> stop receiving new connections. As a result, the host system is
> effectively insulated from the SYN flood attack and denial of service
> condition that results.

That is good for when you still want to be able to use your host for internal matters during an attack, but what about the effects to the firewall and any other potential Internet users trying to get to your site?

________________________________
[ Bruce M. - Feist Systems, Inc. ]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

'DISA information shows that computer attacks on the Department of Defense are successful 65 percent of the time.
The DoD, despite its problems, probably has one of the strongest computer security programs in government.' -GAO/T-AIMD-96-108

From firewalls-owner Wed Oct 2 13:40:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA15170 for firewalls-outgoing; Wed, 2 Oct 1996 13:29:00 -0700 (PDT)
Received: from bulldog.ca (indy.bulldog.ca [204.101.141.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA15114 for ; Wed, 2 Oct 1996 13:28:41 -0700 (PDT)
Received: from belgium.bulldog.ca by bulldog.ca via SMTP (940816.SGI.8.6.9/940406.SGI) for id QAA28975; Wed, 2 Oct 1996 16:30:28 -0400
Received: by belgium.bulldog.ca with Microsoft Mail id <01BBB07F.296F0F20@belgium.bulldog.ca>; Wed, 2 Oct 1996 16:31:28 -0400
Message-ID: <01BBB07F.296F0F20@belgium.bulldog.ca>
From: Dan Tshin
To: "firewalls@greatcircle.com"
Subject: RE: SYN Flood defenses -- was Re: Gauntlet vs. Sidewinder
Date: Wed, 2 Oct 1996 16:31:27 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wednesday, October 02, 1996 10:33 AM, long-morrow@CS.YALE.EDU wrote:
>
>"Barbara W. Jaarsma" wrote:
>>P.S. Note the free SYNDefender upgrade on our web site
>>(http://www.checkpoint.com). Know anyone else who has one?
>
>There are others:

[snip]

Yes, I know that Milkyway is going to address this issue in their next release of BlackHole. Their implementation is similar to what someone else mentioned a while back. I suppose you can contact Milkyway about what their plans are.

Dan

_______________________________________________
Dan Tshin                   The Bulldog Group Inc.
Research and Development    416.594.9207:252
http://www.bulldog.ca       416.594.1473 Fax
_______________________________________________
A head is not merely a hat hangar. Just Use It.
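The SYN flood defenses in this thread sit on the victim's firewall; the Internet-Draft Paul Ferguson announced earlier in this digest addresses the other end, where the forged source addresses such floods use can be stopped at the provider's edge. The check below is an added example of that ingress-filtering rule, written for this digest and not taken from the draft or from any poster. The interface names, the customer prefix assignments (documentation ranges) and the sample packets are all constructed assumptions.

```python
"""Ingress filtering check at a provider edge (added example).

The rule is the one the draft describes: forward a packet only if its source
address lies within a prefix the provider legitimately routes for the
interface the packet arrived on. Interface names and prefixes below are
assumed values using documentation address ranges.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed customer assignments: ingress interface -> prefixes expected there.
ADVERTISED_PREFIXES = {
    "serial0": ["198.51.100.0/24"],
    "serial1": ["203.0.113.0/25", "203.0.113.128/25"],
}


@dataclass(frozen=True)
class Packet:
    ingress_iface: str
    src: str
    dst: str


def build_filters(prefixes_by_iface):
    """Parse the prefix table once so per-packet checks are cheap."""
    return {
        iface: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for iface, prefixes in prefixes_by_iface.items()
    }


def ingress_allows(filters, pkt):
    """True if pkt's source is inside a prefix expected on its ingress interface.

    An interface with no configured prefixes fails closed: nothing is forwarded
    from it, which is the safe default on an edge that may carry forged sources.
    """
    expected = filters.get(pkt.ingress_iface)
    if not expected:
        return False
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False  # malformed address: drop
    return any(src in net for net in expected)


def filter_traffic(filters, packets):
    """Split packets into forwarded and dropped, counting drops per interface
    so an operator can see which customer link is sourcing spoofed traffic."""
    forwarded, dropped = [], []
    drops_by_iface = Counter()
    for pkt in packets:
        if ingress_allows(filters, pkt):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            drops_by_iface[pkt.ingress_iface] += 1
    return forwarded, dropped, drops_by_iface


# Constructed sample traffic: two genuine customer packets and three whose
# source addresses do not belong on the interface they arrived on.
SAMPLE_PACKETS = [
    Packet("serial0", "198.51.100.7", "192.0.2.80"),
    Packet("serial1", "203.0.113.200", "192.0.2.80"),
    Packet("serial0", "203.0.113.5", "192.0.2.80"),   # another customer's prefix
    Packet("serial0", "10.0.0.1", "192.0.2.80"),      # private address
    Packet("serial1", "192.0.2.80", "192.0.2.80"),    # the destination's own address
]


def run_sample():
    """Returns (forwarded count, dropped count, drops per interface)."""
    filters = build_filters(ADVERTISED_PREFIXES)
    forwarded, dropped, drops = filter_traffic(filters, SAMPLE_PACKETS)
    return len(forwarded), len(dropped), dict(drops)


if __name__ == "__main__":
    print(run_sample())
```

The per-interface drop counter is the operational half of the idea: a customer link that suddenly starts sourcing addresses outside its assignment is either misconfigured or hosting a flood, and either way the provider wants to know which link it is.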
From firewalls-owner Wed Oct 2 14:11:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA16512 for firewalls-outgoing; Wed, 2 Oct 1996 13:40:13 -0700 (PDT)
Received: from manukau.govt.nz ([202.14.82.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA16485 for ; Wed, 2 Oct 1996 13:40:03 -0700 (PDT)
Received: by kotuku.manukau.govt.nz id <35717>; Thu, 3 Oct 1996 09:17:12 +1200
Message-Id: <96Oct3.091712nzst.35717@kotuku.manukau.govt.nz>
From: Matthew Thompson
To: "'Firewalls'" , "'Keith McCammon'"
Subject: RE: NT Security
Date: Fri, 4 Oct 1996 08:37:41 +1200
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>What??? NTFS is not encrypted! NTFS is not a secure file system! You can
>directly edit NTFS disk sectors from WITHIN NT! You can also boot to DOS
>and using the NTFS4DOS driver read any file regardless of encryption. You
>can also reinstall NT and Take Ownership of entire volumes! And if you
>physically transfer the hard disk to another NT box you can also take
>ownership, negating all file security!

The same attacks apply to Unix and Netware. What do you recommend people do to extend/replace these 3 operating systems to solve this problem?
From firewalls-owner Wed Oct 2 14:20:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA15126 for firewalls-outgoing; Wed, 2 Oct 1996 13:28:44 -0700 (PDT)
Received: from gw.lsli.com (gw.lsli.com [206.50.87.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA15066 for ; Wed, 2 Oct 1996 13:28:28 -0700 (PDT)
From: firstcat@lsli.com
Received: by gw.lsli.com id AA19213; Wed, 2 Oct 1996 15:26:43 -0500
Received: by lsli.com via smwrap Version 2.2 id smwrapOAsDiQ; Wed Oct 2 15:26:12 1996
Date: Wed, 2 Oct 96 15:23:29
Subject: ANNOUNCE: Livermore Solution for SYN FLOOD
To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Livermore Software Labs. Announces Defense against SYN Flooding Attacks:
N.O.A.H. Component Lets Firewall Rise Above SYN Floods

HOUSTON, TX (October, 1996) Livermore Software Laboratories, International announced its SYN flood defense for the PORTUS firewall, N.O.A.H. PORTUS is the first application firewall to defend against the SYN flood attacks that have denied service to many systems on the Internet.

The PORTUS monitor automatically detects SYN flood attacks, manages the partially completed connection queue, deletes old entries, and alerts the systems administrators. PORTUS performs queue management, adjusting queue lengths, high and low water marks based on system status. PORTUS has always prevented systems behind the firewall from receiving SYN attacks. With the new enhancement PORTUS also protects itself from denial of service attacks.

Unlike other approaches taken by packet filter firewalls, PORTUS' N.O.A.H. never lets a system behind the firewall see a SYN flood attack. As a result, protected servers never see an invalid SYN and ACK. Thus the server does not have to respond by spawning a process to support a connection that will eventually time out.
This prevents the server from wasting CPU and memory resources responding to hundreds of superfluous connection requests, which could cause other system problems (such as crashes).

NOAH is a standard component in the PORTUS V2.2 release, and will ship October 5th to LSLI's existing customers, and enter general distribution the following week. PORTUS is available through standard distribution channels and LSLI directly. For more information contact LSLI at 713/ 974-3274.

Livermore Software Labs
http://www.lsli.com

From firewalls-owner Wed Oct 2 15:11:37 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA28099 for firewalls-outgoing; Wed, 2 Oct 1996 14:56:16 -0700 (PDT)
Received: from loki.asymetrix.com (loki.asymetrix.com [192.147.176.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA28082 for ; Wed, 2 Oct 1996 14:56:08 -0700 (PDT)
Received: from mailgate.asymetrix.com (mailgate.asymetrix.com [192.220.170.13]) by loki.asymetrix.com (8.7.3/8.7.1) with SMTP id OAA25115 for ; Wed, 2 Oct 1996 14:41:20 -0700 (PDT)
Received: by mailgate.asymetrix.com with Microsoft Mail id <3252E556@mailgate.asymetrix.com>; Wed, 02 Oct 96 14:57:42 PDT
From: Keith McCammon
To: "'Firewalls'"
Subject: RE: NT Security
Date: Wed, 02 Oct 96 15:02:00 PDT
Message-ID: <3252E556@mailgate.asymetrix.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Use an encrypted filesystem.

----------
The same attacks apply to Unix and Netware. What do you recommend people do to extend/replace these 3 operating systems to solve this problem?
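The SYN flood messages in this digest (the SYNDefender quote, Bruce M.'s question about the firewall's own exposure, Pat's question about the FireWall-1 host, and the LSLI announcement above) all describe the same mechanism: the gateway keeps the partially completed connection queue bounded, times out and deletes old entries, shortens its patience once a high-water mark is crossed, and alerts the administrators. The block below is an added example of that queue management written for this digest; it is not PORTUS, SYNDefender or any vendor's code, and the thresholds, timeouts and the flood scenario are constructed assumptions.

```python
"""Half-open connection queue management on a gateway (added example).

A constructed illustration of the ideas in the thread: a bounded table of
embryonic connections, high/low water marks, a much shorter timeout while a
flood is in progress, oldest-first eviction, and an alert. Thresholds are
arbitrary assumptions, not any product's defaults.
"""
from collections import OrderedDict


class HalfOpenTable:
    def __init__(self, high_water=48, low_water=32,
                 normal_timeout=75.0, attack_timeout=5.0):
        assert 0 < low_water < high_water
        self.high_water = high_water          # crossing this signals a flood
        self.low_water = low_water            # eviction target during a flood
        self.normal_timeout = normal_timeout  # seconds a half-open entry may live
        self.attack_timeout = attack_timeout  # much shorter while under attack
        self.table = OrderedDict()            # flow key -> SYN arrival time, oldest first
        self.under_attack = False
        self.alerts = []
        self.evicted = 0    # dropped early to make room
        self.expired = 0    # dropped because the timeout passed
        self.completed = 0

    def _timeout(self):
        return self.attack_timeout if self.under_attack else self.normal_timeout

    def expire(self, now):
        """Drop entries older than the current timeout. Attack mode ends once
        the queue has drained below the low-water mark."""
        cutoff = now - self._timeout()
        while self.table:
            _, arrived = next(iter(self.table.items()))
            if arrived > cutoff:
                break
            self.table.popitem(last=False)
            self.expired += 1
        if self.under_attack and len(self.table) < self.low_water:
            self.under_attack = False

    def on_syn(self, key, now):
        """Record a new embryonic connection; shed the oldest ones if flooded."""
        self.expire(now)
        if key in self.table:
            return  # retransmitted SYN: keep the original arrival time
        self.table[key] = now
        if len(self.table) > self.high_water and not self.under_attack:
            self.under_attack = True
            self.alerts.append((now, "half-open queue at %d, above high-water %d: "
                                     "possible SYN flood" % (len(self.table), self.high_water)))
        while self.under_attack and len(self.table) > self.low_water:
            self.table.popitem(last=False)  # the oldest entry is least likely to complete
            self.evicted += 1

    def on_ack(self, key, now):
        """Final handshake ACK: the connection is established and leaves the queue."""
        self.expire(now)
        if self.table.pop(key, None) is None:
            return False  # not a flow we are tracking; nothing to do
        self.completed += 1
        return True


def simulate_flood(n_legit=3, n_flood=100):
    """Constructed scenario: a few completed handshakes, then a burst of SYNs
    from addresses that never answer. Returns the table's statistics."""
    t = HalfOpenTable()
    for i in range(n_legit):
        key = ("198.51.100.%d" % (i + 1), 40000 + i, "192.0.2.10", 80)
        t.on_syn(key, float(i))
        t.on_ack(key, i + 0.1)
    for i in range(n_flood):
        key = ("203.0.113.%d" % (i % 254 + 1), 1024 + i, "192.0.2.10", 80)
        t.on_syn(key, 10.0 + i * 0.01)
    after_flood = len(t.table)
    t.expire(20.0)  # the attack timeout has passed for every remaining entry
    return {
        "alerts": len(t.alerts),
        "completed": t.completed,
        "evicted": t.evicted,
        "expired": t.expired,
        "half_open_after_flood": after_flood,
        "half_open_after_timeout": len(t.table),
        "under_attack": t.under_attack,
    }


if __name__ == "__main__":
    print(simulate_flood())
```

The trade-off Bruce M. points at is visible in the numbers: once the high-water mark is crossed the table sheds its oldest entries, so a slow but legitimate client whose handshake has not finished can be evicted along with the flood. The queue stays bounded, which is what keeps the gateway itself up, but some real connection attempts pay for it and must retry.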
From firewalls-owner Wed Oct 2 15:25:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA01775 for firewalls-outgoing; Wed, 2 Oct 1996 15:20:57 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA01733 for ; Wed, 2 Oct 1996 15:20:45 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id RAA21353; Wed, 2 Oct 1996 17:20:11 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma004629; Wed Oct 2 17:18:19 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id RAA25055; Wed, 2 Oct 1996 17:18:18 -0500
Received: by sonic.nmti.com; id AA21250; Wed, 2 Oct 1996 17:18:11 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9610022218.AA21250@sonic.nmti.com.nmti.com>
Subject: Re: NT Security
To: mthomps1@kiwitech.co.nz (Matthew Thompson)
Date: Wed, 2 Oct 1996 17:18:11 -0500 (CDT)
Cc: firewalls@GreatCircle.COM, keithm@asymetrix.com
In-Reply-To: <96Oct3.091712nzst.35717@kotuku.manukau.govt.nz> from "Matthew Thompson" at Oct 4, 96 08:37:41 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The same attacks apply to Unix and Netware. What do you recommend people do
> to extend/replace these 3 operating systems to solve this problem?

I'd install CFS on UNIX. It's a cryptographic file system that is layered on top of the existing file system. Without the key, all the file names and contents are gibberish.
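Peter's point, and Keith's one-liner before it, is that the offline attacks in the quoted NTFS message (boot another OS, move the disk, take ownership) stop mattering when what reaches the disk is already ciphertext. The block below is an added example of that layering written for this digest; it is a constructed toy, not CFS's actual construction (CFS used DES, and its name and content encoding differ). The keystream is HMAC-SHA256 in counter mode so the example needs only the standard library, the passphrase and salt are assumed values, and nothing here is authenticated, so a real system adds an integrity check on top.

```python
"""A cryptographic overlay on a plain file store (added example).

Constructed toy: names and contents are encrypted under a key derived from
a passphrase before they reach the underlying store, so someone reading the
disk without the key sees only ciphertext. Not CFS's construction; the
keystream is HMAC-SHA256 in counter mode, chosen for stdlib-only code, and
there is no integrity check (a real system adds one).
"""
import base64
import hashlib
import hmac
import os

NONCE_LEN = 16


def derive_key(passphrase, salt=b"constructed-salt"):
    """Passphrase -> 32-byte key (real deployments use a random, stored salt)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def _keystream(key, nonce, length):
    """Counter-mode keystream: block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


def encrypt_content(key, plaintext):
    """Fresh random nonce per write, so identical files do not look identical."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_content(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))


def encrypt_name(key, name):
    """Deterministic (nonce derived from the name) so the same name always maps
    to the same stored name and lookups work without a directory index."""
    raw = name.encode()
    nonce = hmac.new(key, b"name:" + raw, hashlib.sha256).digest()[:NONCE_LEN]
    blob = nonce + _xor(raw, _keystream(key, nonce, len(raw)))
    return base64.b32encode(blob).decode().rstrip("=")  # filesystem-safe characters


def decrypt_name(key, stored):
    blob = base64.b32decode(stored + "=" * (-len(stored) % 8))
    return decrypt_content(key, blob).decode()


class EncryptedDir:
    """Layered view over a backing store that only ever holds ciphertext."""

    def __init__(self, key, backing=None):
        self.key = key
        self.backing = {} if backing is None else backing  # stored name -> bytes

    def write(self, name, data):
        self.backing[encrypt_name(self.key, name)] = encrypt_content(self.key, data)

    def read(self, name):
        return decrypt_content(self.key, self.backing[encrypt_name(self.key, name)])

    def listdir(self):
        return sorted(decrypt_name(self.key, s) for s in self.backing)


if __name__ == "__main__":
    d = EncryptedDir(derive_key("correct horse battery staple"))
    d.write("payroll.txt", b"salary data")
    print(list(d.backing))            # what the disk shows without the key
    print(d.listdir(), d.read("payroll.txt"))
```

What the overlay does not change is worth noting alongside what it does: the key has to be present in memory while the directory is attached, so the protection is against the disk being read offline, not against someone with control of the running machine.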
From firewalls-owner Wed Oct 2 15:40:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA02864 for firewalls-outgoing; Wed, 2 Oct 1996 15:30:12 -0700 (PDT)
Received: from suntan.tandem.com (suntan.tandem.com [192.216.221.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA02849 for ; Wed, 2 Oct 1996 15:30:06 -0700 (PDT)
Received: from adm.loc201.tandem.com by suntan.tandem.com (8.6.12/suntan5.960905) id PAA28315; Wed, 2 Oct 1996 15:29:34 -0700
Received: from vern.loc201.tandem.com by adm.loc201.tandem.com (4.1/6main.940209) id AA29557; Wed, 2 Oct 96 15:29:31 PDT
Received: by vern.loc201.tandem.com (5.x/6leaf.940209) id AA01348; Wed, 2 Oct 1996 15:28:07 -0700
Date: Wed, 2 Oct 1996 15:28:07 -0700
Message-Id: <9610022228.AA01348@vern.loc201.tandem.com>
To: firewalls@greatcircle.com
Subject: RE: SYN Flood defenses, Firewall-1
Cc: barbara@us.checkpoint.com
From: pat@tandem.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>"Barbara W. Jaarsma" wrote:
>>P.S. Note the free SYNDefender upgrade on our web site
>>(http://www.checkpoint.com). Know anyone else who has one?
>

How does this protect the firewall-1 host itself (if at all)??
-pat

From firewalls-owner Wed Oct 2 15:56:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA03339 for firewalls-outgoing; Wed, 2 Oct 1996 15:33:32 -0700 (PDT)
Received: from PACBELL.net (chumash.snfc21.pbi.net [206.13.28.17]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA03286 for ; Wed, 2 Oct 1996 15:33:18 -0700 (PDT)
Received: from ppp-206-170-2-31.sntc01.pacbell.net (ppp-206-170-24-134.sntc01.pacbell.net [206.170.24.134]) by PACBELL.net (8.7.6/8.7.1) with SMTP id PAA09012; Wed, 2 Oct 1996 15:32:46 -0700 (PDT)
Received: by ppp-206-170-2-31.sntc01.pacbell.net with Microsoft Mail id <01BBB077.140DB4E0@ppp-206-170-2-31.sntc01.pacbell.net>; Wed, 2 Oct 1996 15:33:36 -0700
Message-ID: <01BBB077.140DB4E0@ppp-206-170-2-31.sntc01.pacbell.net>
From: muzo
To: "'Firewalls'" , "'Keith McCammon'"
Subject: RE: NT Security
Date: Wed, 2 Oct 1996 15:33:29 -0700
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> You can directly edit NTFS disk sectors from WITHIN NT!

Not on a properly secured system with the correct user rights. To be able to read sectors off of a partition you need certain rights which your regular users shouldn't have.

> You can also boot to DOS
> and using the NTFS4DOS driver read any file regardless of encryption.

Is there any PC OS which can prevent you from booting to DOS and doing the same?
muzo

From firewalls-owner Wed Oct 2 16:11:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA29796 for firewalls-outgoing; Wed, 2 Oct 1996 15:07:29 -0700 (PDT)
Received: from yeager.nmh.org (YEAGER.NMH.ORG [165.20.13.23]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA29758 for ; Wed, 2 Oct 1996 15:07:17 -0700 (PDT)
Received: from nmhnt.nmh.org (nmhnt.nmh.org [165.20.13.27]) by yeager.nmh.org (8.6.9/8.6.9) with SMTP id RAA03967 for ; Wed, 2 Oct 1996 17:10:05 -0500
Message-Id: <199610022210.RAA03967@yeager.nmh.org>
Date: Wed, 2 Oct 1996 17:22:00 -0500
From: "Davidson, Clyde"
Subject: RE: NT Security
To: Firewalls
X-Mailer: Worldtalk (NetConnex V4.00a)/MIME
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Don't forget that the "Orange Book" that defines C2 is not for any networked system. It defines government security requirements for stand-alone systems. That means that any UNIX system that is networked would lose whatever C2 certification that it might have, just like NT.

Also remember that C2 is Discretionary Access Control. That means that "The discretionary access control mechanism shall, either by explicit user action or by default, provide that objects are protected from unauthorized access. These access controls shall be capable of including or excluding access to the granularity of a single user." The Orange Book.

It looks to me that NT and any C2 UNIX both do this just fine. Of course, being discretionary means that NT and UNIX can be configured without any security at all. That is the requirement. If you want Mandatory Access Control you will have to make your system B1, B2, B3, or A1 level of security. However, you still can't network it.

Then again, none of this discusses whether these are even worthwhile for commercial businesses.
Clyde Davidson

----------

From firewalls-owner Wed Oct 2 16:31:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA00758 for firewalls-outgoing; Wed, 2 Oct 1996 15:11:59 -0700 (PDT)
Received: from yeager.nmh.org (YEAGER.NMH.ORG [165.20.13.23]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA00673 for ; Wed, 2 Oct 1996 15:11:38 -0700 (PDT)
Received: from nmhnt.nmh.org (nmhnt.nmh.org [165.20.13.27]) by yeager.nmh.org (8.6.9/8.6.9) with SMTP id RAA03995; Wed, 2 Oct 1996 17:14:19 -0500
Message-Id: <199610022214.RAA03995@yeager.nmh.org>
Date: Wed, 2 Oct 1996 17:22:00 -0500
From: "Davidson, Clyde"
Subject: RE: Gauntlet vs. Sidewinder
To: Firewalls , "'BOUCHARDA@comm.hq.af.mil'"
X-Mailer: Worldtalk (NetConnex V4.00a)/MIME
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have Sidewinder and I love it, but I don't know anything about Gauntlet except that a lot of people love it and use it.

Secure Computing sent me a printed interview with Peter Stephenson of InfoSEC Technologies. He is supposed to be an expert in security who does work for companies to see if he can crack their security, among other things. Peter claims that Sidewinder is the only firewall that he hasn't been able to break into or through. He used ISS and many other tools. Now you have to remember that the source of this interview was Secure Computing, but they have always played very straight with me.

This may or may not help you.

Clyde Davidson
Data Security Coordinator
NMH

Alexis Bouchard wrote:
----------
I have to choose between Gauntlet and Sidewinder as a Firewall solution. Both products meet my laundry list requirements. Both can do the job of securing my network, but which one is better? What I'm looking for is which one is better than the other as far as ease of use, overall security and support from the vendor.
I have all the general vendor info, but I'm looking for strong technical reasons why I should go with one or the other. I'm a new kid on the block. This is my first Firewall experience. I haven't had the luxury of seeing many Firewalls in use, or being able to play and fiddle with them. I'm open to all input and all advice. I need to take advantage of someone else's experiences.

From firewalls-owner Wed Oct 2 16:41:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA10766 for firewalls-outgoing; Wed, 2 Oct 1996 16:22:45 -0700 (PDT)
Received: from ns.rc.toronto.on.ca ([142.77.249.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA10710 for ; Wed, 2 Oct 1996 16:22:20 -0700 (PDT)
Received: by ns.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBB094.AB84B4F0@ns.rc.toronto.on.ca>; Wed, 2 Oct 1996 19:05:26 -0400
Message-ID:
From: Russ
To: "'keithm@asymetrix.com'" , "'fdehert@innet.be'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: NT Security
Date: Wed, 2 Oct 1996 19:05:24 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To use NT as a File and Print server, there are no directories/files which need to be set to RWXD for Everyone. In fact, the group Everyone does not need to have any access to anything. Given that access for some unknown/unqualified user (i.e. Everyone) is not necessary for an NT File and Print server, the idea of C2's accountability/auditing is of value, albeit limited value, but that's all that C2 provides.
Part of the C2 requirements are that the system cannot be modified or accessed without record, and to comply in this area, Microsoft used Compaq and Digital equipment which could have the floppy boot disabled (in the case of Compaq they also disabled the CD boot). The boxes also required physical security (i.e. cabinet locks). This would be true of any system which does not employ a firmware-based tripwire system for the HD controller.

The C2 Orange Book requirements were meant to cover a stand-alone machine, but the C2 Red Book requirements were/are intended for network environments. Microsoft has never completed C2 Red Book testing (or if they have, they've never published the results). The main reason, IMO, is that in order to comply they would have to make significant modifications to their BackOffice products which might run on an NT Server. Microsoft is far more interested in selling less secure/more easily usable products to make that investment at this time. Although customer requirements are changing (look at some of the security features in MSExchange Server, like data encryption, encrypted sessions between site servers, integrated NT Domain authentication...), they still don't have a focus on security first.

As for basic security precautions for NT, remove permissions for the group Everyone at the root of the HKEY_LOCAL_MACHINE hierarchy in the registry. You will be given the option to have this removal propagated down through the entire tree, DO NOT USE THIS OPTION. With that one change, accessing your registry from the network will be restricted only to logged on users of the Administrators group, and even members of this group can be restricted if they are not granted the right to "Log on from the Network". Of course, members of the Administrators group can change that right to give themselves access, but as C2 requires, this change would be recorded in the event logs.
And if they were to delete the logs, the deletion would be recorded also... and so on...

NT 4.0, by default, now restricts registry access for the group Everyone to read access of the following hives;

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\Windows NT\CurrentVersion

NOTE: If you have your NT box set to auto-logon, the username and password get stored in a subkey of Software\Microsoft\Windows NT\CurrentVersion, and can therefore be seen by members of the group Everyone by default. Since enabling auto-logon is done by a registry hack (although a utility is included in the NT Resource Kit to enable it), and since it requires a user ID and password to be stored in clear text, it's obviously a pretty bad idea to enable it. Reducing permissions on subkeys of this hive is a good idea since it contains some parameters that you might not want made known; usually removing the query permission is sufficient.

Cheers,

Russ

"any sufficiently advanced technology is indistinguishable from magic"... Arthur C.
Clarke

From firewalls-owner Wed Oct 2 17:00:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA09789 for firewalls-outgoing; Wed, 2 Oct 1996 16:17:19 -0700 (PDT)
Received: from dns1.noc.best.net (dns1.noc.best.net [206.86.8.69]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA09647 for ; Wed, 2 Oct 1996 16:16:39 -0700 (PDT)
Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by dns1.noc.best.net (8.6.12/8.6.5) with ESMTP id PAA23492 for ; Wed, 2 Oct 1996 15:48:12 -0700
Received: from [204.156.153.118] (mblakele.vip.best.com [204.156.153.118]) by shellx.best.com (8.6.12/8.6.5) with ESMTP id PAA01461 for ; Wed, 2 Oct 1996 15:48:00 -0700
Date: Wed, 2 Oct 1996 15:48:00 -0700
X-Sender: mblakele@pop (Unverified)
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: Camille Blakeley
Subject: Re: Opinions/Experiences re: Sidewinder?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Greetings, all...
>
>Am evaluating high-end firewall implementations currently on the market
>for deployment in large, complex WAN environments.
>
>Secure Computing's Sidewinder seems to be what I'm after, but if there are
>any "gotchas", with their package, I'd sure like to know about them.
>

I have messed around with Sidewinder. The network I was on had an old version of TIS Toolkit running on an even older DEC station. It wasn't perfect, but it did get done what I needed. I was running a 2500 node campus network. Anyway, the old DEC station finally pooped out and someone lent us a Secure Computing Sidewinder to use until we got a new firewall in. I must have spent an entire week configuring it, ugh. I then spent another two months babysitting the little beastie.

My impression is, for a small network (100 nodes or less, one server, etc...)
with very standard requirements for the internet (www, telnet, ftp, gopher, and maybe news), and little or no administration or expertise, this is the thing for you. However, for a large, diverse network that has some non-standard requirements for internet connections, a dynamic configuration, and a very busy mail system, this is your nightmare.

My access list, for reasons I won't go into here, was very large, and the Sidewinder just couldn't handle the size or dynamic nature of my access requirements. I had several applications that needed access to the outside world that were using ports not already listed. The process for making customized proxies was long, problematic, and cryptic. There were times when either one proxy or the whole set of them just stopped working; their processes were still running, but they were rejecting connections, stating that the connection on the other end wasn't available (it was). Nothing short of rebooting the system could fix this. Its interface was kludgy, inflexible, and buggy. However, I believe this was due mainly to the fact I was stressing the system far beyond what it was expected to do.

I also didn't like the fact that you could use it for a web server, anonymous ftp server, etc. as well as a firewall. This made for some problems when configuring, and I believe is just generally insecure. You really want to use a separate system for public access, I think.

Despite the above info, I don't really think Sidewinder is a bad system, it just wasn't able to handle my large, rather complicated network.

>Additionally, if there's a f/w out there other than Sidewinder that
>happens to have a special place in your heart (or in your WAN :-), I'd be
>grateful if you would share your opinions and experiences.

I much prefer any UNIX flavor you may like and Firewall-1. I've messed with several, and this is the one I enjoy working with most.

Hope this helps.
Camille Blakeley

Camille Blakeley (camille@blakeley.com)

From firewalls-owner Wed Oct 2 17:11:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA09244 for firewalls-outgoing; Wed, 2 Oct 1996 16:14:27 -0700 (PDT)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA09205 for ; Wed, 2 Oct 1996 16:14:11 -0700 (PDT)
Received: by hidata.com; id AA15211; Wed, 2 Oct 96 16:13:43 PDT
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma015209; Wed, 2 Oct 96 16:13:30 -0700
Received: from sysadmin by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id QAA11213; Wed, 2 Oct 1996 16:13:21 -0700
Message-Id: <2.2.32.19961002231123.00be35a8@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 02 Oct 1996 16:11:23 -0700
To: Firewalls@GreatCircle.COM (Firewalls)
From: Bill Stout
Subject: RE: NT Security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:12 AM 10/1/96 +0200, G6 CPT Bates wrote:
...
>However, we have run into speed bumps with individuals processing classified information on unclassified
>...
>We do not have the budget nor training to install expensive firewalls at the Division level. We think less, but more robust machines running NT workstation on both the class and unclass LAN/WAN's, would offer what we require in terms of processing power and NT's excellent auditing/security. However, it is very expensive, both in terms of equipment, and personnel, to maintain these two NT LAN's. While I have yet to see someone hack an NTFS partition with permissions and other holes plugged up (watched a couple of DISA's best guys try), the security goons still have conniption fits about placing classified data on an unclassified NTFS partition. Any word on when NT will be network certified??
>...

Ha ha ha ha ho ho he.
As an ex-crypto (MOS 31S) and 'other duties as assigned' Army vet, good luck! I sure hope you're not really putting classified data on NT systems in unclassified nets! If you know of someone who has, get the S2 to have a nice long talk with them. I pay nose-bleed taxes to support god-knows-what covert and non-covert political and military actions which I may or may not agree with, and had put my own neck on the line in the insane live-fire environment of the Korean DMZ and other environments to 'protect our freedoms' (which keep diminishing thanks to our own Government's occasional Socialist/Tyrannistic binges), and I'd hate to see my hard-earned tax dollars be blown so easily.

NT is breakable. UNIX is breakable. Unless you know exactly what you are doing, I guaran'f-ing'tee you, you will leave security holes open. DISA's 'best' are not 'the best' hackers in the world by far. The best are out there in the private industry making the big bucks, talking to developers, comparing notes, and, hacking.

NT will have Kerberos 5 authentication which is probably what you are thinking of. But even though an O.S. may have strong internal security mechanisms, that security mechanism never leaves the local machine. Once an external connection is made into a machine, some service aliases what it authenticated, to some valid internal user. Your internal O.S. has process-to-process communications that can be snooped, your client-to-server process can be spoofed, external sessions can be hijacked, and your external data can be sniffed.

There is a biblical prophecy which talks about a statue of the great world empires made of gold, silver, copper, legs of iron etc. This great powerful statue collapsed because a stone was thrown at its feet which were made of clay mixed with iron. Silicon and wires? Food for thought.
Bill Stout
_______________________________________________________________________________
Senior Systems Admin    NT/Solaris/WWW/Firewalls/Routers/Mainframe_UNIX
Hitachi Data Systems    408-970-4822
--- Disclaimer: I speak only for myself
HDS Marketing ---> http://www.hdshq.com/
Freedom       ---> http://www.libertarian.com/
Threats       ---> http://www.ccnet.com/~suntzu75/resister.htm

From firewalls-owner Wed Oct 2 17:26:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA15667 for firewalls-outgoing; Wed, 2 Oct 1996 16:48:05 -0700 (PDT)
Received: from kyoko.mpx.com.au (new-kyoko.mpx.com.au [203.2.75.38]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA15539 for ; Wed, 2 Oct 1996 16:47:30 -0700 (PDT)
From: craigw@mac.ce.com.au
Received: from enterprise.ce.com.au(really [203.23.60.2]) by kyoko.mpx.com.au via sendmail with esmtp id for ; Thu, 3 Oct 96 09:43:40 +1000 (EST) (/\##/\ Smail3.1.30.13 #30.8 built 5-oct-95)
Received: from mac.ce.com.au by enterprise.ce.com.au with smtp (Smail3.1.30.13 #1) id m0v8b0E-001Tf3C; Thu, 3 Oct 96 09:46:58 +1000 (EST)
Received: from craig.ce.com.au by mac.ce.com.au (8.6.13/200.8.1.3) id JAA20536; Thu, 3 Oct 1996 09:44:43 +1000
Message-Id: <199610022344.JAA20536@mac.ce.com.au>
Comments: Authenticated sender is
To: fdehert@innet.be (Frank J.J. De Hert)
Date: Thu, 3 Oct 1996 09:46:02 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: RE: NT Security
CC: firewalls@GreatCircle.com
X-mailer: Pegasus Mail for Win32 (v2.42a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Have a separate admin account on ALL machines. Users should have a maximum "Power User" access level. Never allow root access to the user... even on their own machine. As admin change all permissions back

> >This can be done fairly simply from an administrative workstation,
> >across the network.
> >Every NT machine automatically shares all of its
> >drives under \\computername\c$ or d$ etc. These shares can only be
> >accessed by an administrator (possibly a backup operator). This will
> >allow you to scan the machine across the network without the users'
> >knowledge.
>
> This is true if the user hasn't taken ownership of certain directories and
> set the permissions such that only the user has access. For even an
> administrator to look at these files, the admin has to take ownership and
> set appropriate permissions (unless I missed something somewhere). This, of
> course, throws a spanner in the works. Any suggestions?
>
> --
> Frank De Hert
> System/Security Manager
> NATO Programming Centre.
>

--
Soon, we may all be staring at our computers, wondering whether they're staring back.
[Network Admin For WPA Business Products. aka doshai >;-) ]
http://pip.com.au/~doshai/
Key fingerprint = 2D F4 54 BB B4 EA F1 E7 B6 DE 48 92 FC 8D FF 49
Send a message with the subject "send pgp-key" for a copy of my key.
(if I want to give it to you)

From firewalls-owner Wed Oct 2 17:41:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA20768 for firewalls-outgoing; Wed, 2 Oct 1996 17:13:16 -0700 (PDT)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA20730 for ; Wed, 2 Oct 1996 17:12:57 -0700 (PDT)
Received: from anubis.network.com by nsco.network.com (4.1/1.34) id AA06965; Wed, 2 Oct 96 19:19:16 CDT
Received: from blefscu.network.com by anubis.network.com (4.1/SMI-4.1) id AA13639; Wed, 2 Oct 96 19:12:04 CDT
Date: Wed, 2 Oct 96 19:12:04 CDT
From: amolitor@anubis.network.com (Andrew Molitor)
Message-Id: <9610030012.AA13639@anubis.network.com>
To: firewalls@greatcircle.com
Subject: apologies -
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have been justly chastised for advertising NSC's audit products, in the guise of informing on this list. I apologise to all!

In an attempt to atone, I will also urge all wanting a network audit to contact TIS. My feeble brain seems to recall that they occasionally do that sort of thing under at least some circumstances, and I deeply respect those TIS people I have any opinion on. As far as I know, NSC and TIS have no formal relationships at all.
Andrew Molitor

From firewalls-owner Wed Oct 2 17:56:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA23306 for firewalls-outgoing; Wed, 2 Oct 1996 17:29:59 -0700 (PDT)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA23232 for ; Wed, 2 Oct 1996 17:29:32 -0700 (PDT)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id RAA22783; Wed, 2 Oct 1996 17:13:36 -0700
Received: from gw.garrison.com(205.241.58.147) by mycroft via smap (V1.3mjr) id sma022778; Wed Oct 2 17:12:56 1996
Received: by garrison.com; id NAA07672; Tue, 1 Oct 1996 13:30:27 -0500
Received: from unknown(10.0.0.2) by gw.garrison.com via smap (V3.1.1) id xma007613; Tue, 1 Oct 96 13:30:01 -0500
Received: by ukn0.garrison.com. (4.1/Nutered Mailer) id AA03411; Wed, 2 Oct 96 19:07:30 CDT
Date: Wed, 2 Oct 96 19:07:30 CDT
From: jeromie@garrison.com (Hmm)
Message-Id: <9610030007.AA03411@ukn0.garrison.com.>
To: bdboyle@erenj.com, barbara@us.checkpoint.com
Subject: Re: Gauntlet vs. Sidewinder
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Bryan -
> You're right - it's not an unbiased opinion. But after 25 years in
> the business, first as a programmer, and then as a consultant
> specializing in multi-protocol, multi-vendor, multi-application
> environments & security, and having worked for numerous firewall
> vendors, I can pick my own jobs and name my own price. And I'm here
> at Checkpoint. Think about it...
> -Barb
> P.S. Note the free SYNDefender upgrade on our web site
> (http://www.checkpoint.com). Know anyone else who has one?
>
> > Bryan D. Boyle wrote:
> > >
> > > Barbara W. Jaarsma wrote:
> > > >
> > > > Bouchard, Alexis, 2Lt,SAM/GNCP wrote:
> > > > >
> > > > > I have to choose between Gauntlet and Sidewinder as a Firewall solution.
> > > >
> > > > Personally, I'd go with FireWall-1...
> > > > :-)
> > > > -Barb
> > >
> > > Not an unbiased opinion, from your return address.

I would be interested in hearing how checkpoint is securing their customers from SMTP based attacks! From what I have seen, they simply pass it through to a mail machine... If that mail machine happens to be running Sendmail 4.1, the attacker can blow holes right through the perimeter....?

Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

Keep the flames burning.

From firewalls-owner Wed Oct 2 18:11:28 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA20687 for firewalls-outgoing; Wed, 2 Oct 1996 17:12:31 -0700 (PDT)
Received: from kyoko.mpx.com.au (new-kyoko.mpx.com.au [203.2.75.38]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA20613 for ; Wed, 2 Oct 1996 17:12:03 -0700 (PDT)
From: craigw@mac.ce.com.au
Received: from enterprise.ce.com.au(really [203.23.60.2]) by kyoko.mpx.com.au via sendmail with esmtp id for ; Thu, 3 Oct 96 10:08:07 +1000 (EST) (/\##/\ Smail3.1.30.13 #30.8 built 5-oct-95)
Received: from mac.ce.com.au by enterprise.ce.com.au with smtp (Smail3.1.30.13 #1) id m0v8bNu-001Tf3C; Thu, 3 Oct 96 10:11:26 +1000 (EST)
Received: from craig.ce.com.au by mac.ce.com.au (8.6.13/200.8.1.3) id KAA26474; Thu, 3 Oct 1996 10:09:12 +1000
Message-Id: <199610030009.KAA26474@mac.ce.com.au>
Comments: Authenticated sender is
To: muzo
Date: Thu, 3 Oct 1996 10:10:31 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: RE: NT Security
CC: "To: \"'Firewalls'\""
X-mailer: Pegasus Mail for Win32 (v2.42a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is why there is the requirement that there is no removable boot device (floppy, cd, hard drive or chip)

> You can directly edit NTFS disk sectors from WITHIN NT!

not on a properly secured system with the correct user rights.
To be able to read sectors off of a partition you need certain rights which your regular users shouldn't have.

> You can also boot to DOS
> and using the NTFS4DOS driver read any file regardless of
> encryption.

--
Soon, we may all be staring at our computers, wondering whether they're staring back.
[Network Admin For WPA Business Products. aka doshai >;-) ]
http://pip.com.au/~doshai/
Key fingerprint = 2D F4 54 BB B4 EA F1 E7 B6 DE 48 92 FC 8D FF 49
Send a message with the subject "send pgp-key" for a copy of my key.
(if I want to give it to you)

From firewalls-owner Wed Oct 2 18:11:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA23160 for firewalls-outgoing; Wed, 2 Oct 1996 17:29:01 -0700 (PDT)
Received: from main.geminisecure.com ([205.179.16.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA23146 for ; Wed, 2 Oct 1996 17:28:50 -0700 (PDT)
Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id RAA26545; Wed, 2 Oct 1996 17:31:20 -0700
Date: Wed, 2 Oct 1996 17:31:19 -0700 (PDT)
From: Leonard Miyata
To: "Davidson, Clyde"
cc: Firewalls
Subject: RE: NT Security
In-Reply-To: <199610022210.RAA03967@yeager.nmh.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

That's right. If you want the Networking C2 requirements you have to look at the "Red Book" (TNI) which supplements the "Orange Book" for Network functionality. (The TNI also defines A1, B3, B2, B1 networking requirements as well)

P.S. While checking the Orange Book, check the qualifications necessary to do a C2 evaluation. I bet that the majority of readers of this forum would qualify.
And if you personally can't find a security bug in an O.S. in two-three weeks, does this mean the O.S. is secure???

Personal Opinions provided by Leonard Miyata
Gemini Computers Inc.

On Wed, 2 Oct 1996, Davidson, Clyde wrote:

>
>
>
> Don't forget that the "Orange Book" that defines C2 is not for any
> networked system. It defines government security requirements for
> stand-alone systems. That means that any UNIX system that is networked
> would lose whatever C2 certification that it might have, just like NT.
>
> Also remember that C2 is Discretionary Access Control. That means that
> "The discretionary access control mechanism shall, either by explicit
> user action or by default, provide that objects are protected from
> unauthorized access. These access controls shall be capable of including
> or excluding access to the granularity of a single user." The Orange
> Book. It looks to me that NT and any C2 UNIX both do this just fine. Of
> course, being discretionary means that NT and UNIX can be configured
> without any security at all. That is the requirement. If you want
> Mandatory Access Control you will have to make your system B1, B2, B3, or
> A1 level of security. However, you still can't network it.
>
> Then again, none of this discusses whether these are even worthwhile for
> commercial businesses.
>
> Clyde Davidson
>
> ----------
>

From firewalls-owner Wed Oct 2 18:41:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA28582 for firewalls-outgoing; Wed, 2 Oct 1996 18:03:52 -0700 (PDT)
Received: from ns.rc.toronto.on.ca ([142.77.249.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA28537 for ; Wed, 2 Oct 1996 18:03:37 -0700 (PDT)
Received: by ns.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBB0A5.015DFD90@ns.rc.toronto.on.ca>; Wed, 2 Oct 1996 21:02:22 -0400
Message-ID:
From: Russ
To: "'Keith McCammon'"
Cc: "'Firewalls'"
Subject: RE: NT Security
Date: Wed, 2 Oct 1996 21:02:20 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Excuse me, but NT does NOT have excellent auditing/security. Internet
>hackers are just starting to wade into NT, and the more I talk to them
>the more gaping holes I find.

Would you mind substantiating this claim a little. I mean, anyone can make this statement, but without some references to actual possible attacks, it's hardly useful on the Firewalls list is it?

I do this stuff for a living, and am very familiar with many past problems, some that have been addressed and some that have not. However, in all that, I'm unfamiliar with any GAPING HOLES in NT's security which cannot be rectified with the tools included in a basic NT Server package. That doesn't mean it prevents spoofing or session hijacking, but I don't consider its inability to deal with these things out of the box as GAPING HOLES. A GAPING HOLE would be your ability to connect to a secured network share without an appropriate user ID/password, or your ability to read/modify the contents of SAM hive of the registry. Got a hack for something like that?

>What???
>NTFS is not encrypted! NTFS is not a secure file system! You can
>directly edit NTFS disk sectors from WITHIN NT! You can also boot to DOS
>and using the NTFS4DOS driver read any file regardless of encryption. You
>can also reinstall NT and Take Ownership of entire volumes! And if you
>physically transfer the hard disk to another NT box you can also take
>ownership, negating all file security!

O.k., I give, where is there a disk sector editor that works on NTFS from WITHIN NT! I assume, by your emphasis on this supposed tool, that it bypasses NTFS security and can be run by a non-Administrator user ID. If, on the other hand, you are referring to the DIR command, or the TYPE command, used by the Administrator user who has permissions in the directory, and on the file in question, then obviously this is by no means news.

As for the NTFS4DOS program(s), DOS and Linux versions exist, neither of these programs have any decryption capabilities (re: your statement "regardless of encryption"). As you pointed out already, NTFS is not encrypted. Both the DOS and Linux versions are simple sector editors which can understand the NTFS sector layouts. Whoop-ti-do! Sure, if you thought NTFS provided encryption or security when NT WASN'T running, then it's news. Neither of these are "hacks" of NT, and neither should pose a threat to any "properly secured" NT box that has data that is meant to be confidential. I'm sure our friends at .MIL already know how to secure the hard disks of their boxes on the classified network (they've told me that over and over again during the first publication of the NTFS reader many, many months ago).

Cheers,
Russ
"any sufficiently advanced technology is indistinguishable from magic"...Arthur C.
Clarke
>

From firewalls-owner Wed Oct 2 18:48:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA28744 for firewalls-outgoing; Wed, 2 Oct 1996 18:05:10 -0700 (PDT)
Received: from garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA28722 for ; Wed, 2 Oct 1996 18:04:55 -0700 (PDT)
Received: by garrison.com; id OAA14594; Tue, 1 Oct 1996 14:22:27 -0500
Received: from unknown(10.0.0.2) by gw.garrison.com via smap (V3.1.1) id xma014590; Tue, 1 Oct 96 14:22:24 -0500
Received: by ukn0.garrison.com. (4.1/Nutered Mailer) id AA03436; Wed, 2 Oct 96 20:00:04 CDT
Date: Wed, 2 Oct 96 20:00:04 CDT
From: jeromie@garrison.com (Hmm)
Message-Id: <9610030100.AA03436@ukn0.garrison.com.>
To: firewalls@greatcircle.com, camille@blakeley.com
Subject: Re: Opinions/Experiences re: Sidewinder?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >Greetings, all...
> >
> >Am evaluating high-end firewall implementations currently on the market
> >for deployment in large, complex WAN environments.
> >
> >Secure Computing's Sidewinder seems to be what I'm after, but if there are
> >any "gotchas", with their package, I'd sure like to know about them.
> >
>
> I have messed around with Sidewinder. The network I was on had an old
> version of TIS Toolkit running on an even older DEC station. It wasn't
> perfect, but it did get done what I needed. I was running a 2500 node
> campus network.
>
> Anyway, the old DEC station finally pooped out and someone lent us a Secure
> Computing Sidewinder to use until we got a new firewall in. I must have
> spent an entire week configuring it, ugh. I then spent another two months
> babysitting the little beastie.
>

This I would definitely agree with.. They are VERY specific in the hardware requirements, and without buying the box directly from them, it is very hard to get all the pieces right.
(even in the new 3.0)

> My impression is, for a small network (100 nodes or less, one server,
> etc...) with very standard requirements for the internet
> (www,telnet,ftp,gopher, and maybe news), and little or no administration or
> expertise, this is the thing for you.
>
> However, for a large, diverse network that has some non standard
> requirements, for internet connections, a dynamic configuration, and a very
> busy mail system, this is your nightmare.
>
> My access list, for reasons I won't go into here, was very large, and the
> Sidewinder just couldn't handle the size or dynamic nature of my access
> requirements.
>
> I had several applications that needed access to the outside world that
> were using ports not already listed. The process for making customized
> proxies was long, problematic, and cryptic.

I cannot speak of earlier versions than 2.2, but 2.2 & 3.0 appear to be quite easy in order to add generic proxies. I was able to do so in a matter of 15 minutes my first time, following the manual's instructions. By the way, the manual for Sidewinder is much better than the documentation I have seen elsewhere, including Gauntlet. Have you found a good paper on custom configuration of the netperm-table!?!?@#?

>
> There were times when either one proxy or the whole set of them just
> stopped working; their processes were still running, but they were
> rejecting connections, stating that the connection on the other end wasn't
> available (it was). Nothing short of rebooting the system could fix this.
>
> Its interface was kludgy, inflexible, and buggy. However, I believe this
> was due mainly to the fact I was stressing the system far beyond what it
> was expected to do.
>
> I also didn't like the fact that you could use it for a web server,
> anonymous ftp server, etc.. as well as a firewall. This made for some
> problems when configuring, and I believe is just generally insecure. You
> really want to use a separate system for public access, I think.
>

Here I would definitely have to agree with you. Regardless of the security mechanisms in place, I do not feel safe running any server on the firewall.

> Despite the above info, I don't really think Sidewinder is a bad system, it
> just wasn't able to handle my large, rather complicated network.
>
> >Additionally, if there's a f/w out there other than Sidewinder that
> >happens to have a special place in your heart (or in your WAN :-), I'd be
> >grateful if you would share your opinions and experiences.
>
> I much prefer any UNIX flavor you may like and Firewall-1. I've messed
> with several, and this is the one I enjoy working with most.
>

Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Wed Oct 2 19:15:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA03705 for firewalls-outgoing; Wed, 2 Oct 1996 18:32:27 -0700 (PDT)
Received: from ns.rc.toronto.on.ca ([142.77.249.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA03652 for ; Wed, 2 Oct 1996 18:32:13 -0700 (PDT)
Received: by ns.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBB0A8.F888F4A0@ns.rc.toronto.on.ca>; Wed, 2 Oct 1996 21:30:45 -0400
Message-ID:
From: Russ
To: "'Firewalls@GreatCircle.COM'" , "'g6amsib@1ADTFREAR.1AD.ARMY.MIL'"
Subject: RE: NT Security
Date: Wed, 2 Oct 1996 21:30:43 -0400
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>However, we have run into speed bumps with individuals processing
>classified information on unclassified PC's

According to what I've been told, those hard disks should be brought into your classified network right away.
Whether NT does or does not prevent retrieval of data fragments from deleted or reused disk space is supposedly irrelevant to .mil security. If classified data has ever been on a drive, the drive stays in a machine on the classified network or becomes a spare for a machine on the classified network. Shortage of resources does not equal throwing your security policies and practices out with the bath water.

>and virus problems, mostly those that affect the boot sector. Converting
>from WFW 3.11 and WIN 95 to NT Workstation with no FAT partitions, strictly
>NTFS partitions seem to be the optimal solution.

Removing the floppy drives is the optimal solution. An NTFS boot partition will prevent the boot sector viruses.

>We do not have the budget nor training to install expensive firewalls at
>the Division level. We think less, but more robust machines running NT
>workstation on both the class and unclass LAN/WAN's, would offer what we
>require in terms of processing power and NT's excellent auditing/security.

Ah, life on the road. If the boss says "get it done", you do it, right? I may be wrong here, but last I heard NT was not acceptable on the class net, I would strongly suggest you check that out.

>While I have yet to see someone hack an NTFS partition with permissions and
>other holes plugged up (watched a couple of DISA's best guys try), the
>security goons still have conniption fits about placing classified data on an
>unclassified NTFS partition.

The "goons" are having conniptions more about putting classified data on an unclassified machine than they are about putting class stuff on NTFS. If it's unclass, the physical security is different bud, so are access controls, management, auditing, (need I go on?). Putting class data "out in the wilds" is unacceptable regardless of what you put on the drive in terms of an OS. If the machine is deemed a class machine, it's a different animal.
NTFS, or some file encryption mechanism you might get your hands on, employed on an UNCLASSIFIED machine, will never meet the specs for classified data storage. 'Cause it ain't just about how the data is stored on the drive or how the OS lets you get access to it. Security isn't a thing you stick on a box or load into memory, it's a whole range of things from the lock on the door leading into the area to the size of the ventilation ducting venting the air out the other end, oh, and by the way, there's some software and hardware stuff somewhere in between.

>Any word on when NT will be network certified??

For CLASSIFIED data? I don't think that MS is going to provide you with what you need. Even C2 Red Book certification ain't going to satisfy your goons. Look to Global Internet's TNT product (www.gi.net), or Nortel's Entrust products.

>We are also starting to use Iomega's Zip drive to store/archive/use large
>amounts of data. Merely attempting to find a solution that meets our needs,
>both from a function, security, and fiscal perspective.

Out of curiosity, what's your plan for securing the Zip drive cartridges?

Cheers,
Russ
"any sufficiently advanced technology is indistinguishable from magic"...Arthur C.
Clarke
>

From firewalls-owner Wed Oct 2 20:11:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA15877 for firewalls-outgoing; Wed, 2 Oct 1996 20:07:54 -0700 (PDT)
Received: from pathway1.pathcom.com (pathway1.pathcom.com [204.191.122.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA15864 for ; Wed, 2 Oct 1996 20:07:48 -0700 (PDT)
Received: from nnavarro.pathcom.com (ts4l4.pathcom.com [204.191.122.72]) by pathway1.pathcom.com (8.7.5/8.7.3) with SMTP id XAA27814 for ; Wed, 2 Oct 1996 23:07:25 -0400 (EDT)
Message-ID: <32532BD6.67A3@pathcom.com>
Date: Wed, 02 Oct 1996 22:58:30 -0400
From: Nestor & Christine Navarro
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: How does one set a rule in IBM's Internet Secure Network Gateway to allow Notes 4.1.4 replication?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am having trouble setting up IBM's firewall, the "Secure Network Gateway", to allow a machine in an internal network with Lotus Notes 4.1.4 to replicate (or even at the moment to talk) to an external machine over the Internet. All I know is to open up PORT 1352.

Part of my problem as well is my internal network also has unregistered IP addresses. So how do I handle Name Address Translation?

If anyone can be of any help, I would gladly appreciate it. Thank you.

Chris.
From firewalls-owner Wed Oct 2 20:26:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA16127 for firewalls-outgoing; Wed, 2 Oct 1996 20:14:40 -0700 (PDT)
Received: from smtp2.interramp.com (smtp2.interramp.com [38.8.200.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA16120 for ; Wed, 2 Oct 1996 20:14:32 -0700 (PDT)
Received: from davidh.interramp.com by smtp2.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp) id XAA17439; Wed, 2 Oct 1996 23:13:51 -0400
Message-ID: <32533C06.2CBE@checkpoint.com>
Date: Wed, 02 Oct 1996 23:07:34 -0500
From: David Helms
Organization: CheckPoint Software Technologies
X-Mailer: Mozilla 2.02Gold (Win95; I)
MIME-Version: 1.0
To: jeromie@garrison.com
CC: firewalls@GreatCircle.COM
Subject: Re: Gauntlet vs. Sidewinder
References: <9610030007.AA03411@ukn0.garrison.com.>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jeromie wrote,

>(Many leading emails deleted)
>
> I would be interested in hearing how checkpoint is securing their
> customers from SMTP based attacks! From what I have seen, they simply pass it
> through to a mail machine... If that mail machine happens to be running
> Sendmail 4.1, the attacker can blow holes right through the perimeter....?
>
> Jeromie Jackson
> Garrison Technologies
> jeromie@garrison.com
>
> Keep the flames burning.

Jeromie,

It's the firewall's responsibility to control access and pass protocols securely. If the customer has a server that they are going to allow public access to, we recommend that they isolate that server in a DMZ. This could be a mail server or a web server, or whatever.

Here's how it works:

    [External Net]----[Firewall]----[Internal Net]
                          |
                          |
                      [DMZ Net]

The key here is that you can limit access to specific DMZ servers to specific services.
You can log connection attempts to specific DMZ servers and most important, you only allow connections to DMZ servers, not connections from DMZ servers. You never allow connections originating from outside the internal network to enter into the internal network. That way, even if a DMZ server gets hacked, it can't be used as a launching point to attack the good stuff, the internal network.

Have a great day,

David Helms
a launching platform into the secure network.

--
__________________________________
David Helms
Senior Technical Consultant
CheckPoint Software Technologies
ph 703.684.4824 fx 703.684.4847
davidh@checkpoint.com
__________________________________

From firewalls-owner Wed Oct 2 20:56:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA15780 for firewalls-outgoing; Wed, 2 Oct 1996 20:05:18 -0700 (PDT)
Received: from dosgod.mi.org (dosgod.mi.org [205.149.142.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA15773 for ; Wed, 2 Oct 1996 20:05:08 -0700 (PDT)
Received: (from root@localhost) by dosgod.mi.org (8.7.4/8.7.3) id XAA16541; Wed, 2 Oct 1996 23:04:30 -0400
Date: Wed, 2 Oct 1996 23:04:29 -0400 (EDT)
From: Eric Kimminau
To: Tony.Bakker@ecmwf.int
cc: Mikael Kuisma , sdadmin@jabberwocky.bbnplanet.com, Firewalls@greatcircle.com
Subject: Re: Gauntlet 3.1 on SGI IRIX and SecurID
In-Reply-To: <9610021404.ZM29469@barant>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Since Gauntlet 3.1 is ONLY for IRIX 5.3, I'm assuming that you are NOT trying to use multiple netmasks on this system, that is, the netmask for all interfaces in this system is netmask 0xfffffc00 - I also see a GLARING problem in your network configuration, in that the broadcast address for this interface doesn't match the IP address assigned to it, ie: for an IP address of 136.156.112.128 with a netmask 0xfffffc00 the broadcast address SHOULD be
136.156.112.255 NOT 136.156.115.255. I'd start there.

Good luck.

Eric.

On Wed, 2 Oct 1996, Tony Bakker wrote:

> Date: Wed, 2 Oct 1996 14:04:42 +0100
> From: Tony Bakker
> To: Mikael Kuisma
> Cc: sdadmin@jabberwocky.bbnplanet.com, Firewalls@greatcircle.com
> Subject: Re: Gauntlet 3.1 on SGI IRIX and SecurID
>
> [To unsubscribe, mail to majordomo@jabberwocky.bbnplanet.com]
> On Oct 2, 10:40, Mikael Kuisma wrote:
> > Subject: Re: Gauntlet 3.1 on SGI IRIX and SecurID
> > Tony Bakker wrote:
> > > In the netperm-table I have got the line:
> > >
> > > authsrv: securidhost isis
> >
> > isis should be the name/address of the inside
> > interface on the Gauntlet, i.e. the host
> > that acts as the securid client. It should
> > not be the name of the ACE server.
> >
>
> Done that, but it still does not work!
>
> # grep secur /usr/gauntlet/config/netperm-table
> authsrv: securidhost 136.156.112.128
>
> # ifconfig ec0
> ec0: flags=c63
> inet 136.156.112.128 netmask 0xfffffc00 broadcast 136.156.115.255
>
> authsrv[24258]: ACM Error: Unable to locate ACE/Server host
> ; error Error 0
>
>
> Tony
>

========================================================================
Eric Kimminau eric@kimminau.org "I speak my mind and no one else's."
"I am the downhill tumble and roll champ, king of the toad finders, captain of the high altitude tree branch vista club, second place finisher in the round the yard backward dash, premier burper state division, sodbuster and worm scout first order, and generalissimo of the mud and mayhem society." Calvin, 1995
Baroque (adj.): when you run out of Monet.
In dog years, I'm dead.
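The check a practitioner would run on the interface configuration quoted in this exchange: parse the ifconfig line, recompute the broadcast address from the address and the 0xfffffc00 mask, and compare it with what the interface reports. This is an added example, not code from either poster; the first sample line is the ifconfig output quoted above, the second is constructed to show a mismatch, and the 255.255.255.0 comparison shows what a /24 mask would give instead.

```python
"""Recompute an interface's broadcast address from its address and netmask
and check it against the value ifconfig reports (added example)."""
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Any, Dict

# Matches the IRIX/BSD "inet A netmask M broadcast B" clause. The mask may be
# the hex form ifconfig prints (0xfffffc00) or a dotted quad.
IFCONFIG_RE = re.compile(
    r"inet\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+"
    r"netmask\s+(?P<mask>0x[0-9a-fA-F]{1,8}|\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+broadcast\s+(?P<bcast>\d+\.\d+\.\d+\.\d+))?"
)

# The ec0 line quoted in the thread, and a constructed line whose broadcast
# does not fit its mask.
QUOTED_IFCONFIG = (
    "ec0: flags=c63 inet 136.156.112.128 netmask 0xfffffc00 "
    "broadcast 136.156.115.255"
)
CONSTRUCTED_BAD = (
    "ec1: flags=c63 inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.255.255"
)


def mask_to_int(mask: str) -> int:
    """Netmask as a 32-bit integer, from hex or dotted-quad notation."""
    if mask.lower().startswith("0x"):
        return int(mask, 16)
    return int(IPv4Address(mask))


def prefix_length(mask: str) -> int:
    """Number of leading one bits; a non-contiguous mask is rejected."""
    m = mask_to_int(mask)
    ones = bin(m).count("1")
    if ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF) != m:
        raise ValueError(f"non-contiguous netmask {mask}")
    return ones


def expected_broadcast(addr: str, mask: str) -> str:
    """Network = address AND mask; broadcast = network OR the inverted mask."""
    a = int(IPv4Address(addr))
    m = mask_to_int(mask)
    return str(IPv4Address((a & m) | (~m & 0xFFFFFFFF)))


def check_ifconfig_line(line: str) -> Dict[str, Any]:
    """Parse one ifconfig line and report whether its broadcast is consistent."""
    match = IFCONFIG_RE.search(line)
    if match is None:
        raise ValueError("no 'inet ... netmask ...' clause found")
    addr, mask, bcast = match.group("addr"), match.group("mask"), match.group("bcast")
    want = expected_broadcast(addr, mask)
    net = IPv4Network(f"{addr}/{prefix_length(mask)}", strict=False)
    return {
        "address": addr,
        "network": str(net),
        "configured_broadcast": bcast,
        "expected_broadcast": want,
        "consistent": bcast == want,
    }


if __name__ == "__main__":
    for line in (QUOTED_IFCONFIG, CONSTRUCTED_BAD):
        print(check_ifconfig_line(line))
    print("with 255.255.255.0:", expected_broadcast("136.156.112.128", "255.255.255.0"))
```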
From firewalls-owner Wed Oct 2 21:11:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA17312 for firewalls-outgoing; Wed, 2 Oct 1996 20:31:36 -0700 (PDT)
Received: from garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA17303 for ; Wed, 2 Oct 1996 20:31:28 -0700 (PDT)
Received: by garrison.com; id QAA03524; Tue, 1 Oct 1996 16:48:57 -0500
Received: from unknown(10.0.0.2) by gw.garrison.com via smap (V3.1.1) id xma003481; Tue, 1 Oct 96 16:48:38 -0500
Received: by ukn0.garrison.com. (4.1/Nutered Mailer) id AA03445; Wed, 2 Oct 96 22:26:17 CDT
Date: Wed, 2 Oct 96 22:26:17 CDT
From: jeromie@garrison.com (Hmm)
Message-Id: <9610030326.AA03445@ukn0.garrison.com.>
To: jeromie@garrison.com, david.helms@checkpoint.com
Subject: Re: Gauntlet vs. Sidewinder
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Jeromie wrote,
>
> >(Many leading emails deleted)
> >
> > I would be interested in hearing how checkpoint is securing their
> > customers from SMTP based attacks! From what I have seen, they simply pass it
> > through to a mail machine... If that mail machine happens to be running
> > Sendmail 4.1, the attacker can blow holes right through the perimeter....?
> >
> > Jeromie Jackson
> > Garrison Technologies
> > jeromie@garrison.com
> >
> > Keep the flames burning.
>
> Jeromie,
>
> It's the firewall's responsibility to control access and pass protocols securely.
> If the customer has a server that they are going to allow public access to, we
> recommend that they isolate that server in a DMZ. This could be a mail server or
> a web server, or whatever.
>
> Here's how it works:
>
>
>     [External Net]----[Firewall]----[Internal Net]
>                           |
>                           |
>                       [DMZ Net]
>
> The key here is that you can limit access to specific DMZ servers to specific
> services.
> You can log connection attempts to specific DMZ servers and most
> important, you only allow connections to DMZ servers, not connections from DMZ
> servers. You never allow connections originating from outside the internal network
> to enter into the internal network. That way, even if a DMZ server gets hacked,
> it can't be used as a launching point to attack the good stuff, the internal network.
>
> Have a great day,
>
> David Helms
> a launching platform into the secure network.
>
>

My point is this:

1) People generally have their SMTP server sitting somewhere within the "[Internal Net]". The firewall would say something like "We only allow connections to port 25 of the SMTP gateway". If the SMTP gateway is sitting inside, the perimeter is broken.

2) If the internet SMTP gateway sits on the DMZ, and the customer has several internal SMTP gateways that distribute all the mail, then again, the SMTP gateway on the DMZ would have access to send data to the inside SMTP hosts, thus providing information flow. If the internal SMTP gateways are vulnerable to attack (IE: version of sendmail that have problems, IE: ALL) then again, the perimeter is broken.

If I am not seeing something here, please clarify it for us all.
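A model of the two positions in this exchange (David's DMZ rule set, quoted above, and Jeromie's inbound-mail objection), added here as an example; it is not CheckPoint's rule language and not code from either poster, and the zone names, ports and rule order are assumptions. A strict policy denies every connection into the internal net, a second policy adds the single dmz-to-internal port 25 exception a DMZ mail relay needs, and `paths_into_internal` lists the hops each policy leaves open.

```python
"""Zone-policy model for the DMZ design and the inbound-mail case discussed
above (added example; zones, ports and rule order are assumptions)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ZONES = ("external", "dmz", "internal")


@dataclass(frozen=True)
class Rule:
    src: str              # zone the connection originates in
    dst: str              # zone of the destination host
    port: Optional[int]   # TCP destination port; None matches any port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in policy:
        if (rule.src == flow.src and rule.dst == flow.dst
                and rule.port in (None, flow.port)):
            return rule.action
    return "deny"


# David's design: the outside may reach published DMZ services only, the
# inside may reach out, and nothing originating in the DMZ or outside may
# open a connection into the internal net.
STRICT_DMZ_POLICY = [
    Rule("external", "dmz", 25, "allow"),       # inbound SMTP to the DMZ relay
    Rule("external", "dmz", 80, "allow"),       # public web server
    Rule("internal", "dmz", None, "allow"),
    Rule("internal", "external", None, "allow"),
    Rule("dmz", "internal", None, "deny"),
    Rule("external", "internal", None, "deny"),
]

# Jeromie's case: the DMZ relay must hand mail to the internal SMTP hosts,
# so a deployment adds one dmz -> internal port 25 exception in front.
MAIL_DELIVERY_POLICY = [Rule("dmz", "internal", 25, "allow")] + STRICT_DMZ_POLICY


def paths_into_internal(policy: List[Rule],
                        ports: Tuple[int, ...] = (21, 23, 25, 53, 80)) -> List[Tuple[str, int]]:
    """Every (source zone, port) from which the policy allows a connection
    into the internal zone: the hops a compromised DMZ or outside host
    could use, which David's design wants to be an empty list."""
    return [(zone, port)
            for zone in ZONES if zone != "internal"
            for port in ports
            if evaluate(policy, Flow(zone, "internal", port)) == "allow"]


if __name__ == "__main__":
    for name, policy in (("strict", STRICT_DMZ_POLICY),
                         ("mail-delivery", MAIL_DELIVERY_POLICY)):
        print(f"{name}: paths into internal = {paths_into_internal(policy)}")
```

Under the strict policy nothing reaches the internal zone; the mail-delivery policy leaves exactly the dmz-to-internal port 25 hop, which is the information flow Jeromie's second point describes.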
Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Wed Oct 2 21:41:14 1996
From: "Nick D'Apice"
Date: Thu, 3 Oct 1996 00:31:39 +0000
To: Skarban, firewalls@GreatCircle.COM
Subject: Re: ifconfig

For SGI and BSDI, it's 'ifconfig xxx alias a.b.c.d netmask a.b.c.d broadcast
a.b.c.d'... where 'xxx' is the interface, which can be obtained from a
'netstat -in' and viewed with an 'ifconfig xxx'. The alias keyword basically
replaces the inet keyword from the usual command parameters ...

> Date: Tue, 01 Oct 1996 06:10:55 +0100
> From: Skarban
> Organization: Nova Hut a.s.
> To: Firewall
> Subject: ifconfig
> Hi,
> I am building a virtual www server and I need to define multiple IP
> addresses over one physical interface of my SGI Challenge - S (Irix
> 5.3). I am looking for the parameter of the ifconfig command of SGI IRIX 5.3.
> Hope for your kind response.
>
> M. Skarban NH a.s.
> Czech
> mskarban@novahut.cz
>

From firewalls-owner Wed Oct 2 21:56:02 1996
From: "Nick D'Apice"
Date: Thu, 3 Oct 1996 00:31:39 +0000
To: "Bouchard, Alexis, 2Lt,SAM/GNCP", Firewalls@GreatCircle.COM
Subject: Re: Gauntlet vs. Sidewinder

Ok, here's my two cents... you asked... I'm sure I'll ruffle somebody's
feathers, but that's what we're here for...

I don't have first-hand experience with Sidewinder, but have used several
variants of the application relay and circuit relay firewalls. (I strongly
recommend the O'Reilly book, Building Internet Firewalls [or something like
that, I think by Cheswick]... the best I've read, with practical implementation
examples as well... Also Marcus Ranum's paper 'On Internet Firewalls', which
pre-dates the book.)

Anyway, I'm a big fan of the TIS Firewall Toolkit (fwtk), and like
"rolling-my-own" because I have the source code and know exactly what the
system is doing....
Thus, when I recommend a system to a customer, I usually go with the Gauntlet,
as it is based on the fwtk, and operates basically the same, but is
commercially supported (so that when I'm done, the customer has support other
than from just me, plus this doesn't violate the agreement for using the fwtk
put forward by TIS, as it's their commercial variant). Anyway, there is nothing
I haven't been able to accomplish with the Gauntlet/fwtk.

Even though the Gauntlet/fwtk is said to only support TCP (exceptions are UDP
relays like DNS, Real Audio, etc.) via application relays, I have found that
via either the 'ipfs' for transparent filtering and via the UDPrelay, I can
implement even those risky protocols that some customers require (I state the
risks and they still insist.. usually until they can break a legacy application
out and put it on a bastion host) in a manner 'as secure as it's going to
get'... options that were only available in packet filters just a short while
back. This area is changing daily, and there may be some new magic bullet out
there with which I am unfamiliar (can only read and do so much in a 24-hour
day)... so again this is my opinion alone based on personal exposure.

Also, performance is terrific, reports are flexible, and basically it adheres
to the philosophy of firewalls that I feel most comfortable with -- keep it as
simple as possible, and security through obscurity is NOT the way to secure a
facility...

The other firewalls, such as FW-1, Raptor, etc. are really good products, it's
just I feel 'at home' with the TIS software due to the software source
availability.... no skeletons in the closet...

I'll now get off of my soap-box..... let the shooting gallery begin... and
apologies to those products with which I am unfamiliar... no slander intended...

> From: "Bouchard, Alexis, 2Lt,SAM/GNCP"
> To: Firewall Discussion
> Subject: Gauntlet vs. Sidewinder
> Date: Tue, 01 Oct 96 09:34:00 PDT
>
>
> I have to choose between Gauntlet and Sidewinder as a Firewall solution.
> Both products meet my laundry list requirements. Both can do the job of
> securing my network, but which one is better? What I'm looking for
> is which one is better than the other as far as ease of use, overall
> security and support from the vendor. I have all the general vendor
> info, but I'm looking for strong technical reasons why I should go
> with one or the other.
>
> I'm a new kid on the block. This is my first Firewall experience.
> I haven't had the luxury of seeing many Firewalls in use, or being
> able to play and fiddle with them. I'm open to all input and all
> advice. I need to take advantage of someone else's experiences.
>
> Alexis Bouchard
>

From firewalls-owner Wed Oct 2 22:25:58 1996
From: "Nick D'Apice"
Date: Thu, 3 Oct 1996 01:21:01 +0000
To: kenng@kpmg.com (Ken Ng), firewalls@GreatCircle.COM
Subject: Re: Gauntlet FW in big environments.

The release notes from BSDI V2.1 indicate that a virtual memory 'leak' bug has
been corrected. This could very well be your problem.

I'm running Gauntlet and the FWTK in multiple areas, and have found the
software itself to be reliable... problems I've encountered are frequently
with the hardware and/or O/S bugs, but those have been few and far between...

Getting ready to upgrade to Gauntlet 3.2, which I hear has improved
performance... so much for my very little and sketchy feedback....

> Date: Tue, 1 Oct 1996 11:28:35 -0400
> From: kenng@kpmg.com (Ken Ng)
> Subject: Gauntlet FW in big environments.
> To: firewalls@GreatCircle.COM
>
> Does anyone here have any experience with running Gauntlet
> Firewalls in a "large" environment? By large, I mean about 500
> ip sites a day, 1.2 gig of http traffic a day, 100 meg of
> email, and 200 meg of ftp traffic a day. I've got the TIS HP
> Vectra pc running BSD 2.0 with TIS 3.1. The machine has 48 meg
> of ram.
>
> The problem I'm having is that the machine typically either
> reboots itself or it crashes until I reboot it manually. I
> thought I fixed it by having it reboot from cron once a week in
> the early morning. But now it's starting to crash on day 6.
> Will more memory help this thing? Are other people having
> similar problems? What's everyone else using?
From firewalls-owner Wed Oct 2 22:56:06 1996
From: Ted Stockwell
Date: Thu, 03 Oct 1996 00:39:12 -0500
To: Camille Blakeley
Cc: "Firewalls@GreatCircle.COM"
Subject: Re: Opinions/Experiences re: Sidewinder?

> Date: Wednesday, 02-Oct-96 03:48 PM
> From: Camille Blakeley \ Internet: (camille@blakeley.com)
> To: Firewalls@GreatCircle.COM \ Internet: (firewalls@greatcircle.com)
>
> Subject: Re: Opinions/Experiences re: Sidewinder?
> ...
> My access list, for reasons I won't go into here, was very large, and the
> Sidewinder just couldn't handle the size or dynamic nature of my access
> requirements.

The access control list system and its user interface has been completely
reworked for version 3.0. You should now find it much better at managing
large lists of machines and users.

> I also didn't like the fact that you could use it for a web server, anonymous
> ftp server, etc.. as well as a firewall. This made for some problems when
> configuring, and I believe is just generally insecure. You really want to use
> a separate system for public access, I think.

Actually, the ability to host servers safely is one of the advantages of
Sidewinder's secured OS. The general risk is that the server may be overrun
and you can use that process to connect to the other side. This is not the
case with Sidewinder. If you were able to overrun the Web server, for
example, you would still have no access to the internal network. You would
not even be able to vandalize the web pages. If the web server attempted to
modify the pages, the attempts would be audited and alarms sent out (pager,
mail, or SNMP traps).

Of course, you always have the option of turning off the servers and running
them on a separate host. This is often advisable for high volume web sites
where the web server would create too much of a load on the firewall.

(disclosure: yes, I work at SCC)

--
Ted Stockwell

From firewalls-owner Wed Oct 2 23:27:33 1996
From: Colin Campbell
Date: Thu, 3 Oct 1996 16:14:25 +1000 (EST)
To: firewalls@greatcircle.com
Subject: Financial transactions and firewalls.

Hi,

I recently spent several hours (yes hours!) on the phone discussing the
relative merits of my "stupid firewall philosophy" with a gentleman
representing a company implementing secure financial services on the
Internet. His service, if I understood correctly, was based on (something
like?) SWIFT which has been in use in Europe for 15-20 years by many large
financial institutions and therefore was not going to be changed quickly if
at all.

My firewall was stupid (based on fwtk) because it put proxies in between my
inside hosts and external servers. Furthermore, any firewall that did any
sort of network address translation or proxying was brain-dead. (My
interpretation of his statements). Why? Because his software passed an
identifying "ticket" with every packet. This ticket comprised an encrypted
date+time, the IP address of the client machine and some other stuff. When
the server saw a packet from a host whose IP address did not match that in
the ticket, alarm bells would sound and the fraud squad would be on the door
step within minutes.

When I suggested to him that 80% (just guessing, so be nice to me) of the
firewalls outside of the financial world use NAT and or proxies he scoffed at
the prospect, suggesting that people using such stupid technologies were
going to miss out on the upcoming revolution about to hit the Internet with
secure financial transactions that would not work through such firewalls. He
also mentioned the "new Microsoft software" several times (anyone know
which?).

Does anyone have any comments on this guy's philosophy, or mine for that
matter?
I would especially like to hear from anyone who's been following the
development of secure financial transactions (SET comes to mind, right
track?) and how these systems are expected to operate through "stupid
firewalls" like mine.

Colin

From firewalls-owner Wed Oct 2 23:56:02 1996
From: Waleed Modra
Date: Wed, 2 Oct 1996 23:49:30 -0700 (MST)
To: firewalls@GreatCircle.COM

set firewalls digest

From firewalls-owner Thu Oct 3 00:26:14 1996
From: gamble@dxcoms.cern.ch
Date: Thu, 03 Oct 96 09:18:16 +0200
To: firewalls@GreatCircle.COM
Cc: "Bryan D. Boyle", gamble@dxcoms.cern.ch
Subject: Re: Gauntlet vs. Sidewinder

> Bryan -
> You're right - it's not an unbiased opinion. But after 25 years in
> the business, first as a programmer, and then as a consultant
> specializing in multi-protocol, multi-vendor, multi-application
> environments & security, and having worked for numerous firewall
> vendors, I can pick my own jobs and name my own price. And I'm here
> at Checkpoint. Think about it...
> -Barb

Ummm .... I guess you thought Checkpoint needed your help !!! or Checkpoint
thought they needed your help 8-): (I never could work out how to do these
smiley things ...).

Let's keep the discussion on technical pros and cons please. We (my
organisation) are currently (like many others) trying to decide on the "best"
firewall for our security policy ... so a set of plus/minus points on
technical aspects would be very welcome.

John.

From firewalls-owner Thu Oct 3 01:26:34 1996
From: Lawrence Beobachter
Date: Thu, 03 Oct 1996 11:17:07 +0400
To: "Nick D'Apice"
Cc: firewalls@GreatCircle.COM
Subject: Re: ifconfig

netmask a.b.c.d for the alias statement should be netmask 0xffffffff.
Correct me if I'm wrong.

Nick D'Apice wrote:
>
> for SGI and BSDI, it's 'ifconfig xxx alias a.b.c.d netmask a.b.c.d
> broadcast a.b.c.d'... where 'xxx' is the interface, which can be
> obtained from a 'netstat -in' and viewed with an 'ifconfig xxx'.
> The alias keyword basically replaces the inet keyword from the usual
> command parameters ...
>
> > Date: Tue, 01 Oct 1996 06:10:55 +0100
> > From: Skarban
> > Organization: Nova Hut a.s.
> > To: Firewall
> > Subject: ifconfig
> >
> > Hi,
> > I am building a virtual www server and I need to define multiple IP
> > addresses over one physical interface of my SGI Challenge - S (Irix
> > 5.3). I am looking for the parameter of the ifconfig command of SGI IRIX 5.3.
> > Hope for your kind response.
> >
> > M. Skarban NH a.s.
> > Czech
> > mskarban@novahut.cz
> >

From firewalls-owner Thu Oct 3 02:11:54 1996
From: "Steve Betts"
Date: Thu, 03 Oct 96 09:50:27 GMT
To: firewalls@GreatCircle.COM, Colin Campbell
Subject: Re: Financial transactions and firewalls.

Colin Campbell asked:

> He also mentioned the "new Microsoft software" several times (anyone
> know which?).

I guess he is talking about Merchant Server (MS) or possibly Normandy (which
includes MS). MS is based on the UNIX E-shop virtual shop/mall product.
Details of the Microsoft software are under Beta NDA at the moment.
Normandy is a complete package for ISPs. I would be ^very^ surprised if
firewalls and proxies will cause either of these products more than a
configuration issue. Don't forget Microsoft have a proxy server of their own,
code-named Catapult.

> Does anyone have any comments on this guy's philosophy,

With spoofing, DHCP and dial-up connections assigning different IP addresses
to a PC on each visit, I would say that anyone who expects the IP address to
even partially identify a user, particularly for a financial transaction,
needs to have their head examined.

Regards.

Steve Betts
tel: +44 (0) 1 442 233 366
fax: +44 (0) 1 442 236 623
NB Opinions are my own and may not be the same as my employer's

From firewalls-owner Thu Oct 3 04:42:13 1996
From: "Maurie Reed"
Date: Thu, 3 Oct 1996 06:37:20 -0500
Subject: set firewalls digest

set firewalls digest

From firewalls-owner Thu Oct 3 04:55:59 1996
From: "Bryan D. Boyle"
Organization: Exxon Research and Engineering Co.
Date: Thu, 03 Oct 1996 07:47:17 -0400
To: "Mr. Jolt Cola"
Cc: firewalls@greatcircle.com
Subject: Re: SSL Browsers

Mr. Jolt Cola wrote:
>
> One thing to consider for browser choice in Intranet environments
> is the fact that Netscape allows you to add RSA keys from an unknown
> authority, whereas M$ Explorer just refuses to connect. Then again,
> the cost of your browsers may outweigh the cost of paying Verisign
> their 290$. We signed our own digital key and used Netscape for SSL
> but now clients are complaining that Explorer won't connect so we
> have requested a key from the Verisign CA. It's a racket. :P

It is a racket for the buzzwordy 'INTRAnet'; if the navigator tool is never
going to access the outside directly, why can't I certify that my employee is
my employee for the purposes of accessing inside information and
authenticating their access through a corporate proxy.

Besides, correctly built, the outside world will never see a direct connect
from the desktop, only a corporate 'funnel' device like a proxy, so, in this
model, the only certification needed is that my *company* is who it says it
is, and the user authentication is my responsibility. Of course, that means
that whatever certificate authority is charging $$$ is only certifying one
'organism'. It also places the responsibility for authentication with the
authority who, in a corporation, is charged with controlling access.

What Microsoft does or doesn't do, in this model, is irrelevant (at least to
the outside world...), which allows you to choose the best tool for the job,
regardless of the marketing propaganda.

--
Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
#include | http://www.access.digex.net/~bdboyle/index.html
"They that can give up liberty to obtain a little temporary safety deserve
neither liberty nor safety." - Benjamin Franklin, Historical Review of
Pennsylvania

From firewalls-owner Thu Oct 3 05:11:33 1996
From: rabbi@www.valuu.net (Rabbi Haim Cassorla)
Date: Thu, 3 Oct 1996 08:03:27 -0400
To: "'Arley Carter'", "Barbara W. Jaarsma"
Cc: "Bryan D. Boyle", "firewalls@GreatCircle.COM"
Subject: RE: Gauntlet vs. Sidewinder

In human history, often it has been noted that a good offense is better than
any other defense.

Put down the flame throwers. All of you network and/or security professionals
and/or wannabes think that everybody else loses their personal integrity when
they back their employer's product. I would worry lots more about the Sr.
person in greatsquares.com who said that they would choose the product from
greattriangles.com

There is no such thing as an objective opinion. Each of us favors and/or
despises what we know because we know it. Look at all the eunuchs out there
who still flame M$ on general principle

Shalom
Hag Sameach

From firewalls-owner Thu Oct 3 05:26:00 1996
From: Rick Romkey
Date: Thu, 3 Oct 1996 07:55:04 -0400 (EDT)
To: jeromie@garrison.com (Hmm)
Cc: bdboyle@erenj.com, barbara@us.checkpoint.com, firewalls@GreatCircle.COM
Subject: Re: Gauntlet vs. Sidewinder

>
> I would be interested in hearing how checkpoint is securing their
> customers from SMTP based attacks! From what I have seen, they simply pass it
> through to a mail machine... If that mail machine happens to be running
> Sendmail 4.1, the attacker can blow holes right through the perimeter....?
>

Part of the services offered by many of the resellers of firewalls include
securing the operating system that a firewall runs on. This can include
enabling the box with a store-and-forward mailer, removing funky services,
putting Sendmail in a non-interactive mode, etc. That is why people should be
careful with who they ultimately select to sell them firewall software.

Quite some time ago I suggested the analogy that you wouldn't buy a car from
a dealer that had no clue how to service the thing. The same should be true
about firewalls (no... not that you shouldn't buy a firewall from a dealer
that has no clue how to service cars... but you should buy a firewall from a
vendor that you are confident can both help install and secure the machine
and support the related infrastructure around it...).

I think it is terrific that CheckPoint has made a patch available to address
the SYN attack problems. I don't think it makes it the best firewall out
there, though it definitely is a feather in their cap.

Selecting a firewall comes down to a few basic things (in no particular
order):

1) it must support the services that you need
2) it must be affordable
3) it must be secure
4) it has to make sense

I could talk to five different people in a day and using these 4 points, we
could decide on five different firewalls because of the criteria the people
have. With all due respect to the list, I doubt you'll get a generic "which
one is better" answer from here because no one's network and security needs
are the same. You need to call some capable VARs for the products you are
interested in and talk to them about how the products will solve the four
points above.

There... now that I said it all, I guess everyone can unsubscribe from this
list.... assuming anyone ever figures out how! 8^)

-Rick

----------------------------------------------------------------------------
Rick E Romkey          | A T L A N T I C                   | Internet
pokey@atlantic.com     | Computing Technology Corporation  | Specialists
(860) 667-9596         | http://www.atlantic.com/          |
----------------------------------------------------------------------------

From firewalls-owner Thu Oct 3 05:42:39 1996
From: "GOULDING CP"
Organization: University of Ulster
Date: Thu, 3 Oct 1996 13:23:35 GMT
To: firewalls@greatcircle.com
Subject: Firewalls and Java

Hi,

I'm looking for references to creating proxy servers using Java, or other
such implementations of a firewall, again using Java.
Peter From firewalls-owner Thu Oct 3 05:56:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA06634 for firewalls-outgoing; Thu, 3 Oct 1996 05:33:04 -0700 (PDT) Received: from deliverator.sgi.com (deliverator.sgi.com [204.94.214.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA06593 for ; Thu, 3 Oct 1996 05:32:48 -0700 (PDT) Received: from baires.buenosaires.sgi.com by deliverator.sgi.com via ESMTP (950413.SGI.8.6.12/951211.SGI.AUTO) for <@external-mail-relay.sgi.com:firewalls@GreatCircle.COM> id FAA22222; Thu, 3 Oct 1996 05:32:21 -0700 Received: from caro.buenosaires.sgi.com by baires.buenosaires.sgi.com via ESMTP (940816.SGI.8.6.9/930416.SGI) for <@baires.buenosaires.sgi.com:firewalls@GreatCircle.COM> id IAA06900; Thu, 3 Oct 1996 08:32:11 -0400 Received: (from arusso@localhost) by caro.buenosaires.sgi.com (950413.SGI.8.6.12/950213.SGI.AUTOCF) id JAA08511 for firewalls@GreatCircle.COM; Thu, 3 Oct 1996 09:29:54 -0700 From: "Adrian Gustavo Russo" Message-Id: <9610030929.ZM8510@caro.buenosaires.sgi.com> Date: Thu, 3 Oct 1996 09:29:53 -0700 X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail) To: firewalls@GreatCircle.COM Subject: PIX (CISCO) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi is the PIX-FIREWALL Cisco with NAT a secure firewall in my intranet? 
-- _\|/_ (o o) +---------------------oOO-(_)-OOo---------------------+ | | | Adrian Gustavo Russo | | ==================== | | Licenciado en Informatica - Analista de Sistemas | | | | Silicon Graphics Argentina | | e-mail: arusso@buenosaires.sgi.com | | tel: 54 1 311-6666 | | | | Universidad Nacional de La Plata Argentina | | e-mail: arusso@isis.unlp.edu.ar | | tel: 54 21 35-102 | | | +-----------------------------------------------------+ (_| |_)

From firewalls-owner Thu Oct 3 06:29:57 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA12584 for firewalls-outgoing; Thu, 3 Oct 1996 06:20:54 -0700 (PDT) Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.71.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA12521; Thu, 3 Oct 1996 06:20:42 -0700 (PDT) Message-Id: <199610031320.GAA12521@miles.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA010648608; Thu, 3 Oct 1996 09:16:48 -0400 Date: Thu, 3 Oct 1996 09:16:48 -0400 From: gary flynn To: firewalls-owner@GreatCircle.COM, firewalls@GreatCircle.COM, keithm@asymetrix.com Subject: RE: NT Security Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> From: muzo > > > You can also boot to DOS > > and using the NTFS4DOS driver read any file regardless of encryption. > > Is there any PC OS which can prevent you from booting to DOS and doing the > same ? Is there any OS of any kind that prevents disk access if you have physical access to the computer? Of course not!
From firewalls-owner Thu Oct 3 06:41:27 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA11156 for firewalls-outgoing; Thu, 3 Oct 1996 06:10:01 -0700 (PDT) Received: from ns.coy.com ([206.224.78.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA11149 for ; Thu, 3 Oct 1996 06:09:53 -0700 (PDT) Received: (from coy@localhost) by ns.coy.com (8.7.4/8.7.3) id IAA19150; Thu, 3 Oct 1996 08:09:20 -0500 Date: Thu, 3 Oct 1996 08:09:19 -0500 (CDT) From: Chip Coy To: firewalls@GreatCircle.COM Subject: Re: Information Seeking In-Reply-To: <199610011850.LAA00292@abraham.cs.berkeley.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 1 Oct 1996, John Anonymous MacDonald wrote: > Can anyone on this list recommend a reputable and professional group that > can perform security (both network and host; Internet related) audits at a > medium sized company located in the United States? Take a look at IBM, http://www.ibm.com/Security/consult.htm. I work for them. We do both hosts and networks. As far as reputation/professionalism, we have a number of past clients who will recommend us.
Chip Coy coy@coy.com, coy@austin.ibm.com

From firewalls-owner Thu Oct 3 06:42:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA07958 for firewalls-outgoing; Thu, 3 Oct 1996 05:46:37 -0700 (PDT) Received: from mail.Clark.Net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA07885 for ; Thu, 3 Oct 1996 05:46:15 -0700 (PDT) Received: from explorer2.clark.net (proberts@explorer2.clark.net [168.143.0.5]) by mail.Clark.Net (8.7.3/8.6.5) with ESMTP id IAA10670; Thu, 3 Oct 1996 08:45:47 -0400 (EDT) Received: from localhost (proberts@localhost) by explorer2.clark.net (8.7.1/8.7.1) with SMTP id IAA19368; Thu, 3 Oct 1996 08:45:46 -0400 (EDT) X-Authentication-Warning: explorer2.clark.net: proberts owned process doing -bs Date: Thu, 3 Oct 1996 08:45:46 -0400 (EDT) From: "Paul D. Robertson" X-Sender: proberts@explorer2 To: Colin Campbell cc: firewalls@GreatCircle.COM Subject: Re: Financial transactions and firewalls. In-Reply-To: <199610030614.QAA02697@guru.citec.qld.gov.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 3 Oct 1996, Colin Campbell wrote: > Why? Because his software passed an identifying "ticket" with every > packet. This ticket comprised an encrypted date+time, the IP address of > the client machine and some other stuff. When the server saw a packet > from a host whose IP address did not match that in the ticket, alarm > bells would sound and the fraud squad would be on the door step within > minutes. I've seen several schemes like this before, I tend to tell them the same sort of thing, and point out that I can pretty much guarantee that I have about 30-50,000 people who won't be using their software myself, and don't feel like I'll be alone. > Does anyone have any comments on this guy's philosophy, or mine for that > matter?
I would especially like to hear from anyone who's been following > the development of secure financial transactions (SET comes to mind, > right track?) and how these systems are expected to operate through > "stupid firewalls" like mine. I tend to point them towards what Progressive has learned, since the whole TCP enabled implementation of Real Audio, and the proxy code was, in my mind a large education to them in terms of what they were going to have to do to co-exist with the firewall community. There's not a great deal of utility to securing the transaction if one or both of the endpoints is wide open. I'll be talking fairly seriously with a few of the transaction folks as a follow-up to a conference I attended, and their ability to deal with proxies will be a recurring theme. I won't be wasting hours on the ones who don't get it right off the bat though. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280

From firewalls-owner Thu Oct 3 06:56:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA11671 for firewalls-outgoing; Thu, 3 Oct 1996 06:12:47 -0700 (PDT) Received: from smtp2.interramp.com (smtp2.interramp.com [38.8.200.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA11522 for ; Thu, 3 Oct 1996 06:12:07 -0700 (PDT) Received: from davidh.interramp.com by smtp2.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp) id JAA21578; Thu, 3 Oct 1996 09:11:35 -0400 Message-ID: <3253C81B.5632@checkpoint.com> Date: Thu, 03 Oct 1996 09:05:15 -0500 From: David Helms Organization: CheckPoint Software Technologies X-Mailer: Mozilla 2.02Gold (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: [Fwd: Re: Gauntlet vs.
Sidewinder] Content-Type: multipart/mixed; boundary="------------71B4112927A" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

This is a multi-part message in MIME format. --------------71B4112927A Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Michael, Exactly right. It can be a pop server. This would mean that the pop session is initiated from inside the network. Not from the DMZ. You would not necessarily have to put it on a separate DMZ machine. It could be on the firewall, but I generally recommend to my customers to keep services off the firewall. David -- __________________________________ David Helms Senior Technical Consultant CheckPoint Software Technologies ph 703.684.4824 fx 703.684.4847 davidh@checkpoint.com __________________________________

--------------71B4112927A Content-Type: message/rfc822 Content-Transfer-Encoding: 7bit Content-Disposition: inline Return-Path: Received: from cale.checkpoint.com by us.checkpoint.com (5.x/SMI-SVR4) id AA27433; Thu, 3 Oct 1996 00:15:04 -0700 Received: from master.the-link.com (master.the-link.com [204.221.32.253]) by cale.checkpoint.com (8.7.5/8.7.1) with ESMTP id KAA08466 for ; Thu, 3 Oct 1996 10:11:49 +0200 (IST) Received: from bambino.continentalmills.com ([204.221.32.15]) by master.the-link.com (8.7.4/8.6.9) with ESMTP id CAA24510 for ; Thu, 3 Oct 1996 02:12:01 -0500 (CDT) Message-Id: <199610030712.CAA24510@master.the-link.com> From: "Michael Endrizzi" To: "David Helms" Subject: Re: Gauntlet vs. Sidewinder Date: Thu, 3 Oct 1996 02:10:59 -0500 X-Msmail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=ISO-8859-1 X-Mozilla-Status: 0011

If the DMZ can't send mail to the internal network, then it better be a POP server. In addition, if I buy a FW-1, does that mean I have to buy another machine and configure it myself just to "secure" email?
---------- > From: David Helms > To: jeromie@garrison.com > Cc: firewalls@GreatCircle.COM > Subject: Re: Gauntlet vs. Sidewinder > Date: Wednesday, October 02, 1996 11:07 PM > > Jeromie wrote, > > >(Many leading emails deleted) > > > > > I would be interested in hearing how checkpoint is securing their > > customers from SMTP based attacks! From what I have seen, they simply pass it > > through to a mail machine... If that mail machine happens to be running > > Sendmail 4.1, the attacker can blow holes right through the perimeter....? > > > > Jeromie Jackson > > Garrison Technologies > > jeromie@garrison.com > > > > Keep the flames burning. > > Jeromie, > > It's the firewall's responsibility to control access and pass protocols securely. > If the customer has a server that they are going to allow public access to, we > recommend that they isolate that server in a DMZ. This could be a mail server or > a web server, or whatever. > > Here's how it works: > >
> [External Net]----[Firewall]----[Internal Net]
>                       |
>                       |
>                   [DMZ Net]
> > The key here is that you can limit access to specific DMZ servers to specific > services. You can log connection attempts to specific DMZ servers and most > important, you only allow connections to DMZ servers, not connections from DMZ > servers. You never allow connections originating from outside the internal network > to enter into the internal network. That way, even if a DMZ server gets hacked, > it can't be used as a launching point to attack the good stuff, the internal network. > > Have a great day, > > David Helms > a launching platform into the secure network.
> > > > > -- > __________________________________ > David Helms > Senior Technical Consultant > CheckPoint Software Technologies > ph 703.684.4824 > fx 703.684.4847 > davidh@checkpoint.com > __________________________________ --------------71B4112927A--

From firewalls-owner Thu Oct 3 07:32:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA19280 for firewalls-outgoing; Thu, 3 Oct 1996 07:17:45 -0700 (PDT) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA19270 for ; Thu, 3 Oct 1996 07:17:37 -0700 (PDT) From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id KAA05016; Thu, 3 Oct 1996 10:17:03 -0400 (EDT) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id KAA15954; Thu, 3 Oct 1996 10:17:00 -0400 (EDT) Date: Thu, 3 Oct 1996 10:17:00 -0400 (EDT) Message-Id: <199610031417.KAA15954@SPARKY.CF.CS.YALE.EDU> To: firewalls@greatcircle.com, sgcccdc@citec.qld.gov.au Subject: Re: Financial transactions and firewalls. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

From: Colin Campbell >through such firewalls. He also mentioned the "new Microsoft software" >several times (anyone know which?). Regarding financial transactions and open standards involving the Internet two products come to mind:

1. Microsoft Merchant System is an Internet retail commerce solution currently in beta designed to make it easy to set up electronic storefronts and clear credit card transactions. Microsoft says in a press release ( http://www.microsoft.com/corpinfo/press/1996/aug96/VERIFOPR.htm ) that they will be incorporating VeriFone's virtual point-of-sale (vPOS) software for the first general availability release scheduled for 4th quarter 1996.
Not clear is whether SET (the Mastercard/VISA Secure Electronic Transaction protocol) will be implemented in that release or a later release of MS Merchant System.

2. Microsoft Open Financial Connectivity (OFC) -- not really a product per se, but a spec, a vision and a number of software products incorporating OFC including some Web based tools for open Internet banking and an OFC (as well as Visa Interactive ADMS 2.0 online banking spec and Intuit) compatible client -- MS Money '97.

I'd presume if the guy was talking about SET he was probably talking about #1 above. On the other hand the guy could have been talking about Microsoft Catapult (currently in beta) proxy services, which (though the documentation never mentions the word 'firewall') provides a 'caching proxy' enhancement to the IIS server as well as the RWS ( Remote Windows Sockets ) Winsock 1.1 remoting proxy service. I suspect that the Microsoft Proxy Server (codenamed 'Catapult') will be added to the 'Back Office' package offerings at the end of this year based on questions in one of those marketing phone surveys I received. It may be that some e-commerce or financial transaction software for the Internet may be on the BackOffice schedule as well though I have no firm info on this.
- Morrow

From firewalls-owner Thu Oct 3 07:41:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA21092 for firewalls-outgoing; Thu, 3 Oct 1996 07:37:36 -0700 (PDT) Received: from peapod.be ([194.105.102.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA21065 for ; Thu, 3 Oct 1996 07:37:27 -0700 (PDT) From: koen@peapod.be Received: by gateway.peapod.be id <19585>; Thu, 3 Oct 1996 16:35:35 -0100 Date: Thu, 3 Oct 1996 12:34:21 -0100 X-Mailer: Mozilla 2.02 (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: overrunning things Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <96Oct3.163535gmt-0100.19585@gateway.peapod.be> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, When reading through some of the stuff here and elsewhere I often find the terms "overrun buffers" and "overrun servers". Would somebody be so kind to try and explain this to me (what, how, ...?) or give me a URL, book title... where I can find some reading material. I do know in general what it means; it's the tech stuff that I'm interested in... thanks Koen :-)

From firewalls-owner Thu Oct 3 08:12:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25132 for firewalls-outgoing; Thu, 3 Oct 1996 08:08:16 -0700 (PDT) Received: from sprite (sprite.acsacs.com [206.16.240.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA25124 for ; Thu, 3 Oct 1996 08:08:09 -0700 (PDT) Date: Thu, 3 Oct 1996 08:07:43 -0700 (PDT) From: "Daniel J Blander - Sr. Systems Engineer for ACS" X-Sender: phaedrus@ferrari To: David Helms cc: firewalls@greatcircle.com Subject: Re: Gauntlet vs.
Sidewinder In-Reply-To: <32533C06.2CBE@checkpoint.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I would agree strongly with David here - I would never allow SMTP services (proven the most buggy and difficult to secure) on any highly secure firewall. It's the most uncontrollable and most difficult to monitor service (it's miserable wading through hundreds of legitimate connections via SMTP to look for VRFY, EXPN, DEBUG, etc. commands... and break-in attempts). A DMZ / bastion host system is the best solution for this.

On Wed, 2 Oct 1996, David Helms wrote: > Date: Wed, 02 Oct 1996 23:07:34 -0500 > From: David Helms > To: jeromie@garrison.com > Cc: firewalls@GreatCircle.COM > Subject: Re: Gauntlet vs. Sidewinder > > Jeromie wrote, > > >(Many leading emails deleted) > > > > > I would be interested in hearing how checkpoint is securing their > > customers from SMTP based attacks! From what I have seen, they simply pass it > > through to a mail machine... If that mail machine happens to be running > > Sendmail 4.1, the attacker can blow holes right through the perimeter....? > > > > Jeromie Jackson > > Garrison Technologies > > jeromie@garrison.com > > > > Keep the flames burning. > > Jeromie, > > It's the firewall's responsibility to control access and pass protocols securely. > If the customer has a server that they are going to allow public access to, we > recommend that they isolate that server in a DMZ. This could be a mail server or > a web server, or whatever. > > Here's how it works: > >
> [External Net]----[Firewall]----[Internal Net]
>                       |
>                       |
>                   [DMZ Net]
> > The key here is that you can limit access to specific DMZ servers to specific > services. You can log connection attempts to specific DMZ servers and most > important, you only allow connections to DMZ servers, not connections from DMZ > servers.
You never allow connections originating from outside the internal network > to enter into the internal network. That way, even if a DMZ server gets hacked, > it can't be used as a launching point to attack the good stuff, the internal network. > > Have a great day, > > David Helms > a launching platform into the secure network. > > > > > -- > __________________________________ > David Helms > Senior Technical Consultant > CheckPoint Software Technologies > ph 703.684.4824 > fx 703.684.4847 > davidh@checkpoint.com > __________________________________ > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Daniel Blander =8^) Sr. Systems Engineer Applied Computer Solutions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Phone: (714) 842.7800 Fax: (714) 842.8299 Email: Daniel.Blander@acsacs.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Official Applied Computer Solutions Home Page and Tech Tip of the Week: http://www.acsacs.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Thu Oct 3 08:41:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA26774 for firewalls-outgoing; Thu, 3 Oct 1996 08:24:10 -0700 (PDT) Received: from loki.asymetrix.com (loki.asymetrix.com [192.147.176.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA26723 for ; Thu, 3 Oct 1996 08:23:53 -0700 (PDT) Received: from mailgate.asymetrix.com (mailgate.asymetrix.com [192.220.170.13]) by loki.asymetrix.com (8.7.3/8.7.1) with SMTP id IAA01696 for ; Thu, 3 Oct 1996 08:09:00 -0700 (PDT) Received: by mailgate.asymetrix.com with Microsoft Mail id <3253DAE5@mailgate.asymetrix.com>; Thu, 03 Oct 96 08:25:25 PDT From: Keith McCammon To: "'Firewalls'" Subject: RE: NT Security Date: Thu, 03 Oct 96 08:30:00 PDT Message-ID: <3253DAE5@mailgate.asymetrix.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Just to add to the below, Microsoft also doesn't seem to take
certification and security seriously. See http://www.microsoft.com/kb/bussys/winnt/q93362.htm. I quote: "Microsoft has opted not to include certain components of NT in the evaluation process, not because they would not pass the evaluation, but to save time by reducing the load on the NSA." Additionally, "Networking on NT may not have to go through the "Red Book," or "Trusted Network Interpretation." It may be enough to consider networking to be another subsystem, and therefore only the Orange Book would apply." Microsoft is so confident in their security mechanisms that they believe that in theory their object-checking system will work identically with networked or local objects. However, it's foolish at best to assume this is actually true, and my guess is that Microsoft wants to avoid the pain of Red Book rejection or is unwilling to secure their NOS in order to meet the independent standards. Having a NOS certifiable to me means there has been at least a small amount of objective evaluation of the system, and for Microsoft to opt not to undergo Red Book evaluation does not give me confidence given their track record of dropping the ball on security issues. The explanation that they want to save the load on the NSA is hard to believe as well. Keith McCammon Asymetrix Corp MIS Analyst *Opinions Are My Own*

---------- NT will have Kerberos 5 authentication which is probably what you are thinking of. But even though an O.S. may have strong internal security mechanisms, that security mechanism never leaves the local machine. Once an external connection is made into a machine, some service aliases what it authenticated, to some valid internal user. Your internal O.S.
has process-to-process communications that can be snooped, your client-to-server process

From firewalls-owner Thu Oct 3 09:01:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA29410 for firewalls-outgoing; Thu, 3 Oct 1996 08:44:40 -0700 (PDT) Received: from kerby.cybersafe.com (kerby.cybersafe.com [192.156.168.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA29399 for ; Thu, 3 Oct 1996 08:44:29 -0700 (PDT) Received: from odo.cybersafe.com (odo.cybersafe.com [192.156.168.102]) by kerby.cybersafe.com (8.7.6/8.7.3/8.7.5, dpg hack 30jul96) with SMTP id IAA19771 for ; Thu, 3 Oct 1996 08:43:59 -0700 (PDT) Message-Id: <2.2.32.19961003154359.00769410@pop-srvr> X-Sender: tonyp@pop-srvr X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 03 Oct 1996 08:43:59 -0700 To: firewalls@GreatCircle.COM From: "Anthony R. Plastino III" Subject: Re: Information Seeking Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 11:50 AM 10/1/96 -0700, John Anonymous MacDonald wrote: >Hello: > >Can anyone on this list recommend a reputable and professional group that >can perform security (both network and host; Internet related) audits at a >medium sized company located in the United States? > surf to: http://www.cybersafe.com/Consulting/secassmt.htm Anthony R. Plastino III - Systems Administrator CyberSafe Corporation - tony.plastino@CyberSafe.COM 1605 NW Sammamish Rd. - http://www.cybersafe.com Issaquah, WA 98027 - ===================================================== Mine are _not_ the opinions of my employer.
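Koen asked above what "overrun buffers" means technically. The block below is an added example written for this archive, not code from any poster. It simulates the stack frame of a C function that copies untrusted input into a fixed 16-byte local buffer with strcpy: the frame layout (buffer, then saved frame pointer, then return address) and the addresses 0x400500 and 0x7ffe0000 are assumptions chosen for illustration, and the copy is clamped to the simulated frame so the demonstration itself stays well-defined, whereas a real strcpy keeps writing past it. The point it shows is the one the term hides: input longer than the buffer rewrites the return address, so the function returns wherever the sender chose.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of a stack frame for a function declaring `char buf[16]`:
 * the saved frame pointer and the return address sit just past the buffer.
 * Modelling them as struct fields lets the overrun be observed safely. */
struct frame {
    char     buf[16];
    uint64_t saved_fp;
    uint64_t return_addr;
};

#define LEGIT_RETURN 0x400500ULL   /* assumed address of the caller's next instruction */

/* Vulnerable pattern: strcpy(buf, input) copies until the NUL byte and never
 * consults sizeof buf. Bytes 17..24 of the input land on saved_fp and bytes
 * 25..32 on return_addr, so the "return" goes wherever the input says.
 * The copy is clamped to the frame so this demo is well-defined; a real
 * strcpy would keep going into the caller's frame. */
uint64_t overrun_return_addr(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_fp    = 0x7ffe0000ULL;
    f.return_addr = LEGIT_RETURN;

    size_t n = strlen(input) + 1;            /* strcpy copies the NUL too */
    if (n > sizeof f)
        n = sizeof f;
    memcpy((unsigned char *)&f, input, n);   /* the overrun */
    return f.return_addr;
}

/* Fixed pattern: refuse anything that does not fit, NUL included.
 * Returns 0 on success, -1 on rejection; the return address is reported
 * either way so the caller can see it was never touched. */
int bounded_copy(const char *input, uint64_t *return_addr_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_fp    = 0x7ffe0000ULL;
    f.return_addr = LEGIT_RETURN;

    size_t n = strlen(input);
    if (n >= sizeof f.buf) {                 /* would overrun: reject */
        *return_addr_out = f.return_addr;
        return -1;
    }
    memcpy(f.buf, input, n + 1);
    *return_addr_out = f.return_addr;
    return 0;
}

int main(void)
{
    /* Constructed attack string: 16 bytes fill the buffer, 8 overwrite
     * saved_fp, the last 8 ('C' = 0x43) become the new return address. */
    const char *attack = "AAAAAAAA" "AAAAAAAA" "BBBBBBBB" "CCCCCCCC";
    uint64_t ra;

    printf("benign : return_addr = 0x%llx\n",
           (unsigned long long)overrun_return_addr("hello"));
    printf("overrun: return_addr = 0x%llx\n",
           (unsigned long long)overrun_return_addr(attack));
    printf("bounded: rc=%d, return_addr = 0x%llx\n",
           bounded_copy(attack, &ra), (unsigned long long)ra);
    return 0;
}
```

An "overrun server" is a network daemon that does the first copy with data read off a socket; the sender picks the bytes that become the return address, and a non-executable stack or a bounds check at the copy is what stands between the two.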
From firewalls-owner Thu Oct 3 09:42:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04270 for firewalls-outgoing; Thu, 3 Oct 1996 09:28:17 -0700 (PDT) Received: from newfed.FRB.GOV (newfed.frb.gov [198.3.221.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA04250 for ; Thu, 3 Oct 1996 09:28:08 -0700 (PDT) Received: from FRB.GOV by newfed.FRB.GOV (4.1/SMI-4.0) id AA02758; Thu, 3 Oct 96 12:27:34 EDT Received: from kryten.frb.gov by frbgate.FRB.GOV (4.1/SMI-4.0) id AA08312; Thu, 3 Oct 96 12:11:37 EDT Received: from localhost.frb.gov (localhost.frb.gov [127.0.0.1]) by kryten.frb.gov (8.6.12/8.6.12) with SMTP id MAA21504; Thu, 3 Oct 1996 12:10:29 -0400 Message-Id: <199610031610.MAA21504@kryten.frb.gov> X-Authentication-Warning: kryten.frb.gov: Host localhost.frb.gov didn't use HELO protocol X-Mailer: exmh version 1.6.5 12/11/95 To: Matthew Thompson Cc: "'Firewalls'" , "'Keith McCammon'" Subject: Re: NT Security In-Reply-To: Your message of "Fri, 04 Oct 1996 08:37:41 +1200." <96Oct3.091712nzst.35717@kotuku.manukau.govt.nz> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 03 Oct 1996 12:10:29 -0400 From: "Jonathan M. Bresler" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>What??? NTFS is not encrypted! NTFS is not a secure file system! You can >>directly edit NTFS disk sectors from WITHIN NT! You can also boot to DOS >>and using the NTFS4DOS driver read any file regardless of encryption. You >>can also reinstall NT and Take Ownership of entire volumes! And if you >>physically transfer the hard disk to another NT box you can also take >>ownership, negating all file security! > >The same attacks apply to Unix and Netware. What do you recommend people do >to extend/replace these 3 operating systems to solve this problem? CFS: cryptographic file system available from Matt Blaze of either AT&T or Lucent (for Unix, if you run either NT or Netware......)
jmb

From firewalls-owner Thu Oct 3 09:56:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA06634 for firewalls-outgoing; Thu, 3 Oct 1996 09:46:05 -0700 (PDT) Received: from arioch.tky.hut.fi (arioch.tky.hut.fi [130.233.34.126]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA06599 for ; Thu, 3 Oct 1996 09:45:55 -0700 (PDT) Received: (from pvirkkul@localhost) by arioch.tky.hut.fi (8.8.0/8.8.0) id SAA01610; Thu, 3 Oct 1996 18:45:25 +0200 Date: Thu, 3 Oct 1996 18:45:25 +0200 Message-Id: <199610031645.SAA01610@arioch.tky.hut.fi> From: Petri Virkkula To: firewalls@GreatCircle.COM Subject: RE: NT Security In-Reply-To: <199610021833.UAA09340@news.be.innet.net> References: <199610021833.UAA09340@news.be.innet.net> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Wed, 02 Oct 1996 20:44:45 -0100, fdehert@innet.be (Frank J.J. De Hert) said: Frank> This is true if the user hasn't taken ownership of certain Frank> directories and set the permissions such that only the user has Frank> access. For even an administrator to look at these files, the Frank> admin has to take ownership and set appropriate permissions Frank> (unless I missed something somewhere). I think Backup rights are enough, no need to change ownership etc.
Petri

From firewalls-owner Thu Oct 3 10:13:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA05786 for firewalls-outgoing; Thu, 3 Oct 1996 09:39:55 -0700 (PDT) Received: from arioch.tky.hut.fi (arioch.tky.hut.fi [130.233.34.126]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA05779 for ; Thu, 3 Oct 1996 09:39:49 -0700 (PDT) Received: (from pvirkkul@localhost) by arioch.tky.hut.fi (8.8.0/8.8.0) id SAA01603; Thu, 3 Oct 1996 18:39:19 +0200 Date: Thu, 3 Oct 1996 18:39:19 +0200 Message-Id: <199610031639.SAA01603@arioch.tky.hut.fi> From: Petri Virkkula To: firewalls@GreatCircle.COM Subject: RE: NT Security In-Reply-To: <199610031320.GAA12521@miles.greatcircle.com> References: <199610031320.GAA12521@miles.greatcircle.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 3 Oct 1996 09:16:48 -0400, gary flynn said: >> From: muzo >> >> > You can also boot to DOS >> > and using the NTFS4DOS driver read any file regardless of encryption. >> >> Is there any PC OS which can prevent you from booting to DOS and doing the >> same ? gary> Is there any OS of any kind that prevents disk access if you have gary> physical access to the computer? Of course not! That depends on the definition of computer. If you count smart cards as computers, the "filesystem" is still secure even if you have physical access to the card.
Petri

From firewalls-owner Thu Oct 3 10:27:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA10472 for firewalls-outgoing; Thu, 3 Oct 1996 10:22:40 -0700 (PDT) Received: from ns.gbnet.net (ns.gbnet.net [194.70.126.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA10409 for ; Thu, 3 Oct 1996 10:22:23 -0700 (PDT) Received: (from jrg@localhost) by ns.gbnet.net (8.7.5/8.7.3) id SAA18106; Thu, 3 Oct 1996 18:18:28 +0100 (BST) Date: Thu, 3 Oct 1996 18:18:28 +0100 (BST) From: James R Grinter Message-Id: <199610031718.SAA18106@ns.gbnet.net> X-Subliminal: H is for Hypertext X-Mailer: Mail User's Shell (7.2.5 10/14/92) To: "Nick D'Apice" , Skarban , firewalls@GreatCircle.COM Subject: Re: ifconfig Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu 3 Oct, 1996, "Nick D'Apice" wrote: >for SGI and BSDI, its 'ifconfig xxx alias a.b.c.d netmask a.b.c.d The original poster asks about IRIX 5.3. That only supports aliases if you apply a patch. The poster is in .cz so probably won't be able to download it from the SGI web server, but he could try looking for it anyway (look in the webforce areas). IRIX 6.2 adds support in the release operating system, and improves performance, but often results in crashing the OS because of some pointer errors when deleting them. C'est la vie. >> Date: Tue, 01 Oct 1996 06:10:55 +0100 >> From: Skarban >> I am building virtual www server and i need to define multi IP >> address over one physical interface of my SGI Challenge - S (Irix >> 5.3). I am looking for parameter of Ifconfig command of SGI IRIX 5.3 James.
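Helms's diagram and Blander's bastion-host advice in the Gauntlet vs. Sidewinder thread above state the DMZ rule in one sentence: connections may go to DMZ servers, never from them. The block below is an added example written for this archive, not a configuration from Check Point, Gauntlet or any poster. It models a first-match packet filter over that policy with assumed addresses (192.0.2.0/24 as the DMZ, 10.0.0.0/8 as the internal net, a DMZ mail relay at 192.0.2.25, a DMZ web server at 192.0.2.80, an internal mail hub at 10.1.1.25). The one rule that lets the relay hand mail inward is the single DMZ-to-internal flow and is pinned to one source, one destination and one port, because a compromised relay gets exactly that flow and nothing else; a compromised web server gets none.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { DENY = 0, ACCEPT = 1 } action_t;

/* One rule of a first-match filter applied to connection-opening packets.
 * dport 0 means "any port". Addresses are host-order 32-bit values. */
struct rule {
    action_t    act;
    uint32_t    src, src_mask;
    uint32_t    dst, dst_mask;
    uint16_t    dport;
    const char *why;
};

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MASK(bits)     ((uint32_t)(~0ULL << (32 - (bits))))   /* MASK(0) == 0 */

/* Assumed example policy (addresses are illustrative, not any real site). */
static const struct rule policy[] = {
    /* Anyone may open SMTP to the DMZ relay and HTTP to the DMZ web box. */
    { ACCEPT, IP(0,0,0,0),    MASK(0),  IP(192,0,2,25), MASK(32), 25, "inbound mail to DMZ relay" },
    { ACCEPT, IP(0,0,0,0),    MASK(0),  IP(192,0,2,80), MASK(32), 80, "public web server" },
    /* The relay hands mail inward: the ONE flow from DMZ to internal,
     * pinned to one source host, one destination host and one port. */
    { ACCEPT, IP(192,0,2,25), MASK(32), IP(10,1,1,25),  MASK(32), 25, "relay -> internal mail hub" },
    /* The internal hub submits outbound mail to the relay. */
    { ACCEPT, IP(10,0,0,0),   MASK(8),  IP(192,0,2,25), MASK(32), 25, "internal -> relay" },
    /* Nothing else from the DMZ toward the inside, and nothing from outside
     * toward the inside. The default below is deny anyway; these exist so
     * the log line says why. */
    { DENY,   IP(192,0,2,0),  MASK(24), IP(10,0,0,0),   MASK(8),   0, "DMZ never initiates inward" },
    { DENY,   IP(0,0,0,0),    MASK(0),  IP(10,0,0,0),   MASK(8),   0, "no inbound to internal" },
};

static const size_t policy_len = sizeof policy / sizeof policy[0];

/* First matching rule wins; no match means deny. `why` may be NULL. */
action_t filter(uint32_t src, uint32_t dst, uint16_t dport, const char **why)
{
    for (size_t i = 0; i < policy_len; i++) {
        const struct rule *r = &policy[i];
        if ((src & r->src_mask) == (r->src & r->src_mask) &&
            (dst & r->dst_mask) == (r->dst & r->dst_mask) &&
            (r->dport == 0 || r->dport == dport)) {
            if (why) *why = r->why;
            return r->act;
        }
    }
    if (why) *why = "default deny";
    return DENY;
}

static void show(const char *label, uint32_t src, uint32_t dst, uint16_t dport)
{
    const char *why;
    action_t a = filter(src, dst, dport, &why);
    printf("%-38s -> %s (%s)\n", label, a == ACCEPT ? "ACCEPT" : "DENY", why);
}

int main(void)
{
    show("Internet -> DMZ relay :25",        IP(198,51,100,7), IP(192,0,2,25), 25);
    show("Internet -> internal hub :25",     IP(198,51,100,7), IP(10,1,1,25),  25);
    show("hacked DMZ web -> internal hub :25", IP(192,0,2,80),  IP(10,1,1,25),  25);
    show("DMZ relay -> internal hub :25",    IP(192,0,2,25),   IP(10,1,1,25),  25);
    show("DMZ relay -> internal hub :23",    IP(192,0,2,25),   IP(10,1,1,25),  23);
    show("internal host -> DMZ relay :25",   IP(10,2,3,4),     IP(192,0,2,25), 25);
    return 0;
}
```

The relay rule is the line to argue about when sizing the perimeter: if the relay's MTA is one you do not trust, moving mail inward by a pull from the inside (the relay accepting, an internal host collecting) removes that rule entirely, at the cost of the internal side initiating the session.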
From firewalls-owner Thu Oct 3 10:27:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04869 for firewalls-outgoing; Thu, 3 Oct 1996 09:31:41 -0700 (PDT) Received: from us.checkpoint.com (us.checkpoint.com [206.86.35.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA04662 for ; Thu, 3 Oct 1996 09:31:02 -0700 (PDT) Received: from bradley.us.checkpoint (johnc-pc) by us.checkpoint.com (5.x/SMI-SVR4) id AA17153; Thu, 3 Oct 1996 09:31:54 -0700 Message-Id: <3253EA49.46E4@us.checkpoint.com> Date: Thu, 03 Oct 1996 09:31:05 -0700 From: Bradley Brown Reply-To: bradley@us.checkpoint.com Organization: CheckPoint Software Technologies, Inc. X-Mailer: Mozilla 3.0b7 (Win95; I) Mime-Version: 1.0 To: Firewalls@GreatCircle.COM, pat@tandem.com Subject: Re: Firewalls-Digest V5 #549 References: <199610030328.UAA17091@miles.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Pat wrote: >Date: Wed, 2 Oct 1996 15:28:07 -0700 >From: pat@tandem.com >Subject: RE: SYN Fl​ood defenses, Firewall-1 >>"Barbara W. Jaarsma" wrote: >>>P.S. Note the free SYNDefender upgrade on our web site >>>(http://www.checkpoint.com). Know anyone else who has one? >> >How does this protect the firewall-1 host itself (if at all)?? -pat

The SYN Flooding Attack takes advantage of inadequate queue lengths in the host OS, i.e., using less than 10% of the available bandwidth on a T1 connection to the Internet a host can be flooded. The SYNDefender software is integrated with the Check Point INSPECT Engine which intercepts all packets before they are passed off to the host system's OS. The FireWall-1 host OS will never see the invalid SYN packets. Since SYNDefender is a kernel-level process which is handling the connection attempts, it operates very fast and without context switching.
As with normal connections handled by INSPECT, thousands of invalid connection attempts can be intermediated simultaneously without placing an undue burden on the host's CPU. ----------------------------------------------------------------------- Bradley Brown Email: bradley@us.checkpoint.com CheckPoint Software Technologies Phone: (415) 562-0400 x225 "Global Secure Connectivity" Fax: (415) 562-0410

From firewalls-owner Thu Oct 3 10:42:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA11331 for firewalls-outgoing; Thu, 3 Oct 1996 10:28:43 -0700 (PDT) Received: from garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA11287; Thu, 3 Oct 1996 10:28:22 -0700 (PDT) Received: by garrison.com; id GAA21805; Wed, 2 Oct 1996 06:45:29 -0500 Received: from unknown(10.0.0.2) by gw.garrison.com via smap (V3.1.1) id xma021749; Wed, 2 Oct 96 06:45:05 -0500 Received: by ukn0.garrison.com. (4.1/Nutered Mailer) id AA03486; Thu, 3 Oct 96 12:23:03 CDT Date: Thu, 3 Oct 96 12:23:03 CDT From: jeromie@garrison.com (Hmm) Message-Id: <9610031723.AA03486@ukn0.garrison.com.> To: firewalls-owner@GreatCircle.COM, jeromie@garrison.com, david.helms@checkpoint.com, joav.kohn@us.landisstaefa.com Subject: Re: Gauntlet vs. Sidewinder Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> > 1) People generally have their SMTP server sitting somewhere within > > the "[Internal Net]". The firewall would say something like "We only allow > > connections to port 25 of the SMTP gateway". If the SMTP gateway is sitting > > inside, the perimeter is broken. > > > > The proper way to set this up is to have the firewall itself accept mail with > smapd and sendmail v8.6 and then re-route that mail to the internal servers. > The internal servers are never vulnerable to an attack because the outside > world cannot talk directly to them.
> Agreed, that is what I was explaining to checkpoint. > > > > 2) If the internet SMTP gateway sits on the DMZ, and the customer > > has several internal SMTP gateways that distribute all the mail, then again, > > the SMTP gateway on the DMZ would have access to send data to the inside SMTP > > hosts, thus providing information flow. If the internal SMTP gateways are > > vulnerable to attack (IE: version of sendmail that have problems, IE: ALL) > then > > again, the perimeter is broken. > > > > The best way to secure things is to assume nothing is secure on your internal > network. Reduce your points of failure on the DMZ, and trust nothing. If you > make sure that your DMZ versions of sendmail are secure and they talk to your > internal servers, no direct communication ever takes place from the external > network to the internal network. > "If you make sure that your DMZ versions of sendmail are secure.." History has proven, sendmail & security do not belong in the same sentence. 8-) Jeromie Jackson Garrison Technologies jeromie@garrison.com From firewalls-owner Thu Oct 3 11:16:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09288 for firewalls-outgoing; Thu, 3 Oct 1996 10:13:10 -0700 (PDT) Received: from gatekeep.us.landisgyr.com (gatekeep.us.landisgyr.com [206.175.68.122]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA09246; Thu, 3 Oct 1996 10:12:57 -0700 (PDT) Received: by gatekeep.us.landisgyr.com; id JAA24079; Thu, 3 Oct 1996 09:06:43 -0400 Received: from unknown(204.207.110.148) by gatekeep.us.landisgyr.com via smap (V3.1) id xmac24042; Thu, 3 Oct 96 09:06:33 -0400 Received: from mailrelay.us.landisgyr.com by pmdf.us.landisgyr.com (PMDF V5.0-4 #10101) id <01IA7ELGC48000042X@pmdf.us.landisgyr.com>; Thu, 03 Oct 1996 11:59:12 -0500 (CDT) Received: with PMDF-MR; Thu, 03 Oct 1996 07:06:32 -0500 (CDT) MR-Received: by mta PFMSV1.MUAS; Relayed; Thu, 03 Oct 1996 07:06:32 -0500 MR-Received: by mta
PFMSV1; Relayed; Thu, 03 Oct 1996 07:06:32 -0500 MR-Received: by mta PFMMRX; Relayed; Thu, 03 Oct 1996 07:07:59 -0500 Disclose-recipients: prohibited Date: Thu, 03 Oct 1996 07:06:32 -0500 (CDT) From: Joav Kohn Subject: Re: Gauntlet vs. Sidewinder In-reply-to: <9610030326.AA03445@ukn0.garrison.com> To: firewalls-owner , jeromie , "david.helms" Cc: firewalls Message-id: <2432060703101996/A00383/PFMSV1/11AA19C61F00*@MHS.us.landisgyr.com> Autoforwarded: false MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Importance: normal Sensitivity: Company-Confidential UA-content-id: 11AA19C61F00 X400-MTS-identifier: [;2432060703101996/A00383/PFMSV1] Hop-count: 2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > 1) People generally have their SMTP server sitting somewhere within > the "[Internal Net]". The firewall would say something like "We only allow > connections to port 25 of the SMTP gateway". If the SMTP gateway is sitting > inside, the perimeter is broken. > The proper way to set this up is to have the firewall itself accept mail with smapd and sendmail v8.6 and then re-route that mail to the internal servers. The internal servers are never vulnerable to an attack because the outside world cannot talk directly to them. > > 2) If the internet SMTP gateway sits on the DMZ, and the customer > has several internal SMTP gateways that distribute all the mail, then again, > the SMTP gateway on the DMZ would have access to send data to the inside SMTP > hosts, thus providing information flow. If the internal SMTP gateways are > vulnerable to attack (IE: version of sendmail that have problems, IE: ALL) then > again, the perimeter is broken. > The best way to secure things is to assume nothing is secure on your internal network. Reduce your points of failure on the DMZ, and trust nothing.
If you make sure that your DMZ versions of sendmail are secure and they talk to your internal servers, no direct communication ever takes place from the external network to the internal network. -joav From firewalls-owner Thu Oct 3 11:22:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA15852 for firewalls-outgoing; Thu, 3 Oct 1996 11:00:24 -0700 (PDT) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA15781 for ; Thu, 3 Oct 1996 10:59:50 -0700 (PDT) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id LAA01461; Thu, 3 Oct 1996 11:02:17 -0700 Date: Thu, 3 Oct 1996 11:02:17 -0700 (PDT) From: Leonard Miyata To: firewalls@greatcircle.com Subject: SYN solution? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Has anyone looked at the syn flood attack solution posted by BSDI (www.bsdi.com) that they're providing source code for??? Leonard Miyata aka leonard@geminisecure.com Gemini Computers Inc.
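An added in-memory model of the mechanism this thread is discussing (Bradley Brown's explanation of queue exhaustion and SYNDefender intercepting SYNs before the host OS, and Leonard's question about BSDI's fix): a listener that spends a backlog slot per SYN beside a stateless SYN-cookie listener. It is not code from Check Point, BSDI or any list member; the classes, addresses, cookie layout and timing window are assumptions for illustration, and nothing touches a network.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# A "flow" here is just the (client_ip, client_port) pair the listener sees.
# All addresses below are constructed (documentation ranges), not real hosts.


@dataclass
class BacklogListener:
    """Model of a stack that keeps one half-open entry per SYN until the
    handshake's final ACK arrives (or a long timeout fires).  The fixed
    'backlog' is the inadequate queue length Bradley Brown's post refers to."""
    backlog: int
    half_open: dict = field(default_factory=dict)   # flow -> server ISN
    established: set = field(default_factory=set)
    dropped: int = 0

    def on_syn(self, flow, now):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                       # queue full: SYN is lost
            return None
        isn = int.from_bytes(os.urandom(4), "big")  # random initial seq number
        self.half_open[flow] = isn
        return isn

    def on_ack(self, flow, ack, now):
        isn = self.half_open.get(flow)
        if isn is None or ack != (isn + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[flow]
        self.established.add(flow)
        return True


class SynCookieListener:
    """Stateless alternative: the server's ISN is a keyed hash ('cookie') of
    the flow plus a coarse timestamp, so no memory is spent until a valid ACK
    proves the client really exists.  This is the SYN-cookie idea in general;
    it is a teaching model, not SYNDefender's or BSDI's implementation."""
    WINDOW = 2   # accept cookies minted up to this many ticks ago (assumed)

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)
        self.established = set()
        self.dropped = 0

    def _cookie(self, flow, t):
        msg = f"{flow[0]}:{flow[1]}:{t}".encode()
        h = hmac.new(self.secret, msg, hashlib.sha256).digest()
        low = int.from_bytes(h[:4], "big") & 0x07FFFFFF   # 27 bits of MAC
        return ((t & 0x1F) << 27) | low                    # 5 bits of time

    def on_syn(self, flow, now):
        return self._cookie(flow, now)   # reply with the cookie, store nothing

    def on_ack(self, flow, ack, now):
        isn = (ack - 1) & 0xFFFFFFFF
        t_bits = isn >> 27
        for back in range(self.WINDOW + 1):
            t = now - back
            if (t & 0x1F) == t_bits and self._cookie(flow, t) == isn:
                self.established.add(flow)          # genuine third packet
                return True
        self.dropped += 1                           # forged or stale
        return False


def flood_then_legit(listener, n_spoofed, legit=("192.0.2.10", 40000), now=100):
    """Feed the listener n_spoofed SYNs whose senders never answer (the flood
    pattern the thread describes), then one real client's full handshake.
    Returns True if the real client was established."""
    for i in range(n_spoofed):
        listener.on_syn((f"203.0.113.{i % 254 + 1}", 1024 + i), now)
    isn = listener.on_syn(legit, now)
    if isn is None:
        return False
    return bool(listener.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now))
```

With a 128-entry backlog the real client is shut out by 1000 unanswered SYNs, while the cookie listener serves it and rejects forged or stale ACKs.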
From firewalls-owner Thu Oct 3 11:41:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA15680 for firewalls-outgoing; Thu, 3 Oct 1996 10:59:06 -0700 (PDT) Received: from e-tex.com (e-tex.com [206.25.36.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA15637 for ; Thu, 3 Oct 1996 10:58:51 -0700 (PDT) Received: from ctownen by e-tex.com with smtp (Smail3.1.29.1 #1) id m0v8s1n-0002G2C; Thu, 3 Oct 96 12:57 CDT Message-ID: <3253FECE.C05@e-tex.com> Date: Thu, 03 Oct 1996 12:58:38 -0500 From: Chris Townend Organization: Texas Department of Transportation X-Mailer: Mozilla 2.0 (WinNT; U) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM CC: mail.e-tex.com Subject: Re: Firewalls-Digest V5 #550 References: <199610030800.BAA16858@miles.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My network currently utilizes nasi dial-out capabilities through a netware connect 2.0 server. Dial-out clients are using win3.11 with netscape 1.22. These clients do not have a tcp/ip stack on network card, only ipx. Can anyone tell me how vulnerable my network is to access from other Internet hosts, and how to protect it? Any advice would be greatly appreciated! 
From firewalls-owner Thu Oct 3 12:39:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA19547 for firewalls-outgoing; Thu, 3 Oct 1996 11:26:17 -0700 (PDT) Received: from mailhub.axion.bt.co.uk (mailhub.axion.bt.co.uk [132.146.5.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA19495 for ; Thu, 3 Oct 1996 11:25:59 -0700 (PDT) Received: from msmsmtp1.comnet.bt.co.uk (actually msmsmtp2.comnet.bt.co.uk) by mailhub.axion.bt.co.uk with SMTP (PP); Thu, 3 Oct 1996 19:23:18 +0100 Received: by msmsmtp1.comnet.bt.co.uk with Microsoft Mail id <32540420@msmsmtp1.comnet.bt.co.uk>; Thu, 03 Oct 96 19:21:20 BST From: "Bettich,K,NAT22,BETTICK M" To: Firewalls Newsgroup Subject: Dynamic Address allocation Date: Thu, 03 Oct 96 18:27:00 BST Message-ID: <32540420@msmsmtp1.comnet.bt.co.uk> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello My knowledge of firewalls is very limited but I am considering an Intranet design whereby a firewall would translate private IP addresses into a registered address. Can a firewall map several private addresses to a single public address at the same time? If so, what's the maximum number of concurrent sessions handled typically? The purpose is to keep the number of registered IP addresses as low as possible without impacting too much on the network performance from an Intranet user's point of view when he/she tries to access the outside WWW.
Thanks very much Karim From firewalls-owner Thu Oct 3 13:23:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA27430 for firewalls-outgoing; Thu, 3 Oct 1996 12:57:11 -0700 (PDT) Received: from anka.mindvision.com (anka.mindvision.com [198.247.220.254]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA27351 for ; Thu, 3 Oct 1996 12:56:44 -0700 (PDT) Received: (from alan@localhost) by anka.mindvision.com (8.6.11/8.6.9) id OAA00859; Thu, 3 Oct 1996 14:55:44 -0500 Message-Id: <199610031955.OAA00859@anka.mindvision.com> Subject: Re: Dynamic Address allocation To: BETTICK@boat.bt.com (Bettich K NAT22 BETTICK M) Date: Thu, 3 Oct 1996 14:55:43 -0500 (CDT) Cc: Firewalls@GreatCircle.COM In-Reply-To: <32540420@msmsmtp1.comnet.bt.co.uk> from "Bettich,K,NAT22,BETTICK M" at Oct 3, 96 06:27:00 pm From: alan@mindvision.com (Alan Hannan) Reply-To: alan@mindvision.com (Alan Hannan) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, > My knowledge of firewalls is very limited but I am considering an Intranet > design whereby a firewall would translate private IP addresses into a > registered address. This is a fairly standard design, typically known as a transparent proxy/application gateway firewall. > Can a firewall map several private addresses to a single > public address at the same time. Yes. The majority (??) of commercial firewalls do just that, mapping large amounts of address space (/16|Class Bs and larger) to just _one_ IP address visible to the world. > If so, what's the maximum number of > concurrent sessions handled typically? I don't know that there is a technical design limit, I suppose there could be, but practically, it is limited only by the firewall software and platform hardware's ability to build and maintain the connections/throughput.
> The purpose is to keep the number of registered IP addresses as low as > possible without impacting too much on the network performance from an > Intranet user's point of view when he/she tries to access the outside WWW. This should do the trick. Gauntlet, Centri, Raptor, others come to mind as commercial solutions... -alan From firewalls-owner Thu Oct 3 13:27:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA24468 for firewalls-outgoing; Thu, 3 Oct 1996 12:24:16 -0700 (PDT) Received: from www.valuu.net (www.valuu.net [204.252.40.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA24426; Thu, 3 Oct 1996 12:24:00 -0700 (PDT) Received: from fd.valuu.net ([204.252.40.3]) by www.valuu.net (post.office MTA v1.9.1 ID# 0-11837) with SMTP id AAA346; Thu, 3 Oct 1996 15:24:43 -0400 Received: by fd.valuu.net with Microsoft Mail id <01BBB13E.5D6AF540@fd.valuu.net>; Thu, 3 Oct 1996 15:20:09 -0400 Message-ID: <01BBB13E.5D6AF540@fd.valuu.net> From: rabbi@www.valuu.net (Rabbi Haim Cassorla) To: "'Chris Townend'" , "Firewalls@GreatCircle.COM" Cc: "mail.e-tex.com@GreatCircle.COM" Subject: RE: Fireballs-Digest V5 #550 Date: Thu, 3 Oct 1996 15:20:07 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The short answer is: 1. Very. 2. Unplug it. ---------- From: Chris Townend[SMTP:ctownend@e-tex.com] Sent: Thursday, October 03, 1996 1:58 PM To: Firewalls@GreatCircle.COM Cc: mail.e-tex.com@GreatCircle.COM Subject: Re: Firewalls-Digest V5 #550 My network currently utilizes nasi dial-out capabilities through a netware connect 2.0 server. Dial-out clients are using win3.11 with netscape 1.22. These clients do not have a tcp/ip stack on network card, only ipx. Can anyone tell me how vulnerable my network is to access from other Internet hosts, and how to protect it? Any advice would be greatly appreciated! 
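An added model of the many-to-one translation Alan Hannan describes in his reply on dynamic address allocation above: every private host behind one registered address, with reverse mappings so replies get back and unsolicited inbound packets have nowhere to go. It is not code from Gauntlet, Centri, Raptor or any list member; the class, the address values and the deliberately tiny port pool are assumptions for illustration, and it shows concretely that in this model the concurrent-session ceiling for one public address is the translator's port pool.

```python
class PortNat:
    """One registered ('public') address shared by every private host behind
    it.  Each outbound session is rewritten to (public_ip, public_port) and a
    reverse mapping is kept so the reply can be rewritten back.  Model only:
    a real translator also ages mappings out, and many reuse a public port
    for different destinations, which raises the ceiling shown here."""

    def __init__(self, public_ip, port_lo=1024, port_hi=65535):
        self.public_ip = public_ip
        # Ports are handed out lowest-first; the pool size bounds how many
        # sessions this one public address can carry at the same time.
        self.free_ports = list(range(port_hi, port_lo - 1, -1))
        self.out_map = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.in_map = {}    # (public_port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the intranet.  Returns the (public_ip,
        public_port) it now carries, or None when the pool is exhausted."""
        key = (src_ip, src_port, dst_ip, dst_port)
        pport = self.out_map.get(key)
        if pport is None:
            if not self.free_ports:
                return None                         # no port left: refuse session
            pport = self.free_ports.pop()
            self.out_map[key] = pport
            self.in_map[(pport, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pport)

    def inbound(self, public_port, src_ip, src_port):
        """Rewrite a packet arriving from the Internet for the public address.
        Only a packet matching an existing outbound session gets a private
        destination; anything unsolicited returns None and is dropped."""
        return self.in_map.get((public_port, src_ip, src_port))

    def close(self, src_ip, src_port, dst_ip, dst_port):
        """Tear down a session and return its public port to the pool."""
        pport = self.out_map.pop((src_ip, src_port, dst_ip, dst_port), None)
        if pport is None:
            return False
        del self.in_map[(pport, dst_ip, dst_port)]
        self.free_ports.append(pport)
        return True

    def active_sessions(self):
        return len(self.out_map)


def demo():
    """Three private hosts share one public address; all values constructed."""
    nat = PortNat("192.0.2.1", port_lo=40000, port_hi=40002)  # 3-port pool
    web = ("198.51.100.80", 80)
    a = nat.outbound("10.0.0.5", 1500, *web)
    b = nat.outbound("10.0.0.6", 1500, *web)    # same private port, other host
    c = nat.outbound("10.0.0.7", 1500, *web)
    d = nat.outbound("10.0.0.8", 1500, *web)    # fourth session: pool empty
    reply = nat.inbound(a[1], *web)             # web server's answer to host a
    stray = nat.inbound(40001, "203.0.113.9", 6000)   # unsolicited from outside
    return nat, a, b, c, d, reply, stray
```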
From firewalls-owner Thu Oct 3 13:53:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA27778 for firewalls-outgoing; Thu, 3 Oct 1996 13:01:03 -0700 (PDT) Received: from relay4.oleane.net (Relay4.OLEANE.NET [194.2.1.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA27498 for ; Thu, 3 Oct 1996 12:58:57 -0700 (PDT) Received: from dyn-234.gre.oleane.com (dyn-234.gre.oleane.com [194.2.9.234]) by relay4.oleane.net (8.7.5/8.7.3) with SMTP id UAA29911 for ; Thu, 3 Oct 1996 20:54:53 +0100 (MET) X-Authentication-Warning: relay4.oleane.net: Host dyn-234.gre.oleane.com [194.2.9.234] didn't use HELO protocol Message-Id: <1.5.4.32.19961003205647.00698e6c@pop.dial.oleane.com> X-Sender: mc007@pop.dial.oleane.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 03 Oct 1996 21:56:47 +0100 To: firewalls@greatcircle.com From: Marc Chatel Subject: Need volunteer FTP archive site to host new security software Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello all, I am looking for one or more anonymous FTP sites that would be interested in hosting a new security software kit called "S4". S4 stands for the "Secure System Setup Script". The kit is currently about 6.5 megabytes (and will probably grow), and it may be necessary to keep several versions archived over time if the kit proves popular. The kit does not currently contain anything that would cause "export control" problems if hosted in the U.S., but this COULD change over time. Because of this (and if sites are interested, of course), the ideal setup may be for a non-U.S. master FTP site, with mirrors in the U.S or elsewhere. Better suggestions from people more knowledgeable than me about the problem are welcome. :-) Interested sites may contact me at mchatel@dial.oleane.com. 
I will need to use a "simple" authentication method to update the FTP area, since I live in France and basically cannot use any serious crypto without a permit. A bit more detail on S4 is included below for your reading pleasure... Sincere Regards, Marc Chatel 9, ave Jean Monnet 74940 ANNECY-LE-VIEUX FRANCE Private E-mail: mchatel@dial.oleane.com ----------- details on S4 (the Secure System Setup Script) ------------- S4 is best described as "a security glueware compromise". The goal of S4 is to minimize the time necessary to accomplish the following: Move from a) system with freshly installed base operating system with no config done yet to b) system with a maximum number of obvious security holes closed, ready to connect to an insecure network, and which offers some basic services that people need today: FTP/WWW/SMTP/POP. Most services offered (including the ones I just listed) run chrooted and non-privileged. The current S4 is able to move a system from a) to b) in approx. 60 minutes. The installer spends most of that time pressing "Y", "N", and RETURN to accept default parameters and page through the output. I guess it could be described as an "automatic system defense tool", as opposed to "automatic system scanning tools", which are more common... Although it currently runs on only one platform (OSF/Digital Unix on Alpha), I believe people will find the tool interesting (even if it is just to pick some parts out of it). My goal in publishing S4 is to find volunteers that will find it useful enough to add functionality to it, and help me port it to other platforms (my experience is that testing a tool like this requires exclusive access to at least one machine of the type being tested, preferably two). The actual S4 "kit" is composed at > 90% of software packages already published on Internet and written by many people. All packages included are in source form (S4 compiles all packages during installation, that's why it takes an hour to run). 
In some cases, I have made slight modifications to the packages (usually to improve drop privilege/chroot methods and to fix syslog issues introduced by chroot environments). Packages currently included in the S4 kit (either as-is or modified) are: ----------------------------------------------------------------------------- "aftpd", originally written by Marcus J. Ranum, based on Berkeley sources "arpwatch" from the University of California, Lawrence Berkeley Laboratory the Berkeley "db" package, from the University of California at Berkeley "gzip", from the Free Software Foundation "libpcap" from the University of California, Lawrence Berkeley Laboratory the NCSA "httpd" web server, from the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign PERL (version 5.003), from Larry Wall "poppasswd", originally from Daniel L. Leavitt at MITRE (I believe) "qpopper", a collective work currently hosted at QualComm "sendmail", from the University of California at Berkeley "spop", put in the public domain by the RAND Corporation "tcpd", from Wietse Venema at the Eindhoven University of Technology ----------------------------------------------------------------------------- The parts of S4 actually written by me are mostly installation shellscripts, and a few C programs here and there to handle specific issues. *************************** LICENSING/COPYRIGHT ISSUES: *************************** My primary goal is usefulness. To some extent, the S4 kit can be considered an "aggregation" of many software packages (the S4 shellscripts sit in their own directory and drive each package's installation script from outside). Each package included in the S4 kit remains on its own license/copyright terms. The top directory of the S4 kit includes a file called S4_LICENSE.txt that includes the basic license text from all of the parties involved (I think). Each kit included is in source and includes its own license text. 
For the parts of S4 specifically written by me, I chose licensing terms as convenient as possible. The S4-specific files include the following text: # ------------------------------------------------------------------------------ # Copyright (c) 1995,1996 Donated to the public domain # # Original author and maintainer: Marc Chatel mchatel@dial.oleane.com # Last known maintainer: Marc Chatel mchatel@dial.oleane.com # # This file was created as part of the S4 (Secure System Setup Script) kit. # Permission is granted to any person or entity to do any of the following: # a) use this file alone or in some other software # b) modify this file or include parts of this file in other files # c) re-distribute this file AS IS or modified, for non-commercial # or commercial purposes, alone or as part of some software package # # No warranties of any kind, express or implied, on the functionality and safety # of the contents of this file. Use at your own risk! # # If you do useful changes to this file (bug fixes, portability fixes, # enhancements), you should TRY to contact the current maintainer, who may be # maintaining a "latest greatest" version of the file. You do not HAVE TO, # but you should TRY. Promote software reuse! It helps everybody, including you! 
# ------------------------------------------------------------------------------ --------------- end of message ----------------- From firewalls-owner Thu Oct 3 15:09:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA22004 for firewalls-outgoing; Thu, 3 Oct 1996 11:57:39 -0700 (PDT) Received: from sapa.inka.de (sapa.inka.de [193.197.84.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA21986; Thu, 3 Oct 1996 11:57:07 -0700 (PDT) Received: from uu.inka.de (root@[193.197.84.8]) by sapa.inka.de with smtp (S3.1.29.1) id ; Thu, 3 Oct 96 20:55 MET DST Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Thu, 3 Oct 96 20:55 MET DST Received: by lina id m0v8spB-0004jMC (Debian /\oo/\ Smail3.1.29.1 #29.37); Thu, 3 Oct 96 20:48 MET DST Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: Gauntlet vs. Sidewinder To: jeromie@garrison.com (Hmm) Date: Thu, 3 Oct 1996 20:48:43 +0200 (MET DST) Cc: firewalls-owner@GreatCircle.COM, jeromie@garrison.com, david.helms@checkpoint.com, joav.kohn@us.landisstaefa.com, firewalls@GreatCircle.COM In-Reply-To: <9610031723.AA03486@ukn0.garrison.com.> from "Hmm" at Oct 3, 96 12:23:03 pm X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, > > The proper way to set this up is to have the firewall itself accept mail with > > smapd and sendmail v8.6 and then re-route that mail to the internal servers. > > The internal servers are never vulnerable to an attack because the outside > > world cannot talk directly to them. > > > > Agreed, that is what I was explaining to checkpoint. Umm.. that's not completely right. Where is the difference in receiving mail from the outside or from an smapd forwarder? In both cases you can still have broken Envelopes or Headers.
It's probably better to put the MX Host outside of the firewall, or a secure forwarder on the firewall, but secure MTAs like qmail are a possible solution without using smtp-forwarders which don't give you much security (at least not those I know of). Greetings Bernd > > The best way to secure things is to assume nothing is secure on your internal > > network. Reduce your points of failure on the DMZ, and trust nothing. If you > > make sure that your DMZ versions of sendmail are secure and they talk to your > > internal servers, no direct communication ever takes place from the external > > network to the internal network. > > > > "If you make sure that your DMZ versions of sendmail are secure.." If you trust your DMZ hosts you can even put them inside the Firewall perimeter, right. If you receive Mail on a bastion host on the DMZ, then you still need a way to secure mail from the bastion host to the internal net (i.e. filtering mail forwarder on the firewall or secure MTA on the internal net). Since Hackers can still send you malicious mail if they have hacked the bastion. Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( ..
) ecki@{lina.inka.de,linux.de} http://home.pages.de/~eckes/ o--o *plush* 2048/A2C51749 eckes@irc +4972573817 *plush* (O____O) If privacy is outlawed only Outlaws have privacy From firewalls-owner Thu Oct 3 15:26:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA01664 for firewalls-outgoing; Thu, 3 Oct 1996 13:45:19 -0700 (PDT) Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.71.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA01627 for ; Thu, 3 Oct 1996 13:45:02 -0700 (PDT) Message-Id: <199610032045.NAA01627@miles.greatcircle.com> Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA104565278; Thu, 3 Oct 1996 16:41:18 -0400 Date: Thu, 3 Oct 1996 16:41:18 -0400 From: gary flynn To: firewalls@greatcircle.com Subject: UDP 137 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm seeing lots of access violations for UDP 137 which is used by Netbios name services. I'm blocking 137-139 from the Internet. What I don't understand is why these are trying to come in from the Internet destined for machines all over campus...some that aren't even running Netbios services (or so I'm told). Going through RFC1001 and 1002 (quickly, I'm afraid) it seems that these packets would be used to challenge a name. Why would computers from sites all over the world be challenging end user computers here? One of the sites sending the packets was a Web site and I thought maybe it did that because it was an NT based server or something but I checked with the person whose PC was the target and they'd never heard of the Web site (no it wasn't one that they'd publicly deny :-) Of course, I might be misunderstanding the protocol and perhaps the Internet is supporting Netbios broadcast service which means it's supporting a whole bunch of machines broadcasting their names. Tell me this isn't true! Appletalk on the Internet :-) Can someone explain this to me?
thanks, Gary Flynn Network Manager James Madison University From firewalls-owner Thu Oct 3 15:52:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA12337 for firewalls-outgoing; Thu, 3 Oct 1996 15:13:56 -0700 (PDT) Received: from wichita.fn.net ([204.233.71.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA12319 for ; Thu, 3 Oct 1996 15:13:38 -0700 (PDT) Received: (from bkmarsh@localhost) by wichita.fn.net (8.7.6/8.6.9) id RAA18671; Thu, 3 Oct 1996 17:13:04 -0500 (CDT) Date: Thu, 3 Oct 1996 17:13:03 -0500 (CDT) From: "Bruce M." X-Sender: bkmarsh@wichita.fn.net To: Bradley Brown cc: firewalls@greatcircle.com Subject: Re: Check Point and SYN Flood Attack In-Reply-To: <3253E7B1.63F1@us.checkpoint.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 3 Oct 1996, Bradley Brown wrote: > I saw your email on the FW mailing list. I suggest you read the white > paper posted on our site to get a better understanding of our solution. > The key element of the SYN Flood attack is that a site (Firewall or > Internet server) can be hosed due to the OS inability to handle the > unresolved connection attempts with an attack that uses less than 10% of > the available bandwidth across a T1 connection. With SYNDefender, the OS > is protected and valid Internet connections can pass through the > firewall to the destination server unimpeded. I read through the white paper and besides a few hazy blips about how your "patent-pending Stateful Inspection" protects Firewall-1, I still haven't received a decent refutation to my original observation: What is going to keep the firewall itself from becoming ensnared in a SYN flooding DOS attack? Even if it protects your host, won't Internet traffic essentially stop reaching it if the firewall is stuck chasing down SYNs from bogus addresses? Am I missing an important factor in this equation?
________________________________ [ Bruce M. - Feist Systems, Inc. ] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 'DISA information shows that computer attacks on the Department of Defense are successful 65 percent of the time. The DoD, despite its problems, probably has one of the strongest computer security programs in government.' -GAO/T-AIMD-96-108 From firewalls-owner Thu Oct 3 15:56:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA05442 for firewalls-outgoing; Thu, 3 Oct 1996 14:17:24 -0700 (PDT) Received: from ns.rc.toronto.on.ca ([142.77.249.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA05426 for ; Thu, 3 Oct 1996 14:17:11 -0700 (PDT) Received: by ns.rc.toronto.on.ca with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBB14E.8C597920@ns.rc.toronto.on.ca>; Thu, 3 Oct 1996 17:16:00 -0400 Message-ID: From: Russ To: "'firewalls@GreatCircle.COM'" , "'Petri Virkkula'" Subject: RE: NT Security Date: Thu, 3 Oct 1996 17:15:57 -0400 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I think Backup rights are enough, no need to change ownership > etc. Backup rights, membership in the Backup Operators group, Server Operators Group, or anyone assigned explicitly the right to Backup Files and Directories (and typically its sister right to Restore Files and Directories) do not have the facility to Read, Write, Execute, Delete, Change Permissions or Take Ownership of Files or Directories, outside the use of a program which uses Backup or Restore functions specific to NT (copying a file in a DOS window would not work for these users, for example). The API calls to perform Backup or Restore operations register events in the event log stating that such an action has been taken. 
Obviously, the tape contains all the data and that could be read on another system outside of the Domain very easily, but if the data was restored into the same NT environment, it would still not be possible to read the data as a member of the above mentioned groups. Just because one is a member of the above mentioned groups does not permit them access to directories or files through normal access methods (i.e. File Manager, DOS, or Explorer in NT 4.0). Obviously it's possible to programmatically simulate a backup program, and while generating an event indicating the backup, have that program display the contents of the data being backed up. Judicious granting of the right, or membership in the above mentioned groups, therefore, is extremely wise. An often overlooked, and possibly more critical right, is the ability to perform restore operations. Restoring a system to a pre-secure state (or some previously secure state which the perpetrator has some knowledge of) can be far more damaging than losing a current backup. Cheers, Russ "any sufficiently advanced technology is indistinguishable from magic"...Arthur C.
Clarke > From firewalls-owner Thu Oct 3 16:20:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA13426 for firewalls-outgoing; Thu, 3 Oct 1996 15:27:47 -0700 (PDT) Received: from answerman.mindspring.com (answerman.mindspring.com [204.180.128.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA13373 for ; Thu, 3 Oct 1996 15:27:24 -0700 (PDT) Received: from [168.121.206.219] (user-168-121-206-219.dialup.mindspring.com [168.121.206.219]) by answerman.mindspring.com (8.7.5/8.7.3) with SMTP id SAA26449; Thu, 3 Oct 1996 18:26:41 -0400 (EDT) Date: Thu, 3 Oct 1996 18:26:41 -0400 (EDT) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Chip Coy From: pelicans@mindspring.com (BeachCruiser) Subject: Re: Information Seeking Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 8:09 AM 10/3/96, Chip Coy wrote: >On Tue, 1 Oct 1996, John Anonymous MacDonald wrote: > Can anyone on this list recommend a reputable and professional group that > can perform security (both network and host; Internet related) audits at a > medium sized company located in the United States? Well, if the outfits that do most of the security planning, auditing and accreditation testing for the defense and intelligence communities would be of any interest, I suggest calling: Jim Harper Computer Sciences Corporation Hanover, Maryland (410) 684-3500 Ron Gove SAIC McLean, Virginia (703) 556-9722 Robert Kitzmiller DSA Fairfax, Virginia (703) 591-3704 Stuart Moore Booz Allen and Hamilton McLean, Virginia (703) 902-5310 Happy Hunting :-) ___________________________ Bob McKisson Cypress Systems Corporation P. O.
Box 809 Virginia Beach, VA 23451 (757) 425-4195 Voice (757) 425-4196 FAX (757) 442-0888 STU-III pelicans@mindspring.com From firewalls-owner Thu Oct 3 16:30:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA03757 for firewalls-outgoing; Thu, 3 Oct 1996 14:03:40 -0700 (PDT) Received: from hermes.intel.com ([143.183.152.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA03697 for ; Thu, 3 Oct 1996 14:03:21 -0700 (PDT) Received: from genel.csnet.can.ibm.com by hermes.intel.com (8.7.6/10.0i); Thu, 3 Oct 1996 14:02:50 -0700 Received: by genel.csnet.can.ibm.com with Microsoft Mail id <01BBB14C.4BC73D40@genel.csnet.can.ibm.com>; Thu, 3 Oct 1996 16:59:52 -0400 Message-ID: <01BBB14C.4BC73D40@genel.csnet.can.ibm.com> From: Gene Lee To: "firewalls@GreatCircle.COM" , "'Nestor & Christine Navarro'" Subject: RE: How does one set a rule in IBM's Internet Secure Network Gateway to allow Notes 4.1.4 replication? Date: Thu, 3 Oct 1996 16:59:52 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wednesday, October 02, 1996 10:58 PM, Nestor & Christine Navarro[SMTP:nnavarro@pathcom.com] wrote: >I am having setting up the IBM's firewall the "Secure Network Gateway" >to allow a machine in an internal network with Lotus Notes 4.1.4 to >replicate (or even at the moment to talk) to an external machine over >the Internet. All I know is to open up PORT 1352. Part of my problem >as well is my internal network also has unregistered IP addresses. So >how do I handle Name Address Translation? Christine, if you are using SNG v2.2, you can use the NAT function built-in and create a filter rule to pass traffic through port 1352. Remember that the filter filters on NATed addresses so you would use the unregistered IP address in your rules. 
Also remember that the pool of registered IP addresses cannot be in the same network as your unsecured network hanging off the firewall, but must be a different subnet which is routed through the firewall by the external router. -- Gene Lee genel@inforamp.net genelee@vnet.ibm.com From firewalls-owner Thu Oct 3 16:41:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA07714 for firewalls-outgoing; Thu, 3 Oct 1996 14:39:34 -0700 (PDT) Received: from abayuba.soltel.com.uy (abayuba.soltel.com.uy [206.99.46.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA07689 for ; Thu, 3 Oct 1996 14:39:22 -0700 (PDT) Received: (from beto@localhost) by abayuba.soltel.com.uy (8.6.12/8.6.9) id SAA10757; Thu, 3 Oct 1996 18:31:12 -0300 Date: Thu, 3 Oct 1996 18:31:12 -0300 From: Mario Pereyra Message-Id: <199610032131.SAA10757@abayuba.soltel.com.uy> To: BETTICK@boat.bt.com, Firewalls@GreatCircle.COM Subject: Re: Dynamic Address allocation Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Karim, you must view http://socks.nec.com/ From firewalls-owner Thu Oct 3 17:17:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA27929 for firewalls-outgoing; Thu, 3 Oct 1996 17:03:51 -0700 (PDT) Received: from tophat.stetson.edu (tophat.stetson.edu [147.253.10.40]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA27878 for ; Thu, 3 Oct 1996 17:03:33 -0700 (PDT) Received: from localhost (midengre@localhost) by tophat.stetson.edu (8.7.1/8.7.1) with SMTP id TAA01784; Thu, 3 Oct 1996 19:56:55 -0400 (EDT) X-Authentication-Warning: tophat.stetson.edu: midengre owned process doing -bs Date: Thu, 3 Oct 1996 19:56:55 -0400 (EDT) From: Michael Idengren Reply-To: Michael Idengren To: Leonard Miyata cc: firewalls@GreatCircle.COM Subject: Re: SYN solution? 
In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
> Has anyone looked at the syn flood attack solution posted > by BSDI (www.bsdi.com) that they're providing source code > for??? Also: For many platforms, there is a kernel patch available that will symptoms of a SYN flood (characteristic of a denial of service attack). I particularly like the SunOS fix, which will dynamically increase the proc table when a flood hits. See http://www.netaxs.com/~freedman/syn for more info. Mike Idengren | MEISTER ---------------------------------+---------------------------------- Center for Information Technology| Alachua Free-Net IRC Administrator Stetson University | WorldWide Free-Net IRC Network Coordinator
From firewalls-owner Thu Oct 3 17:27:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA24118 for firewalls-outgoing; Thu, 3 Oct 1996 16:43:34 -0700 (PDT) Received: from sgi.sgi.com (SGI.COM [192.48.153.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA23994 for ; Thu, 3 Oct 1996 16:42:49 -0700 (PDT) Received: from hollywood.engr.sgi.com ([150.166.61.38]) by sgi.sgi.com (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id QAA10734; Thu, 3 Oct 1996 16:42:07 -0700 Received: by hollywood.engr.sgi.com (940816.SGI.8.6.9/911001.SGI) id QAA07393; Thu, 3 Oct 1996 16:42:06 -0700 From: fisher@hollywood.engr.sgi.com (William Fisher) Message-Id: <199610032342.QAA07393@hollywood.engr.sgi.com> Subject: Re: ifconfig To: jrg@gbnet.net (James R Grinter) Date: Thu, 3 Oct 1996 16:42:02 -0800 (PDT) Cc: ndapice@erols.com, mskarban@novahut.cz, firewalls@GreatCircle.COM, fisher@hollywood.engr.sgi.com (William Fisher) In-Reply-To: <199610031718.SAA18106@ns.gbnet.net> from "James R Grinter" at Oct 3, 96 06:18:28 pm Reply-To: fisher@sgi.com X-Mailer: ELM [version 2.4 PL3] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
>
> On Thu 3 Oct, 1996, "Nick D'Apice" wrote: > >for SGI and BSDI, it's 'ifconfig xxx alias a.b.c.d netmask a.b.c.d > > the original poster asks about IRIX 5.3. That only supports > aliases if you apply a patch. The poster is in .cz so probably won't > be able to download it from the SGI web server, but he could try > looking for it anyway (look in the webforce areas). > > IRIX 6.2 adds support in the release operating system, and improves > performance, but often results in crashing the OS because of some > pointer errors when deleting them. C'est la vie. > That problem has been fixed in an Irix 6.2 patch. You can get the patches from the patch server or by calling customer support. -- Bill (fisher@sgi.com) > >> Date: Tue, 01 Oct 1996 06:10:55 +0100 > >> From: Skarban > > >> I am building a virtual www server and I need to define multiple IP > >> addresses over one physical interface of my SGI Challenge - S (Irix > >> 5.3). I am looking for the parameter of the ifconfig command of SGI IRIX 5.3 > > James. >
From firewalls-owner Thu Oct 3 17:41:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA02320 for firewalls-outgoing; Thu, 3 Oct 1996 17:34:04 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA02266; Thu, 3 Oct 1996 17:33:42 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id TAA24850; Thu, 3 Oct 1996 19:24:30 -0400 Date: Thu, 3 Oct 1996 19:24:27 -0400 (EDT) From: Rabid Wombat To: Rabbi Haim Cassorla cc: "'Chris Townend'" , "Firewalls@GreatCircle.COM" , "mail.e-tex.com@GreatCircle.COM" Subject: RE: Fireballs-Digest V5 #550 In-Reply-To: <01BBB13E.5D6AF540@fd.valuu.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On Thu, 3 Oct 1996, Rabbi Haim Cassorla wrote: > The short answer is: > > 1. Very. > 2. Unplug it.
Would you care to elaborate on this? I have set up NCSI comm servers on a segment that is screened by a router - only IPX can cross, no IP is allowed. The modems are set for "no answer", and there are no other systems on this screened segment. Users can access the NCSI ports via IPX/NCSI through the screening router. The ACS^2/SA's are attached to a secure hub. The hub attaches to the router. I'm not trying to make it impossible for an insider to get out - just exercise some administrative control, and have an alternative to locally attached modems (hence the ability to deny them to users). Of course, an insider *could* still set up a cellular modem, etc., but they could take data out on a floppy disk, too. This isn't my concern (today). I just want to do a reasonable job of providing dial-out access while blocking incoming calls. It isn't a great leap from having a modem on the desk for dial-out, and then installing PC Anywhere to dial in from home, or loading Chameleon, and leaving IP routing turned on, etc. These are the things I'm trying to stop. NOT someone on the inside who writes a winsock-capable TCP/IP app that tunnels through IPX to get to the dial-out, so he/she can dial into another system that breaks out the IP and passes it on. Like I said - the insider could just walk off with a tape or disk. It is the outside I'm worried about. Yes - You could trick a dial-out user of mine into downloading a trojan horse. You could also get them to do this through our firewall, as we allow ftp if it originates "outbound." I just want my dial-out system to be good enough that it doesn't "backdoor" the firewall. Just where do you see the risk? If you really know something about NCSI/NASI, and aren't just blowing smoke, I'd like to hear from you. -r.w. On Thu, 3 Oct 1996, Rabbi Haim Cassorla wrote: > The short answer is: > > 1. Very. > 2. Unplug it. 
> > ---------- > From: Chris Townend[SMTP:ctownend@e-tex.com] > Sent: Thursday, October 03, 1996 1:58 PM > To: Firewalls@GreatCircle.COM > Cc: mail.e-tex.com@GreatCircle.COM > Subject: Re: Firewalls-Digest V5 #550 > > My network currently utilizes nasi dial-out capabilities through > a netware connect 2.0 server. Dial-out clients are using > win3.11 with netscape 1.22. These clients do not have a tcp/ip > stack on network card, only ipx. Can anyone tell me how > vulnerable my network is to access from other Internet hosts, > and how to protect it? Any advice would be greatly appreciated! > > > From firewalls-owner Thu Oct 3 19:00:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA08749 for firewalls-outgoing; Thu, 3 Oct 1996 18:46:19 -0700 (PDT) Received: from morebbs.com (morebbs.com [206.165.150.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA08742 for ; Thu, 3 Oct 1996 18:46:11 -0700 (PDT) From: potlicker@morebbs.com Received: by morebbs.com id 0UKAX00O Thu, 03 Oct 96 21:45:23 Message-ID: <9610032145.0UKAX00@morebbs.com> Organization: MORE BBS X-Mailer: TBBS/TIGER v1.0/PRIMP 1.56p Date: Thu, 03 Oct 96 21:45:23 Subject: Audio/video To: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 1) How much bandwidth, in kbps, does a RealAudio connection use assuming that the firewall can keep up with the Internet access line speed? 2) How much bandwidth does a QuickTime video thingy use, also assuming the firewall can keep up with the access line speed? 3) Nothing to do with firewalls. Does anybody know the name of the music or tune for the song "Canny Newcastle" by Thomas Thompson, in the Geordie Song Book by Butler Publishing, Northumberland? We would all like to sing it to the right tune when we get tanked on the mead. 
Hinnie PoT_LiCkEr From firewalls-owner Thu Oct 3 19:14:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA08879 for firewalls-outgoing; Thu, 3 Oct 1996 18:53:06 -0700 (PDT) Received: from dns1.noc.best.net (dns1.noc.best.net [206.86.8.69]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA08872 for ; Thu, 3 Oct 1996 18:52:57 -0700 (PDT) Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by dns1.noc.best.net (8.6.12/8.6.5) with ESMTP id RAA01818; Thu, 3 Oct 1996 17:37:27 -0700 Received: from [204.156.153.118] (mblakele.vip.best.com [204.156.153.118]) by shellx.best.com (8.6.12/8.6.5) with ESMTP id RAA04437; Thu, 3 Oct 1996 17:36:38 -0700 X-Sender: mblakele@pop Message-Id: In-Reply-To: <9610030100.AA03436@ukn0.garrison.com.> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 3 Oct 1996 17:17:37 -0700 To: jeromie@garrison.com (Hmm) From: Camille Blakeley Subject: Re: Opinions/Experiences re: Sidewinder? Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I cannot speak of earlier versions than 2.2, but 2.2 & 3.0 appear to >be quite easy in order to add generic proxies. I was able to do so in a >matter >of 15 minutes my first time, following the manuals instructions. By the way, >the manual for Sidewinder is much better than the documentation I have seen >elsewhere, including Gauntlet. Have you found a good paper on custom >configuration of the netperm-table!?!?@#? I believe I was using 2.2. I agree their documentation (for the GUI interface, not what it is actually doing) is first rate. However, I regard having to vi at least 4 different files (more if you want to be able to let that port back in, as well), as well as a few other functions, in order to make a proxy excessive. My recollection of TIS was two files. I would also like to add that their tech support is very good at what it does. 
They can coach you through their interface and do preliminary UNIX commands on the command line if necessary (they prefer not to). Unfortunately, they have the same fault as the documentation; they have very little knowledge (if any) of UNIX and don't have a real good understanding of what the operating system is doing, only their GUI. As to the netperm-table, I found the man pages with my old version of TIS to be sufficient. However, I didn't expect much, the software was free :-). Camille Camille Blakeley (camille@blakeley.com)
From firewalls-owner Thu Oct 3 19:41:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA10651 for firewalls-outgoing; Thu, 3 Oct 1996 19:21:31 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA10627 for ; Thu, 3 Oct 1996 19:21:19 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id WAA02869; Thu, 3 Oct 1996 22:26:49 -0500 From: Adam Shostack Message-Id: <199610040326.WAA02869@homeport.org> Subject: NT FTPd? To: ntsecurity@iss.net Date: Thu, 3 Oct 1996 22:26:48 -0500 (EST) Cc: firewalls@greatcircle.com (Firewalls mailing list) X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
(Cross posted to Firewalls, ntsec) I'm looking for an FTP server to run on Windows NT. My criteria are:
* Claims to offer security
* Can provide ability to prevent moving up a directory tree. (chroot)
* Can use NT login mechanisms to control login & activity as different users.
Source would be nice. Free would be nice, but a downloadable demo version is a must for pay software. Please respond to me, and I'll summarize. Adam -- "Every year the Republicans campaign like Libertarians, and then go to Washington and spend like Democrats." Vote Harry Browne for President.
http://www.harrybrowne96.org
From firewalls-owner Thu Oct 3 20:42:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA16278 for firewalls-outgoing; Thu, 3 Oct 1996 20:35:21 -0700 (PDT) Received: from wichita.fn.net ([204.233.71.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA16271 for ; Thu, 3 Oct 1996 20:35:10 -0700 (PDT) Received: (from bkmarsh@localhost) by wichita.fn.net (8.7.6/8.6.9) id WAA02884; Thu, 3 Oct 1996 22:34:44 -0500 (CDT) Date: Thu, 3 Oct 1996 22:34:43 -0500 (CDT) From: "Bruce M." X-Sender: bkmarsh@wichita.fn.net To: firewalls@greatcircle.com Subject: Re: Check Point and SYN Flood Attack (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
---------- Forwarded message ---------- Date: Thu, 03 Oct 1996 15:53:54 -0700 From: Bradley Brown To: "Bruce M." Subject: Re: Check Point and SYN Flood Attack Bruce, My comments below, /Bradley Bruce M. wrote: > > On Thu, 3 Oct 1996, Bradley Brown wrote: > > > I saw your email on the FW mailing list. I suggest you read the white > > paper posted on our site to get a better understanding of our solution. > > The key element of the SYN Flood attack is that a site (Firewall or > > Internet server) can be hosed due to the OS's inability to handle the > > unresolved connection attempts with an attack that uses less than 10% of > > the available bandwidth across a T1 connection. With SYNDefender, the OS > > is protected and valid Internet connections can pass through the > > firewall to the destination server unimpeded. > > I read through the white paper and besides a few hazy blips about how > your "patent-pending Stateful Inspection" protects Firewall-1, I still > haven't received a decent refutation to my original observation: What is > going to keep the firewall itself from becoming ensnared in a SYN > flooding DOS attack?
> Even if it protects your host, won't Internet traffic > essentially stop reaching it if the firewall is stuck chasing down SYNs > from bogus addresses? Am I missing an important factor in this equation? Several points to try to make this more clear:
1. SYN Floods take advantage of a queue managed by the OS. This queue is typically small in size and requires significant resources of the host if made much larger. Typically, this queue handles about 10 connection attempts and can be filled in seconds with a SYN Flood Attack. This is the whole reason the attack is so effective - it can be launched from a limited bandwidth link and still be effective at creating a denial of service condition.
2. Management of SYN connection attempts with FireWall-1 IS NOT managed by the OS, or a user-level process. It is managed at the kernel-level using software specifically designed to do this WITHOUT the memory/CPU overhead or limitations normally imposed by the OS. The Check Point solution can handle thousands of simultaneous connection attempts without danger of filling any queues. Valid connection attempts will be completed as per usual while invalid attempts will be timed out by the firewall and discarded from the firewall queue (the only time valid attempts do not get through is when the queue is filled up and cannot accept additional requests, which is NOT a problem with FireWall-1). Assume, for example, that the attacker is sending 500 packets per second. If the timeout is set to 5 seconds, then the largest number of unresolved connections which will exist at any point in time is about 2500, which does not even come close to exceeding FireWall-1's ability to track connections. The only way the SYN Flood Attack can create a denial of service condition in this case is if the attacker is capable of filling the whole T1 pipe to the firewall, in which case, they might as well use another more effective approach to fill the pipe. Hopefully this explains everything clearly.
I assume you currently have a pure proxy-based firewall which is vulnerable to this type of attack (and hence, your view that the firewall 'must' have the same limitations as the target host). If so, it might be worth your while to look more closely at FireWall-1 which combines kernel-level intelligence with traditional proxies to give you the best of both worlds. Only firewalls with kernel-level intelligence can block SYN Flooding Attacks efficiently and be totally immune to standard scanners, etc. > > ________________________________ > [ Bruce M. - Feist Systems, Inc. ] > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > 'DISA information shows that computer attacks on the > Department of Defense are successful 65 percent of the time. > The DoD, despite its problems, probably has one of the strongest > computer security programs in government.' -GAO/T-AIMD-96-108 -- ----------------------------------------------------------------------- Bradley Brown Email: bradley@us.checkpoint.com CheckPoint Software Technologies Phone: (415) 562-0400 x225 "Global Secure Connectivity" Fax: (415) 562-0410 From firewalls-owner Thu Oct 3 21:26:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA19083 for firewalls-outgoing; Thu, 3 Oct 1996 21:14:24 -0700 (PDT) Received: from hermes.intel.com (hermes.intel.com [143.183.152.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA19074 for ; Thu, 3 Oct 1996 21:14:14 -0700 (PDT) Received: from ts58-10.tor.iSTAR.ca by hermes.intel.com (8.7.6/10.0i); Thu, 3 Oct 1996 21:13:35 -0700 Received: by ts58-10.tor.iSTAR.ca with Microsoft Mail id <01BBB188.780FF180@ts58-10.tor.iSTAR.ca>; Fri, 4 Oct 1996 00:10:37 -0400 Message-ID: <01BBB188.780FF180@ts58-10.tor.iSTAR.ca> From: Gene Lee To: "ntsecurity@iss.net" Cc: Firewalls mailing list Subject: RE: NT FTPd? 
Date: Fri, 4 Oct 1996 00:10:35 -0400 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thursday, October 03, 1996 6:26 PM, Adam Shostack[SMTP:adam@homeport.org] wrote: >I'm looking for a FTP server to run on Windows NT. > >* Claims to offer security >* Can provide ability to prevent moving up a directory tree. (chroot) >* Can use NT login mechanisms to control login & activity as >different users. > >Source would be nice. Free would be nice, but a downloadable demo >version is a must for pay software. NT comes standard with an ftpd (not sure if you'd call it secure though). You can also try: Winsock archive mirror: http://warum.uni-mannheim.de/systems/windows/win32/win95-winsock/Daemons/FTPD/00_index.txt Commercial NT ftpd: http://www.gekko.com/library/internet/Internet%20NT%20FTP%20Deamon I've heard rumours of an NT port of wu-ftpd, but I can't substantiate this. -- Gene Lee genel@inforamp.net genelee@vnet.ibm.com From firewalls-owner Thu Oct 3 21:41:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA19542 for firewalls-outgoing; Thu, 3 Oct 1996 21:20:52 -0700 (PDT) Received: from wadjet.cerner.com ([159.140.254.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA19535 for ; Thu, 3 Oct 1996 21:20:42 -0700 (PDT) Received: from wadjet.cerner.com (daemon@localhost) by wadjet.cerner.com (8.7.2/8.7.2) with ESMTP id XAA21109 for ; Thu, 3 Oct 1996 23:23:10 -0500 (CDT) Received: from mailwhq05.cerner.com (mailwhq05.cerner.com [159.140.10.42]) by wadjet.cerner.com (8.7.2/8.7.2) with SMTP id XAA21105 for ; Thu, 3 Oct 1996 23:23:10 -0500 (CDT) Received: by mailwhq05.cerner.com with Microsoft Exchange (IMC 4.0.837.3) id <01BBB181.1CB40D00@mailwhq05.cerner.com>; Thu, 3 Oct 1996 23:17:57 -0500 Message-ID: From: "Bird,Tina" To: "'firewalls@greatcircle.com'" Subject: Re: Gauntlet vs. 
Sidewinder Date: Thu, 3 Oct 1996 23:17:07 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'll start with the disclosure: I don't work for SCC, tho' I do have several school friends who do... I've been running Sidewinder versions 2.2 and 3.0 for about a year now. I was responsible for the selection of our Internet firewall, and chose Sidewinder because of the "type enforcement" (which prevents hostile processes from accessing files or memory or any of those other bad things), because changes to executable code on the system are forbidden when the network connections are live, and because there's no all-powerful "root" account on the system despite its being a modified BSD UNIX. None of the other commercially available application proxy firewalls have security features this strong built into the operating system (at least, not that I was able to identify during my product review!). The initial installation of the 2.2 software was pretty ugly, due to the complexity of our corporate network and our struggle with getting exactly the right hardware components. However, throughout the installation and, in fact, throughout our work with SCC, we've found the technical support staff and developers to be tremendously helpful. None of my outstanding support issues have "out-stood" more than a couple of days. Our PC environment provides plenty of opportunity to stress our suppliers (we've got an internal network with over 2000 Win95 PCs and servers ranging from NT to an IBM SP2, with lots of VAXen thrown in for good measure), and SCC met the challenges head-on. As the person responsible for integrating firewall security into all of Cerner's network applications, I'm a lot more productive thanks to the robustness of the Sidewinder and the solid relationship I have with Secure Computing. 
(Honest, they're not paying me for this.) I'm not quite as familiar with the 3.0 software, having only installed it last week, but it appears to have a much more flexible User/Groups mechanism. My only qualm at the moment is that I've got two boxes with pretty complicated user access rules and access control lists, and at this time I have no idea of how to port that information into the upgraded system. I considered the Gauntlet system in my initial product review, but a couple of the executive level requirements for the Internet firewall (read: non-technical) precluded its use. I was able to directly compare the Sidewinder with the Eagle system, the Digital Firewall (don't know if that's still its name) and IBM's product -- none of these three had such good OS-level security as the Sidewinder did. Tina Bird UNIX System Administrator Cerner Corporation From firewalls-owner Thu Oct 3 22:58:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA24700 for firewalls-outgoing; Thu, 3 Oct 1996 22:48:58 -0700 (PDT) Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA24693 for ; Thu, 3 Oct 1996 22:48:46 -0700 (PDT) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id WAA29456 for ; Thu, 3 Oct 1996 22:02:11 -0700 Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id WAA28561 for ; Thu, 3 Oct 1996 22:43:21 -0700 Date: Thu, 3 Oct 1996 22:43:20 -0700 (PDT) From: Michael Dillon To: "Firewalls@GreatCircle.COM" Subject: RE: Fireballs-Digest V5 #550 In-Reply-To: Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 3 Oct 1996, Rabid Wombat wrote: > and leaving IP routing turned on, etc. 
These are the things I'm trying to > stop. NOT someone on the inside who writes a winsock-capable TCP/IP app > that tunnels through IPX to get to the dial-out, so he/she can dial into > another system that breaks out the IP and passes it on. Like I said - the > insider could just walk off with a tape or disk. It is the outside I'm > worried about. That TCP/IP tunnel is a hole. If someone is running a scanner looking for winsock machines, they will find your user's machine, and if IP routing is enabled or if there is an exploitable bug that allows them to make IP routing happen, then your firewall is non-existent. Basically, vulnerable OSes (anything but properly configured UNIX systems) should never be exposed to the net. A firewall should always be protecting them. Thus, burn all your modems and only allow application layer connections via your firewall. Michael Dillon - ISP & Internet Consulting Memra Software Inc. - Fax: +1-604-546-3049 http://www.memra.com - E-mail: michael@memra.com From firewalls-owner Fri Oct 4 01:26:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA28688 for firewalls-outgoing; Fri, 4 Oct 1996 00:59:43 -0700 (PDT) Received: from mail1.digital.com (mail1.digital.com [204.123.2.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA28680 for ; Fri, 4 Oct 1996 00:59:33 -0700 (PDT) Received: from osftag.geo.dec.com by mail1.digital.com (5.65 EXP 4/12/95 for V3.2/1.0/WV) id AA12205; Fri, 4 Oct 1996 00:54:27 -0700 Received: from osftag.geo.dec.com (osftag.geo.dec.com [16.184.80.100]) by osftag.geo.dec.com (8.7.1/8.6.10) with SMTP id JAA23207; Fri, 4 Oct 1996 09:55:56 +0200 (MET DST) Message-Id: <3254C30B.446B@osftag.geo.dec.com> Date: Fri, 04 Oct 1996 09:55:55 +0200 From: thierry agassis Organization: Multivendor Customers Services - Digital X-Mailer: Mozilla 2.0 (X11; I; OSF1 V3.2 alpha) Mime-Version: 1.0 To: Marc Chatel Cc: firewalls@GreatCircle.COM Subject: Re: Need volunteer FTP 
archive site to host new security software References: <1.5.4.32.19961003205647.00698e6c@pop.dial.oleane.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Marc (author of RFC1919), Many thanks for making S4 public. I know how much time and effort you've put into it. Could someone expose an S4'ed bastion host and ask the worst (or best?) hackers (in the right sense of the term!) to break it? Best regards! -- Thierry AGASSIS Mail address : UNIX and Internet Support thierry@osftag.geo.dec.com DEC-TEP 16 Partner URL : (from inside dec.com ): http://www-mcs.geo.dec.com
From firewalls-owner Fri Oct 4 02:03:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA02097 for firewalls-outgoing; Fri, 4 Oct 1996 01:50:24 -0700 (PDT) Received: from gmap-gw.gmap.leeds.ac.uk (gmap-gw.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id BAA02051 for ; Fri, 4 Oct 1996 01:50:10 -0700 (PDT) Received: (from root@localhost) by gmap-gw.gmap.leeds.ac.uk (8.7.6/8.6.9) id JAA17884 for ; Fri, 4 Oct 1996 09:50:54 +0100 (BST) Received: from gmap3.gmap.leeds.ac.uk(129.11.200.3) by gmap-gw via smap (V1.3) id sma017877; Fri Oct 4 09:50:48 1996 Received: from gmap.leeds.ac.uk (gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id JAA15564 for ; Fri, 4 Oct 1996 09:50:56 +0100 From: Danny Cox Date: Fri, 4 Oct 1996 09:49:30 +0000 Message-Id: <3172.9610040849@gmap.leeds.ac.uk> To: firewalls@greatcircle.com Subject: qmail X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Regarding one of our current threads .. are there many folk on this list who use qmail rather than smap[d] or sendmail etc.? I understand that it's reckoned to be pretty good, although I've not looked too hard at it - I got the impression that there are quite a few parts to it.
Cheers Danny From firewalls-owner Fri Oct 4 02:46:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA05708 for firewalls-outgoing; Fri, 4 Oct 1996 02:22:03 -0700 (PDT) Received: from mailhub.axion.bt.co.uk (mailhub.axion.bt.co.uk [132.146.5.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA05701 for ; Fri, 4 Oct 1996 02:21:49 -0700 (PDT) Received: from msmsmtp1.comnet.bt.co.uk (actually msmsmtp2.comnet.bt.co.uk) by mailhub.axion.bt.co.uk with SMTP (PP); Fri, 4 Oct 1996 09:36:35 +0100 Received: by msmsmtp1.comnet.bt.co.uk with Microsoft Mail id <3254CC1C@msmsmtp1.comnet.bt.co.uk>; Fri, 04 Oct 96 09:34:36 BST From: "Bettich,K,NAT22,BETTICK M" To: Firewalls Newsgroup Subject: RE: PIX (CISCO) Date: Fri, 04 Oct 96 09:35:00 BST Message-ID: <3254CC1C@msmsmtp1.comnet.bt.co.uk> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi According to the docs, the PIX is very secure. One of my colleagues had a chance to play with a box and he reckons it's got a very good performance in terms of speed and security. The PIX is using adaptive security which means all the inbound traffic is checked against Source and Destination IP address, Source and destination port number, protocol, TCP sequence number It conceals the Intranet from the outside world by running NAT. Dynamic address allocation is only enabled for connections initiated from the inside network and is port-specific. It has Private Link Encryption which allows users to communicate in privacy over a public IP network (secure tunnels). More info at the following URLs: http://www.cisco.com/warp/public/751/pix/index.html http://www.translation.com/ Best regards Karim ---------- From: Adrian Gustavo Russo To: firewalls Subject: PIX (CISCO) Date: 03 October 1996 09:29 Hi is the PIX-FIREWALL Cisco with NAT a secure firewall in my intranet? 
-- _\|/_ (o o) +---------------------oOO-(_)-OOo---------------------+ | | | Adrian Gustavo Russo | | ==================== | | Licenciado en Informatica - Analista de Sistemas | | | | Silicon Graphics Argentina | | e-mail: arusso@buenosaires.sgi.com | | tel: 54 1 311-6666 | | | | Universidad Nacional de La Plata Argentina | | e-mail: arusso@isis.unlp.edu.ar | | tel: 54 21 35-102 | | | +-----------------------------------------------------+ (_| |_) From firewalls-owner Fri Oct 4 02:59:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA06403 for firewalls-outgoing; Fri, 4 Oct 1996 02:31:07 -0700 (PDT) Received: from mhead.saic.com ([194.131.225.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA06373 for ; Fri, 4 Oct 1996 02:30:40 -0700 (PDT) Received: from eumadw027.EUMAD by mhead.saic.com (SMI-8.6/SMI-SVR4) id KAA29561; Fri, 4 Oct 1996 10:30:30 +0100 Received: by eumadw027.EUMAD with Microsoft Mail id <01BBB1DE.8B59E100@eumadw027.EUMAD>; Fri, 4 Oct 1996 10:26:46 +-100 Message-ID: <01BBB1DE.8B59E100@eumadw027.EUMAD> From: Suheil Shahryar To: "'firewalls@greatcircle.com'" Cc: "'Chip Coy'" , "'Steve Manning (SAIC)'" Subject: RE: Information Seeking Date: Fri, 4 Oct 1996 10:26:38 +-100 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 1 Oct 1996, John Anonymous MacDonald wrote: > Can anyone on this list recommend a reputable and professional group > that can perform security (both network and host; Internet related) audits > at a medium sized company located in the United States? Try SAIC: http://www.saic.com/consulting/index.html or send an email to STEVE.A.MANNING@cpmx.saic.com. (SAIC stands for Science Applications International Corporation.) Our clients come from US commercial and financial institutions, government, national security & defense, energy, health, etc. 
Alternatively, I will be happy to receive and respond to your requirements. I work for SAIC LTD in the UK, where we provide consultancy and systems integration services based around security technologies (including enterprise audits and web security) to European clients of SAIC.

Suheil Shahryar
Senior Technology Consultant
SAIC LTD
Berkshire House, Queen Street
Maidenhead, Berks SL6 1NF
UK
Tel: +44-1628-686121
Fax: +44-1628-686198
email: Suheil.Shahryar@cpmx.saic.com

NOTE: ANY OPINIONS EXPRESSED ABOVE ARE PERSONAL ONLY.

From firewalls-owner Fri Oct 4 04:46:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA13967 for firewalls-outgoing; Fri, 4 Oct 1996 04:21:54 -0700 (PDT)
Received: from garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA13955 for ; Fri, 4 Oct 1996 04:21:39 -0700 (PDT)
Received: by garrison.com; id AAA10389; Thu, 3 Oct 1996 00:38:31 -0500
Received: from unknown(10.0.0.2) by gw.garrison.com via smap (V3.1.1) id xma010335; Thu, 3 Oct 96 00:38:06 -0500
Received: by ukn0.garrison.com. (4.1/Nutered Mailer) id AA03519; Fri, 4 Oct 96 06:16:24 CDT
Date: Fri, 4 Oct 96 06:16:24 CDT
From: jeromie@garrison.com (Jeromie Jackson)
Message-Id: <9610041116.AA03519@ukn0.garrison.com.>
To: Firewalls@greatcircle.com, BETTICK@boat.bt.com
Subject: RE: PIX (CISCO)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Hi
> According to the docs, the PIX is very secure. One of my colleagues had a
> chance to play with a box and he reckons it's got a very good performance in
> terms of speed and security.
> The PIX is using adaptive security which means all the inbound traffic is
> checked against Source and Destination IP address, Source and destination
> port number, protocol, TCP sequence number

This is called "IP FILTERING".

> It conceals the Intranet from the outside world by running NAT. Dynamic
> address allocation is only enabled for connections initiated from the inside
> network and is port-specific.
> It has Private Link Encryption which allows users to communicate in privacy
> over a public IP network (secure tunnels).
>

This box is an IP filtering box that understands "Stateful Inspection" or "SYN/ACK" flags, or whatever you care to call it. The box has the same limitations as all other IP filtering mechanisms. It does not increase the level of assurance of the existing daemons, thus doesn't put a very strong bubble around your network. IP filtering relies on header information (src, port, dst, port, flags).

My usual ACL example:

"We do not allow any inbound connections EXCEPT SMTP"
"We allow only XYZ.COM to connect to our telnet port"

That would be a fair policy for many corporations. Spoofing IP addresses is quite trivial. If someone can spoof the address of XYZ.COM, they would effectively circumvent the ACLs in place, thus busting through the perimeter bubble.

This would be similarly true of application level gateways, although in app. gateways you also have the ability to increase the level of assurance of the daemons, separate the outside network services from the internal network, provide 2-factor authentication mechanisms, and have a decent/good audit & data reduction tool to audit traffic.
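The header-only matching Jeromie describes, as an added example that is not part of the original post: a first-match ACL evaluator in Python carrying his two rules, plus an ingress anti-spoofing check of the kind a defender adds in front of such a list. The addresses (192.0.2.10 standing in for XYZ.COM, 198.51.100.0/24 as the inside network) and the rule syntax are assumptions chosen for illustration.

```python
# Added example: first-match packet-filter ACL evaluator (not from the original post).
# Addresses and rule syntax are assumptions chosen for illustration.
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source address exactly as written in the IP header (unverified)
    dst: str
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool     # TCP ACK flag: clear on the opening SYN, set on every later segment
    iface: str    # interface the packet arrived on: "outside" or "inside"


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # network the header's source address must fall in
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port
    established: bool = False      # True: match only segments with ACK set

    def matches(self, p: Packet) -> bool:
        """Every field the rule specifies must match; unspecified fields are wildcards."""
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not p.ack:
            return False
        return True


INTERNAL_NET = ip_network("198.51.100.0/24")   # assumed inside network
XYZ_COM = "192.0.2.10"                          # assumed address of "XYZ.COM"

# Jeromie's example policy as an inbound ACL on the outside interface.
INBOUND_ACL: List[Rule] = [
    Rule("permit", proto="tcp", established=True),               # replies to connections we opened
    Rule("permit", proto="tcp", dport=25),                       # inbound SMTP from anywhere
    Rule("permit", proto="tcp", dport=23, src=XYZ_COM + "/32"),  # telnet only from XYZ.COM
    Rule("deny"),                                                # everything else
]


def ingress_ok(p: Packet) -> bool:
    """Anti-spoofing ingress check: a packet arriving from outside must not claim an
    inside source address. This catches forged *internal* addresses only; a forged
    external address such as XYZ.COM's looks identical to the genuine one in the header."""
    return not (p.iface == "outside" and ip_address(p.src) in INTERNAL_NET)


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins, with an implicit deny at the end, as on a router ACL."""
    if not ingress_ok(p):
        return "deny"
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def demo() -> dict:
    """Run constructed packets through the ACL and return each verdict."""
    server = "198.51.100.5"   # assumed address of the inside telnet/SMTP host
    cases = {
        "smtp_from_anywhere":  Packet("203.0.113.7", server, "tcp", 40000, 25, False, "outside"),
        "telnet_from_xyz":     Packet(XYZ_COM, server, "tcp", 40001, 23, False, "outside"),
        "telnet_from_other":   Packet("203.0.113.7", server, "tcp", 40002, 23, False, "outside"),
        # Header fields identical to telnet_from_xyz; the filter has no way to know
        # whether XYZ.COM really sent it, which is the limitation the post describes.
        "telnet_claiming_xyz": Packet(XYZ_COM, server, "tcp", 40003, 23, False, "outside"),
        "forged_inside_src":   Packet("198.51.100.9", server, "tcp", 40004, 23, False, "outside"),
        "reply_to_outbound":   Packet("203.0.113.7", server, "tcp", 80, 51000, True, "outside"),
    }
    return {name: evaluate(INBOUND_ACL, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```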
Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Fri Oct 4 05:14:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA15405 for firewalls-outgoing; Fri, 4 Oct 1996 05:02:33 -0700 (PDT)
Received: from ragnarok.hks.com ([192.101.199.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA15398 for ; Fri, 4 Oct 1996 05:02:23 -0700 (PDT)
Received: (qmail 21702 invoked by uid 401); 4 Oct 1996 12:01:56 -0000
Date: Fri, 4 Oct 1996 08:01:56 -0400 (EDT)
From: Jim Littlefield
To: Danny Cox
cc: firewalls@GreatCircle.COM
Subject: Re: qmail
In-Reply-To: <3172.9610040849@gmap.leeds.ac.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 4 Oct 1996, Danny Cox wrote:
> Regarding one of our current threads .. are there many folk on this list
> use qmail rather than smap[d] or sendmail etc. ? I understand that it's
> reckoned to be pretty good, although I've not looked too hard at it - I
> got the impression that there are quite a few parts to it.

I have been running it on a few machines, including my firewall/mail server. It is quite a bit different than sendmail w/smap, but seems to be very effective at delivering high volumes of mail.

Is it secure? Having examined the source somewhat, it certainly appears that Dan has made a good effort at reducing/eliminating the problems with sendmail, without losing functionality. Is it secure? ...the vote is still out.

Cheap, fast, secure...pick any two ;)

--
Jim Littlefield

"I used to be an airline pilot. I got fired because I kept locking the keys in the plane. They caught me on an 80 foot stepladder with a coathanger."
- Steven Wright

From firewalls-owner Fri Oct 4 05:31:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA16116 for firewalls-outgoing; Fri, 4 Oct 1996 05:17:16 -0700 (PDT)
Received: from www.webgalaxy.net (www.allensysgroup.com [205.245.8.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA16108 for ; Fri, 4 Oct 1996 05:17:02 -0700 (PDT)
Received: from snapper.naplesoft.com ([205.245.8.252]) by www.webgalaxy.net (post.office MTA v1.9.3 ID# 0-16970) with SMTP id AAA220 for ; Fri, 4 Oct 1996 08:17:42 -0400
Received: by snapper.naplesoft.com with Microsoft Mail id <01BBB1C3.B1C90160@snapper.naplesoft.com>; Fri, 4 Oct 1996 07:14:34 -0400
Message-ID: <01BBB1C3.B1C90160@snapper.naplesoft.com>
From: bbrown@allensysgroup.com (Bobby Brown )
To: "'Firewalls@GreatCircle.COM'"
Subject: Raptor for NT user wanted
Date: Fri, 4 Oct 1996 07:14:33 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would like to have contact with other Raptor firewall users running on Windows NT for information sources and discussions. I am presently running 3.02 till the new version is released. Contact me directly by e-mail (not the mail list).

TIA,
Bobby Brown

****************************************************************
Bobby Brown                          Allen Systems Group, INC.
750 11th Street South                FAX- 941-263-1952
Naples, FL. 33940                    BUS- 941-435-2299
bbrown@allensysgroup.com
http://www.allensysgroup.com
http://www.webgalaxy.net

From firewalls-owner Fri Oct 4 06:05:10 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA18001 for firewalls-outgoing; Fri, 4 Oct 1996 05:38:55 -0700 (PDT)
Received: from fire1.sprintlink.net (fire1.sprintlink.net [206.229.244.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA17964 for ; Fri, 4 Oct 1996 05:38:38 -0700 (PDT)
Received: from mercury.int.sprintlink.net ([206.229.244.25]) by fire1.sprintlink.net via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 4 Oct 1996 12:39:57 UT
Received: (from dvv@localhost) by mercury.int.sprintlink.net (8.7.3/8.6.12) id IAA19398; Fri, 4 Oct 1996 08:38:17 -0400 (EDT)
Message-Id: <199610041238.IAA19398@mercury.int.sprintlink.net>
Subject: Re: Check Point and SYN Flood Attack (fwd)
To: bkmarsh@feist.com (Bruce M.)
Date: Fri, 4 Oct 1996 08:38:16 -0400 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Bruce M." at Oct 3, 96 10:34:43 pm
From: dvv@sprint.net (Dima Volodin)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bruce M. writes:
>
> Several points to try to make this more clear:
> 1. SYN Floods take advantage of a queue managed by the OS. This queue is
> typically small in size and requires significant resources of the host
  ^^^^^^^^^^^^^^^
[etc etc etc]

Now do you remember the "typical" way Win 3.xx handled the VM? Do you remember a certain product (SoftRAM? RAMDoubler? I never remember its name) that "intelligently" handled Win's deficiency? Now do you remember what happened to that product when Win'95 started using a more-or-less decent VM? Same for SYNDefender or what-its-name - OS kernels might be easily fixed to handle SYN flood attacks.
The resource consumption is absolutely the same as it is for whatever firewall - you always have _this_ many bytes to keep track of TCP state. And, BTW, 5 sec is way too low for the timeout.

Dima

From firewalls-owner Fri Oct 4 06:41:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA23596 for firewalls-outgoing; Fri, 4 Oct 1996 06:28:59 -0700 (PDT)
Received: from ACML.COM ([206.218.249.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA23491 for ; Fri, 4 Oct 1996 06:28:21 -0700 (PDT)
Received: from smtpngw.acml.com by ACML.COM (SMI-8.6/SMI-SVR4) id JAA08695; Fri, 4 Oct 1996 09:33:45 -0400
Received: by smtpngw.acml.com (IBM OS/2 SENDMAIL VERSION 1.3.14/2.12um) id AA7539; Fri, 04 Oct 96 09:27:13 -0400
Message-Id: <9610041327.AA7539@smtpngw.acml.com>
Received: from ACML with "Lotus Notes Mail Gateway for SMTP" id C45B5880E649CA22852563B90049BCAD; Fri, 4 Oct 96 09:27:11
To: Firewalls-Digest
Cc: firewalls-digest
From: Rey LeClerc/New York/ACMC
Date: 4 Oct 96 9:26:21
Subject: Information Security Administrator - UNIX / Internet Systems
X-Lotus-Type: Reply to _All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I do not know if this is the right place for this, but we are currently looking for an Information Security Administrator - UNIX / Internet Systems. Attached is the position description. If there is any interest, please contact rey_leclerc@acml.com. Thanks.

POSITION DESCRIPTION

TITLE: Information Security Administrator - UNIX / Internet Systems
DEPARTMENT: CSD Planning & Control
REPORTS TO: AVP, Information Security, CSD Planning & Control
LOCATION: New York (AMA)

SUMMARY: The purpose of this job is to administer and enforce logical and manual security controls and procedures to protect company hardware, software, networks, and data in UNIX, Firewalls and Internet distributed system platforms.

RESPONSIBILITIES:

Evaluate, select, test, implement and enforce manual and automated security controls that promote the safeguard of Alliance Capital's assets, including the implementation and maintenance of single sign-on mechanisms.

Develop user profiles or other access control devices for data access for UNIX servers, including SecurID.

Ensure that security files and all system user activities comply with the existing security policies, standards and procedures established by the Information Security Committee.

Install, maintain and monitor the usage of firewalls and Internet access.

Perform security database administration maintenance activities including: receiving, reviewing, processing and filing all computer security forms and documents; granting, implementing and revoking access to computer systems and resources; ensuring all terminations and transfers are correctly reflected in the security files; making changes to the security files to reflect necessary corrections; ensuring the security files are backed up on a daily basis; and administering the remote dial-in server.

Perform audit activities including: daily and weekly reviews of the audit files; monitoring and following up on apparent unauthorized access and security violations; performing periodic reviews to evaluate the effectiveness of security practices; and identifying risky security areas and advising the Information Security Manager and appropriate management.

Maintain ongoing communications with all system users and resource owners; operate as a security help desk by answering questions, resolving problems, providing assistance and conducting orientation sessions for system owners and resource owners.

Back up the Mainframe Information Security Administrator.

Assist in the development, implementation, testing and maintenance of the disaster recovery/business resumption plans.

DIMENSIONS:

NUMBER OF DIRECT REPORTS: None
NUMBER SUPERVISED (EXCL. DIRECT REPORTS): N/A
CSD OPERATING BUDGET: N/A
CSD-CONTROLLED CAPITAL EXPENDITURE BUDGET: N/A

BACKGROUND REQUIRED:

EDUCATION: Bachelor's degree in business, computer science or information systems is essential. Certification as information systems auditor (CISA), information systems security professional (CISSP) or Novell NetWare Engineer (CNE) a plus.

EXPERIENCE: 4-6 years' experience with UNIX and Internet system administration. Knowledge of Novell NetWare, Windows NT, OS/2, and information security a plus.

SPECIALIZED SKILLS: Must have technical expertise with UNIX. Knowledge of security techniques and information systems controls to secure UNIX, Sybase and firewall software. Novell NetWare, Windows NT and OS/2 platforms a plus. Must be able to write information security scripts using C and Perl. Skills in recording and reporting data accurately, filing and retrieving information, checking data for completeness and compliance with standards. Skills in written and verbal communications, relating technical aspects to management and end users. Skills in reading and evaluating technical information. Skills in managing, planning and organizing their own work efforts. Ability to react calmly, quickly, and rationally during crisis situations.
From firewalls-owner Fri Oct 4 06:56:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA24579 for firewalls-outgoing; Fri, 4 Oct 1996 06:40:57 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA24558 for ; Fri, 4 Oct 1996 06:40:41 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id IAA10400; Fri, 4 Oct 1996 08:40:12 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma011785; Fri Oct 4 08:39:00 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA03404; Fri, 4 Oct 1996 08:39:00 -0500
Received: by sonic.nmti.com; id AA02372; Fri, 4 Oct 1996 08:38:53 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9610041338.AA02372@sonic.nmti.com.nmti.com>
Subject: Re: NT FTPd?
To: genel@inforamp.net (Gene Lee)
Date: Fri, 4 Oct 1996 08:38:53 -0500 (CDT)
Cc: ntsecurity@iss.net, firewalls@GreatCircle.COM
In-Reply-To: <01BBB188.780FF180@ts58-10.tor.iSTAR.ca> from "Gene Lee" at Oct 4, 96 00:10:35 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thursday, October 03, 1996 6:26 PM, Adam Shostack[SMTP:adam@homeport.org] wrote:
>I'm looking for a FTP server to run on Windows NT.
>
>* Claims to offer security

The FTP protocol has no security capability. If you want security, don't use FTP. See if there's an ssh server for NT and use scp, or use HTTPS/SSL.
From firewalls-owner Fri Oct 4 07:36:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA24768 for firewalls-outgoing; Fri, 4 Oct 1996 06:43:46 -0700 (PDT)
Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA24761 for ; Fri, 4 Oct 1996 06:43:31 -0700 (PDT)
Received: from ws-jax-d3810 by scruz.net (8.7.3/1.34) id GAA07465; Fri, 4 Oct 1996 06:43:05 -0700 (PDT)
Date: Fri, 4 Oct 96 09:43:48
From: rich
Subject: smtp and auth
To: firewalls@greatcircle.com
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon notFound, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What would cause SOME mail servers to send back an AUTH/113 connection before allowing mail to be sent? Also, it seems to be random. In other words, some servers do it sometimes but other times they do not.

Since I am blocking all connection requests from the outside in, this causes some of my internal mail servers to hang from time to time. When I looked at the firewall logs, I see SYNs coming from the mail server at the other end trying port 113.

Any hints?
thanks,
rich

From firewalls-owner Fri Oct 4 07:46:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA25052 for firewalls-outgoing; Fri, 4 Oct 1996 06:50:40 -0700 (PDT)
Received: from mailbox.neosoft.com (mailbox.neosoft.com [206.109.1.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA25045 for ; Fri, 4 Oct 1996 06:50:31 -0700 (PDT)
Received: from fw.nmti.com (fw.baileynm.com [206.109.159.11]) by mailbox.neosoft.com (8.7.5/8.7.3) with SMTP id IAA11302; Fri, 4 Oct 1996 08:50:02 -0500 (CDT)
Received: from web.nmti.com(198.178.0.201) by fw.nmti.com via smap (V1.3) id sma011833; Fri Oct 4 08:48:05 1996
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA03545; Fri, 4 Oct 1996 08:48:05 -0500
Received: by sonic.nmti.com; id AA02979; Fri, 4 Oct 1996 08:47:58 -0500
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9610041347.AA02979@sonic.nmti.com.nmti.com>
Subject: Re: Fireballs-Digest V5 #550
To: michael@memra.com (Michael Dillon)
Date: Fri, 4 Oct 1996 08:47:58 -0500 (CDT)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Michael Dillon" at Oct 3, 96 10:43:20 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Basically, vulnerable OSes (anything but properly configured UNIX systems)

Wouldn't you say that VMS was probably pretty safe, so long as you remember to change the field service password?
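On rich's question above about SYNs to port 113: the AUTH/113 connection he sees is the ident protocol on TCP port 113. The following is an added example, not from any post in this thread, that correlates the firewall's dropped port-113 SYNs with the SMTP sessions the internal mail server opened, so that callbacks tied to mail we are delivering can be told apart from unrelated probes. The log format, the mail server address 198.51.100.25 and the sample lines are all constructed for the example.

```python
# Added example: correlate dropped inbound SYNs to port 113 (ident/auth) with the
# SMTP sessions our mail server opened. Log format, addresses and lines are constructed.
import re
from collections import defaultdict
from typing import Dict, List

MAIL_SERVER = "198.51.100.25"   # assumed address of the internal mail server
SMTP_PORT = 25
IDENT_PORT = 113

# Assumed log format:
#   "<timestamp> <host> kernel: <ACCEPT|DROP> <in|out> <proto> src:sport -> dst:dport <flags>"
LOG_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<action>ACCEPT|DROP) (?P<dir>in|out) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)

# Constructed sample: our server opens SMTP to 203.0.113.20, which connects back to
# port 113 three times (the remote ident client retransmitting its SYN, because a
# silent drop gives it no answer); 192.0.2.77 probes 113 with no mail in flight.
SAMPLE_LOG = """\
Oct  4 09:12:01 fw kernel: ACCEPT out tcp 198.51.100.25:40112 -> 203.0.113.20:25 SYN
Oct  4 09:12:02 fw kernel: DROP in tcp 203.0.113.20:3344 -> 198.51.100.25:113 SYN
Oct  4 09:12:05 fw kernel: DROP in tcp 203.0.113.20:3344 -> 198.51.100.25:113 SYN
Oct  4 09:12:11 fw kernel: DROP in tcp 203.0.113.20:3344 -> 198.51.100.25:113 SYN
Oct  4 09:13:00 fw kernel: DROP in tcp 192.0.2.77:5500 -> 198.51.100.25:113 SYN
Oct  4 09:14:00 fw kernel: ACCEPT out tcp 198.51.100.25:40113 -> 192.0.2.88:25 SYN
""".splitlines()


def _seconds(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse(lines: List[str]) -> List[dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        e = m.groupdict()
        e["t"] = _seconds(e["time"])
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events


def classify_ident_syns(lines: List[str], window: int = 120) -> Dict[str, dict]:
    """For each outside host whose SYNs to port 113 on the mail server were dropped,
    count them and flag whether we had opened SMTP to that host within `window`
    seconds beforehand, i.e. whether this is an ident callback for mail we are sending."""
    events = parse(lines)
    smtp_opened: Dict[str, List[int]] = defaultdict(list)   # peer -> times we connected to its port 25
    for e in events:
        if e["dir"] == "out" and e["src"] == MAIL_SERVER and e["dport"] == SMTP_PORT:
            smtp_opened[e["dst"]].append(e["t"])
    report: Dict[str, dict] = {}
    for e in events:
        if not (e["dir"] == "in" and e["action"] == "DROP"
                and e["dst"] == MAIL_SERVER and e["dport"] == IDENT_PORT):
            continue
        r = report.setdefault(e["src"], {"dropped_syns": 0, "callback": False})
        r["dropped_syns"] += 1
        if any(0 <= e["t"] - t0 <= window for t0 in smtp_opened.get(e["src"], [])):
            r["callback"] = True
    return report


if __name__ == "__main__":
    for peer, r in classify_ident_syns(SAMPLE_LOG).items():
        kind = "ident callback during our SMTP delivery" if r["callback"] else "unrelated ident probe"
        print(f"{peer}: {r['dropped_syns']} dropped SYN(s) to 113 - {kind}")
```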
From firewalls-owner Fri Oct 4 07:58:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA23574 for firewalls-outgoing; Fri, 4 Oct 1996 06:28:47 -0700 (PDT)
Received: from ACML.COM ([206.218.249.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA23478 for ; Fri, 4 Oct 1996 06:28:17 -0700 (PDT)
Received: from smtpngw.acml.com by ACML.COM (SMI-8.6/SMI-SVR4) id JAA08689; Fri, 4 Oct 1996 09:33:42 -0400
Received: by smtpngw.acml.com (IBM OS/2 SENDMAIL VERSION 1.3.14/2.12um) id AA7535; Fri, 04 Oct 96 09:27:09 -0400
Message-Id: <9610041327.AA7535@smtpngw.acml.com>
Received: from ACML with "Lotus Notes Mail Gateway for SMTP" id 3F7F631BAB88C4E7852563B900493280; Fri, 4 Oct 96 09:27:08
To: Firewalls-Digest
Cc: firewalls-digest
From: Rey LeClerc/New York/ACMC
Date: 4 Oct 96 9:26:47
Subject: Information Security Administrator - UNIX / Internet Systems
X-Lotus-Type: Reply to _All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I do not know if this is the right place for this, but we are currently looking for an Information Security Administrator - UNIX / Internet Systems. The position is based out of New York City. Attached is the position description. If there is any interest, please contact rey_leclerc@acml.com. Thanks.
From firewalls-owner Fri Oct 4 08:13:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA29106 for firewalls-outgoing; Fri, 4 Oct 1996 07:35:21 -0700 (PDT)
Received: from services.britgas.co.uk (gate.britgas.co.uk [193.133.101.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA29076 for ; Fri, 4 Oct 1996 07:35:03 -0700 (PDT)
Received: (from news@localhost) by services.britgas.co.uk (8.6.12/8.6.9) id PAA19050; Fri, 4 Oct 1996 15:38:32 +0100
To: firewalls@greatcircle.com
Path: usenet
From: Keith Vickers
Newsgroups: britgas.maillist.firewalls
Subject: test
Date: Fri, 04 Oct 1996 15:34:27 +0100
Organization: British Gas Services
Lines: 1
Message-ID: <32552073.6BE@service.britgas.co.uk>
NNTP-Posting-Host: 93.224.229.4
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 2.0 (Win95; I)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

ggfgg

From firewalls-owner Fri Oct 4 08:29:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA28310 for firewalls-outgoing; Fri, 4 Oct 1996 07:27:54 -0700 (PDT)
Received: from ultra1.dreamscape.com (ultra1.dreamscape.com [206.64.128.7]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA28276 for ; Fri, 4 Oct 1996 07:27:40 -0700 (PDT)
Received: from bertha.bcbsnye.com (sd25.dreamscape.com [206.114.183.250]) by ultra1.dreamscape.com (8.7.4/8.7.3) with SMTP id KAA12573 for ; Fri, 4 Oct 1996 10:26:09 -0400 (EDT)
Message-ID: <32551EF1.34AA@dreamscape.com>
Date: Fri, 04 Oct 1996 10:28:01 -0400
From: "Steven E. Matkoski"
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: async file transfers through firewall, how?
References: <199610040800.BAA28806@miles.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have the requirement to allow async users to transfer files to an FTP server. The async users connect to Cisco 2511s, which are connected to a perimeter network where the firewall is connected. I want the user to start a file transfer (X, Y, Z modem) and have the terminal server convert to FTP, which would be filtered by the firewall.

Has anyone tried anything like this? Or have any ideas if it is possible?

--
Thanks!
-steve.
matkoski@dreamscape.com

From firewalls-owner Fri Oct 4 08:35:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA29955 for firewalls-outgoing; Fri, 4 Oct 1996 07:42:24 -0700 (PDT)
Received: from yeager.nmh.org (YEAGER.NMH.ORG [165.20.13.23]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA29854 for ; Fri, 4 Oct 1996 07:41:51 -0700 (PDT)
Received: from nmhnt.nmh.org (nmhnt.nmh.org [165.20.13.27]) by yeager.nmh.org (8.6.9/8.6.9) with SMTP id JAA15007; Fri, 4 Oct 1996 09:44:43 -0500
Message-Id: <199610041444.JAA15007@yeager.nmh.org>
Date: Fri, 4 Oct 1996 09:54:00 -0500
From: "Davidson, Clyde"
Subject: RE: Gauntlet vs. Sidewinder
To: Firewalls , "'joav.kohn@us.landisstaefa.com'"
X-Mailer: Worldtalk (NetConnex V4.00a)/MIME
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Since this still is the subject, I've been told that Sidewinder works just that way. External users can only send to the sendmail that is on the external side of Sidewinder. It then passes the message to the sendmail on the internal side of Sidewinder. The internal sendmail then re-routes it to the internal servers. Therefore, if you crack the sendmail on the external side you still don't have access to the internal network.
Clyde Davidson
Data Security Coordinator
NMH

----------
Joav Kohn wrote:

"The proper way to set this up is to have the firewall itself accept mail with smapd and sendmail v8.6 and then re-route that mail to the internal servers. The internal servers are never vulnerable to an attack because the outside world cannot talk directly to them."

From firewalls-owner Fri Oct 4 08:41:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA29583 for firewalls-outgoing; Fri, 4 Oct 1996 07:39:31 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA29528 for ; Fri, 4 Oct 1996 07:39:01 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id KAA04915; Fri, 4 Oct 1996 10:44:12 -0500
From: Adam Shostack
Message-Id: <199610041544.KAA04915@homeport.org>
Subject: Re: NT FTPd?
To: peter@baileynm.com (Peter da Silva)
Date: Fri, 4 Oct 1996 10:44:11 -0500 (EST)
Cc: genel@inforamp.net, ntsecurity@iss.net, firewalls@GreatCircle.COM
In-Reply-To: <9610041338.AA02372@sonic.nmti.com.nmti.com> from "Peter da Silva" at Oct 4, 96 08:38:53 am
X-Mailer: ELM [version 2.4 PL24 ME8b]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Peter da Silva wrote:
| On Thursday, October 03, 1996 6:26 PM, Adam
| Shostack[SMTP:adam@homeport.org] wrote:
| >I'm looking for a FTP server to run on Windows NT.
| >
| >* Claims to offer security
|
| The FTP protocol has no security capability. If you want security, don't use
| FTP. See if there's an ssh server for NT and use scp, or use HTTPS/SSL.

I may have been sloppy in my use of words. By 'claims to offer security,' I meant that the authors had made an effort to protect the daemon itself from attack. The ftpd will be sitting behind an ftp-gw, and have other controls as part of a system that I feel offers a fair degree of security by design.
The same criteria that require NT also prevent us from using other protocols in the near term. I'd like it to use the NT file security mechanisms for about the same reasons; my customer has chosen to move ahead on a tight deadline, putting band-aids on a system, and asked me to offer advice with that in mind. They are being apprised of the risks.

Adam

--
"Every year the Republicans campaign like Libertarians, and then go to Washington and spend like Democrats."
Vote Harry Browne for President. http://www.harrybrowne96.org

From firewalls-owner Fri Oct 4 08:41:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA27238 for firewalls-outgoing; Fri, 4 Oct 1996 07:15:41 -0700 (PDT)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA27158 for ; Fri, 4 Oct 1996 07:15:05 -0700 (PDT)
Received: from netevolve.com by relay5.UU.NET with SMTP (peer crosschecked as: [206.136.48.11]) id QQbjzc14481; Fri, 4 Oct 1996 10:14:38 -0400 (EDT)
Received: from lazar by netevolve.com (4.1/SMI-4.1) id AA07899; Fri, 4 Oct 96 10:17:16 EDT
Message-Id: <2.2.32.19961004141153.0068802c@netevolve.com>
X-Sender: lazar@netevolve.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 04 Oct 1996 10:11:53 -0400
To: firewalls@greatcircle.com
From: Irwin Lazar
Subject: Small network Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Greetings all. I am working on a project to increase the security on a small LAN (less than 20 users). This LAN has a live connection to the Internet via a 56Kb Frame Relay pipe. So far the requirements are to set up an internal web server that can't be accessed from the Internet, to prevent SNMP scans from the Internet, to prevent Telnet from the Internet, and to prevent IP spoofing. There is also a requirement for reporting break-ins to a syslog server.
An external web server and FTP server will also be set up running NT 4.0. I've been looking at using private addressing on the LAN with a NAT between the LAN and a DMZ. The NAT will be a Cisco 2500 running their new 11.2.1 release. There will also be a Cisco 2500 between the Internet and the DMZ. I will be using the Ciscos as network layer firewalls by using extended IP access lists.

Are there any application layer firewalls out there that would be useful for a small LAN such as this? Can anyone recommend a few to look at? Does the above plan sound coherent?

Also, in an unrelated request, does anyone know of a good Windows NT mailing list or perhaps a place that holds a list of mailing lists?

Thanks,
Irwin Lazar
Network Evolutions, Inc.

From firewalls-owner Fri Oct 4 08:48:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA26599 for firewalls-outgoing; Fri, 4 Oct 1996 07:09:26 -0700 (PDT)
Received: from ultra1.dreamscape.com (ultra1.dreamscape.com [206.64.128.7]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA26592 for ; Fri, 4 Oct 1996 07:09:17 -0700 (PDT)
Received: from bertha.bcbsnye.com (sd25.dreamscape.com [206.114.183.250]) by ultra1.dreamscape.com (8.7.4/8.7.3) with SMTP id KAA07583 for ; Fri, 4 Oct 1996 10:06:53 -0400 (EDT)
Message-ID: <32551A5F.47C0@dreamscape.com>
Date: Fri, 04 Oct 1996 10:08:31 -0400
From: "Steven E. Matkoski"
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: cisco 2511 file transfer through firewall.
References: <199610040800.BAA28806@miles.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am trying to set up a dial-in service for our company and would like to know how to handle file transfers between a terminal server and the firewall.
Here is the layout: I have 4 cisco 2511's connected to the perimeter network (ethernet), which is attached to my firewall. I have to support async file transfers (X, Y, Z modem) to an ftp server within the secure network. How do terminal servers handle such transfers? Do they convert to ftp? I don't know which ports to open for these transfers. Any help is appreciated.

-- 
Thanks!
-steve.
matkoski@dreamscape.com

From firewalls-owner Fri Oct 4 08:55:32 1996
Message-Id: <9610041403.AA04139@sonic.nmti.com.nmti.com>
Date: Fri, 4 Oct 1996 09:03:11 -0500 (CDT)
From: peter@baileynm.com (Peter da Silva)
To: jeromie@garrison.com (Jeromie Jackson)
Cc: Firewalls@greatcircle.com, BETTICK@boat.bt.com
Subject: Re: PIX (CISCO)
In-Reply-To: <9610041116.AA03519@ukn0.garrison.com.> from "Jeromie Jackson" at Oct 4, 96 06:16:24 am

Lord knows I'm no fan of IP filtering but this is a straw man.

> bubble around your network. IP filtering relies on header information
> (src, port, dst, port, flags).
> My usual ACL example:
>
> "We do not allow any inbound connections EXCEPT SMTP"
> "We allow only XYZ.COM to connect to our telnet port"
>
> That would be a fair policy for many corporations.

No, it wouldn't. And it wouldn't be a fair policy with proxies, either. A more likely arrangement would be "we allow outbound connections, and we allow inbound SMTP and FTP connections to our public access server."

From firewalls-owner Fri Oct 4 10:03:07 1996
Message-Id: <9610041626.AA26761@notesgw2.sybase.com>
Date: 4 Oct 96 9:28:32 EDT
From: Ryan Russell/SYBASE
To: "Bruce M."
Cc: Bradley Brown, firewalls
Subject: Re: Check Point and SYN Flood Attack

Here's a glib answer, but it may help explain things:

Firewall-1 doesn't have a problem with the SYN packets for the same reason that every router along the way doesn't. It doesn't "use" the packets per se... It just keeps a table entry for it, and sends an ACK (I presume) to see if it gets a reply. It can keep track of thousands of these half open connections at a time..
Ryan

---------- Previous Message ----------
To: bradley
cc: firewalls
From: bkmarsh @ feist.com ("Bruce M.") @ smtp
Date: 10/03/96 05:13:03 PM
Subject: Re: Check Point and SYN Flood Attack

On Thu, 3 Oct 1996, Bradley Brown wrote:

> I saw your email on the FW mailing list. I suggest you read the white
> paper posted on our site to get a better understanding of our solution.
> The key element of the SYN Flood attack is that a site (Firewall or
> Internet server) can be hosed due to the OS inability to handle the
> unresolved connection attempts with an attack that uses less than 10% of
> the available bandwidth across a T1 connection. With SYNDefender, the OS
> is protected and valid Internet connections can pass through the
> firewall to the destination server unimpeded.

I read through the white paper and besides a few hazy blips about how your "patent-pending Stateful Inspection" protects Firewall-1, I still haven't received a decent refutation to my original observation: What is going to keep the firewall itself from becoming ensnared in a SYN flooding DOS attack? Even if it protects your host, won't Internet traffic essentially stop reaching it if the firewall is stuck chasing down SYNs from bogus addresses? Am I missing an important factor in this equation?

________________________________
[ Bruce M. - Feist Systems, Inc. ]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

'DISA information shows that computer attacks on the Department of Defense are successful 65 percent of the time. The DoD, despite its problems, probably has one of the strongest computer security programs in government.'
-GAO/T-AIMD-96-108

From firewalls-owner Fri Oct 4 10:17:16 1996
Message-Id: <325537D6.1F17@us.checkpoint.com>
Date: Fri, 04 Oct 1996 09:14:14 -0700
From: Bradley Brown
Reply-To: bradley@us.checkpoint.com
Organization: CheckPoint Software Technologies, Inc.
To: Firewalls@GreatCircle.COM
Subject: Re: Check Point SYNDefender and SYN Flood Attacks
References: <199610040800.BAA28806@miles.greatcircle.com>

Bruce M. wrote:
>
> On Thu, 3 Oct 1996, Bradley Brown wrote:
>> I saw your email on the FW mailing list. I suggest you read the white
>> paper posted on our site to get a better understanding of our solution.
>> The key element of the SYN Flood attack is that a site (Firewall or
>> Internet server) can be hosed due to the OS inability to handle the
>> unresolved connection attempts with an attack that uses less than 10% of
>> the available bandwidth across a T1 connection. With SYNDefender, the OS
>> is protected and valid Internet connections can pass through the
>> firewall to the destination server unimpeded.
>
> I read through the white paper and besides a few hazy blips about how
> your "patent-pending Stateful Inspection" protects Firewall-1, I still
> haven't received a decent refutation to my original observation: What is
> going to keep the firewall itself from becoming ensnared in a SYN
> flooding DOS attack?
> Even if it protects your host, won't Internet traffic
> essentially stop reaching it if the firewall is stuck chasing down SYNs
> from bogus addresses? Am I missing an important factor in this equation?
>
> ________________________________
> [ Bruce M. - Feist Systems, Inc. ]
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Several points to try to make this more clear:

1. SYN Floods take advantage of a queue managed by the OS. This queue is typically small in size and requires significant resources of the host if made much larger. Typically, this queue handles about 10 connection attempts and can be filled in seconds by a SYN Flood Attack. This is the primary reason the attack is so effective - it can be launched from a limited bandwidth link and still be effective at creating a denial of service condition on an Internet host or firewall that lacks protection.

2. Management of SYN connection attempts with FireWall-1 IS NOT managed by the OS, or a user-level process. It is managed at the kernel level using software specifically designed to do this WITHOUT the memory/CPU overhead or limitations normally imposed by the OS. The Check Point solution can handle thousands of simultaneous connection attempts without danger of filling any queues. Valid connection attempts will be completed as per usual while invalid attempts will be timed out by the firewall and discarded from the firewall queue (the only time valid attempts would not be able to get through is if the queue filled up and could not accept additional requests, which is NOT a problem with FireWall-1). Assume, for example, that the attacker is sending 500 packets per second. If the timeout is set to 5 seconds, then the largest number of unresolved connections which will exist at any point in time is about 2500, which does not even come close to exceeding FireWall-1's ability to track connections and manage the queue.
The only way the SYN Flood Attack can create a denial of service condition in this case is if the attacker is capable of filling the whole T1 pipe to the firewall, in which case they might as well use another more effective approach to fill the pipe.

-----------------------------------------------------------------------
Bradley Brown                         Email: bradley@us.checkpoint.com
CheckPoint Software Technologies      Phone: (415) 562-0400 x225
"Global Secure Connectivity"          Fax:   (415) 562-0410

From firewalls-owner Fri Oct 4 11:31:11 1996
Message-ID: <844465746133500006seiler*/G=Maurice/S=Seiler/OU=tls1/O=elfsanofi/PRMD=elf02/ADMD=ATLAS/C=FR/@MHS>
Date: Fri, 4 Oct 1996 19:49:06 +0200
From: Mr Maurice SEILER
To: Firewalls (Non Receipt Notification Requested)
Subject: WinFrame by CITRIX

Hi!,

Does somebody know something about WINFRAME by CITRIX? (Sort of X-terminal by M$)
Any known security problems?
How does this go through the FireWall?
Thanks,
Maurice

From firewalls-owner Fri Oct 4 11:35:09 1996
Message-Id: <199610041801.MAA16571@spot1.fvcc.cc.mt.us>
Date: Fri, 4 Oct 1996 12:01:38 -0700
From: "Rick Owens"
Organization: Flathead Valley Community College
To: "Steven E. Matkoski", Firewalls@GreatCircle.COM
Subject: Re: async file transfers through firewall, how?

On 4 Oct 96 at 10:28, Steven E. Matkoski wrote:

> I have the requirement to allow async users to transfer files to a
> ftp server. The async users connect to cisco 2511's which are
> connected to a perimeter network where the firewall is connected. I
> want the user to start a file transfer (x,y,z modem) and have the
> terminal server convert to ftp which would be filtered by the
> firewall. Has anyone tried anything like this? or have any ideas if
> it's possible?

Possible alternate solution: If you have a spare 386 or better, how 'bout setting up the PC as a Unix server that people can telnet to? Thus JQuser dials in, telnets to the (minimal) Unix server, transfers the file with whatever protocol, and disconnects. The server could poll for new files and transfer them as appropriate.
--------------------------------------------------------------------
Rick Owens | FVCC, Kalispell, MT, USA, Sol 3
#include "New restaurant on the moon. Great food, no atmosphere."
--------------------------------------------------------------------

From firewalls-owner Fri Oct 4 11:41:36 1996
Message-Id: <199610041751.KAA29763@pcslink.com>
Date: Fri, 4 Oct 1996 10:51:37 -0700 (MST)
From: Ryan Mooney
To: jeromie@garrison.com (Jeromie Jackson)
Cc: Firewalls@GreatCircle.COM, BETTICK@boat.bt.com
Subject: Re: PIX (CISCO)
In-Reply-To: <9610041116.AA03519@ukn0.garrison.com.> from "Jeromie Jackson" at Oct 4, 96 06:16:24 am

> Jeromie Jackson
> "We do not allow any inbound connections EXCEPT SMTP"
> "We allow only XYZ.COM to connect to our telnet port"
>
> That would be a fair policy for many corporations. Spoofing IP addresses
> is quite trivial.. If someone can spoof the address of XYZ.COM, they would
> effectively circumvent the ACL's in place, thus busting through the perimeter
> bubble. This would be similarly true of application level gateways, although
> in app. gateways you also have the ability to increase the level of assurance
> of the daemons, separate the outside network services from the internal network,
> provide 2-factor authentication mechanisms, and have a decent/good audit &
> data reduction tool to audit traffic.
>

deny input from internal networks on external port
deny input from !internal networks on internal port
deny input if fragment size is too small

I agree that you'd still want app level security on the "exposed" hosts that answer for e-mail etc... but the IP spoofing is IMHO handled not too badly by well designed filter rules, certainly better than by most application layer gateways. I realize that this is (somewhat) of a religious issue, and don't intend to start any flame wars.... so take this however you want... (grain of salt, packet of pepper, whatever).

Just my 0.02

----------------------------------------------------------------------------
Ryan Mooney                          Phone (602)265-9188
PCSLink    ryan@pcslink.com          Fax   (602)265-9357
Internet Services
The world needs more bitter, twisted souls. It would be a much better place.
-----------------------------------------------------------------------------

From firewalls-owner Fri Oct 4 12:27:11 1996
Message-Id: <9610042150.AA3674@manu_hub_one.manulife.com>
Date: 4 Oct 96 14:44:01 EDT
From: Graham Dougall
To: firewalls
Subject: UDP 137

gary flynn wrote:

> I'm seeing lots of access violations for UDP 137 which is
> used by Netbios name services. I'm blocking 137-139 from
> the Internet. What I don't understand is why these are trying to
> come in from the Internet destined for machines all over
> campus...some that aren't even running Netbios services (or so
> I'm told).

We are seeing violations for UDP 137 as well. At the same time as the violation we see the same IP address accessing our web site which is behind the firewall recording the violation. I suspect that the systems at these IP addresses have WINS and/or NETBIOS over IP enabled whether they know it or not. In our case the IP addresses causing the violations appear to be ISPs, so I believe that these are dialup users. Thus, when accessing our web site, WINS on their system is confused and attempts to do WINS name resolution using the address of our web site/firewall.

E. Graham Dougall, CISSP, FLMI/ACS, I.S.P.
Manulife Financial

From firewalls-owner Fri Oct 4 12:46:05 1996
Message-Id: <199610041758.MAA09292@anka.mindvision.com>
Date: Fri, 4 Oct 1996 12:58:23 -0500 (CDT)
From: alan@mindvision.com (Alan Hannan)
Reply-To: alan@mindvision.com (Alan Hannan)
To: matkoski@dreamscape.com (Steven E. Matkoski)
Cc: Firewalls@GreatCircle.COM
Subject: Re: cisco 2511 file transfer through firewall.
In-Reply-To: <32551A5F.47C0@dreamscape.com> from "Steven E. Matkoski" at Oct 4, 96 10:08:31 am

Hi Steve,

> I am trying to set up a dial-in service for our company and would like
> to know how to handle file transfers between a terminal server and the
> firewall. Here is the layout: I have 4 cisco 2511's connected to the
> perimeter network (ethernet), which is attached to my firewall.

     TS1     TS2     TS3     TS4     RTR-To-World
      |       |       |       |           |
     ======================================
                       |
                    Firewall
                       |
                Internal_Network

> I have
> to support async file transfers (X,Y,Z modem) to a ftp server within
> the secure network, how do terminal servers handle such transfers?

I assume that a serial connection is constructed from the user to the appropriate terminal server. I assume that the user then initiates a telnet from the TS through the firewall to an internal_network server.

If these assumptions are correct, the connection would look like this, on a physical level:

     Term_Prog -> Term_Server -> Firewall -> Internal_Server

Therefore, the traffic _through_ the firewall would pass over the shell session, which I assume to be initiated by telnet, rsh, rlogin, etc...

So, if it goes over the service telnet, rsh, rlogin, there is no difference (from the firewall's perspective) between xmodem traffic over the proxy, or character based terminal traffic. (Obv. routines could be put into the proxy server to catch and disable such traffic, but I don't know of any that filter xmodem, etc...)

> do they convert to ftp? I don't know which ports to open for these
> transfers. Any help is appreciated.

With the system as described above, FTP is not an option. FTP would have to ride on tcp/ip back to the client, and there is no client in the path that talks ftp.
So, you will be using the FTP server as an XModem server, effectively, and the filtering problem moves from a protocol/port basis to a content basis.

$0.02
-alan

From firewalls-owner Fri Oct 4 12:48:04 1996
Message-Id: <1.5.4.32.19961004163133.0098eccc@compusult.nf.ca>
Date: Fri, 04 Oct 1996 14:31:33 -0200
From: Gerard Hynes - Compusult Limited - Mount Pearl - NF - Canada
To: Firewalls@GreatCircle.COM
Subject: Re: ATM Firewalls

>------------------------------
>Date: Tue, 1 Oct 96 11:26:57 MDT
>From: woods@ucar.edu (Greg Woods)
>Subject: Re: ATM Firewalls
>
>> a three interface system consisting of:
>>
>> - 10 Mbps Ethernet - Inside Interface 1
>> - 155 Mbps ATM (LANE) - Inside Interface 2
>> - 100 Mbps FDDI - Outside Interface
>
>For most of us that I've heard use the term, this is not an "ATM
>firewall". Although I cannot speak for anyone else, I think that to
>call something like this an ATM firewall is deceptive. What *I* mean
>when I use that term is something that can act as a firewall while
>passing packets *at ATM speed*. While I would agree that something that
>can at least pass packets at or close to FDDI speed is worthy of note,
>this is not an "ATM firewall" by any reasonable definition.
>
>- --Greg
>------------------------------

Page 24 of the September 1996 Data Communications issue has a blurb about some work done at the University of Kansas (Lawrence). From the article they are using TIS's FWTK on DEC Alphas with OC-3 interfaces. Forwarding rate is ~110Mbit/s.

Results of the U. Kansas test are also available at:
http://www.tisl.ukans.edu/aai/reports/aai-perf/

=[gh]=
******************************************************************************
* Gerard Hynes - ghynes@compusult.nf.ca    * Life is what happens while     *
*   - Systems Integration Manager -        * you're busy making other       *
* Compusult Limited - Mount Pearl - NF     * plans.                         *
*   - URL http://www.compusult.nf.ca -     *                  John Lennon   *
******************************************************************************

From firewalls-owner Fri Oct 4 12:48:28 1996
Message-Id: <9610041722.AA28181@uc0009.wangfed.com>
Date: Fri, 4 Oct 96 13:22:27 -0400
From: "K.M. Goertzel"
Reply-To: "K.M. Goertzel"
To: firewalls@GreatCircle.COM
Subject: Re: Gauntlet vs. Sidewinder

In message <199610031155.HAA30042@maddie.atlantic.com> Rick Romkey writes:

> 1) it must support the services that you need
> 2) it must be affordable
> 3) it must be secure
> 4) it has to make sense

It would seem that one of the considerations when selecting between products that meet requirement #3 above is that one way of "assuring" that the underlying operating system is as secure as the vendor claims it is would be to have an *independent* evaluation of the security of that operating system, instead of simply relying on the vendor's word that their method of "hardening" the OS - either using chroot or type enforcement - actually results in a "hacker-resistant" operating system. It would seem to me that a firewall that runs on an NSA evaluated operating system would at least provide that kind of independent "seal of approval".

Of course, SCC have had a lot of experience building operating systems that are designed to be trustworthy. But they have yet to receive an NSA or ITSEC evaluation of their operating system. They might argue that such an evaluation is unnecessary. My feeling is that the NSA evaluation in this context is no different than a UL or Good Housekeeping seal on a household appliance. It's just one more way of knowing that experts who don't have a vested interest in the market success of the product have assured the truth of the product's security claims.

For this reason, when considering requirement #3 above, I'd tend to look at a CyberGuard running on the B1 *evaluated* Nighthawk operating system.
Absent a covert channel analysis on *any* of these firewall operating systems - at least for now - I'd feel warmer and fuzzier about the OS security claims made on behalf of Nighthawk than the claims made on behalf of the Sidewinder OS - at least until I've seen the certification and accreditation paperwork that comes out of the NSA's MISSI programme that will be using Sidewinder for some of its single-level X.400 firewalls.

Now, can someone explain to me why Sidewinder doesn't appear on the NCSA's list of "blessed" firewalls - at least it doesn't according to the press release I received?

=====
K.M. Goertzel * Manager, Business Development
Secure Systems & Services Operation * WANG FEDERAL, Inc.
tel (703)827 3914 * fax (703)827 3161 * email goertzek@wangfed.com
"An elephant: a mouse built to government specifications" - Robert Heinlein

From firewalls-owner Fri Oct 4 14:27:03 1996
Message-Id: <3.0b28.32.19961004152554.00b3b458@trex.netrex.com>
Date: Fri, 04 Oct 1996 15:26:01 -0400
From: Richard Stiennon
To: jeromie@garrison.com (Hmm)
Cc: bdboyle@erenj.com, barbara@us.checkpoint.com, firewalls@GreatCircle.COM
Subject: Re: Gauntlet vs. Sidewinder

At 07:07 PM 10/2/96 CDT, Hmm wrote:
>
> I would be interested in hearing how checkpoint is securing their
> customers from SMTP based attacks!
> From what I have seen, they simply pass it
> through to a mail machine... If that mail machine happens to be running
> Sendmail 4.1, the attacker can blow holes right through the perimeter....?

Well, how about not allowing telnet to the mail server? hmmm...

----------------------------------------------------------------------------
Richard Stiennon                      richards@netrex.com
Director, Business Development        http://www.netrex.com
Netrex, Inc.                          Voice: 810-352-9643
Southfield, Michigan                  Fax:   810-352-2375
-----------------------------------------------------------------------------
Providing businesses and organizations with secure Internet solutions.

From firewalls-owner Fri Oct 4 15:38:49 1996
Message-ID: <2556f460@bracco.com>
Date: Fri, 4 Oct 1996 16:14:16 -0400
From: mcruz@bracco.com (Michael Cruz)
To: firewalls@greatcircle.com, Mr Maurice SEILER
Subject: Re: WinFrame by CITRIX

We use it. Works well on the local LAN and via dial-up 14400 or 28800. We've not tried going through the firewall. No need to yet. I'm not the WINFRAME guru around here, but you should only have to open the WINFRAME port (1494) through your firewall.
It rides on TCP/IP so whatever procedure you use now will work the same way for WINFRAME. I'm not sure of any other implications of this. I'd be leary of doing it. mike Michael W. Cruz BRACCO Diagnostics Inc. Princeton, New Jersey mcruz@bracco.com ______________________________ Reply Separator _________________________________ Subject: WinFrame by CITRIX Author: Mr Maurice SEILER at *Internet* Date: 10/4/96 7:49 PM Hi!, Does somebody know something about WINFRAME by CITRIX? (Sort of X-terminal by M$) Any known security problems? How does this go through the FireWall? Thanks, Maurice From firewalls-owner Sat Oct 5 17:27:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA03383 for firewalls-outgoing; Fri, 4 Oct 1996 13:02:36 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA03322 for ; Fri, 4 Oct 1996 13:02:06 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id NAA03503; Fri, 4 Oct 1996 13:00:25 -0700 Received: from qs.secapl.com(192.131.69.9) by mycroft via smap (V1.3mjr) id sma003484; Fri Oct 4 12:59:26 1996 Received: from Cookie.secapl.com (Cookie.secapl.com [192.108.247.19]) by qs.secapl.com (8.6.12/8.6.12) with SMTP id OAA137476; Fri, 4 Oct 1996 14:48:35 -0500 Received: from Fozzie.secapl.com by Cookie.secapl.com (AIX 3.2/UCB 5.64/4.03) id AA149725; Fri, 4 Oct 1996 15:00:09 -0500 Received: from localhost by fozzie.secapl.com (AIX 4.1/UCB 5.64/4.03) id AA35236; Fri, 4 Oct 1996 15:59:05 -0400 Date: Fri, 4 Oct 1996 15:59:03 -0400 (EDT) From: Tony Iannotti To: Mr Maurice SEILER Cc: Firewalls Subject: Re: WinFrame by CITRIX In-Reply-To: <844465746133500006seiler*/G=Maurice/S=Seiler/OU=tls1/O=elfsanofi/PRMD=elf02/ADMD=ATLAS/C=FR/@MHS> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 4 Oct 1996, Mr 
Maurice SEILER wrote: > Does somebody know something about WINFRAME by CITRIX? (Sort of X-terminal by M$) We've been evaluating it here, it's not really an X-terminal per se, though it can deliver windows programs or the whole NT desktop to an X-window... It's more like a multi-user version of NT. (Also, not by MS, though based on licensed code) > Any known security problems? Seems to be a few rev's behind NT, 3.51 with only one service pack I think, so it's really the same as NT. Add to that the fact that (if running on X at least) everything is in the clear. > How does this go through the FireWall? This I couldn't say, we don't let it. _________________________________________________________________________ Tony Iannotti "Sed quis custodiet ipsos custodes?" Security APL tony@secapl.com -Juvenal 101 Hudson Street 201/332-2020 Jersey City, NJ 07302 From firewalls-owner Sat Oct 5 17:31:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA01437 for firewalls-outgoing; Fri, 4 Oct 1996 12:46:51 -0700 (PDT) Received: from intfw.bear.com (intfw.bear.com [206.25.172.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA01276 for ; Fri, 4 Oct 1996 12:46:05 -0700 (PDT) Received: by intfw.bear.com (4.1/SMI-4.1) id AA11801; Fri, 4 Oct 96 15:45:29 EDT Received: from fastbear(165.168.74.3) by intfw via smap (V1.3) id sma011139; Fri Oct 4 15:37:04 1996 Received: from ursa2.bear.com by fastbear.bear.com (4.1/SMI-4.1/1.0 AMR 12/15/94) id AA05509; Fri, 4 Oct 96 15:41:46 EDT Received: from whip_xfr.bear.com (whip-xfr) by ursa2.bear.com (4.1/SMI-4.1/AMR+DJMS(2)) id AA10542; Fri, 4 Oct 96 15:38:04 EDT Received: from wizard.bsnet by whip_xfr.bear.com (SMI-8.6/SMI-SVR4) id PAA26744; Fri, 4 Oct 1996 15:37:15 -0400 Received: from neptune by wizard.bsnet (SMI-8.6/SMI-SVR4) id PAA21632; Fri, 4 Oct 1996 15:37:15 -0400 Message-Id: <3255676B.3A0C@bear.com> Date: Fri, 04 Oct 1996 15:37:15 -0400 From: Shahryar Jahangir Organization: 
Bear Stearns X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m) Mime-Version: 1.0 To: Irwin Lazar Cc: firewalls@greatcircle.com Subject: Re: Small network Firewall References: <2.2.32.19961004141153.0068802c@netevolve.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Irwin, All the firewalls discussed on this group can be implemented. I would suggest using a Netra as your firewall and run FW-first or FW-light from checkpoint sftwr. It can do everything you are looking for. I must admit that Gauntlet will also do the job, but with a complete SUN solution right out of the box, what could be easier? luck sj

Irwin Lazar wrote:
> Greetings all. I am working on a project to increase the security on a small LAN (less than 20 users). This LAN has a live connection to the internet via a 56Kb Frame Relay pipe.
>
> So far the requirements are to set up an internal web server that can't be accessed from the Internet, to prevent SNMP scans from the Internet, to prevent Telnet from the internet, and to prevent IP Spoofing. There is also a requirement for reporting break-ins to a syslog server. An external web server and FTP server will also be set up running NT 4.0.
>
> I've been looking at using private addressing on the LAN with a NAT between the LAN and a DMZ. The NAT will be a Cisco 2500 running their new 11.2.1 release. There will also be a Cisco 2500 between the Internet and the DMZ. I will be using the Ciscos as network layer firewalls by using extended IP Access lists.
>
> Are there any application layer firewalls out there that would be useful for a small LAN such as this? Can anyone recommend a few to look at? Does the above plan sound coherent?
>
> Also, in an unrelated request, does anyone know of a good Windows NT mailing list or perhaps a place that holds a list of mailing lists?
>
> Thanks,
> Irwin Lazar
> Network Evolutions, Inc.
-- ........................................... " Is there a God ? I don't know, the computer is down !" Shahryar Jahangir Information Services Bear Stearns & Co. Inc. 245 Park Avenue New York, NY 10167 email: sj@bear.com Tel: 212 272 7764 Fax : 212 499 6977 ........................................... -- ******************************************************************************* Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. ******************************************************************************* From firewalls-owner Sat Oct 5 17:58:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA08179 for firewalls-outgoing; Fri, 4 Oct 1996 13:32:10 -0700 (PDT) Received: from kcpgw2.kcp.com (kcpgw2.kcp.com [198.62.69.67]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA07941 for ; Fri, 4 Oct 1996 13:31:00 -0700 (PDT) Received: by kcpgw2.kcp.com id AA03154 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Fri, 4 Oct 1996 15:30:29 -0500 Message-Id: <199610042030.AA03154@kcpgw2.kcp.com> Received: by kcpgw2.kcp.com (Protected-side Proxy Mail Agent-2); Fri, 4 Oct 1996 15:30:29 -0500 Received: by kcpgw2.kcp.com (Protected-side Proxy Mail Agent-1); Fri, 4 Oct 1996 15:30:29 -0500 Mime-Version: 1.0 Date: Fri, 4 Oct 1996 15:25:09 -0500 From: dharris@kcp.com (Delmer Harris) Subject: Re: Financial transactions and firewalls. To: firewalls@greatcircle.com, Colin Campbell Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Colin/list: The "gentleman" in question has many brothers and sisters in other fields. 
I have only been at this firewall stuff for about three years and I have already had to fight off three requests for "just a tiny hole" in my firewall so we could use the latest "firewalls unaware" application that we just _had_ to have. In each case the application developer was aghast when I suggested that the product would be much more useful if it was firewall aware _and_ based on a standard ("well understood") protocol like telnet, http, or ftp.

Keep fighting the good fight. If it isn't firewall aware it probably isn't security aware either.

BTW: From a class I took at Interop I got the impression that SET is not incompatible with firewalls because it rides on top of other protocols which firewalls can handle. Is this impression correct?

Delmer D. Harris dharris@kcp.com

______________________________ Reply Separator _________________________________
Subject: Financial transactions and firewalls.
Author: Colin Campbell at INTERNET-MAIL
Date: 10/3/96 4:14 PM

Hi, I recently spent several hours (yes hours!) on the phone discussing the relative merits of my "stupid firewall philosophy" with a gentleman representing a company implementing secure financial services on the Internet. His service, if I understood correctly, was based on (something like?) SWIFT which has been in use in Europe for 15-20 years by many large financial institutions and therefore was not going to be changed quickly if at all.

My firewall was stupid (based on fwtk) because it put proxies in between my inside hosts and external servers. Furthermore, any firewall that did any sort of network address translation or proxying was brain-dead. (My interpretation of his statements). Why? Because his software passed an identifying "ticket" with every packet. This ticket comprised an encrypted date+time, the IP address of the client machine and some other stuff.
When the server saw a packet from a host whose IP address did not match that in the ticket, alarm bells would sound and the fraud squad would be on the doorstep within minutes. When I suggested to him that 80% (just guessing, so be nice to me) of the firewalls outside of the financial world use NAT and/or proxies he scoffed at the prospect, suggesting that people using such stupid technologies were going to miss out on the upcoming revolution about to hit the Internet with secure financial transactions that would not work through such firewalls. He also mentioned the "new Microsoft software" several times (anyone know which?).

Does anyone have any comments on this guy's philosophy, or mine for that matter? I would especially like to hear from anyone who's been following the development of secure financial transactions (SET comes to mind, right track?) and how these systems are expected to operate through "stupid firewalls" like mine.

Colin

From firewalls-owner Sat Oct 5 18:05:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA18198 for firewalls-outgoing; Fri, 4 Oct 1996 14:48:33 -0700 (PDT) Received: from user1.scranton.com (user1.scranton.com [204.186.119.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA18154 for ; Fri, 4 Oct 1996 14:48:19 -0700 (PDT) Received: from localhost (moroni@localhost) by user1.scranton.com (8.6.12/8.6.9) with SMTP id RAA02750 for ; Fri, 4 Oct 1996 17:54:18 -0400 X-Authentication-Warning: user1.scranton.com: moroni owned process doing -bs Date: Fri, 4 Oct 1996 17:54:18 -0400 (EDT) From: Moroni To: firewalls@GreatCircle.COM Subject: Pumpcon Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have been busy and may have missed an announcement on the Pumpcon so could anyone tell me what hotel in Philly it is this year? Also, is it open invitation?
Please respond by email to me personally rather than taking up bandwidth. Thanks in Advance

From firewalls-owner Sat Oct 5 18:12:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA29722 for firewalls-outgoing; Fri, 4 Oct 1996 16:06:49 -0700 (PDT) Received: from Fox.nstn.ca (fox.nstn.ca [137.186.128.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA29678 for ; Fri, 4 Oct 1996 16:06:29 -0700 (PDT) Received: from 204.191.136.4.istar.ca (ts1-11.ott.iSTAR.ca [204.191.144.31]) by Fox.nstn.ca (8.7.5/8.7.3) with SMTP id UAA22262; Fri, 4 Oct 1996 20:04:59 -0300 (ADT) Date: Fri, 4 Oct 1996 20:04:59 -0300 (ADT) Message-Id: <199610042304.UAA22262@Fox.nstn.ca> X-Sender: champ@fox.nstn.ca X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Adam Shostack From: "L. Champagne" Subject: Re: NT FTPd? Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You could use IIS (Internet Information Service) from Microsoft. Version 1.0 runs well on NT 3.5.1, version 2.0 is out, runs on NT 4.0 (actually it comes with NT 4.0). It's free and has three services: gopher, ftp and http. It's simple, integrates with the OS. Start/Stop (un)desired services. Also heard good comments about FTP Serv-U. Go to www.altavista.digital.com and search: serv-u.

Lyn Champagne
"Knowing more than one language is an asset; knowing when to shut up is of equal value."

At 22:26 10/03/96 -0500, you wrote:
>(Cross posted to Firewalls, ntsec)
>
>I'm looking for an FTP server to run on Windows NT.
>
>My criteria are:
>
>* Claims to offer security
>* Can provide ability to prevent moving up a directory tree. (chroot)
>* Can use NT login mechanisms to control login & activity as different users.
>
>Source would be nice. Free would be nice, but a downloadable demo version is a must for pay software.
>
>Please respond to me, and I'll summarize.
>
>Adam
>--
>"Every year the Republicans campaign like Libertarians, and then go to Washington and spend like Democrats."
>
>Vote Harry Browne for President. http://www.harrybrowne96.org

From firewalls-owner Sat Oct 5 18:26:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA14042 for firewalls-outgoing; Fri, 4 Oct 1996 17:27:10 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA09122 for ; Fri, 4 Oct 1996 17:01:10 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id QAA07121; Fri, 4 Oct 1996 16:59:28 -0700 Received: from nic.incolumitas.se(194.52.80.4) by mycroft via smap (V1.3mjr) id sma007099; Fri Oct 4 16:59:11 1996 Received: (from rom@localhost) by nic.incolumitas.se (8.7.5/8.7.3) id CAA10384; Sat, 5 Oct 1996 02:04:11 +0200 (MET DST) Date: Sat, 5 Oct 1996 02:04:11 +0200 (MET DST) From: Robert Malmgren Message-Id: <199610050004.CAA10384@nic.incolumitas.se> To: genel@inforamp.net, peter@baileynm.com Subject: Re: [NTSEC] Re: NT FTPd? Cc: ntsecurity@iss.net, firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: 8d+sJMLi8rn2r/7If9gsRg== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> From owner-ntsecurity@iss.net Fri Oct 4 23:27 MET 1996
> From: peter@baileynm.com (Peter da Silva)
> Subject: [NTSEC] Re: NT FTPd?
> To: genel@inforamp.net (Gene Lee)
> Date: Fri, 4 Oct 1996 08:38:53 -0500 (CDT)
> Cc: ntsecurity@iss.net, firewalls@GreatCircle.COM
>
> On Thursday, October 03, 1996 6:26 PM, Adam Shostack[SMTP:adam@homeport.org] wrote:
> >I'm looking for an FTP server to run on Windows NT.
> >
> >* Claims to offer security
>
> The FTP protocol has no security capability. If you want security, don't use FTP. See if there's an ssh server for NT and use scp, or use HTTPS/SSL.
>

Well...
this is not completely true. There has been a draft RFC on how to negotiate secure authentication and a secure session. There are a number of implementations of this as well. I have a kerberized version of FTP that uses these features. Unfortunately there is no port of it to NT; I just use it on UNIX boxes so far. But the source for a neat Kerberos package that includes this and more network utils just sits in ftp.nada.kth.se:/pub/krb/src waiting for someone to port it ;-)

But the _vanilla_ version of FTP is, as you point out, rather insecure...

piraya$ /usr/athena/bin/ftp spam
Connected to spam
220 spam FTP server (Version 6.00) ready.
Trying KERBEROS_V4...
Kerberos login successful.
Name (spam:rom): P:232 User rom logged in.
Remote system type is UNIX.

-- Robert

From firewalls-owner Sat Oct 5 18:26:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA13141 for firewalls-outgoing; Fri, 4 Oct 1996 13:59:27 -0700 (PDT) Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA13094 for ; Fri, 4 Oct 1996 13:59:05 -0700 (PDT) Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id OAA10278; Fri, 4 Oct 1996 14:57:33 -0600 Received: from beckio.precise.ab.ca(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.Plugh.edmonton.ab.ca, id smtpd10276aaa; Fri Oct 4 14:57:25 1996 Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id OAA02912; Fri, 4 Oct 1996 14:57:29 -0600 From: Bob Beck Message-Id: <199610042057.OAA02912@snouts.obtuse.com> Subject: Re: smtp and auth To: raf@ezunx.com (rich) Date: Fri, 4 Oct 1996 14:57:27 -0600 (MDT) Cc: firewalls@GreatCircle.COM In-Reply-To: from "rich" at Oct 4, 96 09:43:48 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> What would cause SOME mail servers to send back an AUTH/113 connection before allowing mail to be sent? Also, it seems to be random. In other words, some servers do it sometimes but other times they do not. Since I am blocking all connection requests from the outside in, this causes some of my internal mail servers to hang from time to time. When I looked at the firewall logs, I see SYNs coming from the mail server at the other end trying port 113. Any hints?

Sendmail and others (as well as the tcp wrappers) can be configured to shoot connecting beasts with an ident request. It should (if they have it configured right) just time out and proceed, but ya never know. It's of dubious value on external SMTP connections, but different strokes for different folks. It's how some people set up their world.

Your mail server probably shouldn't "hang" on this type of request. It should just give up after a reasonable amount of time, so you might want to take a look at what your mail server is doing when talking to a catatonic server. It should hopefully give up and die. Failing that, you can just open up ident to your mail machine, and put a dumb ident daemon on it that answers all requests with "xxxx" or something if you don't feel like giving out any information. Doing that is basically harmless (done right anyway).
-Bob

From firewalls-owner Sat Oct 5 18:57:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA28161 for firewalls-outgoing; Fri, 4 Oct 1996 21:10:19 -0700 (PDT) Received: from morbius.softiron.com ([199.233.153.120]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA28154 for ; Fri, 4 Oct 1996 21:10:09 -0700 (PDT) From: woody@softiron.com Received: by morbius.softiron.com (SMI-8.6/SMI-SVR4) id VAA03507; Fri, 4 Oct 1996 21:07:49 -0700 Date: Fri, 4 Oct 1996 21:07:49 -0700 Message-Id: <199610050407.VAA03507@morbius.softiron.com> To: raf@ezunx.com CC: firewalls@greatcircle.com In-reply-to: (message from rich on Fri, 4 Oct 96 09:43:48) Subject: Re: smtp and auth Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Date: Fri, 4 Oct 96 09:43:48
> What would cause SOME mail servers to send back an AUTH/113 connection before allowing mail to be sent? Also, it seems to be random. In other words, some servers do it sometimes but other times they do not.

I had xinetd query remote authorization for acceptance of mail when I was running an SMTP server in a dangerous area. Perhaps that is what you are seeing: the remote site wants some indication that a user isn't trying to trivially spoof mail. No idea why the hosts would not do this consistently, though. All my models suggest they should do this all the time.
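The two replies above concern remote MTAs doing RFC 1413 ident (auth, TCP port 113) lookups against a connecting mail host, and the suggestion of a "dumb" identd that answers everything with a fixed string. The following is an added example written for this archive, not code from either poster: a minimal ident responder in Python that does exactly that, plus the client-side lookup an MTA would perform, bounded by a timeout so that a "catatonic" ident host (accepts, never answers) cannot stall the SMTP session. The token "xxxx" is the one suggested above; the port numbers, helper names and the silent-server mode are assumptions for the demonstration.

```python
"""Dumb RFC 1413 (ident/auth, TCP port 113) responder and the matching lookup.

Added example for the two replies above; not code from the original thread.
The responder answers every well-formed query with one fixed token ("xxxx",
as suggested above) instead of a real account name, so remote MTAs that do
ident lookups get an immediate answer and learn nothing about local users.
The lookup side shows why an MTA needs its own timeout: a "catatonic" identd
that accepts and never replies would otherwise stall the SMTP session.
Port numbers, helper names and the silent-server mode are assumptions.
"""
import socket
import threading
import time

FIXED_USERID = "xxxx"      # what every query is answered with
MAX_QUERY_LEN = 1000       # RFC 1413 caps a query at 1000 octets
HOLD_SECONDS = 30          # how long the "catatonic" variant sits on a connection


def parse_query(line):
    """Parse '<port-on-server>, <port-on-client>' into a tuple of ints.

    Returns None for anything that is not two comma-separated integers in
    1..65535, which is exactly the case RFC 1413 answers with INVALID-PORT.
    """
    parts = line.strip().split(",")
    if len(parts) != 2:
        return None
    try:
        server_port, client_port = (int(p.strip()) for p in parts)
    except ValueError:
        return None
    if not all(1 <= p <= 65535 for p in (server_port, client_port)):
        return None
    return server_port, client_port


def ident_response(line, userid=FIXED_USERID):
    """Build the CRLF-terminated reply for one ident query line.

    Valid   -> '<sp>, <cp> : USERID : OTHER : <userid>'
    Invalid -> '<query as received> : ERROR : INVALID-PORT'
    The opsys token OTHER tells the peer the id is not a real account name.
    """
    ports = parse_query(line)
    if ports is None:
        return "%s : ERROR : INVALID-PORT\r\n" % line.strip()[:MAX_QUERY_LEN]
    return "%d, %d : USERID : OTHER : %s\r\n" % (ports[0], ports[1], userid)


def _handle(conn, silent):
    with conn:
        if silent:
            # Accept, then say nothing: the peer's own timeout decides what happens.
            time.sleep(HOLD_SECONDS)
            return
        conn.settimeout(5.0)
        try:
            data = conn.recv(MAX_QUERY_LEN + 2)
        except socket.timeout:
            return
        if data:
            conn.sendall(ident_response(data.decode("ascii", "replace")).encode("ascii"))


def serve(bind_addr="127.0.0.1", port=0, silent=False):
    """Start an identd in a daemon thread; returns the (addr, port) it bound.

    silent=True gives the "catatonic server" the reply above warns about.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_handle, args=(conn, silent), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def ident_lookup(host, port, server_port, client_port, timeout=3.0):
    """The MTA side: ask '<server_port>, <client_port>' and return the reply.

    Returns None when the ident host refuses, is filtered, or never answers
    within `timeout`; an MTA without such a bound is the one that "hangs".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(("%d, %d\r\n" % (server_port, client_port)).encode("ascii"))
            reply = s.recv(MAX_QUERY_LEN)
    except (socket.timeout, OSError):
        return None
    return reply.decode("ascii", "replace").strip()


if __name__ == "__main__":
    host, p = serve()
    print(ident_lookup(host, p, 6193, 25))                # answered with the fixed token
    print(ident_lookup(host, p, 0, 25))                   # INVALID-PORT
    host, p = serve(silent=True)
    print(ident_lookup(host, p, 6193, 25, timeout=1.0))   # None once the timeout fires
```

Note that the query from the remote MTA is "<port on the connecting host>, <port on the MTA>", so a lookup for an outbound SMTP session from local port 6193 reads "6193, 25". Binding this to the mail relay only, as suggested above, answers the lookups without exposing real account names; the firewall rule needed is one inbound TCP/113 allow to that single host.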
--woody -- Robert Wooddell Weaver email: robertw@softiron.com Senior Systems Engineer voice: 510.855.2072 SoftIRON Systems pager: 510.702.4334 alpha page at: http://www.metrocall.com/Page.html From firewalls-owner Sat Oct 5 19:00:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA29383 for firewalls-outgoing; Fri, 4 Oct 1996 21:17:40 -0700 (PDT) Received: from minotaur.labyrinth.net.au (minotaur.labyrinth.net.au [203.9.148.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA29374 for ; Fri, 4 Oct 1996 21:17:23 -0700 (PDT) Received: (from mail@localhost) by minotaur.labyrinth.net.au (8.7.2/8.7.2) id OAA02790; Sat, 5 Oct 1996 14:20:09 +1000 (EST) X-Authentication-Warning: minotaur.labyrinth.net.au: mail set sender to using -f Received: from gate.quick.com.au(203.12.250.130) by minotaur.labyrinth.net.au via smap (V1.3) id sma002771; Sat Oct 5 14:19:43 1996 Received: (from sjg@localhost) by zen.quick.com.au (8.7.3/8.6.9) id OAA20126; Sat, 5 Oct 1996 14:18:44 +1000 (EST) Date: Sat, 5 Oct 1996 14:18:44 +1000 (EST) From: "Simon J. Gerraty" Message-Id: <199610050418.OAA20126@zen.quick.com.au> To: mchatel@dial.oleane.com Cc: firewalls@greatcircle.com Subject: Re: Need volunteer FTP archive site to host new security software Newsgroups: lists.firewalls References: <1.5.4.32.19961003205647.00698e6c@pop.dial.oleane.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Marc Chatel writes: > S4 is best described as "a security glueware compromise". The goal of S4 >is to minimize the time necessary to accomplish the following: >The installer spends most of that time pressing "Y", "N", and RETURN to accept >Although it currently runs on only one platform (OSF/Digital Unix on Alpha), You might like to have a look at ftp://ftp.quick.com.au/pub/unix/config-sh.cpio.Z which is a very generic tool for doing this sort of thing - with no user interaction required. 
Indeed, I've used it quite a bit for building firewall bastions (like a cookie cutter). It's all written in Bourne shell and is quite portable (*BSD, SunOS, Solaris, IRIX, and even HP-UX[*], all known to work); on Solaris, it also takes care of installing patches. You can build a single config tree that supports multiple systems and architectures; ftp://ftp.quick.com.au/pub/unix/config-example.cpio.Z is a subset of my configs tree here and contains many useful bits of shell script etc. No, it does not contain the bastion configs :-)

For more detail, see http://www.quick.com.au/FreeWare/

--sjg

From firewalls-owner Sat Oct 5 19:13:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA07626 for firewalls-outgoing; Fri, 4 Oct 1996 19:32:33 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA06969 for ; Fri, 4 Oct 1996 19:30:46 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id SAA08865; Fri, 4 Oct 1996 18:13:03 -0700 Received: from mail13.digital.com(192.208.46.30) by mycroft via smap (V1.3mjr) id sma008858; Fri Oct 4 18:12:50 1996 Received: from whyvms.ako.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV) id VAA25811; Fri, 4 Oct 1996 21:09:06 -0400 (EDT) Received: from isbu-mail.ljo.dec.com by whyvms.ako.dec.com (5.65/MS-010395) id AA12210; Fri, 4 Oct 1996 21:07:28 -0400 Received: from tun-26.imc.das.dec.com [16.136.208.26] (HELO ccstest44) by isbu-mail.ljo.dec.com (AltaVista Mail V1.0/1.0 BL17 listener) id 0000_0042_3255_b548_d4b2; Fri, 04 Oct 1996 21:09:28 -0400 Message-Id: <1.5.4.32.19961005015131.006c5a8c@isbu-mail.ljo.dec.com> X-Sender: jim.lester@isbu-mail.ljo.dec.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 04 Oct 1996 20:51:31 -0500 To: "Steven E.
Matkoski" , Firewalls@GreatCircle.COM From: Jim Lester Subject: Re: async file transfers through firewall, how? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You can do this with Digital's Altavista tunnels. Go to the URL shown in my signature, page down and enter the frames or no-frames product section, click on products and tunnel. Download a whitepaper or an eval copy of the product. Good luck.

At 10:28 AM 10/4/96 -0400, Steven E. Matkoski wrote:
>I have the requirement to allow async users to transfer files to an ftp server. The async users connect to cisco 2511's which are connected to a perimeter network where the firewall is connected. I want the user to start a file transfer (x,y,z modem) and have the terminal server convert to ftp which would be filtered by the firewall. Has anyone tried anything like this? Or have any ideas if it is possible?
>
>--
>
>Thanks!
>-steve.
>matkoski@dreamscape.com

Jim Lester, Business Alliance Manager Altavista Internet Software Digital Equipment Corporation http://altavista.software.digital.com voice: 404.843.9645

From firewalls-owner Sat Oct 5 19:20:42 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA20542 for firewalls-outgoing; Fri, 4 Oct 1996 20:26:38 -0700 (PDT) Received: from mail13.digital.com (mail13.digital.com [192.208.46.30]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA15110 for ; Fri, 4 Oct 1996 20:03:08 -0700 (PDT) Received: from whyvms.ako.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV) id WAA11997; Fri, 4 Oct 1996 22:55:52 -0400 (EDT) Received: from isbu-mail.ljo.dec.com by whyvms.ako.dec.com (5.65/MS-010395) id AA12257; Fri, 4 Oct 1996 21:12:49 -0400 Received: from tun-26.imc.das.dec.com [16.136.208.26] (HELO ccstest44) by isbu-mail.ljo.dec.com (AltaVista Mail V1.0/1.0 BL17 listener) id 0000_0042_3255_b68f_d555; Fri, 04 Oct 1996 21:14:55 -0400 Message-Id: <1.5.4.32.19961005015658.006c5218@isbu-mail.ljo.dec.com> X-Sender:
jim.lester@isbu-mail.ljo.dec.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 04 Oct 1996 20:56:58 -0500 To: Irwin Lazar , firewalls@GreatCircle.COM From: Jim Lester Subject: Re: Small network Firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Irwin, go to altavista.software.digital.com and download an eval copy of Digital's AltaVista firewall for NT or Unix. Both are NCSA certified. Look at Altavista tunnels if you also want a means of providing rock solid (128bit RSA RC4 encryption) for user access outside the firewall.

At 10:11 AM 10/4/96 -0400, Irwin Lazar wrote:
>Greetings all. I am working on a project to increase the security on a small LAN (less than 20 users). This LAN has a live connection to the internet via a 56Kb Frame Relay pipe.
>
>So far the requirements are to set up an internal web server that can't be accessed from the Internet, to prevent SNMP scans from the Internet, to prevent Telnet from the internet, and to prevent IP Spoofing. There is also a requirement for reporting break-ins to a syslog server. An external web server and FTP server will also be set up running NT 4.0.
>
>I've been looking at using private addressing on the LAN with a NAT between the LAN and a DMZ. The NAT will be a Cisco 2500 running their new 11.2.1 release. There will also be a Cisco 2500 between the Internet and the DMZ. I will be using the Ciscos as network layer firewalls by using extended IP Access lists.
>
>Are there any application layer firewalls out there that would be useful for a small LAN such as this? Can anyone recommend a few to look at? Does the above plan sound coherent?
>
>Also, in an unrelated request, does anyone know of a good Windows NT mailing list or perhaps a place that holds a list of mailing lists?
>
>Thanks,
>Irwin Lazar
>Network Evolutions, Inc.
> > Jim Lester, Business Alliance Manager Altavista Internet Software Digital Equipment Corporation http://altavista.software.digital.com voice: 404.843.9645 From firewalls-owner Sat Oct 5 19:41:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15424 for firewalls-outgoing; Sat, 5 Oct 1996 06:28:59 -0700 (PDT) Received: from internet_host (internet_host.spmu.rssi.ru [194.85.234.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA11999 for ; Sat, 5 Oct 1996 06:10:53 -0700 (PDT) Received: from proliant.spmu.rssi.ru by internet_host (NTMail 3.01.03) id na030745; Sat, 5 Oct 1996 15:47:53 +0300 Message-ID: <32564B8D.4796@spmu.rssi.ru> Date: Sat, 05 Oct 1996 15:50:37 +0400 From: Lawrence Beobachter X-Mailer: Mozilla 2.0 (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: DMZ server References: <2.2.32.19961003154359.00769410@pop-srvr> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Info: Evaluation version at internet_host Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello! I saw this term here several times in connection with bastion host. What does this acronym mean? From firewalls-owner Sat Oct 5 19:57:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA19448 for firewalls-outgoing; Sat, 5 Oct 1996 17:57:47 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA25866 for ; Sat, 5 Oct 1996 07:28:19 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id KAA09000; Sat, 5 Oct 1996 10:33:53 -0500 From: Adam Shostack Message-Id: <199610051533.KAA09000@homeport.org> Subject: Re: NT FTPd? 
To: Russ.Cooper@RC.Toronto.on.ca (Russ) Date: Sat, 5 Oct 1996 10:33:52 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Russ" at Oct 5, 96 09:42:31 am X-Mailer: ELM [version 2.4 PL24 ME8b] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Russ wrote:
| The IIS FTPd can do authentication using Windows NT accounts from the server's SAM database. It's important to note that these logins will be sent in clear text, so someone sniffing could get valid NT User account information by watching an FTP login sequence.

That's part of the FTP protocol, but thanks for pointing it out. The accounts will hopefully be tied down so that they can only ftp, so the sniffing is less of a problem.

| The .. bug that plagued the earlier FTPd has long been fixed in the IIS FTPd, and today, the IIS FTPd is considered quite stable and secure. It

When I say software is secure, I usually mean that I've done a design review and a source inspection of it. If I can't do the source review I examine binaries with a debugger and other tools (strings, ar, nm, ldd are all useful) to try to get an idea of what it can do. I also run it under a monitor (truss, ktrace, trace) and watch what it does. Doing these things builds my confidence level that it doesn't make any nasty calls. Many people have told me that the IIS ftpd is secure, and I'm wondering what generates that confidence.

--
"Every year the Republicans campaign like Libertarians, and then go to Washington and spend like Democrats."

Vote Harry Browne for President.
http://www.harrybrowne96.org From firewalls-owner Sat Oct 5 20:11:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA17241 for firewalls-outgoing; Sat, 5 Oct 1996 17:28:05 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA07060 for ; Fri, 4 Oct 1996 19:30:59 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id SAA09212; Fri, 4 Oct 1996 18:21:27 -0700 Received: from mail13.digital.com(192.208.46.30) by mycroft via smap (V1.3mjr) id sma009184; Fri Oct 4 18:20:49 1996 Received: from whyvms.ako.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV) id VAA29051; Fri, 4 Oct 1996 21:17:47 -0400 (EDT) Received: from isbu-mail.ljo.dec.com by whyvms.ako.dec.com (5.65/MS-010395) id AA12289; Fri, 4 Oct 1996 21:16:09 -0400 Received: from tun-26.imc.das.dec.com [16.136.208.26] (HELO ccstest44) by isbu-mail.ljo.dec.com (AltaVista Mail V1.0/1.0 BL17 listener) id 0000_0042_3255_b751_d5db; Fri, 04 Oct 1996 21:18:09 -0400 Message-Id: <1.5.4.32.19961005020012.006c8938@isbu-mail.ljo.dec.com> X-Sender: jim.lester@isbu-mail.ljo.dec.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 04 Oct 1996 21:00:12 -0500 To: "Steven E. Matkoski" , Firewalls@GreatCircle.COM From: Jim Lester Subject: Re: cisco 2511 file transfer through firewall. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Steve, Digital's AltaVista Tunnels will allow your folks access through your firewall and into your intranet for ftp, web, mail, telnet and file and print services. The tunnels provide 512bit authentication and 128bit RSA RC4 encryption of all traffic. The cost is about $150 per user, turnkey. Go to the URL in my address line to download an eval copy. At 10:08 AM 10/4/96 -0400, Steven E. 
Matkoski wrote: >I am trying to set up a dial-in service for our company and would like >to know how to handle file transfers between a terminal server and the >firewall. Here is the layout: I have 4 cisco 2511's connected to the >perimeter network (ethernet), which is attached to my firewall. I have >to support async file transfers (X,Y,Z modem) to a ftp server within >the secure network, how do terminal servers handle such transfers? >do they convert to ftp? I dont know which ports to open for these >transfers. Any help is appreciated. > >-- > >Thanks! >-steve. >matkoski@dreamscape.com > Jim Lester, Business Alliance Manager Altavista Internet Software Digital Equipment Corporation http://altavista.software.digital.com voice: 404.843.9645 From firewalls-owner Sat Oct 5 20:14:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA18168 for firewalls-outgoing; Sat, 5 Oct 1996 17:34:46 -0700 (PDT) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA07105 for ; Fri, 4 Oct 1996 19:31:06 -0700 (PDT) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-960123) id SAA09219; Fri, 4 Oct 1996 18:21:27 -0700 Received: from mail13.digital.com(192.208.46.30) by mycroft via smap (V1.3mjr) id sma009187; Fri Oct 4 18:20:59 1996 Received: from whyvms.ako.dec.com by mail13.digital.com (8.7.5/UNX 1.2/1.0/WV) id VAA20894; Fri, 4 Oct 1996 21:19:43 -0400 (EDT) Received: from isbu-mail.ljo.dec.com by whyvms.ako.dec.com (5.65/MS-010395) id AA12318; Fri, 4 Oct 1996 21:18:04 -0400 Received: from tun-26.imc.das.dec.com [16.136.208.26] (HELO ccstest44) by isbu-mail.ljo.dec.com (AltaVista Mail V1.0/1.0 BL17 listener) id 0000_0042_3255_b7d2_d60b; Fri, 04 Oct 1996 21:20:18 -0400 Message-Id: <1.5.4.32.19961005020221.006c2550@isbu-mail.ljo.dec.com> X-Sender: jim.lester@isbu-mail.ljo.dec.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 
1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 04 Oct 1996 21:02:21 -0500 To: "Steven E. Matkoski" , Firewalls@GreatCircle.COM From: Jim Lester Subject: Re: cisco 2511 file transfer through firewall. Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Steve, (Oops!, the prior email made it sound like the eval was $150. The eval is of course free! Sorry!) Digital's AltaVista Tunnels will allow your folks access through your firewall and into your intranet for ftp, web, mail, telnet and file and print services. The tunnels provide 512bit authentication and 128bit RSA RC4 encryption of all traffic. The cost is about $150 per user, turnkey. Go to the URL in my address line to download a free eval copy. At 10:08 AM 10/4/96 -0400, Steven E. Matkoski wrote: >I am trying to set up a dial-in service for our company and would like >to know how to handle file transfers between a terminal server and the >firewall. Here is the layout: I have 4 cisco 2511's connected to the >perimeter network (ethernet), which is attached to my firewall. I have >to support async file transfers (X,Y,Z modem) to an ftp server within >the secure network, how do terminal servers handle such transfers? >do they convert to ftp? I don't know which ports to open for these >transfers. Any help is appreciated. > >-- > >Thanks! >-steve.
>matkoski@dreamscape.com > Jim Lester, Business Alliance Manager Altavista Internet Software Digital Equipment Corporation http://altavista.software.digital.com voice: 404.843.9645 From firewalls-owner Sat Oct 5 20:32:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA20596 for firewalls-outgoing; Sat, 5 Oct 1996 18:05:13 -0700 (PDT) Received: from su1.in.net (su1.in.net [199.0.62.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA00693 for ; Sat, 5 Oct 1996 07:57:18 -0700 (PDT) Received: from pm2-14.in.net by su1.in.net with SMTP (5.65/1.2-eef) id AA09342; Sat, 5 Oct 96 09:54:19 -0400 Date: Sat, 5 Oct 96 09:54:19 -0400 Message-Id: <9610051354.AA09342@su1.in.net> X-Sender: frankw@in.net X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.com From: Frank Willoughby Subject: Re: Gauntlet vs. Sidewinder Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 01:22 PM 10/4/96 -0400, "K.M. Goertzel" allegedly wrote: >Now, can someone explain to me why Sidewinder doesn't appear on the NCSA's list >of "blessed" firewalls - at least it doesn't according to the press release I >received? I could venture a guess - they don't feel there is any added value in being added to NCSA's list and I would agree with their choice. A cursory examination of the firewalls which made it into the list would tend to support my conclusion. Many (can we spell most) of the firewalls mentioned in their list are susceptible to a couple of types of attacks. Also, of all of the firewalls on their list, there are only one or two that I would consider recommending to a client. This brings me to another subject. Several companies have been getting into the business of "certifying" firewalls and from what I have seen so far, I'm rather underwhelmed at the results.
Some companies will run the satan/santa or other product against a firewall and then "certify" it - if the firewall passes the test. IMHO, the free satan/santa tool is vastly overrated and will (at best) tell you if the sysadmin has made a feeble attempt at keeping up with the CERT advisories and has been trying to keep the patches current. This is a far cry from the ability to protect the corporation's networks from an attack by a determined hacker over the Internet. While I am not really wild about firewall certifications, nor am I thrilled about the apparent conflict-of-interest issues surrounding the certifications, my main gripe is with the methodologies used to approve the firewalls. Personally, I would recommend that they re-examine the methodologies and come up with better tests. FWIW, Marcus Ranum wrote a good article about "firewall certifications". Last time I checked, it could be found on V-ONE's home page. >K.M. Goertzel * Manager, Business Development >Secure Systems & Services Operation * WANG FEDERAL, Inc. >tel (703)827 3914 * fax (703)827 3161 * email goertzek@wangfed.com > >"An elephant: a mouse built to government specifications" > - Robert Heinlein Best Regards, Frank Any sufficiently advanced bug is indistinguishable from a feature. -- Rich Kulawiec The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. Fortified Networks Inc.
- Information Security Consulting http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817 Home of the Free Internet Firewall Evaluation Checklist From firewalls-owner Sat Oct 5 20:41:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA12965 for firewalls-outgoing; Sat, 5 Oct 1996 20:05:35 -0700 (PDT) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA12947 for ; Sat, 5 Oct 1996 20:05:26 -0700 (PDT) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id VAA01202; Sat, 5 Oct 1996 21:56:51 -0400 Date: Sat, 5 Oct 1996 21:56:48 -0400 (EDT) From: Rabid Wombat To: John J McMahon cc: firewalls@GreatCircle.COM Subject: Re: ATM Firewalls In-Reply-To: <32513C32.13728473@tis.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I don't doubt this can be built, but I DO wonder how well the firewall was able to keep up with the load. Do you have any info on the performance? TIA -r.w. On Tue, 1 Oct 1996, John J McMahon wrote: > Dr. Bill Hancock wrote: > > (edited) > > FYI, there were two refereed papers on high-speed firewalls > > delivered at the April 1996 InterOP show in Las Vegas... > > FYI - > > The Firewall in the NOC at Interop Las Vegas and Atlanta > this year was partially on ATM. I can't speak for the Las > Vegas design (I didn't build it), but the Atlanta design was > a three interface system consisting of: > > - 10 Mbps Ethernet - Inside Interface 1 > - 155 Mbps ATM (LANE) - Inside Interface 2 > - 100 Mbps FDDI - Outside Interface > > The base system was a Sun SparcStation 20, running SunOS 4.1.4 > and TIS Gauntlet 3.1.1. The FDDI and ATM boards came from > Interphase. 
> > Cheers, > John > -- > John "FuzzFace" McMahon > Gauntlet Internet Firewall Technical Support > Support: gauntlet-support@trusted.com, 301-527-9555, 301-527-0482 (fax) > Pennsic XXV: Cry Havoc... And let slip the golf carts of War... > Is this a comment on the "new affluence" of SCA members in the information age? :) -r.w. From firewalls-owner Sat Oct 5 21:18:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA25240 for firewalls-outgoing; Sat, 5 Oct 1996 20:58:06 -0700 (PDT) Received: from hustle.rahul.net (hustle.rahul.net [192.160.13.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA24906 for ; Sat, 5 Oct 1996 20:57:02 -0700 (PDT) Received: from mistik.UUCP by hustle.rahul.net with UUCP id AA28476 (5.67b8/IDA-1.5 for firewalls@greatcircle.com); Sat, 5 Oct 1996 20:56:37 -0700 Received: by mistik.express.net (UUPC/extended 1.12r); Sat, 05 Oct 1996 23:56:20 -0400 Message-Id: <32572de4.mistik@mistik.express.net> Date: Sat, 05 Oct 1996 23:56:07 -0400 From: "Mustafa Soysal MS57" Organization: . To: firewalls@greatcircle.com Subject: inability of Greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well folks, I have tried to get off this list by sending messages to majordomo@greatcircle.com which seemed to be maintained by MSen.com at some point which explains why things are broken. I don't see any other way than start bouncing the mail back for getting off the list. A company involved in firewalls should be able to find a better internet provider to run their list and even help them protect their machines with firewalls. Something isn't working in that picture ;) Goodbye! 
Mustafa Soysal From firewalls-owner Sat Oct 5 22:11:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA04309 for firewalls-outgoing; Sat, 5 Oct 1996 22:02:58 -0700 (PDT) Received: from [198.102.244.97] (pb520-ppp.greatcircle.com [198.102.244.97]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id WAA04290; Sat, 5 Oct 1996 22:02:42 -0700 (PDT) X-Sender: brent@miles.greatcircle.com Message-Id: In-Reply-To: <32572de4.mistik@mistik.express.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 5 Oct 1996 23:57:47 -0600 To: "Mustafa Soysal MS57" , firewalls@greatcircle.com From: Brent Chapman Subject: Re: inability of Greatcircle.com Cc: mcb@greatcircle.com, postmaster@mistik.express.net, postmaster@express.net Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 11:56 PM -0400 10/5/96, Mustafa Soysal MS57 wrote: >Well folks, I have tried to get off this list by sending messages to >majordomo@greatcircle.com which seemed to be maintained by MSen.com at >some point which explains why things are broken. The Firewalls mailing list has never been maintained by anyone other than GreatCircle.COM. Great Circle Associates is not currently, and never has been, a customer, partner, vendor, or any other affiliate of MSen. I've checked the archive of messages sent to Majordomo@GreatCircle.COM so far this month; we haven't received any containing the strings "mustaafa" or "express.net". >I don't see any other way than start bouncing the mail back for getting >off the list. A petty tantrum of vandalism, in other words. How about something as radical as forwarding copies of the messages you've gotten to me, or to Postmaster@GreatCircle.COM, so that we can take a look at them and maybe figure out what's going on? >A company involved in firewalls should be able to find a better internet >provider to run their list and even help them protect their machines >with firewalls. 
Something isn't working in that picture ;) We're quite happy with our Internet service provider, thank you, though you seem a little confused as to who that is. We run our own mailing lists, and always have, though you seem certain it is otherwise. Maybe you're not looking at the same picture I am? >Goodbye! > >Mustafa Soysal Good riddance. -Brent ----------------------+----------------------------+------------------------ Brent Chapman | Great Circle Associates | 1057 West Dana Street Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041 ----------------------+----------------------------+------------------------ Internet Tutorials from the Experts! From firewalls-owner Sat Oct 5 23:33:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA11346 for firewalls-outgoing; Sat, 5 Oct 1996 23:15:58 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id XAA11329 for firewalls@greatcircle.com; Sat, 5 Oct 1996 23:15:48 -0700 (PDT) Received: from giswitch.sggw.waw.pl (giswitch.sggw.waw.pl [148.81.186.111]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA12086 for ; Fri, 4 Oct 1996 10:08:08 -0700 (PDT) Received: (from guest@localhost) by giswitch.sggw.waw.pl (8.6.12/8.6.9) id SAA12600 for ; Fri, 4 Oct 1996 18:57:59 +0100 Posted-Date: Fri, 4 Oct 1996 18:57:59 +0100 Received: from localhost(127.0.0.1) by giswitch.sggw.waw.pl via smap (V1.3) id sma012597; Fri Oct 4 18:57:02 1996 Date: Fri, 4 Oct 1996 18:57:02 +0100 (MET) From: Marek Czajko To: firewalls@GreatCircle.COM Subject: Re: Welcome to fwtk-users In-Reply-To: <3221.9610041339@gmap.leeds.ac.uk> Message-ID: Organization: DSIS&FG WAU Rakowiecka 26/30 02-528 Warsaw Poland MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 4 Oct 1996, Danny Cox wrote: > [To unsubscribe from this list send the message "unsubscribe fwtk-users" in the > 
BODY of a mail message to majordomo@tis.com.] > > > > [To unsubscribe from this list send the message "unsubscribe fwtk-users" in the > > BODY of a mail message to majordomo@tis.com.] > > > > Anyone else getting messages with a lot of these in? I've had about ten today so far. > I also --- Marek Czajko ( e-mail: mcj@giswitch.sggw.waw.pl ) ( Address, PGP public key: finger info@giswitch.sggw.waw.pl ) --- Department of Spatial Information Systems and Forest Geodesy Warsaw Agricultural University From firewalls-owner Sat Oct 5 23:56:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA11358 for firewalls-outgoing; Sat, 5 Oct 1996 23:16:13 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id XAA11349 for firewalls@greatcircle.com; Sat, 5 Oct 1996 23:16:03 -0700 (PDT) Received: from smtp2.interramp.com (smtp2.interramp.com [38.8.200.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA18933 for ; Fri, 4 Oct 1996 11:12:02 -0700 (PDT) Received: from davidh.interramp.com by smtp2.interramp.com (8.6.12/SMI-4.1.3-PSI-irsmtp) id OAA29315; Fri, 4 Oct 1996 14:11:33 -0400 Message-ID: <32555FE9.1BAD@checkpoint.com> Date: Fri, 04 Oct 1996 14:05:13 -0500 From: David Helms Organization: CheckPoint Software Technologies X-Mailer: Mozilla 2.02Gold (Win95; I) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: [Fwd: Re: Gauntlet vs. Sidewinder] Content-Type: multipart/mixed; boundary="------------619227BD5283" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. --------------619227BD5283 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Joav, I disagree with the concept of ever letting anyone connect to the firewall unless it provides significant value. Stateful inspection lets you route through the firewall securely without ever having to connect to the firewall.
David -- __________________________________ David Helms Senior Technical Consultant CheckPoint Software Technologies ph 703.684.4824 fx 703.684.4847 davidh@checkpoint.com __________________________________ --------------619227BD5283 Content-Type: message/rfc822 Content-Transfer-Encoding: 7bit Content-Disposition: inline Return-Path: Received: from cale.checkpoint.com by us.checkpoint.com (5.x/SMI-SVR4) id AA26139; Thu, 3 Oct 1996 12:55:37 -0700 Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by cale.checkpoint.com (8.7.5/8.7.1) with ESMTP id WAA01472 for ; Thu, 3 Oct 1996 22:52:25 +0200 (IST) Received: from miles.greatcircle.com by relay5.UU.NET with ESMTP (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) id QQbjwh28938; Thu, 3 Oct 1996 15:48:58 -0400 (EDT) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09288 for firewalls-outgoing; Thu, 3 Oct 1996 10:13:10 -0700 (PDT) Received: from gatekeep.us.landisgyr.com (gatekeep.us.landisgyr.com [206.175.68.122]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA09246; Thu, 3 Oct 1996 10:12:57 -0700 (PDT) Received: by gatekeep.us.landisgyr.com; id JAA24079; Thu, 3 Oct 1996 09:06:43 -0400 Received: from unknown(204.207.110.148) by gatekeep.us.landisgyr.com via smap (V3.1) id xmac24042; Thu, 3 Oct 96 09:06:33 -0400 Received: from mailrelay.us.landisgyr.com by pmdf.us.landisgyr.com (PMDF V5.0-4 #10101) id <01IA7ELGC48000042X@pmdf.us.landisgyr.com>; Thu, 03 Oct 1996 11:59:12 -0500 (CDT) Received: with PMDF-MR; Thu, 03 Oct 1996 07:06:32 -0500 (CDT) Mr-Received: by mta PFMSV1.MUAS; Relayed; Thu, 03 Oct 1996 07:06:32 -0500 Mr-Received: by mta PFMSV1; Relayed; Thu, 03 Oct 1996 07:06:32 -0500 Mr-Received: by mta PFMMRX; Relayed; Thu, 03 Oct 1996 07:07:59 -0500 Disclose-Recipients: prohibited Date: Thu, 03 Oct 1996 07:06:32 -0500 (CDT) From: Joav Kohn Subject: Re: Gauntlet vs. 
Sidewinder In-Reply-To: <9610030326.AA03445@ukn0.garrison.com> To: firewalls-owner , jeromie , "david.helms" Cc: firewalls Message-Id: <2432060703101996/A00383/PFMSV1/11AA19C61F00*@MHS.us.landisgyr.com> Autoforwarded: false Mime-Version: 1.0 Content-Transfer-Encoding: 7BIT Importance: normal Sensitivity: Company-Confidential Ua-Content-Id: 11AA19C61F00 X400-Mts-Identifier: [;2432060703101996/A00383/PFMSV1] Hop-Count: 2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Content-Type: TEXT/PLAIN; CHARSET=US-ASCII X-Mozilla-Status: 0011 > 1) People generally have their SMTP server sitting somewhere within > the "[Internal Net]". The firewall would say something like "We only allow > connections to port 25 of the SMTP gateway". If the SMTP gateway is sitting > inside, the perimeter is broken. > The proper way to set this up is to have the firewall itself accept mail with smapd and sendmail v8.6 and then re-route that mail to the internal servers. The internal servers are never vulnerable to an attack because the outside world cannot talk directly to them. > > 2) If the internet SMTP gateway sits on the DMZ, and the customer > has several internal SMTP gateways that distribute all the mail, then again, > the SMTP gateway on the DMZ would have access to send data to the inside SMTP > hosts, thus providing information flow. If the internal SMTP gateways are > vulnerable to attack (i.e. versions of sendmail that have problems, i.e. ALL) then > again, the perimeter is broken. > The best way to secure things is to assume nothing is secure on your internal network. Reduce your points of failure on the DMZ, and trust nothing. If you make sure that your DMZ versions of sendmail are secure and they talk to your internal servers, no direct communication ever takes place from the external network to the internal network.
-joav --------------619227BD5283-- From firewalls-owner Sun Oct 6 01:26:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA29226 for firewalls-outgoing; Sun, 6 Oct 1996 00:22:04 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id AAA29152 for firewalls@greatcircle.com; Sun, 6 Oct 1996 00:21:41 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id WAA09854 for firewalls; Sat, 5 Oct 1996 22:57:10 -0700 (PDT) Message-Id: <199610060557.WAA09854@miles.greatcircle.com> From: mcb@greatcircle.com (Michael C. Berch) Date: Sat, 5 Oct 1996 22:57:09 +0000 In-Reply-To: <32572de4.mistik@mistik.express.net> X-Mailer: Mail User's Shell (7.2.5 10/14/92) To: firewalls Subject: Re: inability of Greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "Mustafa Soysal MS57" wrote: > Well folks, I have tried to get off this list by sending messages to > majordomo@greatcircle.com which seemed to be maintained by MSen.com at > some point which explains why things are broken. > > I don't see any other way than start bouncing the mail back for getting > off the list. Just to follow up on Brent's response to this, please be assured that the Majordomo server here is working just fine, and no, we have no idea what he's talking about either. :-) -- Michael C. 
Berch Postmaster and List Manager, Great Circle Associates mcb@greatcircle.com From firewalls-owner Sun Oct 6 07:42:17 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA10658 for firewalls-outgoing; Sun, 6 Oct 1996 07:26:49 -0700 (PDT) Received: from po-external.FCNBD.COM ([147.113.146.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA10648 for ; Sun, 6 Oct 1996 07:26:40 -0700 (PDT) Received: from po-internal.FCNBD.COM (internalhost.FCNBD.COM [147.113.104.10]) by po-external.FCNBD.COM (8.7.5/fcnbd/domain/1.5.1) with ESMTP id JAA28922; Sun, 6 Oct 1996 09:29:20 -0500 (CDT) Received: from abacab.cmg.FCNBD.COM (abacab.cmg.FCNBD.COM [147.113.112.11]) by po-internal.FCNBD.COM (8.7.5/fcnbd/internal-domain/1.4.1) with ESMTP id JAA23788; Sun, 6 Oct 1996 09:27:13 -0500 (CDT) Received: from abernathy.cmg.FCNBD.COM (pmarc@abernathy.cmg.FCNBD.COM [147.113.118.125]) by abacab.cmg.FCNBD.COM (8.7.5/fcnbd/server-subdomain/2.3) with ESMTP id JAA06061; Sun, 6 Oct 1996 09:26:04 -0500 (CDT) Received: (from pmarc@localhost) by abernathy.cmg.FCNBD.COM (8.7.5/8.7.5) id JAA00290; Sun, 6 Oct 1996 09:26:02 -0500 (CDT) Message-Id: <199610061426.JAA00290@abernathy.cmg.FCNBD.COM> MIME-Version: 1.0 (NeXT Mail 3.3risc v118.3) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable In-Reply-To: <199610042030.AA03154@kcpgw2.kcp.com> X-Nextstep-Mailer: Mail 3.3 (Enhance 1.3) Received: by NeXT.Mailer (1.118.3) From: "Paul M. Cardon" Date: Sun, 6 Oct 96 09:25:46 -0500 To: dharris@kcp.com (Delmer Harris) Subject: Re: Financial transactions and firewalls. 
cc: firewalls@greatcircle.com, Colin Campbell Reply-To: pmarc@cmg.FCNBD.COM References: <199610042030.AA03154@kcpgw2.kcp.com> X-Warners: Yakko, Wakko, and Dot Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My MUA insists that dharris@kcp.com (Delmer Harris) wrote: > BTW: From a class I took at Interop I got the impression that SET > is not incompatible with firewalls because it rides on top of other > protocols which firewalls can handle. Is this impression correct? The SET protocol is designed to be transport independent. However, for the purposes of providing clear definitions of how transport mechanisms should be used to foster interoperability, a SET Transport Summit will be held in Dallas, Texas, USA from Monday, October 28 through Wednesday, October 30. The results of this summit will be published in a new Book 4 to be added to the three books of the current SET specification. --- Paul M. Cardon - System Officer Capital Markets Systems - First Chicago NBD Corporation pmarc@cmg.fcnbd.com - (312) 732-7392 I never give them hell. I just tell the truth and they think it's hell. - H.
Truman MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e From firewalls-owner Sun Oct 6 11:26:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA21703 for firewalls-outgoing; Sun, 6 Oct 1996 11:16:30 -0700 (PDT) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id LAA21654 for firewalls@greatcircle.com; Sun, 6 Oct 1996 11:16:18 -0700 (PDT) Received: from lokkur.dexter.mi.us (lokkur.dexter.mi.us [148.59.2.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA16676 for ; Sun, 6 Oct 1996 09:21:34 -0700 (PDT) Received: (from scs@localhost) by lokkur.dexter.mi.us (8.7.5/8.7.5/lokkur-1.1-scs) id MAA23849; Sun, 6 Oct 1996 12:20:42 -0400 (EDT) To: firewalls@GreatCircle.COM Path: lokkur.dexter.mi.us!not-for-mail From: scs@lokkur.dexter.mi.us (Steve Simmons) Newsgroups: local.firewalls Subject: Re: inability of Greatcircle.com Date: 6 Oct 1996 12:20:41 -0400 Organization: Inland Sea Lines: 13 Distribution: local Message-ID: <538m8p$n96@lokkur.dexter.mi.us> References: <32572de4.mistik@mistik.express.net> X-Newsreader: NN version 6.5.0 CURRENT #2 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "Mustafa Soysal MS57" writes: >Well folks, I have tried to get off this list by sending messages to >majordomo@greatcircle.com which seemed to be maintained by MSen.com at >some point which explains why things are broken. For the record, Msen never ran the firewalls mailing list nor maintained majordomo. I ought to know, I was an owner at Msen. -- ``There is sufficient body of legal precedent allowing that you can't have obscenity when you have a work that has ideas of even the slightest social importance. Ideas, Mr. Bacchus. What did your wooden pecker represent?'' ``I have no idea.
It was my birthday.'' -- Eddie Campbell, Bacchus #16 From firewalls-owner Sun Oct 6 13:26:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA28472 for firewalls-outgoing; Sun, 6 Oct 1996 13:09:58 -0700 (PDT) Received: from news.be.innet.net (news.be.innet.net [194.7.1.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA28465 for ; Sun, 6 Oct 1996 13:09:47 -0700 (PDT) Received: from pool011-28.innet.be (pool011-28.innet.be [194.7.12.59]) by news.be.innet.net (8.7.6/8.7.3) with SMTP id WAA16252; Sun, 6 Oct 1996 22:09:05 +0200 (MET DST) Message-Id: <199610062009.WAA16252@news.be.innet.net> X-Sender: fdehert@pophost.innet.be X-Mailer: Windows Eudora Version 1.4.4 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sun, 06 Oct 1996 22:13:23 -0100 To: patton@sysnet.net From: fdehert@innet.be (Frank J.J. De Hert) Subject: Re: NT Security Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >> This is true if the user hasn't taken ownership of certain directories and >> set the permissions such that only the user has access. For even an > >ahh, so local users have FULL CONTROL so they can play havoc with file Discretionary Access Control does mean just that, the user can decide who gets access to his/her OWN files, and what kind of access. However, it does not mean that the user should have full control of 'system files', especially executables. One of the main principles you have to stick by when securing a computer system is making sure that system executables are read and/or execute (whichever is appropriate for your O.S.) ONLY. NT however demands that a lot of executables (mostly .DLLs) are Change enabled for Everyone. Well, bring in the Trojan Horses... >ownership and permissions? You got a bigger problem. 
>I don't blame >you, NT's permissions out of the box are bar none the worst in the As I mentioned in one of my previous msgs, we're used to a VMS environment, and when we looked at how NT came out of the box we nearly had a fit. We tried to mimic VMS file protections, which resulted in a setup that was useless to the users. e.g. MSOffice shortcut bar showed only question marks instead of the usual icons (small problem to us but not, apparently, to the majority of users. Mind you, for the Administrator the shortcut bar had all its correct icons!), Word stopped working, PowerPoint had problems, help files wouldn't open, etc, etc, etc, ... >industry. I bet 99.9% of admins don't even look to see how bad it >really is. Tightening them up can be quite a chore, especially when >you're doing it by trial and error. But I've managed to pull it off on >one of our public boxes. Was a several-week hassle though. After running around fixing files left and right, we're now at the point where we, sadly enough, give Everyone (shudder) full control and then deny access to a list of directories and files half a mile long. We hope we have most files covered, but if your method works well, maybe you'd like to share it with us so we can try it out and compare. Because currently, of course, users can still play havoc on their 'own' drive and trash any of the applications they have installed. > > -- Frank De Hert System/Security Manager NATO Programming Centre. "It's the damndest job, but some poor schmuck has to do it!"
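As an added example, not from the thread or from any of its posters, here is a PowerShell audit script for the weakness Frank De Hert describes above: system executables (.EXE, .DLL and friends) that a broad group such as Everyone or Users is allowed to modify, which is exactly what a Trojan horse needs. It assumes PowerShell 5.1 or later on Windows and enough rights to read the ACLs; the directory list, extension list and principal names are this example's own choices, not anything stated in the post.

```powershell
# Added example, not from the original thread: report executables under the
# Windows and Program Files trees that broad principals are allowed to modify.
# Assumptions: PowerShell 5.1+ on Windows; the directories, extensions and
# principal names below are this example's choices.

# FileSystemRights values that let a principal alter, replace or re-ACL a file.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Principals that should never be able to change system executables.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-BroadWriteAce {
    # True when one ACE *allows* a broad principal any write-class right.
    # Deny ACEs and narrow principals (Administrators, SYSTEM) are ignored.
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    ($Ace.AccessControlType -eq 'Allow') -and
    ($Ace.IdentityReference.Value -in $BroadPrincipals) -and
    (($Ace.FileSystemRights -band $WriteMask) -ne 0)
}

function Get-WritableExecutable {
    # Walk the given trees and emit one record per offending ACE.
    param(
        [string[]]$Path = @("$env:SystemRoot", "$env:ProgramFiles"),
        [string[]]$Extension = @('.exe', '.dll', '.sys', '.ocx', '.cpl', '.drv')
    )
    foreach ($dir in $Path) {
        Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in $Extension } |
            ForEach-Object {
                $file = $_
                try   { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop }
                catch { return }   # unreadable ACL: skip this file
                foreach ($ace in $acl.Access) {
                    if (Test-BroadWriteAce -Ace $ace) {
                        [pscustomobject]@{
                            File      = $file.FullName
                            Principal = $ace.IdentityReference.Value
                            Rights    = $ace.FileSystemRights
                            Inherited = $ace.IsInherited
                        }
                    }
                }
            }
    }
}

# Run the audit; pipe to Export-Csv instead of Format-Table to keep a review list.
Get-WritableExecutable | Sort-Object File | Format-Table -AutoSize
```

The script only reports; it changes nothing, because the post itself shows why blanket ACL changes under the system tree break applications. Rows with Inherited set to True point at a directory-level ACE rather than the file, so the fix belongs on the parent directory, and the remaining rows are the per-file exceptions that the "list half a mile long" in the post would otherwise have to enumerate by hand.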
From firewalls-owner Sun Oct 6 17:45:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA11409 for firewalls-outgoing; Sun, 6 Oct 1996 17:32:12 -0700 (PDT) Received: from LIVEDGAR.gsionline.com (livedgar.gsionline.com [204.254.209.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA11389 for ; Sun, 6 Oct 1996 17:32:03 -0700 (PDT) Received: from LIVEDGAR.gsionline.com by LIVEDGAR.gsionline.com (NTMail 3.02.09) with ESMTP id na034541 for ; Sun, 6 Oct 1996 20:31:00 -0400 X-Sender: nbk#204.254.209.2@192.168.0.22 X-Mailer: Windows Eudora Version 1.4.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: dharris@kcp.com (Delmer Harris) From: nkeenan@gsionline.com (Nick Keenan) Subject: Re: Financial transactions and firewalls. Cc: firewalls@greatcircle.com, Colin Campbell Date: Sun, 6 Oct 1996 20:31:00 -0400 Message-Id: <00310073409783@gsionline.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As an application developer I have to respond: 1. The "gentleman" from the original post was out of bounds. It should be obvious to anyone who's got an eye on the 'net these days that proxying is the wave of the future, and will be getting much bigger. It solves a lot of problems, and not just with security, but with administration and network design. Anyone writing software these days tha