From firewalls-owner Sun Dec 1 11:25:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA09975 for firewalls-outgoing; Sun, 1 Dec 1996 11:13:12 -0800 (PST)
Received: from relay.ashton.csc.com (relay.ashton.csc.com [20.2.54.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA09948 for ; Sun, 1 Dec 1996 11:12:57 -0800 (PST)
Received: by relay.ashton.csc.com; id OAA08018; Sun, 1 Dec 1996 14:13:45 -0500
Received: from mccoy.ashton.csc.com(20.2.51.2) by relay.ashton.csc.com via smap (g3.0.1) id sma008013; Sun, 1 Dec 96 14:13:30 -0500
Received: (from jhkerr@localhost) by mccoy.ashton.csc.com (8.6.12/8.6.9) id PAA03231; Sun, 1 Dec 1996 15:11:30 -0500
Date: Sun, 1 Dec 1996 15:11:30 -0500 (EST)
From: "John H. Kerr"
To: "Steve M. Dussault"
cc: firewalls@GreatCircle.COM, daveh@bscg.com, jonhb@bscg.com
Subject: Re: FW-1 Authentication with SecurID
In-Reply-To: <329CEB06.5DBA@awuwi.mv.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steve,

I believe that this will be handled in version 3.0 of Firewall-1, but for right now you must go to the Firewall first, authenticate yourself, and once successful you can then go on to your desired site. From the stuff that I have read, with 3.0 all you will have to do is go to your final destination and the firewall will authenticate in between. There will be no need to go to the Firewall first.

On Wed, 27 Nov 1996, Steve M. Dussault wrote:

> Greetings:
>
> I am looking for clarification on authentication with FW-1.
> Specifically transparent authentication. The scenario is that an end
> user needs to connect from the internal network to an external
> destination. ( I know the scenario is backwards !) The requested
> security implementation is that the user authenticates themselves via
> SecurId and not have to go to the firewall and then to the final
> destination, but directly to the final destination.
>
> Can this be done??? If so, how? Do you have to load the authenticating
> daemons at installation time for this to work?
>
> Thank you in advance for your input and comments.
>
> Steve Dussault
>

From firewalls-owner Sun Dec 1 13:16:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA13094 for firewalls-outgoing; Sun, 1 Dec 1996 13:08:31 -0800 (PST)
Received: from m7.sprynet.com ([165.121.2.64]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA13086 for ; Sun, 1 Dec 1996 13:08:25 -0800 (PST)
From: jmperez@sprynet.com
Received: from [199.174.183.178] (dd52-178.compuserve.com [199.174.183.178]) by m7.sprynet.com (8.6.12/8.6.12) with SMTP id NAA19772; Sun, 1 Dec 1996 13:08:13 -0800
Date: Sun, 1 Dec 1996 13:08:13 -0800
Message-Id: <199612012108.NAA19772@m7.sprynet.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Subject: RE: V1 Smart Wall (Gauntlet)
To: "To: \"firewalls@greatcircle.com\"" , "'Michael.Lazar@telos.com'"
X-Mailer: SPRY Mail Version: 04.00.06.21
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi!

We are looking at V1 Smart Wall which is based on TIS Tool Kit (Gauntlet).

1. Is there anyone who can give us some pointers on install/config of this product?

2. Has anyone in the FW community tried any build-restore-break scenarios on this product?

Would greatly appreciate any feedback/comments/suggestions from those in the security field who have tried this product. You may reply direct to: jmperez@asprynet.com.

With warmest regards.

J. Perez
Chief Operating Officer

From firewalls-owner Sun Dec 1 13:56:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA14775 for firewalls-outgoing; Sun, 1 Dec 1996 13:54:12 -0800 (PST)
Received: from mesbne01.medeserv.com.au (mesbne01.medeserv.com.au [203.9.184.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA14759 for ; Sun, 1 Dec 1996 13:54:03 -0800 (PST)
Received: (from mail@localhost) by mesbne01.medeserv.com.au (8.7.4/8.7.3) id HAA29607 for ; Mon, 2 Dec 1996 07:53:56 +1000 (EST)
Received: from tooh199.medeserv.com.au(203.9.187.199) by mesbne01 via smap (V1.3) id /mail/incoming/sma029579; Mon Dec 2 07:53:30 1996
Message-ID: <32A20036.60BA@medeserv.com.au>
Date: Mon, 02 Dec 1996 08:01:39 +1000
From: Steven Herod
Reply-To: sherod@medeserv.com.au
Organization: Med-E-Serv Pty Ltd
X-Mailer: Mozilla 3.0 (WinNT; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: (MSIE3.0) - Re: ActiveX and Risks
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> This *can* be done. Microsoft provides (for the cost of shipping the
> CD-ROM) an administration kit that can be used to create an install
> set

The cost of distribution is more than the $20 shipping fee. You must change your web site to use IE specific features, issue press releases aligning yourself with Microsoft's internet strategy, install it on all the machines on your site and more.....

I still prefer IE's mail & news over Netscape and think ActiveX beats Java any day in producing something actually *useful*. If they didn't force you to sell your soul, everything would be okay :).
Best Regards
Steven Herod (And I like Microsoft products)

From firewalls-owner Sun Dec 1 14:29:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA15314 for firewalls-outgoing; Sun, 1 Dec 1996 14:12:46 -0800 (PST)
Received: from ns1.genuity.net (ns1.genuity.net [204.74.114.93]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA15305 for ; Sun, 1 Dec 1996 14:12:35 -0800 (PST)
Received: from x-files.genuity.net (x-files.genuity.net [204.74.125.103]) by ns1.genuity.net (8.7.3/8.7.3) with SMTP id PAA18204 for ; Sun, 1 Dec 1996 15:12:32 -0700 (MST)
Received: by x-files.genuity.net with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBDF9A.11907CA0@x-files.genuity.net>; Sun, 1 Dec 1996 15:12:29 -0700
Message-ID:
From: Douglas Cheline
To: "'Firewalls@GreatCircle.COM'"
Subject: Firewalls over NT vs. UNIX
Date: Sun, 1 Dec 1996 15:12:27 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The various Firewall vendors that I have spoken to have repeatedly stated that, even though their product does run over NT, running firewalls over UNIX is much more secure. The reasoning I get is that NT has some inherent vulnerabilities that cannot be plugged since the code is proprietary and closed. UNIX on the other hand is standards based and open, plus it has been on the market much longer and more efforts have been placed in plugging the holes there.

This sounds nice but not very convincing unless some hard facts are revealed. Can knowledgeable members of this forum tell me what those 'holes' in NT are? And is this a valid argument?

disclaimer: I, myself, prefer UNIX based applications but I don't have a facts based argument for that preference when it comes to firewalls.

Thanks in advance for your responses.
Regards,
>Douglas Cheline
>Senior Consultant Business Solutions
>
>G E N U I T Y, Inc.
>a Bechtel company
>
>dcheline@genuity.net http://www.genuity.net

From firewalls-owner Sun Dec 1 15:24:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA17994 for firewalls-outgoing; Sun, 1 Dec 1996 15:09:19 -0800 (PST)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA17974 for ; Sun, 1 Dec 1996 15:09:09 -0800 (PST)
Received: from mhoward-pc.cisco.com (mhoward-isdn1.cisco.com [171.68.19.2]) by diablo.cisco.com (8.6.12/CISCO.SERVER.1.1) with SMTP id PAA27456; Sun, 1 Dec 1996 15:09:03 -0800
Message-Id: <2.2.32.19961201225549.008d362c@diablo.cisco.com>
X-Sender: mhoward@diablo.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 01 Dec 1996 14:55:49 -0800
To: "Robert J. Brown" , Mike Shaver
From: Matthew Howard
Subject: Re: Cisco PIX
Cc: Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 02:22 AM 11/28/96 -0500, Robert J. Brown wrote:
>
>
>On Thu, 28 Nov 1996, Mike Shaver wrote:
>
>> Thus spake Robert J. Brown:
>> > And no, it is not a good idea to put the mailhub in the DMZ. Regardless of
>> > where you put it, sensitive corporate data is located on that machine. It
>> > should be inside the perimeter and incoming and outgoing mail proxied.
>>
>> Only if you've got sensitive corporate data travelling outside your
>> firewall in the clear. Which is, as you would say, bad bad bad.
>>
>
>If it is your corporate mailhub, I would assume it contains sensitive
>information. If you aren't using some form of an smtp proxy, an evil
>attacker can talk to your mailhub. If they can talk to your mailhub, odds
>are they can wreak havoc on sendmail. Mail has to get to the inside
>somehow, and without something to mitigate the risk you are asking for
>trouble.
>
>Again, I'm not saying Cisco didn't implement something like this. I don't
>know for sure. That's why I posed the question. What DOES PIX do to
>protect your internal network's sendmail? What type of proxying is done?
>Can an outside host EVER directly speak with sendmail?

We use a static conduit that is stateful.

Matt

>
>Robert J. Brown
>rjb@calyx.com
>
>
>
>
>

From firewalls-owner Sun Dec 1 15:39:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA18014 for firewalls-outgoing; Sun, 1 Dec 1996 15:09:34 -0800 (PST)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA17996 for ; Sun, 1 Dec 1996 15:09:21 -0800 (PST)
Received: from mhoward-pc.cisco.com (mhoward-isdn1.cisco.com [171.68.19.2]) by diablo.cisco.com (8.6.12/CISCO.SERVER.1.1) with SMTP id PAA27494; Sun, 1 Dec 1996 15:09:06 -0800
Message-Id: <2.2.32.19961201225552.0087fa90@diablo.cisco.com>
X-Sender: mhoward@diablo.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 01 Dec 1996 14:55:52 -0800
To: hagan@cih.com, "Robert J. Brown"
From: Matthew Howard
Subject: Re: Cisco PIX
Cc: Mike Shaver , Firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:06 AM 11/28/96 -0500, Craig I. Hagan wrote:
>> Again, I'm not saying Cisco didn't implement something like this. I don't
>> know for sure. That's why I posed the question. What DOES PIX do to
>> protect your internal network's sendmail? What type of proxying is done?
>> Can an outside host EVER directly speak with sendmail?
>
>can i try rewording some of this to the following: what if my security
>policy requires that certain applications not allow a direct circuit to an
>internet (hostile) host due to the potential risk of damage should the
>implementing software contain potential holes? Also, what if my security
>policy requires that not all features of certain applications be allowed,
>for example http is cool, java and/or activeX are not.
>
>From what i've heard (cisco, et al, please correct me should i be wrong),
>the PIX firewall doesn't handle the second situation (application layer
>filtering). heck, very few firewalls out of the box handle it, especially
>in quickly evolving application spaces like the web.

we do use proxy technology as a way of doing authentication. As with our multimedia support, we can handle some policy at the application layer. Since our OS is actually a realtime embedded OS, we have high performance (the kernel is approx. 10k bytes, we run from flash). The key is we are stateful and on many protocols peek into the application layer, like vdo live, cuseeme, IRC, ftp... Our cut-through technology gives us lots of future flexibilities..

>
>could someone from cisco give an opinion on whether the following
>would be a reasonable use for their PIX firewall, and whether
>this is the intended use:
>
>'net ---- PIX --- proxy app server
>            |
>            |
>       internal net
>
>thus the PIX machine (or competing product) could give me protocol layer
>protection for both the internal net and the proxy app server. the proxy
>app server would then handle certain applications which required
>additional action above and beyond what PIX,et al, provides -- http
>proxying/activeX blocking, perhaps it might be a java VM which could
>execute java and relay display information to the desktop, etc, process
>mail to reduce the chance that someone could ship tainted binaries or
>whatever in attachments, etc etc etc. [note: if you want to argue the
>merits of the above kooky ideas, lets make it an offline thread, i'm
>making them up as i go]

we have some customers that do this.

Matt

>
>
>-- craig
>
>-------------------------------------------------------------------------------
>Craig I. Hagan "It's a small world, but I wouldn't want to back it up"
>hagan@cih.com "True hackers don't die, their ttl expires"
>
>
>
>
>
>
>
>

Matthew Howard                       Product Line Manager
mhoward@cisco.com                    Internet Business Unit
408-526-4720 (voice)                 Cisco Systems Inc.
408-527-8122 (fax)                   170 West Tasman Drive
Building VM2 (corner of First & Vista Montana)
San Jose, CA 95134

From firewalls-owner Sun Dec 1 17:59:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA23340 for firewalls-outgoing; Sun, 1 Dec 1996 17:24:00 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id RAA23326 for firewalls@greatcircle.com; Sun, 1 Dec 1996 17:23:42 -0800 (PST)
Received: from dfw-ix12.ix.netcom.com (dfw-ix12.ix.netcom.com [206.214.98.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA25318 for ; Thu, 28 Nov 1996 15:29:20 -0800 (PST)
Received: from (eusvcs@tfx-us6-08.ix.netcom.com [204.30.67.200]) by dfw-ix12.ix.netcom.com (8.6.13/8.6.12) with SMTP id PAA22707; Thu, 28 Nov 1996 15:28:09 -0800
Date: Thu, 28 Nov 1996 15:28:09 -0800
Message-Id: <199611282328.PAA22707@dfw-ix12.ix.netcom.com>
From: eusvcs@ix.netcom.com (Bill Grover)
Subject: RE: Machine reboots on starting Firewall-1
To: kashif.rashid@cressoft.com.pk
Cc: firewalls@GreatCircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

While I don't have an answer to why your machine reboots, there is a Firewall-1 mailing list. To subscribe send a message of the form:

subscribe firewall-1

to majordomo@applicom.co.il

There is also an archive of messages you can retrieve. Send the message: "help" (without the quotes) to majordomo@applicom.co.il for further information.
There is also a web page you can receive information on. The page is:

http://www.qualix.com/support.d/firewall-1.d/

and includes a pretty good FAQ and help section.

I hope this helps.

Bill Grover
Systems Manager
EU Services, Inc.
Phone : 301-424-3300 x396
FAX : 301-838-9639
E-Mail: eusvcs@ix.netcom.com

From firewalls-owner Sun Dec 1 18:41:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA26204 for firewalls-outgoing; Sun, 1 Dec 1996 18:38:01 -0800 (PST)
Received: from bam.nuri.net (bam.nuri.net [203.255.112.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA26187 for ; Sun, 1 Dec 1996 18:37:48 -0800 (PST)
Received: from ns.nuri.net (angel.inet.co.kr [203.255.113.32]) by bam.nuri.net (8.8.3/8.8.3) with ESMTP id LAA07497 for ; Mon, 2 Dec 1996 11:37:15 +0900 (KST)
Message-Id: <199612020237.LAA07497@bam.nuri.net>
From: "Young-jin Hong"
To:
Subject: Q) What is CIRCUIT GATEWAY(=CIRCUIT LEVEL PROXY)?
Date: Mon, 2 Dec 1996 11:38:32 +0900
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-KR
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear list members.

I'd like to know what 'circuit gateway(=circuit level proxy)' is or how it differs from application gateway and packet-filtering in generic firewalls.

Let me know what it is or where i can find it out.

Thanx in advance.
Young-jin Hong
--
E-mail : wits@nuri.net
WWW : http://www.iworld.net/~wits

From firewalls-owner Sun Dec 1 18:54:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA26171 for firewalls-outgoing; Sun, 1 Dec 1996 18:37:23 -0800 (PST)
Received: from RSA.COM (chirality.rsa.com [192.80.211.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA26155 for ; Sun, 1 Dec 1996 18:37:10 -0800 (PST)
Received: from lobester.rsa.com by RSA.COM with SMTP id AA16419; Sun, 1 Dec 96 17:38:16 PST
Received: by LOBESTER.rsa.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBDFB6.CCFDFD20@LOBESTER.rsa.com>; Sun, 1 Dec 1996 18:38:09 -0800
Message-Id:
From: Kurt Stammberger
To: "'cat-ietf@mit.edu'" , "'e-payment@bellcore.com'" , "'firewalls@greatcircle.com'" , "'ids@uow.edu.au'" , "'ietf-otp@bellcore.com'" , "'ietf-pkix@tandem.com'"
To: "'ietf-tls@w3.org'" , "'ietf@cnri.reston.va.us'" , "'ipsec@ans.net'" , "'pem-dev@tis.com'" , "'psrg@isi.edu'" , "'sndss-authors@isi.edu'"
To: "'sndss-chairs@tis.com'" , "'spki@c2.net'" , "'virus-l@lehigh.edu'" , "'www-buyinfo@allegra.att.com'" , "'www-security@ns2.rutgers.edu'" , "'David M. Balenson'"
Subject: ANNOUNCEMENT: 1997 RSA Data Security Conference
Date: Sun, 1 Dec 1996 18:38:08 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

28-31 January, 1997
NOB HILL, SAN FRANCISCO

1997 marks RSA's fifteenth anniversary and our sixth annual conference. Two days of general sessions and two days of classes will provide over 100 different classes to choose from, with separate tracks for mathematicians and cryptographers, developers, industry analysts and business people. We invite you to join us.
Find out more information, view the class syllabi and register online at http://www.rsa.com

Thanks

Kurt Stammberger
RSADSI
>

From firewalls-owner Sun Dec 1 19:39:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA29435 for firewalls-outgoing; Sun, 1 Dec 1996 19:31:39 -0800 (PST)
Received: from gdut.edu.cn (ggdn.gdut.edu.cn [202.116.128.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA29318 for ; Sun, 1 Dec 1996 19:29:18 -0800 (PST)
Received: from CiscoWork.gdut.edu.cn by gdut.edu.cn (5.x/SMI-SVR4) id AA01824; Mon, 2 Dec 1996 11:27:41 +0800
Message-Id: <30C0EF82.6CFC@gdut.edu.cn>
Date: Sat, 02 Dec 1995 19:29:54 -0500
From: Zheng Wenfeng
Reply-To: zhengwf@gdut.edu.cn
Organization: GuangDong University of Technology(NOC)
X-Mailer: Mozilla 3.0b7 (Win95; I)
Mime-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Critical Message
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear Mr. or Miss.

Sorry! I have encountered a critical problem, and now I don't know who can help me. I have made the critical problem when I use the tar command; the following message is my process course. First, I have sent the command when I am a supervisor,

#tar -cvf /dev/dsk/c0t3d0s0 /home1/wjz/*.txt

and /dev/dsk/c0t3d0s3 is the boot root disk. I know I have made a critical mistake but now I haven't any way to resolve the above problem. Can you give me a help? Thank you!!!

By the way, my UNIX host is Solaris 2.3 operating system.
Best Regards

Addr: East 729 DongFeng Road, GuangZhou,       Email: lucky@gdut.edu.cn
      GuangDong province, China                or: zhengwf@gdut.edu.cn
Code: 510090
Organize: Education department

From firewalls-owner Sun Dec 1 21:59:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA05456 for firewalls-outgoing; Sun, 1 Dec 1996 21:49:22 -0800 (PST)
Received: from grover.dataplex.com.au (grover.dataplex.com.au [203.4.207.126]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA05449 for ; Sun, 1 Dec 1996 21:49:13 -0800 (PST)
Received: from fnord.dataplex.com.au (203.4.207.190) by grover.dataplex.com.au (EMWAC SMTPRS 0.80) with SMTP id ; Mon, 02 Dec 1996 16:44:25 +1100
Received: by fnord.dataplex.com.au with Microsoft Exchange (IMC 4.0.837.3) id <01BBE068.80322090@fnord.dataplex.com.au>; Mon, 2 Dec 1996 15:50:11 +1000
Message-ID:
From: David Allen
To: "'firewalls-digest@GreatCircle.COM'"
Subject: RE: Notification: Inbound Mail Failure - Address not found
Date: Mon, 2 Dec 1996 15:50:07 +1000
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

STOP SENDING THESE BLOODY THINGS!!!!!!!!!!!!!!!!
>----------
>From: System
>Administrator[SMTP:postmaster@R&D_DEPT.DataplexPtyLtd.com]
>Sent: Monday, 2 December 1996 04:48
>To: David Allen
>Subject: Notification: Inbound Mail Failure - Address not found
>
>A mail message was not sent because the following address(es) could not
>be found:
>
>        wef@fnord.dataplex.com.au
>
>The message that caused this notification was:
>
>        To:
>        From:
>        Subject: Firewalls-Digest V5 #639
>
>

From firewalls-owner Sun Dec 1 22:57:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA08232 for firewalls-outgoing; Sun, 1 Dec 1996 22:52:20 -0800 (PST)
Received: from juneau.steldyn.com ([204.76.191.254]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA08225 for ; Sun, 1 Dec 1996 22:52:12 -0800 (PST)
Received: by juneau.steldyn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBDFE2.D4FE7730@juneau.steldyn.com>; Sun, 1 Dec 1996 23:53:21 -0700
Message-ID:
From: Chris Pugrud
To: "'Russ'" , Firewalls Mailing list
Subject: RE: NAT? Security?
Date: Sun, 1 Dec 1996 23:53:19 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I can think of one kind of NAT that would provide a level of security, something I've been wrestling around with in my head for a few weeks. Call this the GNAT (Global Network Address Translation) ((It's early, I'm sick, and I haven't had enough wine)).

The GNAT sits on the periphery; it either is the Internet router, or is the only device connected to it. The GNAT knows the address of the few devices that it is connected to:

1. The Internet Router
2. The Web/FTP server
3. The Proxy Server
4. The SMTP Gateway

The GNAT has only one address. The company only advertises one address to all of the Internet.
The GNAT tracks all established connections, where they are going to, where they are coming from. When a connection request comes in (say SMTP), the GNAT looks up its table and sees that all SMTP requests are to be directed to the SMTP Gateway; it forwards the request to the Gateway and performs NAT for the connection. When it sees a request for HTTP it forwards it to the appropriate place likewise. Now when the GNAT sees a request for port 99 (just an example, not to disparage the upright users of port 99/tcp) it looks in its table and sees that this port is unused and dumps the packet or sends some form of error message.

The purpose of the GNAT is to provide 2 things:

1. A singular Global address for a point-of-presence. A company has one address that hides behind it any number of servers. Simplistic round robin load balancing should also be fairly easy to add into the setup. This would also make it easier to expand their Internet servers as needed and avoid disasters similar to when a local ISP changed the address of their POP server.

2. A level of Security by Obscurity. S.b.O is in and of itself a Bad Thing(TM). The GNAT goes a step farther by not even allowing connections to servers on un-authorized ports. When un-authorized connections come in, they go to the bit bucket. DOS is still possible, but DOS is an entirely different problem. The GNAT works by only giving a predator one tool to work with. One port that can be heavily guarded and reinforced.

Thoughts, comments?

Chris

All original thoughts, mis-spellings, and mis-fires (c) 1996 Chris Pugrud

>-----Original Message-----
>From: Russ [SMTP:Russ.Cooper@RC.on.ca]
>Sent: Wednesday, November 27, 1996 4:24 AM
>To: Firewalls Mailing list; 'Ryan Russell/SYBASE'
>Subject: RE: Cisco's PIX firewall
>
>Ryan said...
>>NAT gives security for two kinds of hosts:
>*
>1. Public hosts......"NAT is not really needed in this case, nor
>does it add much security by itself."...
>*
>2. Internal hosts......stuff about no one-to-one mapping...but
>there is a one-to-one mapping to anything that is inside a NAT and is
>going to accept inbound connections...like an internal SMTP server for
>example. Then there's the fact that once an internal host makes a
>connection through a NAT, it can then be tampered with as if there was
>no NAT.
>*
>If someone asked me what security NAT provides, I'd say none at all.
>Firewall-1 and PIX offer security, and, they offer NAT. NAT is not a
>security product, it may obscure things, but it protects nothing by
>itself.
>*
>Cheers,
>Russ
>R.C. Consulting, Inc. - NT/Internet Security Consulting
>mailto:Russ.Cooper@RC.on.ca <-- *note the new address*

From firewalls-owner Sun Dec 1 23:10:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA08344 for firewalls-outgoing; Sun, 1 Dec 1996 22:56:23 -0800 (PST)
Received: from internic.uob.bh ([193.188.12.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id WAA08312 for ; Sun, 1 Dec 1996 22:56:07 -0800 (PST)
Received: from hisham.uob.bh ([193.188.12.106]) by internic.uob.bh (Netscape Mail Server v2.0) with SMTP id AAA18474 for ; Mon, 2 Dec 1996 09:59:28 +0300
Message-ID: <32A27FF4.431B@admin.uob.bh>
Date: Mon, 02 Dec 1996 10:06:28 +0300
From: "Hisham Khalifa Al Saad"
Reply-To: webmaster@admin.uob.bh
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: [Fwd: Caution : Internet Virus]
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi members of Firewalls,

I got this Virus alert in my mail box, and by myself i forward it to you:

------------------------------------------------------------------------

Hi,
 We just got word that there is a new virus screaming around the internet that will wipe out your hard drive if you open the file. Here is the word they sent us...
"There is a computer virus that is being sent across the internet. If you receive an e-mail with a subject line of "Irinia", DO NOT read the message. Delete it immediately. Some miscreant is sending people files under the name of "Irinia". If you receive this file or e-mail, do not download it. It has a virus that rewrites your hard drive, obliterating anything on it. Please be careful and forward this e-mail to anyone you care about."

This information was received from Professor Edward Prideaux, College of Salvonic Studies, London.

This virus appears to be much more aggressive than the irritating Microsoft word virus. Be alert.

----------------------- END OF ALERT MESSAGE ----------------------------------

Thank you,
Take Care,

Hisham Al Saad
University of Bahrain

From firewalls-owner Sun Dec 1 23:24:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA08834 for firewalls-outgoing; Sun, 1 Dec 1996 23:09:44 -0800 (PST)
Received: from juneau.steldyn.com ([204.76.191.254]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA08827 for ; Sun, 1 Dec 1996 23:09:37 -0800 (PST)
Received: by juneau.steldyn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBDFE5.46D30540@juneau.steldyn.com>; Mon, 2 Dec 1996 00:10:51 -0700
Message-ID:
From: Chris Pugrud
To: "'Rabid Wombat'" , "'Stewart Shinewald'"
Cc: Firewalls Mailing list
Subject: RE: How to secure a Webpage?
Date: Mon, 2 Dec 1996 00:10:50 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I prefer using SCSI disks and setting the hardware Write-Protect jumper. Fast and Safe. With a good OS you only need a disk for temp and log files, the rest goes on the WP disk. Do all of your development on a mirror machine, then bake. When thoroughly cooked (tested, for those who didn't stuff out on the American bastardization called Thanksgiving) mount in external server and enjoy!

Chris

>-----Original Message-----
>From: Rabid Wombat [SMTP:wombat@mcfeely.bsfs.org]
>Sent: Wednesday, November 27, 1996 3:30 PM
>To: Stewart Shinewald
>Cc: Firewalls Mailing list
>Subject: Re: How to secure a Webpage?
>
>You can always develop your content on another system, put the content on
>a zip drive, set the media to read-only, and mount it on the external
>system.
>
>-r.w.
>
>
>On Wed, 27 Nov 1996, Stewart Shinewald wrote:
>
>> Our company is considering the development of a webpage and placing it
>> outside our firewall.
>>
>> Can anyone advise me or point me in the right direction to identify what
>> controls are required for a webpage to be made as secure as possible to
>> either prevent a change or at least identify if a change were made. Is
>> my assumption valid that a properly set up firewall would prevent webpage
>> browsers from penetrating our firewall?
>>
>> Any assistance would be appreciated.
>>
>> Stewart Shinewald
>> Internal Audit
>>

From firewalls-owner Sun Dec 1 23:41:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA10556 for firewalls-outgoing; Sun, 1 Dec 1996 23:38:13 -0800 (PST)
Received: from tce.nl ([194.171.39.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA10538 for ; Sun, 1 Dec 1996 23:38:05 -0800 (PST)
Received: by tce.nl (SMI-8.6/SMI-SVR4) id IAA02948; Mon, 2 Dec 1996 08:41:06 +0100
Date: Mon, 2 Dec 1996 08:41:06 +0100
From: weldam@tce.nl (Ramon Weldam)
Message-Id: <199612020741.IAA02948@tce.nl>
To: Firewalls@GreatCircle.COM
Subject: How do I get off the list ?
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Can anyone help me to get off the list ?

Please help me.
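Returning to Chris Pugrud's GNAT sketch earlier in this digest (the "RE: NAT? Security?" message): the following Python model is an added illustration written for this archive, not code from the original post or from any firewall product. It models the single advertised address, the port-to-server table (SMTP gateway, Web/FTP server), the per-connection state the GNAT keeps, and the "bit bucket" for ports with no entry. All addresses are constructed documentation-range values, and the `Packet` shape is a deliberately simplified stand-in for a real TCP header; the original post names the servers but gives no addresses.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed values for the illustration (RFC 5737 / RFC 1918 ranges), not from the post.
PUBLIC_ADDRESS = "192.0.2.1"     # the one address the company advertises
SERVICE_TABLE = {                # inbound port -> internal server that may receive it
    25: "10.0.0.20",             # SMTP gateway
    80: "10.0.0.10",             # Web/FTP server
    21: "10.0.0.10",
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False            # True only for a new connection request


FlowKey = Tuple[str, int, int]   # (remote ip, remote port, public port)


class Gnat:
    """Single-address inbound NAT with a connection table.

    Only a connection request to a port listed in SERVICE_TABLE creates state;
    everything else (unknown port, or a mid-stream packet with no entry) is dropped.
    """

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, str] = {}          # flow -> backend address
        self.dropped: List[Tuple[str, int]] = []     # log of (src ip, port) sent to the bit bucket

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the Internet: translate to a backend, or drop."""
        if pkt.dst_ip != PUBLIC_ADDRESS:
            self.dropped.append((pkt.src_ip, pkt.dst_port))
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        backend = self.flows.get(key)
        if backend is None:
            # No existing flow: only a SYN to an advertised port may open one.
            backend = SERVICE_TABLE.get(pkt.dst_port) if pkt.syn else None
            if backend is None:
                self.dropped.append((pkt.src_ip, pkt.dst_port))
                return None
            self.flows[key] = backend
        return Packet(pkt.src_ip, pkt.src_port, backend, pkt.dst_port, pkt.syn)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply from a backend: forwarded only if it belongs to a flow that backend owns."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_port)
        if self.flows.get(key) != pkt.src_ip:
            self.dropped.append((pkt.src_ip, pkt.src_port))
            return None
        # Rewrite the source so the outside only ever sees the single public address.
        return Packet(PUBLIC_ADDRESS, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.syn)
```

The `dropped` log is the part a defender would actually watch: Russ's point that NAT "protects nothing by itself" still holds for the servers that are reachable, but the table makes every connection attempt to an unadvertised port visible as a discrete, loggable event rather than silently reaching a host.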
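Stewart Shinewald's "How to secure a Webpage?" question above asks for a control that will "at least identify if a change were made"; the replies cover preventing writes (read-only media, a write-protect jumper). The following Python script is an added example for this archive, not code from any poster, showing the detection side: a hash baseline of the published tree compared against the live tree. It uses SHA-256 rather than the MD5 of the period, and the site tree it checks is constructed in a temporary directory so it runs stand-alone.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    baseline: Dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        baseline[path.relative_to(root).as_posix()] = digest.hexdigest()
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files added, removed, or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed site tree: baseline it, alter it three ways, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        (site / "images").mkdir(parents=True)
        (site / "index.html").write_text("<h1>Welcome</h1>\n")
        (site / "about.html").write_text("<p>About us</p>\n")
        (site / "images" / "logo.gif").write_bytes(b"GIF89a\x01\x00\x01\x00")

        baseline = build_baseline(site)
        # In practice the baseline lives off the server (read-only media or another host);
        # an intruder who can rewrite the content can otherwise rewrite the baseline too.

        # Simulated unauthorised changes: edited page, new file, deleted page.
        (site / "index.html").write_text("<h1>Changed</h1>\n")
        (site / "cgi-bin").mkdir()
        (site / "cgi-bin" / "dropped.cgi").write_text("#!/bin/sh\n")
        (site / "about.html").unlink()

        return compare(baseline, build_baseline(site))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run from a cron job against the mounted read-only content, the "modified" and "added" lists should stay empty; the first non-empty report is the alert Stewart asked for, and the read-only media described in the thread is what keeps the baseline itself trustworthy.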
From firewalls-owner Mon Dec 2 00:40:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA14741 for firewalls-outgoing; Mon, 2 Dec 1996 00:34:25 -0800 (PST)
Received: from ncept.pt.nce.sita.int (ncept.pt.nce.sita.int [57.7.6.251]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA14733 for ; Mon, 2 Dec 1996 00:34:16 -0800 (PST)
Received: from pc_ptdv.pt.nce.sita.int by ncept.pt.nce.sita.int (8.7.3/SitaNet-1.4) id JAA11212; Mon, 2 Dec 1996 09:34:07 +0100 (MET)
Date: Mon, 2 Dec 96 09:36:48 PST
From: Denis Valois
Subject: RE: [Fwd: Caution : Internet Virus]
To: firewalls@GreatCircle.COM, webmaster@internic.uob.bh
X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a hoax. Anyway, just by saying that "reading" a mailgram wipes out your hard drive is of utmost foolishness.

Denis Valois
Computer & Network Security
SITA (Societe Internationale de Telecommunications Aeronautiques)

On Mon, 02 Dec 1996 10:06:28 +0300 Hisham Khalifa Al Saad wrote:
>Hi members of Firewalls,
>
>I got this Virus alert in my mail box, and by myself i forward it to
>you:
>
>------------------------------------------------------------------------
>
>Hi,
> We just got word that there is a new virus screaming around the
>internet that will wipe out your hard drive if you open the file.
>Here is the word
>they sent us...
>
>"There is a computer virus that is being sent across the internet. If
>you receive an e-mail with a subject line of "Irinia", DO NOT read the
>message.
>Delete it immediately. Some miscreant is sending people files under the
>name of "Irinia". If you receive this file or e-mail, do not download
>it.
>It has a virus that rewrites your hard drive, obliterating anything on
>it.
>Please be careful and forward this e-mail to anyone you care about."
>
>This information was received from Professor Edward Prideaux, College of
>Salvonic Studies, London.
>
>This virus appears to be much more aggressive than the irritating
>Microsoft word virus. Be alert.
>
>----------------------- END OF ALERT MESSAGE
>----------------------------------
>
>
>Thank you,
>Take Care,
>
>Hisham Al Saad
>University of Bahrain
>

From firewalls-owner Mon Dec 2 00:55:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA14573 for firewalls-outgoing; Mon, 2 Dec 1996 00:29:24 -0800 (PST)
Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA14566 for ; Mon, 2 Dec 1996 00:29:16 -0800 (PST)
Received: from [198.115.177.223] (slip-0-23.slip.shore.net [198.115.177.223]) by relay1.shore.net (8.8.3/8.8.3) with SMTP id DAA19018; Mon, 2 Dec 1996 03:29:05 -0500 (EST)
X-Sender: vin@shell1.shore.net
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 2 Dec 1996 03:29:06 -0500
To: firewalls@greatcircle.com
From: vin@shore.net (Vin McLellan)
Subject: Corporation Security - 90 Day Study
Cc: warroom2@aol.com, tuckerp@css583.gordon.army.mil
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Phil Tucker asked:

>A Corporation Security Study was conducted during July-Oct
>timeframe. This was aired on TV but did not indicate if a
>copy of the report was available. Does anyone know where a
>copy of this report might be retrieved?

You may be seeking the WarRoom Research study on corporate security practices, which collected 205 anonymous reports from Fortune 1000 firms. It was described in an 11/21 press conference at the National Press Club in D.C., broadcast live on C-Span, where I was one of several on a panel from industry and government invited to comment on the results.

You can get the survey report from WarRoom Research, LLC, 1134 Veranda Ct., Baltimore, MD, 21226. Tel. (410) 437-1106

All but sponsored by Sam Nunn's Senate subcommittee studying Troubles in Cyberspace, the WarRoom survey got a snapshot of the state of the art, which (as all here might expect) was troublesome in several aspects. I'd quibble with some of the methodology -- I'm always uncomfortable when everyone who handles the numbers has a vested interest in high counts; and this survey was selectively distributed by vendors of security products and services -- but the survey results drew a lot of media attention.

Nearly half (98) of the 205 respondents reported that their computers or networks had been successfully penetrated by "outsiders" in the past year, and many reported surprisingly high costs (as opposed to losses) associated with these attacks. (36, I recall, pegged costs at over $1 million.) I think the numbers are a little slippery (eg, respondents may have tallied PC-virus outbreaks among generic "penetrations," and it wasn't clear if the "costs" were cumulative, solid, or estimates), but even as a flawed snapshot it was thought-provoking. (The industrious WarRoom researchers plan a broader, more scientific, study early next year; perhaps in cooperation with a federal agency.)

I was disturbed that so many respondents, a large majority, reported that their firms had no formal, written, security policies. I was also intrigued that e-mail files seem to be the target of choice for online intruders... and worried (but not surprised) to learn that some 30 percent of the executives surveyed doubted that their IS staff would _know_ if their computers had been illicitly penetrated. (Actually, I was surprised so many executives were aware of this.) I was far less concerned than others on the panel that police are so seldom notified of these incidents.
Suerte,
_Vin

(Fair warning: Washington's concern about cyberwar and cyberterrorism -- and the barely-muted desire of the FBI and other lawmen to establish _domestic_ GAK rights for their investigations -- make it likely our craft will soon confront additional, perhaps conflicting, regulatory and legislative pressures from dot-gov. If you're associated with an ISS professional group, goose them to stick an oar in! Reality checks might be critically important for federal CompSec policy in '97. Newsat11! Beg pardon for the digression.)

Vin McLellan +The Privacy Guild+ 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548
<*><*><*><*><*><*><*><*><*>

From firewalls-owner Mon Dec 2 03:26:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA23054 for firewalls-outgoing; Mon, 2 Dec 1996 03:11:25 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.1.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA23047 for ; Mon, 2 Dec 1996 03:11:17 -0800 (PST)
From: harley@icrf.icnet.uk
Message-Id: <199612021111.DAA23047@miles.greatcircle.com>
Received: by europa.lif.icnet.uk; Mon, 2 Dec 1996 11:10:43 GMT
Subject: RE: [Fwd: Caution : Internet Virus] (fwd)
To: firewalls@GreatCircle.COM
Date: Mon, 2 Dec 1996 11:10:43 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > This is a hoax.

It's also off-topic. I won't post it in full, but there's a pretty reasonable CIAC bulletin addressing most of the alerts which regularly plague us at:

http://ciac.llnl.gov/ciac/bulletins/h-05.shtml

It includes info on the alerts mentioned below, some historical background, and suggestions on validating hoaxes rather than passing them on uncritically.
David Harley                      alt.comp.virus FAQ
D.Harley@icrf.icnet.uk            & Anti-Virus Web Page
Support & Security Analyst        Folk London On-Line gig-list
Imperial Cancer Research Fund     http://webworlds.co.uk/dharley/

-----------------extract-------------------------------
INFORMATION BULLETIN

H-05 Internet Hoaxes: PKZ300, Irina, Good Times, Deeyenda, Ghost

November 20, 1996 16:00 GMT

PROBLEM: This bulletin addresses the following hoaxes and erroneous warnings: PKZ300 Warning, Irina, Good Times, Deeyenda, and Ghost.exe
PLATFORM: All, via e-mail
DAMAGE: Time lost reading and responding to the messages
SOLUTION: Pass unvalidated warnings only to your computer security department or incident response team. See below on how to recognize validated and unvalidated warnings and hoaxes.
VULNERABILITY ASSESSMENT: New hoaxes and warnings have appeared on the Internet and old hoaxes are still being circulated.
---------------------end extract--------------------------------

From firewalls-owner Mon Dec 2 03:55:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA24082 for firewalls-outgoing; Mon, 2 Dec 1996 03:51:06 -0800 (PST)
Received: from woffice10.welsh-ofce.gov.uk (woffice10.welsh-ofce.gov.uk [194.81.116.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id DAA24069 for ; Mon, 2 Dec 1996 03:50:53 -0800 (PST)
Received: from b1.gtnet.gov.uk (b18.gtnet.gov.uk [194.81.25.18]) by woffice10.welsh-ofce.gov.uk (8.8.3/8.6.12) with SMTP id LAA08290 for ; Mon, 2 Dec 1996 11:48:41 GMT
Date: Mon, 2 Dec 96 11:30:40 PST
From: howells@Welsh-Ofce.gov.uk
Subject: RE: Firewalls-Digest V5 #642 IRINIA VIRUS
To: Firewalls@GreatCircle.COM
X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For all subscribers to note - this has already been admitted to have been a marketing ploy to publicise a new book based on the Internet/Cyberspace. The original e-mails sent out (purporting to be from the School of Slavonic Studies, University of London) were actually sent by the book publishers. It should have been immediately followed by a second e-mail explaining the hoax and a little about the book. Unfortunately, in many cases the second e-mail did not arrive and the 'warning' propagated around the world.

Several of the UK based Internet magazines have covered the story (try http://www.paragon.co.uk/). The name Irina (or Irenia) is the name of the book and the use of the name of the School of Slavonic Studies was meant as a play on words apparently.

Regards
Jerry

-------------------------------------
Name: Jeremy P Howells
E-mail: howells@welsh-ofce.gov.uk
Time: 11:38:52
Date: 12/02/96
Tel: 01222 825754
Fax: 01222 825852
------------------------------------

---------------Original Message---------------
Firewalls-Digest Monday, December 2 1996 Volume 05 : Number 642

Date: Mon, 02 Dec 1996 10:06:28 +0300
From: "Hisham Khalifa Al Saad"
Subject: [Fwd: Caution : Internet Virus]

Hi members of Firewalls,

I got this Virus alert in my mail box, and by myself i forward it to you:

- ------------------------------------------------------------------------

Hi,
We just got word that there is a new virus screaming around the internet that will wipe out your hard drive if you open the file. Here is the word they sent us...

"There is a computer virus that is being sent across the internet. If you receive an e-mail with a subject line of "Irinia", DO NOT read the message. Delete it immediately. Some miscreant is sending people files under the name of "Irinia". If you receive this file or e-mail, do not download it.
It has a virus that rewrites your hard drive, obliterating anything on it. Please be careful and forward this e-mail to anyone you care about."

This information was received from Professor Edward Prideaux, College of Salvonic Studies, London.

This virus appears to be much more aggressive than the irritating Microsoft word virus. Be alert.

- ----------------------- END OF ALERT MESSAGE

From firewalls-owner Mon Dec 2 04:55:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA27858 for firewalls-outgoing; Mon, 2 Dec 1996 04:51:52 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA27843 for ; Mon, 2 Dec 1996 04:51:44 -0800 (PST)
Received: from big-dogs.cisco.com ([171.68.53.75]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id EAA21546; Mon, 2 Dec 1996 04:51:12 -0800
Message-Id: <2.2.32.19961202125115.0073774c@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 02 Dec 1996 07:51:15 -0500
To: webmaster@internic.uob.bh
From: Paul Ferguson
Subject: Re: [Fwd: Caution : Internet Virus]
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please.

This is a miserable *hoax*.

- paul

At 10:06 AM 12/2/96 +0300, Hisham Khalifa Al Saad wrote:
>Hi members of Firewalls,
>
>I got this Virus alert in my mail box, and by myself i forward it to
>you:
>
>------------------------------------------------------------------------
>
>Hi,
> We just got word that there is a new virus screaming around the
>internet that will wipe out your hard drive if you open the file.
>Here is the word
>they sent us...
>
>"There is a computer virus that is being sent across the internet. If
>you receive an e-mail with a subject line of "Irinia", DO NOT read the
>message.
>Delete it immediately. Some miscreant is sending people files under the
>name of "Irinia". If you receive this file or e-mail, do not download
>it.
>It has a virus that rewrites your hard drive, obliterating anything on
>it.
>Please be careful and forward this e-mail to anyone you care about."
>
>This information was received from Professor Edward Prideaux, College of
>Salvonic Studies, London.
>
>This virus appears to be much more aggressive than the irritating
>Microsoft word virus. Be alert.
>
>----------------------- END OF ALERT MESSAGE
>----------------------------------
>
>
>Thank you,
>Take Care,
>
>Hisham Al Saad
>University of Bahrain
>

--
Paul Ferguson
Consulting Engineering
Herndon, Virginia USA
tel: +1.703.397.5938
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Mon Dec 2 05:25:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA28723 for firewalls-outgoing; Mon, 2 Dec 1996 05:17:15 -0800 (PST)
Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA28703 for ; Mon, 2 Dec 1996 05:17:05 -0800 (PST)
Received: (from smap@localhost) by ereapp.erenj.com (8.8.3/8.8.3) id IAA06437; Mon, 2 Dec 1996 08:16:01 -0500
Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma006435; Mon Dec 2 08:15:38 1996
Received: from stargate.erenj.com (stargate.erenj.com [159.70.1.8]) by eredns.erenj.com (8.7.4/8.7.3) with SMTP id IAA15129; Mon, 2 Dec 1996 08:15:36 -0500
Received: from stargate.erenj.com by stargate.erenj.com; (5.65v3.2/1.1.8.2/12Feb96-1009AM/bdboyle@erenj.com) id AA06412; Mon, 2 Dec 1996 08:15:29 -0500
Message-Id: <32A2D671.2781@erenj.com>
Date: Mon, 02 Dec 1996 08:15:29 -0500
From: "Bryan D. Boyle"
Organization: Exxon Research and Engineering Co.
X-Mailer: Mozilla 3.0C-NSCP (X11; I; OSF1 V4.0 alpha)
Mime-Version: 1.0
To: Denis Valois
Cc: firewalls@GreatCircle.COM, webmaster@internic.uob.bh
Subject: Re: Internet Virus HOAX, Part 3x10^4
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Denis Valois wrote:
>
> This is a hoax.
>
> Anyway, just by saying that "reading" a mailgram wipes out
> your hard drive is of utmost foolishness.

For more information, please consult the CIAC bulletin at this URL (for those not web challenged...) concerning this HOAX. In the future, it would be nice if people checked AUTHORITATIVE sources before spamming mailboxes with this stuff, albeit with good intentions...

CIAC Current HOAX bulletin: http://ciac.llnl.gov/ciac/bulletins/h-05.shtml

--
Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
#include | http://www.access.digex.net/~bdboyle/index.html
"They that can give up liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, Historical Review of Pennsylvania

From firewalls-owner Mon Dec 2 05:40:09 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA00258 for firewalls-outgoing; Mon, 2 Dec 1996 05:38:04 -0800 (PST)
Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA00251 for ; Mon, 2 Dec 1996 05:37:56 -0800 (PST)
Received: (from proberts@localhost) by gargoyle.clark.net (8.7.4/8.7.3) id JAA25557; Mon, 2 Dec 1996 09:44:04 -0500
Date: Mon, 2 Dec 1996 09:44:04 -0500 (EST)
From: "Paul D. Robertson"
X-Sender: proberts@localhost
To: Paul Ferguson
cc: webmaster@internic.uob.bh, firewalls@GreatCircle.COM
Subject: Irinia
In-Reply-To: <2.2.32.19961202125115.0073774c@lint.cisco.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 2 Dec 1996, Paul Ferguson wrote:

> Please.
>
> This is a miserable *hoax*.

I think the whole Goodtimes hoax was about 200 times more effective than any _real_ virus in terms of attacks. If I've responded once, I've responded 50 times, and now it's mutating *sigh*.

Now if we could all just mail out the clue virus.

Paul

> At 10:06 AM 12/2/96 +0300, Hisham Khalifa Al Saad wrote:
>
> >Hi members of Firewalls,
> >
> >I got this Virus alert in my mail box, and by myself i forward it to
> >you:
> >
> >------------------------------------------------------------------------
> >
> >Hi,
> > We just got word that there is a new virus screaming around the
> >internet that will wipe out your hard drive if you open the file.
> >Here is the word
> >they sent us...
> >
> >"There is a computer virus that is being sent across the internet. If
> >you receive an e-mail with a subject line of "Irinia", DO NOT read the
> >message.
> >Delete it immediately. Some miscreant is sending people files under the
> >name of "Irinia". If you receive this file or e-mail, do not download
> >it.
> >It has a virus that rewrites your hard drive, obliterating anything on
> >it.
> >Please be careful and forward this e-mail to anyone you care about."
> >
> >This information was received from Professor Edward Prideaux, College of
> >Salvonic Studies, London.
> >
> >This virus appears to be much more aggressive than the irritating
> >Microsoft word virus. Be alert.
> >
> >----------------------- END OF ALERT MESSAGE
> >----------------------------------
> >
> >
> >Thank you,
> >Take Care,
> >
> >Hisham Al Saad
> >University of Bahrain
> >
>
> --
> Paul Ferguson
> Consulting Engineering
> Herndon, Virginia USA
> tel: +1.703.397.5938
> e-mail: pferguso@cisco.com
> cisco Systems
>

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Mon Dec 2 05:58:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA01048 for firewalls-outgoing; Mon, 2 Dec 1996 05:47:24 -0800 (PST)
Received: from trumpet.aix.calpoly.edu (trumpet.aix.calpoly.edu [129.65.65.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA01020 for ; Mon, 2 Dec 1996 05:47:14 -0800 (PST)
Received: by trumpet.aix.calpoly.edu (AIX 3.2/UCB 5.64/4.03) id AA12610; Mon, 2 Dec 1996 05:46:27 -0800
Date: Mon, 2 Dec 1996 05:46:26 -0800 (PST)
From: Fade
To: Hisham Khalifa Al Saad
Cc: firewalls@GreatCircle.COM
Subject: Re: [Fwd: Caution : Internet Virus]
In-Reply-To: <32A27FF4.431B@admin.uob.bh>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 2 Dec 1996, Hisham Khalifa Al Saad wrote:

> Hi members of Firewalls,
>
> I got this Virus alert in my mail box, and by myself i forward it to
> you:
>
> ------------------------------------------------------------------------
>
> Hi,
> We just got word that there is a new virus screaming around the
> internet that will wipe out your hard drive if you open the file.
> Here is the word
> they sent us...
>
> "There is a computer virus that is being sent across the internet. If
> you receive an e-mail with a subject line of "Irinia", DO NOT read the
> message.
> Delete it immediately. Some miscreant is sending people files under the
> name of "Irinia". If you receive this file or e-mail, do not download
> it.
> It has a virus that rewrites your hard drive, obliterating anything on
> it.
> Please be careful and forward this e-mail to anyone you care about."
>
> This information was received from Professor Edward Prideaux, College of
> Salvonic Studies, London.
>
> This virus appears to be much more aggressive than the irritating
> Microsoft word virus. Be alert.
>
> ----------------------- END OF ALERT MESSAGE
> ----------------------------------
>
>

Although this is obviously a hoax, it points out an interesting security weakness. You have, in fact, spread the "virus" by emailing this "warning" to other people. The "virus" is the panic (or possible panic) caused by such a warning. Proving once again that the human factor is the weakest link in computer security. But enough with the off-topic emails.

R. E. Paret

From firewalls-owner Mon Dec 2 06:11:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA01893 for firewalls-outgoing; Mon, 2 Dec 1996 05:59:19 -0800 (PST)
Received: from cypress.cycon.com (cypress.CYCON.COM [204.5.16.32]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA01872 for ; Mon, 2 Dec 1996 05:59:05 -0800 (PST)
Received: from localhost (sconner@localhost) by cypress.cycon.com (8.7.5/8.7.3) with SMTP id JAA10840; Mon, 2 Dec 1996 09:05:31 -0500
Date: Mon, 2 Dec 1996 09:05:29 -0500 (EST)
From: Steve Conner
To: Zheng Wenfeng
cc: Firewalls@GreatCircle.COM
Subject: Re: Critical Message
In-Reply-To: <30C0EF82.6CFC@gdut.edu.cn>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

As long as you haven't rebooted the machine, you should be OK. All you have done is wiped out a symbolic link to a low level device driver.
To fix it do the following:

    cd /dev/dsk
    ln -s ../../devices/iommu@0,10000000/sbus@0,10001000/espdma@4,8400000/esp@4,8800000/sd@3,0:a /dev/dsk/c0t3d0s0

The ln is one complete command so make sure you type in the above three lines in as one command, sorry, my mail editor only allows 70ish characters per line.

This should fix your problem.

Steve
---------------------------------------------------------------
Steve Conner                       Cypress Consulting, Inc.
sconner@cycon.com                  703-256-1279
Manager, Research & Development    http://www.cycon.com
CYCON Labyrinth, Firewall and Network Address Translator
---------------------------------------------------------------

On Sat, 2 Dec 1995, Zheng Wenfeng wrote:

> Dear Mr. or Miss.
> sorry! I have encountered a critical problem, Now I don't know who
> can help me?
> I have made the critical problem when I use the tar command, the
> following
> message is my process course,
> first, I have sent the command when I am a supervisor,
> #tar -cvf /dev/dsk/c0t3d0s0 /home1/wjz/*.txt
> and /dev/dsk/c0t3d0s3 is the boot root disk, I know I have made a
> critical mistake
> but now I haven't any way to resolve the above problem, can you give me
> a help?
> thank you!!!
> By the way, my UNIX host is Solaris 2.3 operation system.
>
> Best Regards
>
> Addr: East 729 DongFeng Road,GuangZhou,
> Email:lucky@gdut.edu.cn
> GuangDong province,China
> or:zhengwf@gdut.edu.cn
> Code:510090
> Organize:Education department
>

From firewalls-owner Mon Dec 2 06:25:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA03471 for firewalls-outgoing; Mon, 2 Dec 1996 06:14:06 -0800 (PST)
Received: from eplegal.eapi.com (marauder.epcorp.com [198.30.14.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA03450 for ; Mon, 2 Dec 1996 06:13:44 -0800 (PST)
Received: from eppcmcw.eapi.com by eplegal.eapi.com id aa00392; 2 Dec 96 9:13 EST
Message-Id: <3.0.32.19961202091325.0077cfd4@eptax.epcorp.com>
X-Sender: martinw@eptax.epcorp.com
X-Mailer: Windows Eudora Pro Version 3.0 Demo (32)
Date: Mon, 02 Dec 1996 09:13:30 -0500
To: firewalls@greatcircle.com
From: "Martin C. Walker"
Subject: 2 questions re:fw-1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Running FW-1 v2.1 on Solaris 2.5 x86. I have 2 questions

1. Where in the hierarchy of things that FW does is NAT applied on both the inbound and outbound (wrt the packet direction) interfaces ? I have "inbound" set in my properties.

Am I correct in thinking that, for a forward moving packet outbound from the internal network the following happens:

    packet reaches fw-1 internal interface
    anti spoofing applied
    items marked "first" in security policy properties
    rule base except for last rule
    items marked "before last" in security policy properties
    last rule of rule base
    items marked "last" in security policy properties
    implicit drop
    nat
    packet leaves external interface (boldly going where no packet has gone before)

2. At what level does snoop work on the fw-1 machine wrt to the FW-1 actions. ie will snoop only see packets that make it through the first 8 things above ?
------------------------------------------------------------------------
Martin C. Walker              martinw@epcorp.com
Project Lead                  Voice: (513)629-2517
Eagle-Picher Industries       Fax: (513)629-2449
580 Walnut St, Cincinnati, OH 45202

From firewalls-owner Mon Dec 2 07:25:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA08487 for firewalls-outgoing; Mon, 2 Dec 1996 07:13:34 -0800 (PST)
Received: from smtp2.interramp.com (smtp2.interramp.com [38.8.200.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA08470 for ; Mon, 2 Dec 1996 07:13:19 -0800 (PST)
Received: from davidh.interramp.com by smtp2.interramp.com (8.8.1/SMI-4.1.3-PSI-irsmtp) id KAA24077; Mon, 2 Dec 1996 10:13:08 -0500 (EST)
Message-ID: <32A2DDF1.3BEB@checkpoint.com>
Date: Mon, 02 Dec 1996 07:47:37 -0600
From: David Helms
Reply-To: david.helms@checkpoint.com
Organization: CheckPoint Software Technologies
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: Bill Husler
CC: Dave Roberts , Firewalls@GreatCircle.COM
Subject: Re: Redundant FW-1s in Parallel!?
References: <199611300302.FAA18918@cale.checkpoint.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bill,

The answer is yes and no. We have tried to not use the phrase "High Availability" on purpose. Qualix provides high availability in their solution and it is a valuable supplement to what FW-1 does.

What "State Sharing" does is solve the asymmetrical routing problem when you have multiple, valid, routed paths that the packets within a logical session can take. If this ability to handle multiple paths is combined with a routing topology mechanism that is extremely responsive to topology changes, then you approach the functionality level of a "High Availability" system.

So, in short, yes the "after" diagram you have shown will work, in terms of solving the asymmetrical routing problem.
However, to make that system "Highly Available" you also have to include the surrounding routers into the picture and make sure they are playing the game also.

David

Bill Husler wrote:
>
> David,
> Let me see if I understand this.
>
> Currently, if we want HA we must use Qualix software which required two
> dedicated lan ports and external shared DASD between two firewalls - one
> of which is simply a hot standby. With this configuration on a Sparc-5,
> we only get to have two usable interfaces. If I understand what we will
> get with Checkpoints flavor is the ability to actually use these other
> interfaces for the sort of things we wanted to in the first place like
> providing employee dial-up or private connections to other companies
> while provide load balancing and fail-over. Is this true?
>
> [ASCII diagram; the layout was lost in extraction. BEFORE: Int and Ext
> interfaces on a "Primary Firewall" and a "Backup Firewall", tied together
> through a shared "Ext Disk" ("req for HA"). AFTER: Int and Ext interfaces
> on "Firewall A" and "Firewall B", with "DIAL" and "OTHR" connections
> between the two firewalls.]
>
> Bill
>
> >Subject: Re: Redundant FW-1s in Parallel!?
> >Sent: 11/27/96 9:04 AM
> >Received: 11/27/96 8:01 PM
> >From: David Helms, david.helms@checkpoint.com
> >To: Dave Roberts, djr@saa-cons.co.uk
> >CC: Firewalls@GreatCircle.COM
> >
> >Dave,
> >
> >See my comments below....
> >
> >Dave Roberts wrote:
> >>
> >> On Tue, 26 Nov 1996, David Helms wrote:
> >>
> >> > That "State-Sharing" protocol was announced as a feature of the V3.0
> >> > release of FireWall-1.
> >>
> >> How does the software share the state information? ie what kind of
> >> protocol over what kind of medium.
> >
> >The state sharing protocol is a TCP-protocol that falls within the group
> >of what are considered FW-1 control protocols.
> >
> >> Is it encrypted and/or authenticated?
> >
> >Yes and yes, based on the same mechanism as other FW-1 control
> >protocols.
> >
> >David
> >>
> >> --
> >> Dave Roberts          For PGP Key - send mail with subject of 'get pgp':-
> >> Senior Unix Admin     < 51 4B 6A 35 3F C4 B6 3D 13 88 0C B2 48 61 51 1C >
> >> SAA Consultants Ltd   Std disclaimer applies, it's nothing to do with them
> >> Plymouth, UK.         Tel: +44 1752 606000 Fax: +44 1752 606838
> >
> >--
> >__________________________________
> > David Helms
> > Senior Technical Consultant
> > CheckPoint Software Technologies
> > ph 703.684.4824
> > fx 703.684.4847
> > davidh@checkpoint.com
> >__________________________________

--
__________________________________
David Helms
Senior Technical Consultant
CheckPoint Software Technologies
ph 703.684.4824
fx 703.684.4847
davidh@checkpoint.com
__________________________________

From firewalls-owner Mon Dec 2 07:41:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA09152 for firewalls-outgoing; Mon, 2 Dec 1996 07:23:33 -0800 (PST)
Received: from eplegal.eapi.com (marauder.epcorp.com [198.30.14.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA09140 for ; Mon, 2 Dec 1996 07:23:21 -0800 (PST)
Received: from eppcmcw.eapi.com by eplegal.eapi.com id aa02802; 2 Dec 96 10:22 EST
Message-Id: <3.0.32.19961202102312.009d5d54@eptax.epcorp.com>
X-Sender: martinw@eptax.epcorp.com
X-Mailer: Windows Eudora Pro Version 3.0 Demo (32)
Date: Mon, 02 Dec 1996 10:23:15 -0500
To: Firewalls@GreatCircle.com
From: "Martin C. Walker"
Subject: 2 questions re:fw-1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Running FW-1 v2.1 on Solaris 2.5 x86. I have 2 questions

1. Where in the hierarchy of things that FW does is NAT applied on both the inbound and outbound (wrt the packet direction) interfaces ? I have "inbound" set in my properties.

Am I correct in thinking that, for a forward moving packet outbound from the internal network the following happens:

    packet reaches fw-1 internal interface
    anti spoofing applied
    items marked "first" in security policy properties
    rule base except for last rule
    items marked "before last" in security policy properties
    last rule of rule base
    items marked "last" in security policy properties
    implicit drop
    nat
    packet leaves external interface (boldly going where no packet has gone before)

2. At what level does snoop work on the fw-1 machine wrt to the FW-1 actions. ie will snoop only see packets that make it through the first 8 things above ?

------------------------------------------------------------------------
Martin C. Walker              martinw@epcorp.com
Project Lead                  Voice: (513)629-2517
Eagle-Picher Industries       Fax: (513)629-2449
580 Walnut St, Cincinnati, OH 45202

From firewalls-owner Mon Dec 2 08:26:18 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA11981 for firewalls-outgoing; Mon, 2 Dec 1996 08:09:13 -0800 (PST)
Received: from gw.garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA11973 for ; Mon, 2 Dec 1996 08:09:06 -0800 (PST)
Received: by gw.garrison.com; id EAA17165; Mon, 2 Dec 1996 04:03:01 -0600 (CST)
Received: from ukn0.garrison.com(10.0.0.2) by gw.garrison.com via smap (3.2) id xma017156; Mon, 2 Dec 96 04:02:55 -0600
Received: by garrison.com. (4.1/Surrogate Sendmail hack) id AA01528; Mon, 2 Dec 96 10:04:05 CST
Date: Mon, 2 Dec 96 10:04:05 CST
From: jeromie@garrison.com (Jeromie Jackson)
Message-Id: <9612021604.AA01528@garrison.com.>
To: zaka@tiac.net, lazar@netevolve.com
Subject: Re: Cisco's PIX firewall
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The biggest advantage to the PIX is that you can use a private addressing
> scheme on your network. This allows you to create a meaningful IP
> addressing scheme. For example, you can designate the second octet to
> match the OSPF area the address is used in. (i.e 10.3.0.0 for area 3,
> 10.4.0.0 for area 4 and so on). Another advantage to private addressing is
> that you never have to worry about renumbering your network due to changing
> ISP's or anything like that.

Let us not forget, that just about any firewall in the market has the ability to allow you to use internal net 10 addressing... This is not a feature of the box itself.

Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Mon Dec 2 08:56:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA14716 for firewalls-outgoing; Mon, 2 Dec 1996 08:48:15 -0800 (PST)
Received: from aries.dgsca.unam.mx (aries.dgsca.unam.mx [132.248.120.102]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA14709 for ; Mon, 2 Dec 1996 08:48:07 -0800 (PST)
Received: by aries.dgsca.unam.mx (940816.SGI.8.6.9/940406.SGI.AUTO) id KAA21297; Mon, 2 Dec 1996 10:42:09 -0600
Date: Mon, 2 Dec 1996 10:42:01 -0600 (CST)
From: "Raul Sanchez A."
To: firewalls@greatcircle.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

suscribe firewalls resa@servidor.unam.mx

From firewalls-owner Mon Dec 2 09:11:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA14508 for firewalls-outgoing; Mon, 2 Dec 1996 08:44:42 -0800 (PST)
Received: from mailhost.lanl.gov (mailhost.lanl.gov [128.165.3.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA14485 for ; Mon, 2 Dec 1996 08:44:29 -0800 (PST)
Received: from [128.165.20.50] ([128.165.20.50]) by mailhost.lanl.gov (8.7.6/8.7.3) with ESMTP id JAA09268; Mon, 2 Dec 1996 09:44:21 -0700 (MST)
X-Sender: u094929@128.165.3.68
Message-Id:
In-Reply-To: <31FCF437.41C67EA6@hephaestus.icorp.net>
References: <199607280352.XAA03167@bert.markettech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 2 Dec 1996 09:44:18 -0700
To: Eric Wieling , isdnsec@markettech.com, firewalls@GreatCircle.COM
From: "Gary G. Christoph"
Subject: Re:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Eric-

Does the offer still hold? :-)

Thanks,
Gary

At 10:26 -0700 7/29/96, Eric Wieling wrote:
>ISDN Secrets wrote:
>>
>> Most places in the country are charged by the minute
>> for ISDN access even for local calls. Some areas as
>> much as 2 cents per B channel (that's 4 cents per minute
>> with 128KB access) during primetime hours. Where I live,
>> in the month of July alone I would have paid $1279.20
>> for dedicated access (unless you know the secret the
>> phone company will not share with you). I only paid
>> $45.
>
>It's called Data Over Voice Bearer Service (DOVBS) and I'll tell you
>about it for free, if you e-mail me. 8-)
>
>--
>Eric Wieling
>Advanced Network Research
>InterCommerce Corporation
>Pager: 800-758-3680
>
>If you consistently take an antagonistic approach, however, people are
>going to start thinking you're from New York. :-)
> --Larry Wall to Dan Bernstein

----------------------------------------------------------------------
Gary G. Christoph, Ph.D.
Systems Security Research and Development Team Leader
Computer Research and Applications Group, CIC-3, MS-B265
Computing, Information and Communications Division
University of California, Los Alamos National Laboratory
Los Alamos, NM 87545
ggc@lanl.gov    (505) 667-3709    FAX (505) 665-5520
----------------------------------------------------------------------

From firewalls-owner Mon Dec 2 09:33:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA15456 for firewalls-outgoing; Mon, 2 Dec 1996 08:55:52 -0800 (PST)
Received: from hq.si.net (hq.si.net [192.156.192.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA15440 for ; Mon, 2 Dec 1996 08:55:44 -0800 (PST)
Received: (from mlu@localhost) by hq.si.net (8.8.3/8.7.3) id LAA05893; Mon, 2 Dec 1996 11:54:45 -0500 (EST)
Date: Mon, 2 Dec 1996 11:54:45 -0500 (EST)
From: Ming Lu
Message-Id: <199612021654.LAA05893@hq.si.net>
To: Denis.Valois@pt.nce.sita.int, firewalls@GreatCircle.COM, webmaster@internic.uob.bh
Subject: RE: [Fwd: Caution : Internet Virus]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Bill Gates' machines, it is possible..:-), not on unix

Cheers
Ming

From firewalls-owner Mon Dec 2 10:03:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA19881 for firewalls-outgoing; Mon, 2 Dec 1996 09:48:22 -0800 (PST)
Received: from ncc.moc.kw (ncc.moc.kw [196.1.69.98]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA19831 for ; Mon, 2 Dec 1996 09:47:38 -0800 (PST)
Received: from elias.moc.kw (raadazar.moc.kw [168.187.100.241]) by ncc.moc.kw (8.7.5/8.7.3) with SMTP id UAA19939 for ; Mon, 2 Dec 1996 20:47:33 -0300 (GMT)
Message-ID: <32A31829.5E60@ncc.moc.kw>
Date: Mon, 02 Dec 1996 20:55:53 +0300
From: Biju John
Reply-To: nbku1@ncc.moc.kw
Organization: NBK
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: SSL
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

Any one suggest where can I get information (simple explanation) on SSL
(Not Netscape site!!)

BJ

From firewalls-owner Mon Dec 2 10:12:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA20820 for firewalls-outgoing; Mon, 2 Dec 1996 09:57:54 -0800 (PST)
Received: from newman (newman.aventail.com [38.225.141.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA20800 for ; Mon, 2 Dec 1996 09:57:42 -0800 (PST)
Received: from 192.168.1.29 (steinbrenner [192.168.1.29]) by newman (8.6.12/8.6.9) with ESMTP id KAA00960; Wed, 13 Nov 1996 10:54:08 -0800
X-Mailer: exmh version 1.6.7 5/3/96
From: marcvh@aventail.com (Marc VanHeyningen)
To: "Young-jin Hong"
Subject: Re: Q) What is CIRCUIT GATEWAY(=CIRCUIT LEVEL PROXY)?
cc: Firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 02 Dec 1996 09:52:39 -0800
Message-ID: <19827.849549159@cosmo.aventail.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Dear list members.
>
>I'd like to know what 'circuit gateway(=circuit level proxy)' is or
>how different from application gateway and packet-filtering in
>generic firewalls.
>
>Let me know what it is or where i can find it out.
Briefly, a circuit level proxy is a "generic" application gateway which is like an application proxy in that it does not forward packets but instead proxies application-level content across a barrier, but is designed to be general enough to work with many different protocols, not just one. In practice, SOCKS is the most common circuit-level solution used and discussed.

In practice, the distinction can get blurred sometimes. Our SOCKS v5 server, for instance, is a circuit level proxy but is capable of doing some things normally associated with an application proxy, like performing content-based filtering of HTTP requests.

I'd recommend Chapter 3 of the Wily Hacker book. There's also a white paper on our web site that discusses some of the tradeoffs: .

--
Marc VanHeyningen    marcvh@aventail.com
Internet Security Architect
Aventail    http://www.aventail.com/

From firewalls-owner Mon Dec 2 10:51:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA22117 for firewalls-outgoing; Mon, 2 Dec 1996 10:10:28 -0800 (PST)
Received: from pancake.remcomp.fr (pancake.remcomp.fr [194.51.30.247]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA22029 for ; Mon, 2 Dec 1996 10:10:04 -0800 (PST)
Received: from tony.zapata.com ([128.127.10.2]) by zapata.omnix.fr.org (8.6.12/8.6.9) with SMTP id SAA02634; Mon, 2 Dec 1996 18:08:41 +0100
Message-ID: <32A2D5D2.6D5D@omnix.fr.org>
Date: Mon, 02 Dec 1996 14:12:50 +0100
From: Stephane Bouch=?iso-8859-1?Q?=E9 , ?=@remcomp.fr
Organization: OMNISET
X-Mailer: Mozilla 2.01 (Win95; I)
MIME-Version: 1.0
To: webmaster@admin.uob.bh
CC: firewalls@GreatCircle.COM
Subject: Re: [Fwd: Caution : Internet Virus]
References: <32A27FF4.431B@admin.uob.bh>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hisham Khalifa Al Saad wrote:
>
> Hi members of Firewalls,
>
> I got this Virus alert in my mail box, and by myself I forward it to
> you:
>
> ------------------------------------------------------------------------
>
> Hi,
> We just got word that there is a new virus screaming around the
> internet that will wipe out your hard drive if you open the file.
> Here is the word
> they sent us...
>
> "There is a computer virus that is being sent across the internet. If
> you receive an e-mail with a subject line of "Irinia", DO NOT read the
> message.
> Delete it immediately. Some miscreant is sending people files under the
> name of "Irinia". If you receive this file or e-mail, do not download
> it.
> It has a virus that rewrites your hard drive, obliterating anything on
> it.
> Please be careful and forward this e-mail to anyone you care about."
>
> This information was received from Professor Edward Prideaux, College of
> Salvonic Studies, London.
>
> This virus appears to be much more aggressive than the irritating
> Microsoft word virus. Be alert.
>
> ----------------------- END OF ALERT MESSAGE
> ----------------------------------
>
> Thank you,
> Take Care,
>
> Hisham Al Saad
> University of Bahrain

Please give us more information about this. Who sent the alert message to you? Is this a TROJAN? A VIRUS? WHAT IS THE ATTACHMENT? It doesn't look serious, technically speaking (without more details). Please let us know about it.
--
------------------------------------------------------------------------
Stéphane Bouché        | "Lie is virtual reality"
OMNISET                |
PC Security Experts    | "World is crazier than cows"
sb@omniset.com         |
------------------------------------------------------------------------

From firewalls-owner Mon Dec 2 10:58:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA23784 for firewalls-outgoing; Mon, 2 Dec 1996 10:31:57 -0800 (PST)
Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA23764 for ; Mon, 2 Dec 1996 10:31:44 -0800 (PST)
Received: from [198.115.177.209] (slip-0-9.slip.shore.net [198.115.177.209]) by relay1.shore.net (8.8.3/8.8.3) with SMTP id NAA19748 for ; Mon, 2 Dec 1996 13:31:37 -0500 (EST)
X-Sender: vin@shell1.shore.net
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 2 Dec 1996 13:31:39 -0500
To: firewalls@greatcircle.com
From: vin@shore.net (Vin McLellan)
Subject: Corporation Security - 90 Day Study
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mark Gembicki of WarRoom Research tells me that his survey of information security in 205 Fortune 1000 companies is now available online at , along with a press release and a statement from Sen. Nunn's Permanent Subcommittee on Investigations.

Vin McLellan
+The Privacy Guild+
53 Nichols St., Chelsea, Ma. 02150 USA
Tel: (617) 884-5548
<*><*><*><*><*><*><*><*><*>

From firewalls-owner Mon Dec 2 11:18:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA22942 for firewalls-outgoing; Mon, 2 Dec 1996 10:22:32 -0800 (PST)
Received: from emout07.mail.aol.com (emout07.mx.aol.com [198.81.11.22]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA22909 for ; Mon, 2 Dec 1996 10:22:07 -0800 (PST)
From: WarRoom2@aol.com
Received: by emout07.mail.aol.com (8.6.12/8.6.12) id NAA10471 for firewalls@greatcircle.com; Mon, 2 Dec 1996 13:21:53 -0500
Date: Mon, 2 Dec 1996 13:21:53 -0500
Message-ID: <961202132153_1684427786@emout07.mail.aol.com>
To: firewalls@greatcircle.com
Subject: WarRoom's Information Systems Security Survey -- http://www.infowar.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A variety of information on WarRoom Research's Information Systems Security (ISS) Survey is now available online. The following files reside at http://www.infowar.com:

  survey.doc   -- survey questionnaire in Word;
  surv_q12.hcx -- display of question number 12 in Harvard Chart XL;
  surv_q15.hcx -- display of question number 15 in Harvard Chart XL;
  news.txt     -- WarRoom Research news release about survey in ASCII;
  results.txt  -- survey results by question in ASCII;
  results.wk4  -- survey results by question in Lotus 1-2-3; and
  senate.txt   -- statement from Permanent Subcommittee on Investigations in ASCII.

Should anyone have questions or comments, I would be happy to respond.

Best regards,

Mark Gembicki, Exec. VP
WarRoom Research
410.437.1110 central
410.437.1118 fax
WarRoom2@aol.com

From firewalls-owner Mon Dec 2 11:43:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA20164 for firewalls-outgoing; Mon, 2 Dec 1996 09:52:09 -0800 (PST)
Received: from chronos.synopsys.com (chronos.synopsys.com [146.225.8.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA20150 for ; Mon, 2 Dec 1996 09:51:57 -0800 (PST)
Received: from atropos.synopsys.com by chronos.synopsys.com with SMTP id AA10689 (5.65c/IDA-1.4.4 for ); Mon, 2 Dec 1996 09:50:57 -0800
Received: from flying.synopsys.com (flying.synopsys.com [146.225.72.11]) by atropos.synopsys.com (8.6.9/8.6.9) with ESMTP id JAA27995; Mon, 2 Dec 1996 09:51:45 -0800
From: Habeeb Qadri
Received: by flying.synopsys.com (SMI-8.6/SNPS-Sol2) id JAA09181; Mon, 2 Dec 1996 09:51:51 -0800
Date: Mon, 2 Dec 1996 09:51:51 -0800
Message-Id: <199612021751.JAA09181@flying.synopsys.com>
To: firewalls-digest@GreatCircle.COM, felipe@pty.com
Subject: Re: FW-1 for ISP's
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Felipe:

You probably do not want to hear this, BUT.....

The intent of the CheckPoint license is that if you have 300 hosts on the INSIDE of your firewall, and you ONLY have a "250 user license" then you are in violation of their licensing policy. It does not matter if fewer than 250 hosts on the INSIDE need/use the firewall protection. As far as CheckPoint is concerned, their FW-1 software is "protecting" more than 250 hosts regardless of whether they need it or not.

Suggest you check with your reseller, and/or CheckPoint directly to avoid licensing problems later.

Habeeb Qadri

PS: I don't work for CheckPoint, but have taught their FW-1 class in the United States as a consultant for about 15 months.
> From postmaster@synopsys.com Wed Nov 27 19:19:44 1996
> Subject: FW-1 for ISP's
> To: firewalls-digest@GreatCircle.COM
> Date: Wed, 27 Nov 1996 20:54:21 +0500 (GMT)
> From: felipe@pty.com (Ing. Felipe Tribaldos)
> X-Url: http://www.pty.com/
> Mime-Version: 1.0
> Content-Transfer-Encoding: 7bit
>
> Hi;
>
> I would like to hear about ISP's who have FW-1 on Solaris.
> We purchased it, but are having problems with the licensing (250 node)
> version 2.0.
>
> I would like to hear especially if you have access server inside
> or outside of the firewall. This is a tricky issue, as any ISP
> knows that AS keep growing and growing.
>
> Also where do you put all the routers, these keep growing also.
> Do you protect dedicated customers networks also?
>
> I would like to hear how others have handled this issue, as an
> unlimited license is out of the question $19K!. If we only
> protect a couple of servers, then it doesn't make sense
> to use FW-1 since in the case of an ISP all the servers provide
> public services, such as DNS,MAIL,FTP,WWW,NEWS, etc.?
> Please answer by
> private email, as I am on digest mode, and won't see messages right
> away.
>
> Thanks;
>
> Felipe
>
> --
> ___________________________________________________________________________
> | Ing. Felipe Tribaldos                                                    |
> | Gerente de Operaciones / Operations Manager   Tel. +(507)269-3571/223-5111|
> | CyberMedia Panama                             Fax. +(507)264-6082        |
> | Internet Access - Web Publishing              Res. +(507)269-7330        |
> | url: http://www.pty.com/                      email: felipe@pty.com      |
> |__________________________________________________________________________|

From firewalls-owner Mon Dec 2 11:52:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA28854 for firewalls-outgoing; Mon, 2 Dec 1996 11:24:04 -0800 (PST)
Received: from whiz.mfi.com (whiz.mfi.com [198.71.19.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA28815 for ; Mon, 2 Dec 1996 11:23:52 -0800 (PST)
Received: from ccmail2.mfi.com by whiz.mfi.com (AIX 3.2/UCB 5.64/4.03) id AA11294; Mon, 2 Dec 1996 11:22:38 -0800
Received: from ccMail by mfi.com (SMTPLINK V2.11) id AA849554501; Mon, 02 Dec 96 11:24:07 PST
Date: Mon, 02 Dec 96 11:24:07 PST
From: "Richard Power"
Message-Id: <9611028495.AA849554501@mfi.com>
To: firewalls-digest@GreatCircle.COM, INFSEC-L@ETSUADMN.TAMU-COMMERCE.EDU, best-of-security@suburbia.net
Subject: Free "Intranet security tips from CSI
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you want a free copy of the "CSI Roundtable on Intranet Security," e-mail your postal address to prapalus@mfi.com. This report is not available electronically.

2 December 1996
FOR IMMEDIATE RELEASE

CSI roundtable explores Intranet security: Web of productivity or peril?

SAN FRANCISCO -- According to industry analysts, one in every five corporations has already deployed an Intranet and 70% of corporations plan to in 1997. The white-hot drive toward corporate Intranets exceeds even the thrust toward Internet access; analysts project that by the year 2000, there will be five million Intranet servers versus less than one million Internet servers. Clearly, this is a sweeping change in how information systems are built. What are the information security implications? What are the risks, threats and vulnerabilities of the Intranet computing environment?
In a special edition of the Computer Security Alert, a roundtable of information security experts offers a fascinating look into the challenges of Intranet security. The questions that CSI's blue-ribbon panel tackles include:

  How does Intranet security differ from LAN/WAN and client/server security?
  What vulnerabilities are accentuated in Intranet?
  How can you control content on Intranet web sites?
  Where does the Internet end and the Intranet begin?
  How would you do an Intranet risk analysis?
  What issues should be spelled out in an Intranet security policy?

The Computer Security Alert is the members-only monthly newsletter of the Computer Security Institute. CSI offers a two-day class, "How to Secure Your Intra/Internet Connections," which details how an organization can safely and securely utilize Intra/Internet technology. For further information, please call 415/905-2310.

###

Computer Security Institute is the oldest international membership organization specifically serving the information security professional. Established in 1974, CSI has thousands of members worldwide and provides a wide variety of information and educational programs to assist them in protecting the information assets of corporate, government and educational organizations.
From firewalls-owner Mon Dec 2 12:23:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA01408 for firewalls-outgoing; Mon, 2 Dec 1996 11:48:01 -0800 (PST)
Received: from panix3.panix.com (panix3.panix.com [198.7.0.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA01382 for ; Mon, 2 Dec 1996 11:47:50 -0800 (PST)
Received: from localhost (fangyou2@localhost) by panix3.panix.com (8.8.2/8.7/PanixU1.3) with SMTP id OAA24114 for ; Mon, 2 Dec 1996 14:47:57 -0500 (EST)
Date: Mon, 2 Dec 1996 14:47:50 -0500 (EST)
From: FaNgYoU2
To: firewalls@GreatCircle.com
Subject: Re: Question on Windows NT web behind firewall
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The web server on the NT machine inside the TIS Gauntlet is running Netscape Server 2.0. Does that have any known vulnerabilities that can be exploited by users with http connections from the Internet?

Please stop sending e-mail asking how I got through the Gauntlet. I did not get through the Gauntlet. I got physical access exactly the way I said I did.

FaNgYoU2, Cyberspace^^Vampyre
^^ Touch it, touch it, touch me ... creatures of the Night ^^

From firewalls-owner Mon Dec 2 12:37:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA00473 for firewalls-outgoing; Mon, 2 Dec 1996 11:40:10 -0800 (PST)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA00432 for ; Mon, 2 Dec 1996 11:39:55 -0800 (PST)
Received: from uurcp.rcp.net.pe by relay6.UU.NET with SMTP (peer crosschecked as: [161.132.2.10]) id QQbsju09992; Mon, 2 Dec 1996 14:39:59 -0500 (EST)
Received: from mem.gob.pe(really [161.132.54.4]) by uurcp.rcp.net.pe via sendmail with smtp id for ; Mon, 2 Dec 1996 14:37:29 -0500 (EST) (Smail-3.2 1996-Jul-4 #1 built 1996-Sep-16)
Received: from MEM/MAIL by mem.gob.pe (Mercury 1.13); Mon, 2 Dec 96 14:35:08 -0500
Received: from MAIL by MEM (Mercury 1.13); Mon, 2 Dec 96 14:30:04 -0500
Received: from amauta by mem.gob.pe (Mercury 1.13); Mon, 2 Dec 96 14:30:02 -0500
Comments: Authenticated sender is
From: "Sergio Untiveros"
Organization: Ministerio de Energia y Minas
To: Firewalls@GreatCircle.COM
Date: Mon, 2 Dec 1996 14:35:18 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: I free Firewall Software for NT.
X-mailer: Pegasus Mail for Win32 (v2.42)
Message-ID: <214AE50EED@mem.gob.pe>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello friends.

I need a free firewall software on NT server v4.0. Where will I find it?

Thanks for your help.

Sergio
Ministerio de Energia y Minas
Sergio Untiveros / Network Manager
Telf. 4750064 Anexo 223, 403
Telf: 9946059
http://www.mem.gob.pe

From firewalls-owner Mon Dec 2 13:26:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA10820 for firewalls-outgoing; Mon, 2 Dec 1996 13:19:33 -0800 (PST)
Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA10804 for ; Mon, 2 Dec 1996 13:19:23 -0800 (PST)
Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id NAA08378; Mon, 2 Dec 1996 13:15:39 -0800
Date: Mon, 2 Dec 1996 13:15:39 -0800 (PST)
From: Leonard Miyata
To: Biju John
cc: firewalls@GreatCircle.COM
Subject: Re: SSL
In-Reply-To: <32A31829.5E60@ncc.moc.kw>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The Northern Telecom (NORTEL) web site (www.nortel.com) has several write-ups and white papers posted. Search for their 'Entrust' home page off of their site.

Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com
GEMINI COMPUTERS INC.

On Mon, 2 Dec 1996, Biju John wrote:

> Hello,
>
> Any one suggest where can I get information (simple explanation ) on SSL
> (Not Netscape site!!)
>
> BJ
>

From firewalls-owner Mon Dec 2 13:40:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA11137 for firewalls-outgoing; Mon, 2 Dec 1996 13:24:02 -0800 (PST)
Received: from ns1.ntshop.com ([207.91.166.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA11117 for ; Mon, 2 Dec 1996 13:23:53 -0800 (PST)
Received: from beast.ntshop.net ([207.91.166.3]) by ns1.ntshop.com (post.office MTA v2.0 0813 ID# 153-13296) with SMTP id AAA167 for ; Mon, 2 Dec 1996 15:27:24 -0600
Received: by beast.ntshop.net with Microsoft Mail id <01BBE064.DAA63E20@beast.ntshop.net>; Mon, 2 Dec 1996 15:24:05 -0600
Message-ID: <01BBE064.DAA63E20@beast.ntshop.net>
From: Mark Joseph Edwards
To: "'firewalls@GreatCircle.com'"
Subject: RE: Internet Virus HOAX, Part 3x10^5
Date: Mon, 2 Dec 1996 15:24:01 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Psssst. Hey buddy....wanna buy a bridge in Brooklyn?

> "There is a computer virus that is being sent across the internet. If
> you receive an e-mail with a subject line of "Irinia", DO NOT read the
> message.
> Delete it immediately

From firewalls-owner Mon Dec 2 14:10:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA11635 for firewalls-outgoing; Mon, 2 Dec 1996 13:28:53 -0800 (PST)
Received: from hp5.xlconnect.com ([166.80.10.159]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA11583 for ; Mon, 2 Dec 1996 13:28:31 -0800 (PST)
Received: by hp5.xlconnect.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBE06D.9D0099E0@hp5.xlconnect.com>; Mon, 2 Dec 1996 16:26:47 -0500
Message-ID:
From: "Osterwald, Paul"
To: "'suntiver@mem.gob.pe'" , "'Firewalls@GreatCircle.COM'"
Subject: RE: IP numbers end
Date: Mon, 2 Dec 1996 16:31:06 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sergio:

The Best Current Practice document 5 (BCP5, RFC 1918) advocates the use of privatized addressing. This in conjunction with a firewall will allow you to use a Class A, multiple B, or multiple C address spaces internally and then use your registered address on your Internet segment (outside the firewall).

For publicly available firewall software, go to http://www.tis.com and obtain the firewall toolkit. It is an excellent product. They also have a mailing list to support it.

For references on firewalls, there is Repelling the Wily Hacker by Cheswick and Bellovin and Building Internet Firewalls by Chapman and Zwicky.

Hope this helps.

Paul

Subtle and insubstantial, the expert leaves no trace;
Divinely mysterious, he is inaudible.
- Sun Tzu

-----Original Message-----
From: Sergio Untiveros [SMTP:suntiver@mem.gob.pe]
Sent: Wednesday, November 27, 1996 1:29 AM
To: Firewalls@GreatCircle.COM
Subject: IP numbers end

Hi friends.

I write from Peru South America.
My question is as follows: how can we have more IP numbers in our site, because the 254 numbers are used? We do not have subnets.

Thanks for your help.

Ministerio de Energia y Minas
Sergio Untiveros
Adm. de Red
Telf. 4750064 Anexo 223, 403
Telf: 9946059

From firewalls-owner Mon Dec 2 14:26:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA15436 for firewalls-outgoing; Mon, 2 Dec 1996 14:13:04 -0800 (PST)
Received: from europe.std.com (europe.std.com [199.172.62.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA15400 for ; Mon, 2 Dec 1996 14:12:51 -0800 (PST)
Received: from world.std.com by europe.std.com (8.7.5/BZS-8-1.0) id RAA03368; Mon, 2 Dec 1996 17:12:46 -0500 (EST)
Received: by world.std.com (5.65c/Spike-2.0) id AA11389; Mon, 2 Dec 1996 17:12:25 -0500
From: heiser@world.std.com (Bill Heiser)
Message-Id: <199612022212.AA11389@world.std.com>
Subject: restricting OUTBOUND access
To: firewalls@greatcircle.com
Date: Mon, 2 Dec 1996 17:12:25 -0500 (EST)
X-Mailer: ELM [version 2.4 PL25]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

An associate of mine is trying to convince me that it's safe to restrict only inbound traffic thru a firewall, but to allow completely unrestricted traffic outbound. I'm looking for concrete examples of why this is a Bad Thing.

I guess I'm thinking in terms of inside users connecting to evil services on the outside, with the established connections being used to do Bad Things to inside systems. However I don't have any concrete examples.

Also, since presumably once someone is "inside" they can do anything they want anyway (put stuff on a floppy, fax, etc), that makes a case for his argument that allowing outbound unrestricted access isn't so bad. But I'm not convinced.
Any feedback on what kinds of bad things can happen (by users on the OUTSIDE) with this kind of firewall setup would be appreciated.

Thanks in advance,
Bill

--
Bill Heiser
heiser@world.std.com

From firewalls-owner Mon Dec 2 15:40:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA23075 for firewalls-outgoing; Mon, 2 Dec 1996 15:35:44 -0800 (PST)
Received: from osceola.gate.net (osceola.gate.net [199.227.0.18]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA23066 for ; Mon, 2 Dec 1996 15:35:33 -0800 (PST)
Received: from gate.net.gate.net (orlfl2-3.gate.net [199.227.3.130]) by osceola.gate.net (8.8.3/8.6.12) with ESMTP id SAA36116; Mon, 2 Dec 1996 18:35:23 -0500
Message-Id: <199612022335.SAA36116@osceola.gate.net>
From: "William Beem"
To: ,
Subject: Re: SSL
Date: Mon, 2 Dec 1996 18:33:15 -0500
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Try http://www.microsoft.com/intdev/security

--William

----------
> From: Biju John
> To: firewalls@GreatCircle.COM
> Subject: SSL
> Date: Monday, December 02, 1996 12:55 PM
>
> Hello,
>
> Any one suggest where can I get information (simple explanation ) on SSL
> (Not Netscape site!!)
>
> BJ

From firewalls-owner Mon Dec 2 15:57:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA23877 for firewalls-outgoing; Mon, 2 Dec 1996 15:44:54 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA23859; Mon, 2 Dec 1996 15:44:46 -0800 (PST)
Received: from dochin-pc.cisco.com (dhcp-vm1-2-150.cisco.com [171.68.164.150]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id PAA04476; Mon, 2 Dec 1996 15:44:41 -0800
Message-Id: <2.2.32.19961202223923.00d001a0@diablo.cisco.com>
X-Sender: dochin@diablo.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 02 Dec 1996 14:39:23 -0800
To: Mark_Plesser_at_NYRAPO@GreatCircle.COM
From: "Don S. Chin"
Subject: Cisco's PIX Firewall
Cc: firewalls@GreatCircle.COM, lazar@netevolve.com, mhoward@cisco.com, froys@cisco.com, jlw@cisco.com, afoss@cisco.com, amittal@cisco.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mark,

I don't have the original email thread -- I'm working from a hard copy.

To clarify the PIX Firewall, it is not a packet filter. It is a dedicated security device, built with one purpose in mind -- securing the private LAN to the Internet. We are in fact directly in competition with Checkpoint, Raptor, TIS, etc.

The "cut-through proxy" feature provides a significant performance enhancement to the security function since users are authenticated at the application layer. Once authenticated, the process flow shifts back to the network layer which provides the high performance.

The product itself is NCSA certified, and SRI has done a security audit on the PIX Firewall (see http://www.cisco.com/pix)

I hope this clarifies things for you.
Don Chin 170 West Tasman Drive Email: dochin@cisco.com Product Marketing Manager San Jose, CA 95134-1706 Internet Business Unit Direct (408) 527-8116 Cisco Systems Corp. FAX (408) 527-8122 From firewalls-owner Mon Dec 2 16:25:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA24544 for firewalls-outgoing; Mon, 2 Dec 1996 15:57:23 -0800 (PST) Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA24525 for ; Mon, 2 Dec 1996 15:57:15 -0800 (PST) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id QAA20086 for ; Mon, 2 Dec 1996 16:13:19 -0800 Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id PAA03673 for ; Mon, 2 Dec 1996 15:53:20 -0800 Date: Mon, 2 Dec 1996 15:53:18 -0800 (PST) From: Michael Dillon To: firewalls@GreatCircle.COM Subject: RE: [Fwd: Caution : Internet Virus] In-Reply-To: Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 2 Dec 1996, Denis Valois wrote: > This is a hoax. > > Anyway, just by saying that "reading" a mailgram wipes out > your hard drive is of utmost foolishness. Irina may be a hoax, but the danger is real. There are now email applications that *CAN* open up attached binaries and execute them without user intervention. Michael Dillon - ISP & Internet Consulting Memra Software Inc. 
- Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

From firewalls-owner Mon Dec 2 16:45:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA26711 for firewalls-outgoing; Mon, 2 Dec 1996 16:28:26 -0800 (PST)
Received: from trumpet.aix.calpoly.edu (trumpet.aix.calpoly.edu [129.65.65.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA26704 for ; Mon, 2 Dec 1996 16:28:14 -0800 (PST)
Received: by trumpet.aix.calpoly.edu (AIX 3.2/UCB 5.64/4.03) id AA81393; Mon, 2 Dec 1996 16:26:11 -0800
Date: Mon, 2 Dec 1996 16:26:10 -0800 (PST)
From: "R. E. Paret"
To: Bill Heiser
Cc: firewalls@GreatCircle.COM
Subject: Re: restricting OUTBOUND access
In-Reply-To: <199612022212.AA11389@world.std.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 2 Dec 1996, Bill Heiser wrote:

>
> An associate of mine is trying to convince me that it's safe
> to restrict only inbound traffic thru a firewall, but to
> allow completely unrestricted traffic outbound. I'm looking
> for concrete examples of why this is a Bad Thing.

There are a variety of reasons why this could be a Bad Thing(tm), depending on your perspective. One is if your organization wanted to filter out web sites based on content (no looking at erotica during business hours); accessing such material would be termed a Bad Thing and thus need to be restricted. While we're on the topic of the WWW, hostile Java applets on a seemingly safe site could wreak havoc on your internal network. A malcontent on the inside could ftp exploit code to gain a greater level of privilege on the internal network, which is also a Bad Thing. There are probably more examples where you would want to control outbound access (and not necessarily just through firewalls), but those are the few I can think of off the top of my head.

R.E.
Paret

From firewalls-owner Mon Dec 2 17:01:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA24113 for firewalls-outgoing; Mon, 2 Dec 1996 15:49:26 -0800 (PST)
Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA24106 for ; Mon, 2 Dec 1996 15:49:19 -0800 (PST)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id QAA19994 for ; Mon, 2 Dec 1996 16:05:20 -0800
Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id PAA03613 for ; Mon, 2 Dec 1996 15:45:19 -0800
Date: Mon, 2 Dec 1996 15:45:18 -0800 (PST)
From: Michael Dillon
To: firewalls@GreatCircle.COM
Subject: Re: (MSIE3.0) - Re: ActiveX and Risks
In-Reply-To: <32A20036.60BA@medeserv.com.au>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 2 Dec 1996, Steven Herod wrote:

> > This *can* be done. Microsoft provides (for the cost of shipping the
> > CD-ROM) an administration kit that can be used to create an install
> > set
>
> The cost of distribution is more than the $20 shipping fee.
> You must change your web site to use IE specific features, issue
> press releases aligning yourself with Microsoft's internet strategy,
> install it on all the machines on your site and more.....

There are alternatives as well that usually include Netscape and Eudora and various other utilities with a dialler and install script.

http://www.intercon.com/valet
http://www.ccsweb.com
http://www.usefulware.com

Michael Dillon - ISP & Internet Consulting
Memra Software Inc.
- Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

From firewalls-owner Mon Dec 2 17:08:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA24122 for firewalls-outgoing; Mon, 2 Dec 1996 15:49:59 -0800 (PST)
Received: from LIVEDGAR.gsionline.com (livedgar.gsionline.com [204.254.209.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA24115 for ; Mon, 2 Dec 1996 15:49:49 -0800 (PST)
Received: from LIVEDGAR.gsionline.com by LIVEDGAR.gsionline.com (NTMail 3.02.09) with ESMTP id ia053958 for ; Mon, 2 Dec 1996 18:51:46 -0500
X-Sender: nbk#204.254.209.2@192.168.0.22
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: heiser@world.std.com (Bill Heiser)
From: nkeenan@gsionline.com (Nick Keenan)
Subject: Re: restricting OUTBOUND access
Cc: firewalls@greatcircle.com
Date: Mon, 2 Dec 1996 18:51:46 -0500
Message-Id: <23514668534765@gsionline.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
>Any feedback on what kinds of bad things can happen (by users
>on the OUTSIDE) with this kind of firewall setup would be
>appreciated.
>

Well, this may be a stretch into the hypothetical:

User is running Windows 95. Uses outgoing connection to connect into a modem pool outside of the firewall (could be anywhere on the Internet with new TCP/IP based modem pool servers). Uses Dial-Up Networking to dial into a Remote Access Server. His computer, AND HIS NETWORK, are now accessible from the RAS host.

So imagine this scenario (again, far into the hypothetical): Bad guy wants to trap the unwary. Sets up a dial-up bulletin board with bait (porn* perhaps?). Says only access is through dial-up, doesn't want to deal with Internet Porno Cops. Also sets up modem pool in same area code, on the Internet, and invites people to connect to the modem pool and dial the BBS. Users think they are being clever, viewing porn at work with no one the wiser.
In reality, they are providing a back door for him to hack their network.

Unlikely, yes. This is a hypothetical. But the point is that Windows 95 allows you to compromise the network via outgoing modem calls. And you can use TCP/IP to access a modem.

*Footnote: I hate using porn as an example, but it was the only bait I could think of on short notice. Already too much misinformation has been spread linking the Internet and porn -- see the Rimm study claiming that over 2/3 of Internet traffic is porn.

Nick

From firewalls-owner Mon Dec 2 17:28:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA01306 for firewalls-outgoing; Mon, 2 Dec 1996 17:13:56 -0800 (PST)
Received: from news.rc.on.ca ([207.176.151.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA01289 for ; Mon, 2 Dec 1996 17:13:46 -0800 (PST)
Received: by mail.rc.on.ca with IMAIL 2.0 id <01BBE08C.FB0CE470@mail.rc.on.ca>; Mon, 2 Dec 1996 20:11:19 -0500
Message-ID:
From: Russ
To: "Firewalls@GreatCircle.COM" , "'Sergio Untiveros'"
Subject: RE: I free Firewall Software for NT.
Date: Mon, 2 Dec 1996 20:11:18 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Connector (Beta) (4.5.1280.0)
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Hello friends. I need free firewall software for an NT server v4.0.
>Where will I find it? Thanks for your help.

* Control Panel/Networks/TCP-IP/Advanced/Enable Security/Configure/Permit Only/Permit Only/Permit Only/Ok/Ok/Ok/Ok

* Bada bing bada bang, nothing can penetrate it.

Whaddaya want for nuthin...

* Cheers,
Russ
R.C. Consulting, Inc.
- NT/Internet Security Consulting
mailto:Russ.Cooper@RC.on.ca <-- *note the new address*

From firewalls-owner Mon Dec 2 17:40:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA02130 for firewalls-outgoing; Mon, 2 Dec 1996 17:20:57 -0800 (PST)
Received: from cidintpop2.INFOSEL.NET.MX (cidintpop2.infosel.net.mx [148.246.247.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA02093 for ; Mon, 2 Dec 1996 17:20:39 -0800 (PST)
Received: from cidexchange.infosel.com.mx ([148.246.8.22]) by cidintpop2.INFOSEL.NET.MX (post.office MTA v2.0 0813 ID# 0-11856) with SMTP id AAA182 for ; Mon, 2 Dec 1996 19:19:56 -0600
Received: by cidexchange.infosel.com.mx with Microsoft Exchange (IMC 4.0.837.3) id <01BBE085.6C796D70@cidexchange.infosel.com.mx>; Mon, 2 Dec 1996 19:17:13 -0600
Message-ID:
X-MS-TNEF-Correlator:
From: Jaime Alberto Botello Cantú
To: "'firewalls@greatcircle.com'"
Subject: Configuring NAT feature in Cisco IOS 11.2
Date: Mon, 2 Dec 1996 19:17:06 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BBE085.6C85A270"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible.

------ =_NextPart_000_01BBE085.6C85A270
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hi,

Does someone know how to configure the NAT feature in Cisco IOS 11.2? We are trying to do some tests to check the performance and to evaluate this as an option for smaller clients.

I already looked at the Cisco web site, but no luck.

Thanks in advance.
------ =_NextPart_000_01BBE085.6C85A270--

From firewalls-owner Mon Dec 2 18:15:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA06655 for firewalls-outgoing; Mon, 2 Dec 1996 18:02:31 -0800 (PST)
Received: from hq.si.net (hq.si.net [192.156.192.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA06628 for ; Mon, 2 Dec 1996 18:02:23 -0800 (PST)
Received: (from mlu@localhost) by hq.si.net (8.8.3/8.7.3) id VAA14816; Mon, 2 Dec 1996 21:02:22 -0500 (EST)
Date: Mon, 2 Dec 1996 21:02:22 -0500 (EST)
From: Ming Lu
Message-Id: <199612030202.VAA14816@hq.si.net>
To: heiser@world.std.com, nkeenan@gsionline.com
Subject: Re: restricting OUTBOUND access
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Nick: did you mean dialup via win95? It will bypass the firewall anyway. I really don't see how the firewall can block people in this case, unless the modem pool is behind the firewall.
Regards
Ming

From firewalls-owner Mon Dec 2 18:25:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA07891 for firewalls-outgoing; Mon, 2 Dec 1996 18:13:49 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA07881 for ; Mon, 2 Dec 1996 18:13:40 -0800 (PST)
Received: from big-dogs.cisco.com ([171.68.53.75]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id SAA05301; Mon, 2 Dec 1996 18:13:30 -0800
Message-Id: <2.2.32.19961203021331.006c4b88@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 02 Dec 1996 21:13:31 -0500
To: Jaime Alberto Botello Cantú
From: Paul Ferguson
Subject: Re: Configuring NAT feature in Cisco IOS 11.2
Cc: "'firewalls@greatcircle.com'"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 07:17 PM 12/2/96 -0600, Jaime Alberto Botello Cantú wrote:

>
>Someone know how to configure the NAT feature in the cisco IOS 11.2?,
>we are trying to do some test to check the performance and to evaluate
>this like an option to smaller clients.
>
>I already look at cisco web, but no luck.
>
>Thanks in advance.
>

You must not have looked here:

http://cio.cisco.com/univercd/data/doc/software/11_2/cnp1/5cip.htm#REF30065

- paul

--
Paul Ferguson                        ||        ||
Consulting Engineering               ||        ||
Herndon, Virginia USA               ||||      ||||
tel: +1.703.397.5938            ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com      c i s c o  S y s t e m s

From firewalls-owner Mon Dec 2 18:55:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA11607 for firewalls-outgoing; Mon, 2 Dec 1996 18:50:29 -0800 (PST)
Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA11588 for ; Mon, 2 Dec 1996 18:50:20 -0800 (PST)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id UAA00283; Mon, 2 Dec 1996 20:52:00 -0600
Date: Mon, 2 Dec 1996 20:44:27 -0600 (CST)
From: Ron DuFresne
To: Denis Valois
cc: firewalls@GreatCircle.COM, webmaster@internic.uob.bh
Subject: RE: [Fwd: Caution : Internet Virus]
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hmm, could well be a new form of one of the M$office macro viri, and, if you read a mail attachment with Word that is infected, you will infect your system, at least *.dot and *.doc files. Might be a tad of truth in the 'reading' part...

Later,

Ron DuFresne

On Mon, 2 Dec 1996, Denis Valois wrote:

> This is a hoax.
>
> Anyway, just by saying that "reading" a mailgram wipes out
> your hard drive is of utmost foolishness.
>
>
> Denis Valois
> Computer & Network Security
> SITA (Societe Internationale de Telecommunications Aeronautiques)
>
> On Mon, 02 Dec 1996 10:06:28 +0300 Hisham Khalifa Al Saad wrote:
> >Hi members of Firewalls,
> >
> >I got this Virus alert in my mail box, and by myself i forward it to
> >you:
> >
> >------------------------------------------------------------------------
> >
> >Hi,
> > We just got word that there is a new virus screaming around the
> >internet that will wipe out your hard drive if you open the file.
> >Here is the word
> >they sent us...
> >
> >"There is a computer virus that is being sent across the internet. If
> >you receive an e-mail with a subject line of "Irinia", DO NOT read the
> >message.
> >Delete it immediately. Some miscreant is sending people files under the
> >name of "Irinia". If you receive this file or e-mail, do not download
> >it.
> >It has a virus that rewrites your hard drive, obliterating anything on
> >it.
> >Please be careful and forward this e-mail to anyone you care about."
> >
> >This information was received from Professor Edward Prideaux, College of
> >Salvonic Studies, London.
> >
> >This virus appears to be much more aggressive than the irritating
> >Microsoft word virus. Be alert.
> >
> >----------------------- END OF ALERT MESSAGE
> >----------------------------------
> >
> >
> >Thank you,
> >Take Care,
> >
> >Hisham Al Saad
> >University of Bahrain
> >
> >
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
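The two points made in this thread that are not hoax material are Michael Dillon's (some mail clients open attached binaries without asking) and Ron DuFresne's (an infected Word document attached to mail carries its macros with it). The screening filter below is an added example written for this archive; it is not code posted by any list member or taken from any product the list discusses. It assumes a mail gateway that can see the raw message and uses only Python's standard email package; the sender and recipient addresses, the message and the attachment payloads are constructed for the demonstration. The check is deliberately content-based as well as name-based, since a client that auto-opens an attachment acts on the bytes, not on the filename the sender chose.

```python
"""Screening mail attachments at a gateway: an added example, not code from
any list participant or from a product discussed on the list.

The checks combine the declared filename with the first bytes of the decoded
payload. Sample message, addresses and payloads are constructed.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions a mail client may hand straight to the OS for execution.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs", ".js"}
# Word/Excel formats that can carry auto-running macros (.dot is the template).
MACRO_CAPABLE_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt"}
# OLE2 compound-document signature used by Word 6/95/97 .doc and .dot files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# DOS/Windows executable header.
MZ_MAGIC = b"MZ"


def build_sample_message():
    """Constructed test message (hypothetical addresses) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Irina"
    msg.set_content("Please read the attached file.")
    # OLE2 header followed by padding: what a Word document starts with.
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 24, maintype="application",
                       subtype="msword", filename="notes.doc")
    # Declared as a .zip, but the payload starts with an MZ executable header.
    msg.add_attachment(MZ_MAGIC + b"\x90\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="update.zip")
    # Harmless text attachment.
    msg.add_attachment("just text", filename="readme.txt")
    return msg.as_bytes()


def classify_attachment(filename, payload):
    """Return the list of reasons this attachment is considered risky ([] if none)."""
    ext = os.path.splitext(filename.lower())[1]
    head = payload[:len(OLE2_MAGIC)]
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension")
    if head.startswith(MZ_MAGIC):
        reasons.append("MZ executable header")
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append("executable disguised as " + (ext or "no extension"))
    if ext in MACRO_CAPABLE_EXTENSIONS or head.startswith(OLE2_MAGIC):
        reasons.append("OLE2 document, may carry Word macros")
    return reasons


def screen_message(raw):
    """Parse a raw RFC 822 message; return [(filename, reasons), ...] per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_content()
        if isinstance(data, str):          # text parts decode to str
            data = data.encode("utf-8", "replace")
        findings.append((name, classify_attachment(name, data)))
    return findings


def should_quarantine(raw):
    """Gateway decision: hold the message if any attachment was flagged."""
    return any(reasons for _, reasons in screen_message(raw))


if __name__ == "__main__":
    raw = build_sample_message()
    for name, reasons in screen_message(raw):
        print(f"{name}: {', '.join(reasons) or 'ok'}")
    print("quarantine:", should_quarantine(raw))
```

Run stand-alone it reports notes.doc as an OLE2 document, update.zip as an executable under a misleading name, readme.txt as clean, and holds the message. A real gateway would go on to unpack archives and hand OLE2 documents to a macro scanner; the point here is that the decision is made before any client on the inside gets to open the file.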
From firewalls-owner Mon Dec 2 19:10:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA10821 for firewalls-outgoing; Mon, 2 Dec 1996 18:44:13 -0800 (PST)
Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA10796 for ; Mon, 2 Dec 1996 18:44:00 -0800 (PST)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id UAA00272; Mon, 2 Dec 1996 20:45:41 -0600
Date: Mon, 2 Dec 1996 20:38:08 -0600 (CST)
From: Ron DuFresne
To: Hisham Khalifa Al Saad
cc: firewalls@GreatCircle.COM
Subject: Re: [Fwd: Caution : Internet Virus]
In-Reply-To: <32A27FF4.431B@admin.uob.bh>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This one came my way:

Subject: SERIOUS: Computer Virus Warning

Please pass this message on to anyone you know!

Firm warns of INTERNET virus.

CD-Rom manufacturer Chinon America, Inc. says computer vandals have illegally put its name on a virus-ridden file and released it on the INTERNET.

Chinon warns NOT to download the file called "CD-IT.ZIP", saying it will corrupt the hard disk!

In a statement from Torrance, CA., Chinon says "The program, allegedly a shareware PC utility that will convert an ordinary CD-ROM drive into a CD-Recordable (CR-R) device, which is technically impossible, instead destroys the files on the PC hard drive.

The program also immediately crashed the CPU, forces the user to reboot and stays in memory. This virus has proven thus far to be -undetectable- by traditional virus checkers."

Chinon says that the CD-IT.ZIP file 'promises to enable read/write to your CD-ROM drive', and lists the program as being authored by Joseph S. Shriner, couriered by HDA, and copyrighted by Chinon Products.
Saying that it has no division by that name, Chinon management speculates that the vandals picked its company name to make it seem that the software was being endorsed by a well known and reputable CD-ROM manufacturer.

Chinon is urging people with information that could lead to the arrest and prosecution of those associated with the CD-IT program to call the company at (310) 533-0274.

Later,

Ron DuFresne

On Mon, 2 Dec 1996, Hisham Khalifa Al Saad wrote:

> Hi members of Firewalls,
>
> I got this Virus alert in my mail box, and by myself i forward it to
> you:
>
> ------------------------------------------------------------------------
>
> Hi,
> We just got word that there is a new virus screaming around the
> internet that will wipe out your hard drive if you open the file.
> Here is the word
> they sent us...
>
> "There is a computer virus that is being sent across the internet. If
> you receive an e-mail with a subject line of "Irinia", DO NOT read the
> message.
> Delete it immediately. Some miscreant is sending people files under the
> name of "Irinia". If you receive this file or e-mail, do not download
> it.
> It has a virus that rewrites your hard drive, obliterating anything on
> it.
> Please be careful and forward this e-mail to anyone you care about."
>
> This information was received from Professor Edward Prideaux, College of
> Salvonic Studies, London.
>
> This virus appears to be much more aggressive than the irritating
> Microsoft word virus. Be alert.
>
> ----------------------- END OF ALERT MESSAGE
> ----------------------------------
>
>
> Thank you,
> Take Care,
>
> Hisham Al Saad
> University of Bahrain
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
From firewalls-owner Mon Dec 2 19:25:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA13694 for firewalls-outgoing; Mon, 2 Dec 1996 19:18:01 -0800 (PST)
Received: from snth.stph.net (snth.snth.stph.net [196.12.33.107]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA13680 for ; Mon, 2 Dec 1996 19:17:52 -0800 (PST)
Received: by snth.stph.net id ; Tue, 3 Dec 1996 08:47:56 +0530
Date: Tue, 3 Dec 1996 08:47:56 +0530
From: Venkata Ramakrishna R
Message-Id: <199612030317.IAA10371@snth.stph.net>
Received: from simla.snth.stph.net(196.12.56.141) by snth.snth.stph.net via smap (V1.3) id sma010369; Tue Dec 3 08:47:53 1996
To: firewalls@greatcircle.com
Subject: POP3 for TIS firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Where can I get a POP3 proxy for the TIS firewall?? Please guide me....

Thanks,
-Ramu.

From firewalls-owner Mon Dec 2 20:41:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA18912 for firewalls-outgoing; Mon, 2 Dec 1996 20:39:45 -0800 (PST)
Received: from rxk.India.Fluent.COM ([192.233.231.28]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA18880 for ; Mon, 2 Dec 1996 20:39:32 -0800 (PST)
Received: by rxk.India.Fluent.COM (931110.SGI/930416.SGI.AUTO) for firewalls@greatcircle.com id AA16452; Tue, 3 Dec 96 10:07:59 +0530
From: "Rajeev Kumar"
Message-Id: <9612031007.ZM16450@rxk.India.Fluent.COM>
Date: Tue, 3 Dec 1996 10:07:58 +0000
In-Reply-To: heiser@world.std.com (Bill Heiser) "restricting OUTBOUND access" (Dec 2, 5:12pm)
References: <199612022212.AA11389@world.std.com>
X-Mailer: Z-Mail (3.1.0 22feb94 MediaMail)
To: heiser@world.std.com (Bill Heiser)
Subject: Re: restricting OUTBOUND access
Cc: firewalls@greatcircle.com
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

The matter is very subjective, still I would like to quote from Cheswick
& Bellovin's (Firewalls and Internet Security: p. 86):

"There is no point to building a very high wall against outgoing ftp, while not worrying about pocket-sized tape cassettes that hold several gigabytes of data."

and the last point on the same page:

"Our gateway only minimizes the considerable threat from the masses on the Internet. THERE ARE NUMEROUS OTHER SECURITY THREATS TO THE COMPANY".

In my personal opinion, if people are smart enough they can dig holes down the wall while you keep on watching the height of the wall and trying to make it as high as possible. The harder you make it for users, the more curious they become to peep at the other side of the wall, wasting both your time and the users' getting involved in a Secure-Cold-War. Better not to allow digging holes under the wall; if somebody crosses your short walls you have the freedom to watch her and curb her anytime.

If not satisfied, read the quote from my signature. That is also borrowed, but I mean it!

Rajeev

On Dec 2, 5:12pm, Bill Heiser wrote:
> Subject: restricting OUTBOUND access
>
> An associate of mine is trying to convince me that it's safe
> to restrict only inbound traffic thru a firewall, but to
> allow completely unrestricted traffic outbound. I'm looking
> for concrete examples of why this is a Bad Thing. I guess
> I'm thinking in terms of inside users connecting to evil
> services on the outside, with the established connections
> being used to do Bad Things to inside systems. However
> I don't have any concrete examples. Also, since
> presumably once someone is "inside" they can do anything
> they want anyway (put stuff on a floppy, fax, etc), that
> makes a case for his argument that allowing outbound
> unrestricted access isn't so bad. But I'm not convinced.
>
> Any feedback on what kinds of bad things can happen (by users
> on the OUTSIDE) with this kind of firewall setup would be
> appreciated.
>
> Thanks in advance,
> Bill
>
>
> --
> Bill Heiser heiser@world.std.com
>-- End of excerpt from Bill Heiser

--
#########################################################################
Rajeev Kumar                  | Phone: +91-212-771923
Flow Consultants India        | Fax : +91-212-771928
E-mail:rxk@india.fluent.com   | Home Ph. No: +91-1332-71281
A-1 Tech. Park, M.I.D.C.      | http://www.fluent.com
Talwade, PUNE                 |----------------------------------------
INDIA                         |IF ANYTHING CAN GO WRONG, IT WILL
#########################################################################

From firewalls-owner Mon Dec 2 21:10:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA19511 for firewalls-outgoing; Mon, 2 Dec 1996 20:55:57 -0800 (PST)
Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA19497 for ; Mon, 2 Dec 1996 20:55:50 -0800 (PST)
Received: (from mail@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id XAA25427; Mon, 2 Dec 1996 23:59:02 -0500
X-Authentication-Warning: cih-gw.cih.com: mail set sender to using -f
Received: from cih-gw(204.69.206.1) by cih-gw.cih.com via smap (V2.0alpha) id sma025423; Mon Dec 2 23:58:58 1996
Date: Mon, 2 Dec 1996 23:58:58 -0500 (EST)
From: "Craig I. Hagan"
Reply-To: hagan@cih.com
To: Nick Keenan
cc: Bill Heiser , firewalls@GreatCircle.COM
Subject: Re: restricting OUTBOUND access
In-Reply-To: <23514668534765@gsionline.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Unlikely, yes. This is a hypothetical. But the point is that Windows 95
> allows you to compromise the network via outgoing modem calls. And you can
> use TCP/IP to access a modem.

worse....what about PPTP? bad guy(tm) can create a hostile application which you access, causing a PPTP tunnel to be initiated by you against his happy fun server.
from there, he gets to unleash god only knows what sort of insanity onto your network.

-- craig

-------------------------------------------------------------------------------
Craig I. Hagan      "It's a small world, but I wouldn't want to back it up"
hagan@cih.com       "True hackers don't die, their ttl expires"

From firewalls-owner Mon Dec 2 23:25:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA27723 for firewalls-outgoing; Mon, 2 Dec 1996 23:20:07 -0800 (PST)
Received: from mail.pixi.com (phoenix.pixi.com [204.182.46.82]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id XAA27716 for ; Mon, 2 Dec 1996 23:19:59 -0800 (PST)
Received: from thoth (netsurfer2.pixi.com [204.188.76.196]) by mail.pixi.com (8.8.3/8.8.3/PIXI-5.0) with ESMTP id VAA11221; Mon, 2 Dec 1996 21:19:41 -1000 (HST)
Message-Id: <199612030719.VAA11221@mail.pixi.com>
From: "James D. Wilson"
To: "Ron DuFresne" , "Hisham Khalifa Al Saad"
Cc:
Subject: Re: [Fwd: Caution : Internet Virus]
Date: Mon, 2 Dec 1996 21:16:27 -0000
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Report it to CIAC

#include
    _   __     __  _____             ____
   / | / /__  / /_/ ___/__  _______/ __/__  _____
  /  |/ / _ \/ __/\__ \/ / / / ___/ /_/ _ \/ ___/
 / /| / __/ /_ ___/ / /_/ / / / __/ __/ /
================/_/=|_/\___/\__//____/\__,_/_/==/_/==\___/_/===============

----------
> From: Ron DuFresne
> To: Hisham Khalifa Al Saad
> Cc: firewalls@GreatCircle.COM
> Subject: Re: [Fwd: Caution : Internet Virus]
> Date: Monday, December 02, 1996 4:38 PM
>
>
> This one came my way:
>
> Subject: SERIOUS: Computer Virus Warning
>
> Please pass this message on to anyone you know!
>
> Firm warns of INTERNET virus.
>
> CD-Rom manufacturer Chinon America, Inc.
> says computer vandals have
> illegally put its name on a virus-ridden file and released it on the
> INTERNET.
>
> Chinon warns NOT to download the file called "CD-IT.ZIP", saying
> it will corrupt the hard disk!
>
> In a statement from Torrance, CA., Chinon says "The program, allegedly
> a shareware PC utility that will convert an ordinary CD-ROM drive into
> a CD-Recordable (CR-R) device, which is technically impossible, instead
> destroys the files on the PC hard drive.
>
> The program also immediately crashed the CPU, forces the user to reboot
> and stays in memory. This virus has proven thus far to be
> -undetectable- by traditional virus checkers."
>
> Chinon says that the CD-IT.ZIP file 'promises to enable read/write to
> your CD-ROM drive', and lists the program as being authored by Joseph S.
> Shriner, couriered by HDA, and copyrighted by Chinon Products.
> Saying that it has no division by that name, Chinon management
> speculates that the vandals picked its company name to make it seem
> that the software was being endorsed by a well known and reputable
> CD-ROM manufacturer.
>
> Chinon is urging people with information that could lead to the arrest
> and prosecution of those associated with the CD-IT program to call the
> company at (310) 533-0274.
>
> Later,
>
> Ron DuFresne
>
> On Mon, 2 Dec 1996, Hisham Khalifa Al Saad wrote:
>
> > Hi members of Firewalls,
> >
> > I got this Virus alert in my mail box, and by myself i forward it to
> > you:
> >
> > ------------------------------------------------------------------------
> >
> > Hi,
> > We just got word that there is a new virus screaming around the
> > internet that will wipe out your hard drive if you open the file.
> > Here is the word
> > they sent us...
> >
> > "There is a computer virus that is being sent across the internet. If
> > you receive an e-mail with a subject line of "Irinia", DO NOT read the
> > message.
> > Delete it immediately.
> > Some miscreant is sending people files under the
> > name of "Irinia". If you receive this file or e-mail, do not download
> > it.
> > It has a virus that rewrites your hard drive, obliterating anything on
> > it.
> > Please be careful and forward this e-mail to anyone you care about."
> >
> > This information was received from Professor Edward Prideaux, College of
> > Salvonic Studies, London.
> >
> > This virus appears to be much more aggressive than the irritating
> > Microsoft word virus. Be alert.
> >
> > ----------------------- END OF ALERT MESSAGE
> > ----------------------------------
> >
> >
> > Thank you,
> > Take Care,
> >
> > Hisham Al Saad
> > University of Bahrain
> >
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
From firewalls-owner Mon Dec 2 23:40:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA28454 for firewalls-outgoing; Mon, 2 Dec 1996 23:37:58 -0800 (PST)
Received: from upshield.uniq.com.au (upstop.uniq.com.au [192.195.152.113]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id XAA28418 for ; Mon, 2 Dec 1996 23:37:45 -0800 (PST)
Received: (from smtp@localhost) by upshield.uniq.com.au id SAA11565 (8.7.6/IDA-1.6); Tue, 3 Dec 1996 18:37:27 +1100 (EST)
Received: from upshoo.uniq.com.au(192.195.152.130) by upshield via smap (V1.3) id ./smaAAAa002of; Tue Dec 3 18:36:56 1996
Received: from basil.uniq.com.au (basil.uniq.com.au [192.168.3.1]) by upserv.uniq.com.au with ESMTP id SAA11839 (8.7.6/IDA-1.6); Tue, 3 Dec 1996 18:33:23 +1100 (EST)
Received: (from pauline@localhost) by basil.uniq.com.au id SAA07796 (8.7.6/IDA-1.6); Tue, 3 Dec 1996 18:35:22 +1100 (EST)
Date: Tue, 3 Dec 1996 18:35:22 +1100 (EST)
From: Pauline van Winsen - Uniq Professional Services
Message-ID: <199612030735.SAA07796@basil.uniq.com.au>
To: firewalls@GreatCircle.COM, heiser@world.std.com
Subject: Re: restricting OUTBOUND access
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: XHaBZVdJE7VYYkM7sTZDeQ==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> An associate of mine is trying to convince me that it's safe
> to restrict only inbound traffic thru a firewall, but to
> allow completely unrestricted traffic outbound. I'm looking
> for concrete examples of why this is a Bad Thing. I guess
> I'm thinking in terms of inside users connecting to evil
> services on the outside, with the established connections
> being used to do Bad Things to inside systems. However
> I don't have any concrete examples. Also, since
> presumably once someone is "inside" they can do anything
> they want anyway (put stuff on a floppy, fax, etc), that
> makes a case for his argument that allowing outbound
> unrestricted access isn't so bad. But I'm not convinced.
>
> Any feedback on what kinds of bad things can happen (by users
> on the OUTSIDE) with this kind of firewall setup would be
> appreciated.

apart from the reasons you list above... the reason i routinely restrict
all outgoing traffic to a known set of IP addresses & protocols is that you
significantly reduce the chance of one of your own users launching attacks
on other sites on the Internet. the risks to your organisation from this
sort of activity may be quite large, damage to reputation being the major
risk.

if all sites restricted outgoing traffic to a known set of IP addresses, the
risk of attacks such as the TCP SYN denial of service attack would be
reduced as the perpetrators would be easier to track down. this requires
co-operation from all internet users, but you have to start somewhere.

cheers,
pauline

Pauline van Winsen                        pauline@uniq.com.au
Uniq Professional Services Pty Ltd        www.uniq.com.au
PO Box 70, Paddington, NSW 2021, (Sydney) Australia
Phone: +61-2-9380-6360   Fax: +61-2-9380-6416   Pager: 016 287 000
"Never try to flirt with your boss... he's your bread & butter and not
your honey." The boss is not your honey - Book 3, Woman's World, circa 1964.
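The policy pauline describes, restricting outbound traffic to a known set of destination addresses and protocols and refusing to forward anything whose source address is not one of your own, as an added example that is not code from this list or from any firewall product named in the thread. The internal network, the three permitted external services and the sample packets are all constructed for the illustration. Every decision is written to an audit list, which is the kind of record an outbound audit like the one Paul Mason describes later in the thread is read from.

```python
"""Egress filter with audit trail (added example, not from the thread).

Two rules, both from Pauline van Winsen's message:
  1. outbound traffic is allowed only to a known set of
     (destination network, protocol, port) tuples;
  2. nothing leaves the site unless its source address belongs to one of
     our own internal networks, so a flood with forged sources is stopped
     at the border and anything seen outside is attributable.
All addresses here are constructed (RFC 1918 and documentation ranges).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for protocols without ports


@dataclass
class EgressPolicy:
    internal: list                 # networks whose addresses may originate traffic
    allowed: list                  # (network, proto, dport-or-None) tuples
    audit: List[str] = field(default_factory=list)

    def check(self, pkt: Packet) -> bool:
        """Return True if pkt may leave; append one audit line either way."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if not any(src in net for net in self.internal):
            return self._decide("DROP spoofed-source", pkt)
        for net, proto, dport in self.allowed:
            if dst in net and proto == pkt.proto and dport in (None, pkt.dport):
                return self._decide("PASS", pkt)
        return self._decide("DROP not-in-allowlist", pkt)

    def _decide(self, verdict: str, pkt: Packet) -> bool:
        port = "" if pkt.dport is None else f":{pkt.dport}"
        self.audit.append(f"{verdict} {pkt.proto} {pkt.src} -> {pkt.dst}{port}")
        return verdict == "PASS"


def site_policy() -> EgressPolicy:
    """Constructed policy: one internal /24 and three known external services."""
    return EgressPolicy(
        internal=[ip_network("192.168.3.0/24")],
        allowed=[
            (ip_network("203.0.113.10/32"), "udp", 53),   # ISP resolver
            (ip_network("203.0.113.20/32"), "tcp", 80),   # upstream web proxy
            (ip_network("198.51.100.0/24"), "tcp", 25),   # partner mail relays
        ],
    )


# Constructed traffic sample, one packet per case the policy must decide.
SAMPLE_TRAFFIC = [
    Packet("192.168.3.5", "203.0.113.10", "udp", 53),     # DNS lookup: allowed
    Packet("192.168.3.5", "203.0.113.20", "tcp", 80),     # web via proxy: allowed
    Packet("192.168.3.7", "198.51.100.9", "tcp", 6667),   # IRC to partner: not listed
    Packet("10.9.9.9", "198.51.100.9", "tcp", 25),        # forged source: not ours
    Packet("192.168.3.7", "198.51.100.9", "tcp", 25),     # mail to partner: allowed
    Packet("192.168.3.9", "192.0.2.44", "icmp", None),    # ping anywhere: not listed
]


def run(policy: EgressPolicy, traffic) -> List[bool]:
    """Evaluate each packet in order and return the pass/drop verdicts."""
    return [policy.check(p) for p in traffic]


def drops(policy: EgressPolicy) -> List[str]:
    """The audit lines an operator reviews: everything that was refused."""
    return [line for line in policy.audit if line.startswith("DROP")]


if __name__ == "__main__":
    pol = site_policy()
    print(run(pol, SAMPLE_TRAFFIC))
    print("\n".join(pol.audit))
```

The spoofed-source check runs before the allowlist on purpose: a packet with a foreign source address is refused even when its destination is permitted, which is exactly the case that makes a SYN flood from inside the site traceable.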
From firewalls-owner Tue Dec 3 00:40:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA02617 for firewalls-outgoing; Tue, 3 Dec 1996 00:28:41 -0800 (PST)
Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA02606 for ; Tue, 3 Dec 1996 00:28:34 -0800 (PST)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id AAA26838; Tue, 3 Dec 1996 00:44:28 -0800
Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id AAA07628; Tue, 3 Dec 1996 00:24:28 -0800
Date: Tue, 3 Dec 1996 00:24:27 -0800 (PST)
From: Michael Dillon
To: firewalls@GreatCircle.COM
cc: Hisham Khalifa Al Saad
Subject: Re: [Fwd: Caution : Internet Virus]
In-Reply-To:
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 2 Dec 1996, Ron DuFresne wrote:

> CD-Rom manufacturer Chinon America, Inc. says computer vandals have
> illegally put its name on a virus-ridden file and released it on the
> INTERNET.

This is old news and is also an interesting study in social engineering.

> In a statement from Torrance, CA., Chinon says "The program, allegedly
> a shareware PC utility that will convert an ordinary CD-ROM drive into
> a CD-Recordable (CD-R) device, which is technically impossible, instead
> destroys the files on the PC hard drive.

> Chinon says that the CD-IT.ZIP file 'promises to enable read/write to
> your CD-ROM drive', and lists the program as being authored by Joseph S.
> Shriner, couriered by HDA, and copyrighted by Chinon Products.

> Saying that it has no division by that name, Chinon management
> speculates that the vandals picked its company name to make it seem
> that the software was being endorsed by a well known and reputable
> CD-ROM manufacturer.

Not so fast Chinon. This was a trojan horse targeted at specific
individuals. Who were some of the first people to buy CD-R devices when
they came on the market? Warez dealers, of course! And lots of little
warez collectors out there were drooling and waiting for the price of
CD-R devices to drop low enough that they could start making a few bucks
selling CD-ROMs.

But there is an additional clue that this was targeted at the warez
people. The software claimed to be "couriered" by HDA. Warez people use
the word "courier" to refer to the process of stealing a copy of
commercial or not-for-distribution software and quickly distributing it
around the world.

As I remember it, Chinon was a fairly popular brand of cheap CD-ROM at
one time so this trojan was trying to pretend it was a top-secret
program stolen from Chinon and it was targeted at a specific group who
desperately wanted a cheap way to record CD-ROMs.

Hunt around IRC and you will find that in this day and age of cheap CD-R
devices there are quite a lot of warez entrepreneurs selling you
everything you could imagine. If you ask the right folks I'm told that
full copies of NT's source code are available too although I can't be
too sure if I believe the source of that info.

Michael Dillon - Internet & ISP Consulting
Memra Software Inc.
- Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

From firewalls-owner Tue Dec 3 00:55:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA03105 for firewalls-outgoing; Tue, 3 Dec 1996 00:41:21 -0800 (PST)
Received: from zeus ([194.242.64.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA03098 for ; Tue, 3 Dec 1996 00:41:08 -0800 (PST)
Received: (from root@localhost) by zeus (8.6.11/8.6.9) id JAA00750 for ; Tue, 3 Dec 1996 09:41:06 +0100
Received: from pc_erik(172.16.10.232) by zeus via smap (V2.0alpha) id sma000745; Tue Dec 3 09:40:31 1996
Message-ID: <32A3F618.639D@beauvalot.com>
Date: Tue, 03 Dec 1996 10:42:48 +0100
From: Erik BEAUVALOT
Reply-To: erik@beauvalot.com
Organization: AT&T Labs.
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Re: POP3 for TIS firewall
References: <199612030317.IAA10371@snth.stph.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Venkata Ramakrishna R wrote:
>
> Hi,
>
> Where can I get POP3 proxy for TIS firewall ??
>
> Please guide me....
>
> Thanks,
> -Ramu.

Use the plug-gw on port 110 (pop3). Example of a /usr/local/etc/netperm-table:

plug-gw: port pop3 -plug-to -port pop3

You should be able to connect all the inside machines to a POP3 server with that.

--
-------------------------------------------------
Erik BEAUVALOT              AT&T R&D Lab Manager of Paris/EMEA
Tel : +(33)1 47 67 46 06    GSM: +(33) 09 48 32 11
E-Mail : erik@beauvalot.com http://www.labs.emea.att.com/~erik
-------------------------------------------------

From firewalls-owner Tue Dec 3 01:25:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA03845 for firewalls-outgoing; Tue, 3 Dec 1996 01:00:46 -0800 (PST)
Received: from nsco.network.com (nsco.network.com [129.191.1.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA03776 for ; Tue, 3 Dec 1996 01:00:16 -0800 (PST)
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA20383; Tue, 3 Dec 96 03:09:00 CST
Received: by mnbp.network.com with Microsoft Mail id <32A3EC34@mnbp.network.com>; Tue, 03 Dec 96 03:00:36 CST
From: Paul Mason
To: "'Firewalls '"
Subject: Outbound Restrictions.
Date: Tue, 03 Dec 96 03:00:00 CST
Message-Id: <32A3EC34@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Just food for thought.

I recently caught an open back door at a customer's site by auditing
outbound traffic for the internal source address. Turns out someone was
dialing out to the internet from their PC while still connected to the
corporate backbone (it seems this user felt they should not have to
login to the firewall before using the internet). The dial-out
connection allowed someone from the outside to get into the enterprise
(IP routing is a wonderful thing). The outbound audit triggered when
this unwanted system then tried to leave the site through the firewall,
thus notifying the security department of the back door's existence.
Talk about a major violation of site security policy.
If I am not mistaken there have been several cases where firewalls were
toppled from the inside by using this same occurrence.

Paul Mason
Systems Engineer
Network Systems Canada
paul.mason@network.com

P.S. You can never hope to find anything unless you're looking!!
Audit, Audit, Audit.!!

On Dec 2, 5:12pm, Bill Heiser wrote:
> Subject: restricting OUTBOUND access
>
> An associate of mine is trying to convince me that it's safe
> to restrict only inbound traffic thru a firewall, but to
> allow completely unrestricted traffic outbound. I'm looking
> for concrete examples of why this is a Bad Thing. I guess
> I'm thinking in terms of inside users connecting to evil
> services on the outside, with the established connections
> being used to do Bad Things to inside systems. However
> I don't have any concrete examples. Also, since
> presumably once someone is "inside" they can do anything
> they want anyway (put stuff on a floppy, fax, etc), that
> makes a case for his argument that allowing outbound
> unrestricted access isn't so bad. But I'm not convinced.
>
> Any feedback on what kinds of bad things can happen (by users
> on the OUTSIDE) with this kind of firewall setup would be
> appreciated.
>
> Thanks in advance,
> Bill
>
>
> --
> Bill Heiser heiser@world.std.com
>-- End of excerpt from Bill Heiser

From firewalls-owner Tue Dec 3 01:39:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA03144 for firewalls-outgoing; Tue, 3 Dec 1996 00:42:45 -0800 (PST)
Received: from coal.ksc.net.th (coal.ksc.net.th [202.44.144.54]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA03128 for ; Tue, 3 Dec 1996 00:42:26 -0800 (PST)
Received: from localhost by coal.ksc.net.th (SMI-8.6/SMI-SVR4) id PAA04783; Tue, 3 Dec 1996 15:37:12 -0700
Date: Tue, 3 Dec 1996 15:37:12 -0700 (GMT)
From: Zayar
To: "Gary G. Christoph"
cc: Eric Wieling , isdnsec@markettech.com, firewalls@GreatCircle.COM
Subject: Re:
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear sir,

Can anyone tell me the mailing lists for the Sun Solaris security
system? I would deeply appreciate your help.

best regards,
zayar

On Mon, 2 Dec 1996, Gary G. Christoph wrote:

> Date: Mon, 2 Dec 1996 09:44:18 -0700
> From: "Gary G. Christoph"
> To: Eric Wieling , isdnsec@markettech.com,
>     firewalls@GreatCircle.COM
> Subject: Re:
>
> Eric-
>
> Does the offer still hold? :-)
>
> Thanks,
>
> Gary
>
>
> At 10:26 -0700 7/29/96, Eric Wieling wrote:
> >ISDN Secrets wrote:
> >>
> >> Most places in the country are charged by the minute
> >> for ISDN access even for local calls. Some areas as
> >> much as 2 cents per B channel (that's 4 cents per minute
> >> with 128KB access) during primetime hours. Where I live,
> >> in the month of July alone I would have paid $1279.20
> >> for dedicated access (unless you know the secret the
> >> phone company will not share with you). I only paid
> >> $45.
> >
> >It's called Data Over Voice Bearer Service (DOVBS) and I'll tell you
> >about it for free, if you e-mail me. 8-)
> >
> >--
> >Eric Wieling
> >Advanced Network Research
> >InterCommerce Corporation
> >Pager: 800-758-3680
> >
> >If you consistently take an antagonistic approach, however, people are
> >going to start thinking you're from New York. :-)
> > --Larry Wall to Dan Bernstein
>
>
> ----------------------------------------------------------------------
> Gary G. Christoph, Ph.D.
> Systems Security Research and Development Team Leader
> Computer Research and Applications Group, CIC-3, MS-B265
> Computing, Information and Communications Division
> University of California, Los Alamos National Laboratory
> Los Alamos, NM 87545
> ggc@lanl.gov (505) 667-3709 FAX (505) 665-5520
> ----------------------------------------------------------------------
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MR. Zayar Maungmaungkhin ,          \ "****@@@@****" \
ABAC NETWORK-OPERATION-CENTRE       \--------------------\
KSC Internet Group                  <><><><><><><><><><><>
ComputerLab ( E bldg 5th floor )
Assumption University .
Tel: +662719-1946-8  +6623004543 x-3674   Fax: +662 719-1945
e-mail: zayar@maia.au.ac.th  zayar@coal.ksc.net.th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Tue Dec 3 01:39:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA04643 for firewalls-outgoing; Tue, 3 Dec 1996 01:13:13 -0800 (PST)
Received: from vine.vine.net (ns1.vine.net [206.138.85.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id BAA04614 for ; Tue, 3 Dec 1996 01:13:00 -0800 (PST)
Received: from localhost (security@localhost) by vine.vine.net (8.7/8.6.9) with SMTP id EAA18120; Tue, 3 Dec 1996 04:06:30 -0600
Date: Tue, 3 Dec 1996 04:06:30 -0600 (CST)
From: Security Mail
To: Denis Valois
cc: firewalls@GreatCircle.COM, webmaster@internic.uob.bh
Subject: RE: [Fwd: Caution : Internet Virus]
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 2 Dec 1996, Denis Valois wrote:

> This is a hoax.
>
> Anyway, just by saying that "reading" a mailgram wipes out
> your hard drive is of utmost foolishness.

Denis,

In the message he said it was a file attachment.

If the virus was sent attached in a .zip or .exe and the infected file
was run it would infect the computer.

I believe he was talking here of a Word Macro Virus, attached as a .DOC
file, that when opened by Microsoft Word would trash the hard disk.

Some users use a program CC Mail that would automagically open Microsoft
Word and load the file sent in the e-mail. This could result in the loss
of the hard disk if the Macro Virus was opened in Microsoft Word.

I do have a large collection of Word Viruses; one in my collection
(FORMAT-C Word Macro Virus) will do just this in CC-Mail or if opened in
Microsoft Word.

There was a widespread message that went out about 'The Good Times
Virus'. This indeed was a Hoax! No Virus can wipe the hard disk just by
reading an e-mail message. BUT, this message below told of an attachment
that if run would cause damage!

> "There is a computer virus that is being sent across the internet.
> If you receive an e-mail with a subject line of "Irinia", DO NOT read
> the message. Delete it immediately. Some miscreant is sending people
> files under the name of "Irinia". If you receive this file or e-mail,
> do not download it. It has a virus that rewrites your hard drive,
> obliterating anything on it. Please be careful and forward this e-mail
> to anyone you care about."
Michael Paris
***********************************************************
InVircible Support Staff               support@invircible.com
Vine Computer Industry                 vine@invircible.com
Computer Anti-Virus Sales              sales@invircible.com
E-MAIL UPGRADES:
Auto-Upgrade InVircible Manual         manual@invircible.com
        Title message: IV-MANUAL
Auto-Upgrade Invircible                upgrade@invircible.com
        Title Message: IV-UPGRADE
FTP : ftp.invircible.com
Invircible Anti-Virus Web Page : http://invircible.com
Sales : 800-422-5130    BBS : 708-863-6348
Support : 708-863-1464  FAX : 708-863-1917
***********************************************************

From firewalls-owner Tue Dec 3 02:55:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA08877 for firewalls-outgoing; Tue, 3 Dec 1996 02:28:28 -0800 (PST)
Received: from sghms.ac.uk (s1.sghms.ac.uk [192.153.12.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA08829 for ; Tue, 3 Dec 1996 02:27:51 -0800 (PST)
Received: from gillettpc.sghms.ac.uk by sghms.ac.uk (SGHMSV1.0) ID AA10698; Tue, 3 Dec 96 10:25:40 GMT
Date: Tue, 3 Dec 1996 11:33:20 PST
From: Mark Gillett
Subject: Re: POP3 for TIS firewall
To: Venkata Ramakrishna R
Cc: firewalls@greatcircle.com
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There is a POP3 proxy in the standard TIS toolkit, although your
installation may not include it or it may not be set up to allow
connections. See your netperm-table for confirmation of this.

Hope that helps !

On Tue, 3 Dec 1996 08:47:56 +0530 Venkata Ramakrishna R wrote:
> From: Venkata Ramakrishna R
> Date: Tue, 3 Dec 1996 08:47:56 +0530
> Subject: POP3 for TIS firewall
> To: firewalls@greatcircle.com
>
>
> Hi,
>
> Where can I get POP3 proxy for TIS firewall ??
>
> Please guide me....
>
> Thanks,
> -Ramu.

================================================================
Mark Gillett, Computer Unit, St. Georges Hospital Medical School
----------------------------------------------------------------
Contrary to popular belief, Unix is user friendly. It just happens to be
very selective about who it decides to make friends with.
----------------------------------------------------------------
e-mail : mgillett@sghms.ac.uk    web : http://www.sghms.ac.uk
================================================================

From firewalls-owner Tue Dec 3 04:25:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA15132 for firewalls-outgoing; Tue, 3 Dec 1996 04:00:24 -0800 (PST)
Received: from cosmos.kaist.ac.kr (maple.kaist.ac.kr [143.248.185.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA14883 for ; Tue, 3 Dec 1996 03:59:10 -0800 (PST)
Received: (from chang@localhost) by cosmos.kaist.ac.kr (8.6.12h2/8.6.12) id UAA02796 for firewalls@greatcircle.com; Tue, 3 Dec 1996 20:56:57 +0900
From: Changmin Park
Message-Id: <199612031156.UAA02796@cosmos.kaist.ac.kr>
Subject: Hi, dear guru.
To: firewalls@greatcircle.com
Date: Tue, 3 Dec 1996 20:56:56 +0900 (KST)
X-Mailer: ELM [version 2.4 PL21-h4]
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-2022-kr
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, security guru.

I have some questions about the type of On Guard firewalls.
Tell me some useful things about "On Guard" Firewall.

1. Does "On Guard" depend on only Unix, or Windows NT, or other OS?
2. If there are some better aspects than Checkpoint's Firewall-1, what
   are they?
3. Someone told me that "On Guard" can filter packets through IPX
   protocol; is it true? Then how can it be established in technology?
4. How about the performance/cost? I need some comparison data with
   other Firewalls.
5. How about the occupancy in the world, especially in ASIA?
6. What are the best features in the "On Guard"?

If you have some useful information, please tell me.
We would buy some firewall boxes, but we don't have enough information
about them.

Thank you in advance.
--
 mmmmmmm   chang@cosmos.kaist.ac.kr   finger me for pgp key
 ^-O-O-^   pager: 012-737-0721        tel: 042-879-2838
====oOOo===oOOo=========/Life/Sucks/Shit/======== K/U/S =============
---Making love out of Nothing at all---

From firewalls-owner Tue Dec 3 06:25:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA21959 for firewalls-outgoing; Tue, 3 Dec 1996 06:15:14 -0800 (PST)
Received: from cbisinet.cbis.com (cbisinet.cbis.com [206.230.22.18]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA21950 for ; Tue, 3 Dec 1996 06:15:03 -0800 (PST)
Received: from notes.cbis.com by cbisinet.cbis.com (5.x/SMI-SVR4) id AA07285; Tue, 3 Dec 1996 09:14:59 -0500
Received: by notes.cbis.com (IBM OS/2 SENDMAIL VERSION 1.3.17/2.12um) id AA8512; Tue, 03 Dec 96 09:14:51 -0500
Message-Id: <9612031414.AA8512@notes.cbis.com>
Received: by CBIS (Lotus Notes Mail Gateway for SMTP V1.1) id F9CDC69C46B16EBD852563F5004E1113; Tue, 3 Dec 96 09:14:51
To: firewalls-digest
From: Warren Moore
Date: 3 Dec 96 9:08:44
Subject: Strange Virus...
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Probably off-subject, but considering what's been on here for the last
day or so, maybe not... funny regardless.

Free Money!!!

There is a computer virus that is being sent across the Internet. If you
receive an e-mail message with the subject line "Free Money," DO NOT read
the message. DELETE it immediately, UNPLUG your computer, then BURN IT to
ASHES in a government-approved toxic waste disposal INCINERATOR.

Once a computer is infected, it will be TOO LATE. Your computer will
begin to emit a vile ODOR. Then it will secrete a foul, milky DISCHARGE.
Verily, it shall SCREECH with the tortured, monitor-shattering SCREAM of
1,000 hell-scorched souls, drawing unwanted attention to your cubicle
from co-workers and supervisors alike. After violently ripping itself
from the wall, your computer will punch through your office window as it
STREAKS into the night, HOWLING like a BANSHEE. Once free, it will spend
the rest of its days CRUSHING household PETS and MOCKING the POPE.

Some filthy, disgusting miscreant... some no-good, low-down,
good-for-nothing DIRTY SNAKE, in twisted pursuit of his own sadistic
dreams, is sending this virus across the Net via an e-mail entitled
"Free Money."

What is so terrifying about this virus is that you do not even have to
open the e-mail for it to activate. In fact, you do not even need to
RECEIVE the e-mail. You do not even need to OWN a COMPUTER. "Free Money"
can infect even minor HOUSEHOLD APPLIANCES. How it does this with
straight ASCII code is, frankly, a matter of some debate... but BELIEVE
YOU US, if this weren't a SERIOUS situation, WE WOULDN'T BE DISCUSSING
IT IN 'ALL CAPS'.

So for the LOVE OF GOD, forward this e-mail to all those you claim to
care about, all those you purport to love. Don't do it later! Do it NOW!
Now! Now! NOW! NOW! NOW!

Attachment converted: deathlab:free_money_virus.sea (VIRUS/VRS) 0003D961
Content-Type: virus/sea; name="Free_Money_Virus" (SUCKER/SKR) (SRC:WTBR)
Auto-Infect: enabled

---
Warren S. Moore, CISSP
Information Security Specialist
Cincinnati Bell Information Systems Inc.
---also---
Mayor, City of Union, KY
Jack of All Trades, Master of Damn Few!
From firewalls-owner Tue Dec 3 06:26:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA20988 for firewalls-outgoing; Tue, 3 Dec 1996 05:54:58 -0800 (PST)
Received: from emout17.mail.aol.com (emout17.mx.aol.com [198.81.11.43]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA20979 for ; Tue, 3 Dec 1996 05:54:52 -0800 (PST)
From: WarRoom2@aol.com
Received: by emout17.mail.aol.com (8.6.12/8.6.12) id IAA20214 for firewalls@greatcircle.com; Tue, 3 Dec 1996 08:54:52 -0500
Date: Tue, 3 Dec 1996 08:54:52 -0500
Message-ID: <961203085451_1651011832@emout17.mail.aol.com>
To: firewalls@greatcircle.com
Subject: WarRoom ISS Survey -- Gembicki's Comments
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Anyone interested in WarRoom Research's comments on the 1996 Information
Systems Security Survey should contact me directly at

; Tue, 3 Dec 1996 06:31:33 -0800 (PST)
Received: from coltano.stortek.com by stortek.com with SMTP id AA16497 (5.65c/IDA-1.4.4 for ); Tue, 3 Dec 1996 07:31:31 -0700
Received: (from jim@localhost) by coltano.stortek.com (8.8.3/8.7.3) id HAA08003 for firewalls@GreatCircle.COM; Tue, 3 Dec 1996 07:29:58 -0700 (MST)
Date: Tue, 3 Dec 1996 07:29:58 -0700 (MST)
From: Jim Wamsley 303-673-8163
Message-Id: <199612031429.HAA08003@coltano.stortek.com>
To: firewalls@GreatCircle.COM
Subject: RE: [Fwd: Caution : Internet Virus]
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Dec 3 Michael Paris wrote
>
> In the message he said it was a file attachment.
>
> If the virus was sent attached in a .zip or .exe and the infected file was
> run it would infect the computer.
>
> I believe he was talking here of a Word Macro Virus, attached as a .DOC
> file, that when opened by Microsoft Word would trash the hard disk.
>

Hey guys, is everyone forgetting that Microsquish put out a macro
protection script called ScanProt that scanned every document before it
was opened looking for certain known 'macro virus' and warned you if the
document contained anything suspicious? I believe it also compares your
normal.dot against what the doc had. This goes a long way toward
_stopping_ an infected document from doing any damage. Works very well.
Have received a few _infected_ attachments that were caught.

______________________________________________________________
[ Jim Wamsley, Network Engineering                            ]
[ StorageTek 2270 S. 88th St, M.S. 4379, Louisville, CO 80028 ]
[ Audible: (303) 673-8163   Logical jim_wamsley@stortek.com   ]
[ Everything to Excess!                                       ]
[ To enjoy life to the fullest, you must take big bites.      ]
[ Moderation is for monks.                                    ]
[ Lazarus Long                                                ]
[______________________________________________________________]

From firewalls-owner Tue Dec 3 06:55:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA22931 for firewalls-outgoing; Tue, 3 Dec 1996 06:41:32 -0800 (PST)
Received: from bworld.com.ph ([203.177.6.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA22917 for ; Tue, 3 Dec 1996 06:41:21 -0800 (PST)
Received: by bworld.com.ph (SMI-8.6/SMI-SVR4) id WAA13877; Tue, 3 Dec 1996 22:41:17 -0800
Date: Tue, 3 Dec 1996 22:41:17 -0800
From: root@bworld.com.ph (Super-User)
Message-Id: <199612040641.WAA13877@bworld.com.ph>
To: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: li0EXXBwC8TLrOJN4Ai89g==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hello,

Please let me know where I may access FAQS of this mailing list...
thanks,
miguel

From firewalls-owner Tue Dec 3 07:10:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA23935 for firewalls-outgoing; Tue, 3 Dec 1996 07:00:33 -0800 (PST)
Received: from lab58-12.ims.advantis.com (pony-express.ims.advantis.com [192.231.11.167]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA23928 for ; Tue, 3 Dec 1996 07:00:26 -0800 (PST)
Received: (from hfarkas@localhost) by lab58-12.ims.advantis.com (8.6.9/95.10.11) id JAA30273 for ; Tue, 3 Dec 1996 09:57:55 -0500
Received: from carfax.ims.advantis.com(164.120.32.46) by lab58_12 via smap (V1.3) id sma027967; Tue Dec 3 09:57:46 1996
Received: by carfax.ims.advantis.com (8.6.9/4.03) id KAA83332; Tue, 3 Dec 1996 10:07:36 -0500
Date: Tue, 3 Dec 1996 10:07:36 -0500 (EST)
From: Peter Yau
To: FireWalls@GreatCircle.com
Subject: NetBios over IP
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are there security concerns for NetBIOS over IP? Is it a danger that
because it is a messaging protocol which uses names as opposed to
addresses that it'd be more easy to spoof?

With NetBIOS encapsulated in IP traversing (from outside) the FW-1, are
we only able to filter on IP? Once IP filtering takes place, the packet
then gets unencapsulated before it gets sent to its final destination?
The proper port needs to be open in FW-1 to accommodate NetBIOS, of
course. Where exactly does unencapsulation take place, at the last
Router hop prior to the final destination?

Thanks in advance.
From firewalls-owner Tue Dec 3 07:40:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA24736 for firewalls-outgoing; Tue, 3 Dec 1996 07:15:21 -0800 (PST)
Received: from smtp.msp.tsg-usa.com (mntsg.tsg-usa.com [206.185.177.223]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA24687 for ; Tue, 3 Dec 1996 07:15:06 -0800 (PST)
From: uhaas@tsg-usa.com
Received: by smtp.msp.tsg-usa.com(Lotus SMTP MTA v1.01 (214.1 9-9-1996)) id 862563F5.0054370B ; Tue, 3 Dec 1996 09:19:51 -0500
X-Lotus-FromDomain: TSG
To: suntiver@mem.gob.pe
cc: firewalls@greatcircle.com
Message-ID: <862563F0:0004939E.00@smtp.msp.tsg-usa.com>
Date: Wed, 27 Nov 1996 18:56:36 -0500
Subject: Re: IP numbers end
Mime-Version: 1.0
Content-type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ministerio,

One way is to acquire another subnet and route that to you.

Another way (that I like) is to use NAT software, get another IP range
and route that to you. We do this. The NAT approach has some advantages.
The major one I like is to define a pool of addresses from the new
subnet and they are assigned to computers as they are needed. This means
that 256 addresses will result in 256 addresses available for use. When
they are not used for a specific period of time, they are released back
into the pool. This is more efficient use of the subnet because all
addresses will be used for Internet use, instead of having many
addresses reserved, but not used. This way it takes longer to run out
again.

NAT handles the internet subnet you acquire. For the addresses on the
inside, I prefer to use RFC 1918 style addresses.

I have done this with the IBM SNG product, but several others on the
mailing list also claim to do the same thing. Pricing and mileage may
vary.

Urban

suntiver @ mem.gob.pe
11-27-96 03:29 AM

To: Firewalls @ GreatCircle.COM
cc:
Subject: IP numbers end

Hi friends.

I write from Peru South America.
My question is as follows: How can we have more IP numbers in our site?,
because the 254 numbers are used. We do not have subnets.

Thanks for your help.

Ministerio de Energia y Minas
Sergio Untiveros
Adm. de Red
Telf. 4750064 Anexo 223, 403
Telf: 9946059

------------------------------------------------------------
Urban A. Haas
Open Systems and Network Consulting
Total Solutions Group
Phone: (800) 423-8741 Ext. 133; Fax: (612) 831-0509
Internet: uhaas@tsg-usa.com -or- mailto:uhaas@tsg-usa.com
------------------------------------------------------------

From firewalls-owner Tue Dec 3 07:40:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA25548 for firewalls-outgoing; Tue, 3 Dec 1996 07:26:10 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.1.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA25513 for ; Tue, 3 Dec 1996 07:25:47 -0800 (PST)
From: harley@icrf.icnet.uk
Message-Id: <199612031525.HAA25513@miles.greatcircle.com>
Received: by europa.lif.icnet.uk; Tue, 3 Dec 1996 15:26:03 GMT
Subject: Internet virus yet again
To: firewalls@GreatCircle.COM
Date: Tue, 3 Dec 1996 15:26:03 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > I believe he was talking here of a Word Macro Virus, attached as a .DOC
> > file, that when opened by Microsoft Word would trash the hard disk.
> >
>
> Hey guys, is everyone forgetting that Microsquish put out a macro protection
> script called ScanProt that scanned every document before it was opened
> looking for certain known 'macro virus' and warned you if the document
> contained anything suspicious? I believe it also compares your normal.dot
> against what the doc had. This goes a long way toward _stopping_ an
> infected document from doing any damage. Works very well.
> Have received a few _infected_ attachments that were caught.

Aargh! Stop it! Yes, ScanProt can help. But it only actually recognises WM.Concept, and it's quite possible, in good faith, to open a document in ways which will bypass it. The same applies to the equivalent tool built into Word 7.

I remember when this list was about firewalls.... (whimper).

--
David Harley                      alt.comp.virus FAQ
D.Harley@icrf.icnet.uk            & Anti-Virus Web Page
Support & Security Analyst        Folk London On-Line gig-list
Imperial Cancer Research Fund     http://webworlds.co.uk/dharley/

From firewalls-owner Tue Dec 3 07:56:23 1996
From: Darryl Wagoner
To: Security Mail
Cc: Denis Valois, firewalls@GreatCircle.COM, webmaster@internic.uob.bh
Date: Tue, 3 Dec 1996 10:47:12 -0500 (EST)
Subject: RE: [Fwd: Caution : Internet Virus]

On Tue, 3 Dec 1996, Security Mail wrote:

> This indeed was a Hoax! No Virus can wipe the hard disk just by reading
> an e-mail message. BUT, this message below told of an attachment that if
> run would cause damage!

This is not true on Unix! Many Unix mailers and pagers will send escape codes to the tty.
The good ones will not, but many of the old ones will. This will allow a mail message to control the terminal. Many terminals have escape codes to send text back to the host. QED: the mail message can do anything the user has privs to do.

--
Darryl Wagoner   darryl@sai.com   http://www.sai.com/
Office: 603.672.0736   Fax: 603-672-4846
Beware of self-styled experts: an ex is a has-been, and a spurt is a drip under pressure.

From firewalls-owner Tue Dec 3 08:03:07 1996
From: Frederick M Avolio
To: Venkata Ramakrishna R, firewalls@greatcircle.com
Date: Tue, 03 Dec 1996 09:00:09 -0500
Subject: Re: POP3 for TIS firewall

The Gauntlet Internet Firewall comes with a POP3 proxy.

Fred

At 08:47 AM 12/3/96 +0530, Venkata Ramakrishna R wrote:
>
> Hi,
>
> Where can I get a POP3 proxy for the TIS firewall??
>
> Please guide me....
>
> Thanks,
> -Ramu.
>

From firewalls-owner Tue Dec 3 09:24:46 1996
From: Peter Yau
To: firewalls@GreatCircle.com
Date: Tue, 3 Dec 1996 11:53:11 -0500 (EST)
Subject: NetBios over IP (fwd)

---------- Forwarded message ----------
Date: Tue, 3 Dec 1996 10:07:36 -0500 (EST)
From: Peter Yau
To: FireWalls@GreatCircle.COM
Subject: NetBios over IP

Are there security concerns for NetBIOS over IP? Is it a danger that, because it is a messaging protocol which uses names as opposed to addresses, it'd be easier to spoof?

With NetBIOS encapsulated in IP traversing (from outside) the FW-1, are we only able to filter on IP? Once IP filtering takes place, does the packet then get unencapsulated before it gets sent to its final destination? The proper port needs to be open in FW-1 to accommodate NetBIOS, of course. Where exactly does unencapsulation take place, at the last router hop prior to the final destination?

Thanks in advance.
From firewalls-owner Tue Dec 3 09:26:38 1996
From: Giant Tuna
Date: Tue, 03 Dec 1996 12:06:13 EST
Subject: Re: Fwd:Caution : Internet Virus

Do not worry about the "irinia" virus; it is a hoax that was spread by Penguin Books to promote a book in September. CIAC is already aware of the possible virus; check any AV company's virus list to review the hoax, or CIAC at http://ciac.llnl.gov/ciac/bulletins/h-05.shtml

clarke

Contact: x9o2@music.stlawu.edu or pthomas@northnet.org
WWW: http://music.stlawu.edu/x9o2:http/clarke.html
"Just as the strength of the Internet is chaos, so the strength of our liberty depends upon the chaos and cacophony of the unfettered speech the First Amendment protects."
-- JUDGE STEWART DALZELL
Guinness = "Pure Genius"

From firewalls-owner Tue Dec 3 09:55:45 1996
From: Jean-Pierre Morant
Organization: Marben SA-NV
To: firewalls@GreatCircle.COM
Date: Tue, 03 Dec 1996 18:27:52 +0100
Subject: SNMP and firewalls

Hi all!

I would like to find an application-level gateway for SNMP, so that specific users can or cannot use specific commands. Does anybody know of such a beast (free or not so free)?

Thanks

JPM

--
Jean-Pierre Morant
c/o MARBEN S.A./N.V.
Boulevard du Souverain 400, Vorstlaan
1160 Bruxelles
Belgium
"Life would be so much easier if only we had the sources...."
+32 2 663 1130 (phone)
+32 2 663 1199 (fax)
http://www.marben.be
jpm@marben.be

From firewalls-owner Tue Dec 3 10:03:42 1996
From: Jamey Kirby
To: firewalls-digest, 'Warren Moore'
Date: Tue, 3 Dec 1996 08:30:07 -0800
Subject: RE: Strange Virus...

What a moron!

----------
From: Warren Moore[SMTP:warren.moore@cbis.com]
Sent: Tuesday, December 03, 1996 1:09 AM
To: firewalls-digest
Subject: Strange Virus...

Probably off-subject, but considering what's been on here for the last day or so, maybe not... funny regardless.

Free Money!!!

There is a computer virus that is being sent across the Internet. If you receive an e-mail message with the subject line "Free Money," DO NOT read the message. DELETE it immediately, UNPLUG your computer, then BURN IT to ASHES in a government-approved toxic waste disposal INCINERATOR.

Once a computer is infected, it will be TOO LATE. Your computer will begin to emit a vile ODOR. Then it will secrete a foul, milky DISCHARGE. Verily, it shall SCREECH with the tortured, monitor-shattering SCREAM of 1,000 hell-scorched souls, drawing unwanted attention to your cubicle from co-workers and supervisors alike.
After violently ripping itself from the wall, your computer will punch through your office window as it STREAKS into the night, HOWLING like a BANSHEE. Once free, it will spend the rest of its days CRUSHING household PETS and MOCKING the POPE.

Some filthy, disgusting miscreant... some no-good, low-down, good-for-nothing DIRTY SNAKE, in twisted pursuit of his own sadistic dreams, is sending this virus across the Net via an e-mail entitled "Free Money."

What is so terrifying about this virus is that you do not even have to open the e-mail for it to activate. In fact, you do not even need to RECEIVE the e-mail. You do not even need to OWN a COMPUTER. "Free Money" can infect even minor HOUSEHOLD APPLIANCES. How it does this with straight ASCII code is, frankly, a matter of some debate... but BELIEVE YOU US, if this weren't a SERIOUS situation, WE WOULDN'T BE DISCUSSING IT IN 'ALL CAPS'.

So for the LOVE OF GOD, forward this e-mail to all those you claim to care about, all those you purport to love. Don't do it later! Do it NOW! Now! Now! NOW! NOW! NOW!

Attachment converted: deathlab:free_money_virus.sea (VIRUS/VRS) 0003D961
Content-Type: virus/sea; name="Free_Money_Virus" (SUCKER/SKR) (SRC:WTBR)
Auto-Infect: enabled

---
Warren S. Moore, CISSP
Information Security Specialist
Cincinnati Bell Information Systems Inc.
---also---
Mayor, City of Union, KY
Jack of All Trades, Master of Damn Few!
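Darryl Wagoner's point earlier in this thread, that an old mailer or pager which passes raw escape sequences through to the tty lets a message drive the terminal, is something a mail gateway or reader can check for before text reaches a terminal. The following is an added example, not code from any poster: it finds ANSI/VT escape sequences and stray C0 control characters in a message body (a constructed sample, not a real message) and strips them.

```python
import re
from typing import Dict, List

ESC = "\x1b"

# Constructed message body (not from the thread) carrying the kinds of
# sequences an old mailer would write straight to the tty.
SAMPLE_BODY = (
    "Hello,\n"
    "Please review the attached report.\n"
    + ESC + "[2J" + ESC + "[H"          # CSI: clear screen, cursor home
    + "Nothing to see here.\n"
    + ESC + "]0;renamed window\x07"     # OSC: set window title (BEL-terminated)
    + "\x0eRegards\x0f\n"               # SO/SI: switch character sets
)

# Alternation order matters: CSI and OSC are tried before the shorter ESC forms.
CONTROL_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: ESC ] ... BEL or ESC \
    r"|\x1b[@-Z\\-_]"                       # two-byte ESC sequences (Fe set)
    r"|\x1b[ -/]*[0-~]"                     # other ESC sequences (e.g. ESC c)
    r"|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]"    # stray C0 controls and DEL; keep \t \n \r
)


def find_control_sequences(text: str) -> List[str]:
    """Every escape/control sequence in text, in order of appearance."""
    return CONTROL_RE.findall(text)


def classify(seq: str) -> str:
    """Name the sequence class; OSC is the class that can make a terminal
    answer back with text, which is what the thread warns about."""
    if seq.startswith(ESC + "["):
        return "CSI"
    if seq.startswith(ESC + "]"):
        return "OSC"
    if seq.startswith(ESC):
        return "ESC"
    return "C0"


def sanitize(text: str) -> str:
    """Remove every matched sequence so the text is safe to write to a tty."""
    return CONTROL_RE.sub("", text)


def scan_body(text: str) -> Dict[str, int]:
    """Count sequences by class; a non-empty result means the body must be
    sanitized (or quarantined) before it is displayed."""
    counts: Dict[str, int] = {}
    for seq in find_control_sequences(text):
        kind = classify(seq)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(scan_body(SAMPLE_BODY))
    print(sanitize(SAMPLE_BODY), end="")
```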
From firewalls-owner Tue Dec 3 10:23:24 1996
From: nkeenan@gsionline.com (Mr. Nick Keenan)
To: Russ
Cc: firewalls@greatcircle.com
Date: Tue, 3 Dec 1996 12:44:51 -0500
Subject: RE: restricting OUTBOUND access

> Come now, it's extremely tricky to set up Windows '95 to act as a
> router. You mind explaining to me how you could do that easily in your
> scenario?

OK. I thought Win 95 gave NetBEUI access by default, but I haven't worked with it enough to bet on it. So replace Windows 95 with Windows NT, and replace Dial-Up Networking with Remote Access Service. RAS does TCP/IP routing by default. Or use Windows 3.1 RAS, and check the box "Allow access to entire network" during setup.

Or even if you don't allow network access, your own computer is still vulnerable. Which means, incidentally, that the intruder can alter your configuration to allow network access -- particularly on 3.1 and 95, which don't have OS-level security on the disk or configuration files.

The point is that under Windows, outgoing modem connections are a security liability. Internet connections can be used to establish modem connections. Ergo, outgoing Internet connections are a security liability.
Nick Keenan
Global Securities Information
nkeenan@gsionline.com
http://www.gsionline.com
LIVEDGAR(TM) -- The EDGAR(TM) Experts.

From firewalls-owner Tue Dec 3 10:55:41 1996
From: Peter Yau
To: firewalls@GreatCircle.COM
Date: Tue, 3 Dec 1996 13:43:10 -0500 (EST)
Subject: NetBios over IP

---------- Forwarded message ----------
Date: Tue, 3 Dec 1996 10:07:36 -0500 (EST)
From: Peter Yau
To: FireWalls@GreatCircle.COM
Subject: NetBios over IP

Are there security concerns for NetBIOS over IP? Is it a danger that, because it is a messaging protocol which uses names as opposed to addresses, it'd be easier to spoof?

With NetBIOS encapsulated in IP traversing (from outside) the FW-1, are we only able to filter on IP? Once IP filtering takes place, does the packet then get unencapsulated before it gets sent to its final destination? The proper port needs to be open in FW-1 to accommodate NetBIOS, of course. Where exactly does unencapsulation take place, at the last router hop prior to the final destination?

Thanks in advance.
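The practical way to answer Peter Yau's question from the defender's side is to look at what your own NT host advertises on port 137, which is what the nbtstat -A name table Bill Stout posts later in this thread shows. The following is an added example, not code from any poster: it parses nbtstat -A output (a constructed sample in the same layout, not the thread's WWW2 table) and reports which name records disclose the computer name, domain, server service and logged-on user names. Suffix meanings are the standard NetBIOS ones.

```python
import re
from typing import Dict, List, Tuple

# Constructed nbtstat -A output (documentation-range MAC, not a real host).
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
WEBHOST        <00>  UNIQUE      Registered
CORPDOMAIN     <00>  GROUP       Registered
WEBHOST        <20>  UNIQUE      Registered
CORPDOMAIN     <1C>  GROUP       Registered
WEBHOST        <03>  UNIQUE      Registered
CORPDOMAIN     <1E>  GROUP       Registered
ADMINISTRATOR  <03>  UNIQUE      Registered

MAC Address = 00-00-5E-00-53-01
"""

# Standard NetBIOS name suffixes (16th byte) and what registering them means.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "workstation service (computer name)",
    ("00", "GROUP"): "domain or workgroup name",
    ("03", "UNIQUE"): "messenger service (computer name or logged-on user)",
    ("20", "UNIQUE"): "server service (file/print sharing reachable)",
    ("1B", "UNIQUE"): "domain master browser",
    ("1C", "GROUP"): "domain controllers group",
    ("1D", "UNIQUE"): "master browser",
    ("1E", "GROUP"): "browser service elections",
}

NAME_ROW = re.compile(
    r"^[ \t]*(\S.*?)[ \t]*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)", re.M
)
MAC_ROW = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")


def parse_name_table(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (name, suffix, type, status) tuples from nbtstat -A output."""
    return [(n, s.upper(), t, st) for n, s, t, st in NAME_ROW.findall(text)]


def audit_name_table(text: str) -> Dict[str, object]:
    """Summarise what a remote name-table query discloses about the host."""
    rows = parse_name_table(text)
    computer = next((n for n, s, t, _ in rows if (s, t) == ("00", "UNIQUE")), None)
    domain = next((n for n, s, t, _ in rows if (s, t) == ("00", "GROUP")), None)
    # <03> UNIQUE names other than the computer name are logged-on user names.
    users = sorted({n for n, s, t, _ in rows
                    if (s, t) == ("03", "UNIQUE") and n != computer})
    findings: List[Tuple[str, str]] = []
    if domain:
        findings.append(("DOMAIN_DISCLOSED", domain))
    if any((s, t) == ("20", "UNIQUE") for _, s, t, _ in rows):
        findings.append(("SERVER_SERVICE_EXPOSED", computer or "?"))
    for u in users:
        findings.append(("USERNAME_DISCLOSED", u))
    if any((s, t) == ("1C", "GROUP") for _, s, t, _ in rows):
        findings.append(("DC_GROUP_MEMBER", domain or "?"))
    for n, s, t, _ in rows:
        if (s, t) not in SUFFIX_MEANING:
            findings.append(("UNRECOGNISED_SUFFIX", f"{n}<{s}> {t}"))
    mac = MAC_ROW.search(text)
    return {
        "computer": computer,
        "domain": domain,
        "users": users,
        "mac": mac.group(1) if mac else None,
        "findings": findings,
        "records": [(n, s, t, SUFFIX_MEANING.get((s, t), "unknown"))
                    for n, s, t, _ in rows],
    }


if __name__ == "__main__":
    report = audit_name_table(SAMPLE_NBTSTAT)
    for name, suffix, kind, meaning in report["records"]:
        print(f"{name:<16}<{suffix}> {kind:<7} {meaning}")
    for code, detail in report["findings"]:
        print(f"FINDING {code}: {detail}")
```

A host that should only serve HTTP would ideally show no <20> record and no user name at all, which is the state Bill Stout's 'large software company' reached by disabling NetBIOS on its web servers.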
From firewalls-owner Tue Dec 3 11:40:32 1996
From: Jody C Patilla
To: jkirby@connectnet.com (Jamey Kirby)
Cc: firewalls-digest@greatcircle.com, warren.moore@cbis.com
Date: Tue, 3 Dec 1996 13:58:05 -0500 (EST)
Subject: Re: Strange Virus...

>
> What a moron!
>
> ----------
> From: Warren Moore[SMTP:warren.moore@cbis.com]
> Sent: Tuesday, December 03, 1996 1:09 AM
> To: firewalls-digest
> Subject: Strange Virus...
>
> There is a computer virus that is being sent across the Internet.
> If you receive an e-mail message with the subject line "Free Money,"
> DO NOT read the message. DELETE it immediately, UNPLUG your computer,
> then BURN IT to ASHES in a government-approved toxic waste disposal
> INCINERATOR.

[satirical rant deleted]

Actually, I thought it was rather funny. And just think: if everyone who actually BELIEVED it followed the instructions, network security would have been improved by a huge margin in one fell stroke.

- jcp

--
=========================================================================
Jody C. Patilla                 jcp@tis.com
Trusted Information Systems     Glenwood, Md.

From firewalls-owner Tue Dec 3 11:40:45 1996
From: Jeremy Youngman
To: firewalls-digest@greatcircle.com
Date: Tue, 03 Dec 1996 18:17:12 +0000
Subject: Unexpected inbound TCP to our port 4144

Hi,

I sometimes see inbound TCP packets to our port 4144, e.g.:

SUMMARY: 4 of TCP [195.232.6.60]->[xxx.xxx.xxx.xxx](1083->4144)
SUMMARY: 4 of TCP [195.232.6.60]->[xxx.xxx.xxx.xxx](1084->4144)

I believe these are people trying to connect to us as if we were running a Compuserve service (people connect to Compuserve on port 4144). Have other people found packets like this? Any idea what's happening? I think the packets are SYNs, but screend doesn't show because they are SUMMARY records (I'd like screend to summarise by flag type too if poss).

Thanks
Jeremy

--
jeremy@youngman.demon.co.uk
http://www.youngman.demon.co.uk
Tel: +44 (0)1603 686258
PGP: Key avail on request (JSAS)
- All cats look grey in the dark -

From firewalls-owner Tue Dec 3 11:44:32 1996
From: Ron DuFresne
To: Jim Wamsley 303-673-8163
Cc: firewalls@GreatCircle.COM
Date: Tue, 3 Dec 1996 12:56:13 -0600 (CST)
Subject: RE: [Fwd: Caution : Internet Virus]

Hmm, we run scanprot.dot here. Thing is, it only works when run; it does not run in the 'background' scanning every new file or attachment. You have to open scanprot.dot and run it for it to do its thing, then close it. Scanprot is not in any way that we are aware of virus protection, but is a valuable cleanup tool once someone's been infected...

Later,

Ron DuFresne

On Tue, 3 Dec 1996, Jim Wamsley 303-673-8163 wrote:

> On Dec 3 Michael Paris wrote
> >
> > In the message he said it was a file attach.
> >
> > If the virus was sent attached in a .zip or .exe and the infected file was
> > run it would infect the computer.
> >
> > I believe he was talking here of a Word Macro Virus, attached as a .DOC
> > file, that when opened by Microsoft Word would trash the hard disk.
> >
>
> Hey guys, is everyone forgetting that Microsquish put out a macro protection
> script called ScanProt that scanned every document before it was opened
> looking for certain known 'macro viruses' and warned you if the document
> contained anything suspicious? I believe it also compares your normal.dot
> against what the doc had. This goes a long way toward _stopping_ an infected
> document from doing any damage. Works very well. Have received a few
> _infected_ attachments that were caught.
>
> ______________________________________________________________
> [ Jim Wamsley, Network Engineering ]
> [ StorageTek 2270 S. 88th St, M.S. 4379, Louisville, CO 80028 ]
> [ Audible: (303) 673-8163   Logical jim_wamsley@stortek.com ]
> [ Everything to Excess! ]
> [ To enjoy life to the fullest, you must take big bites. ]
> [ Moderation is for monks. ]
> [ Lazarus Long ]
> [______________________________________________________________]
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
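For the screend SUMMARY records in Jeremy Youngman's message earlier in this thread, a small log reducer makes the pattern (one source, consecutive source ports, one destination port) visible and compares what arrives against the services you actually expose. This is an added example, not code from the thread; the log lines are constructed in screend's SUMMARY layout with documentation addresses, and the allowed-service table is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed screend-style SUMMARY records (documentation addresses only).
SAMPLE_LOG = """\
SUMMARY: 4 of TCP [198.51.100.7]->[192.0.2.10](1083->4144)
SUMMARY: 4 of TCP [198.51.100.7]->[192.0.2.10](1084->4144)
SUMMARY: 12 of TCP [203.0.113.5]->[192.0.2.10](40211->25)
SUMMARY: 2 of UDP [203.0.113.9]->[192.0.2.10](53->53)
SUMMARY: 1 of TCP [198.51.100.7]->[192.0.2.11](1085->4144)
Dec  3 18:10:01 gw screend[123]: unrelated line, ignored
"""

# Services we expect to accept from outside (assumed for this example).
ALLOWED = {"TCP": {25, 80}, "UDP": {53}}

SUMMARY_RE = re.compile(
    r"SUMMARY:\s+(?P<count>\d+)\s+of\s+(?P<proto>TCP|UDP)\s+"
    r"\[(?P<src>[^\]]+)\]->\[(?P<dst>[^\]]+)\]"
    r"\((?P<sport>\d+)->(?P<dport>\d+)\)"
)

Record = Tuple[int, str, str, str, int, int]  # count, proto, src, dst, sport, dport


def parse_summary(line: str) -> Optional[Record]:
    """Parse one SUMMARY record; return None for lines in any other format."""
    m = SUMMARY_RE.search(line)
    if not m:
        return None
    return (int(m["count"]), m["proto"], m["src"], m["dst"],
            int(m["sport"]), int(m["dport"]))


def aggregate(lines: List[str]) -> Dict[Tuple[str, str, str, int], Dict[str, object]]:
    """Group records by (proto, src, dst, dport), summing packet counts and
    collecting the distinct source ports seen for each group."""
    groups = defaultdict(lambda: {"packets": 0, "sports": set()})
    for line in lines:
        rec = parse_summary(line)
        if rec is None:
            continue
        count, proto, src, dst, sport, dport = rec
        g = groups[(proto, src, dst, dport)]
        g["packets"] += count
        g["sports"].add(sport)
    return dict(groups)


def _is_sequential(sports: Set[int]) -> bool:
    """True when the source ports form one consecutive run, i.e. a single
    client opening successive connections rather than a spread of probes."""
    s = sorted(sports)
    return len(s) > 1 and s[-1] - s[0] == len(s) - 1


def unexpected_inbound(lines: List[str], allowed=ALLOWED) -> List[Dict[str, object]]:
    """Aggregated flows whose destination port is not an allowed service,
    most packets first. A SUMMARY record carries no TCP flags (the point
    Jeremy raises), so 'packets' counts packets, not confirmed SYNs."""
    rows = []
    for (proto, src, dst, dport), g in aggregate(lines).items():
        if dport in allowed.get(proto, set()):
            continue
        rows.append({
            "proto": proto, "src": src, "dst": dst, "dport": dport,
            "packets": g["packets"],
            "distinct_sports": len(g["sports"]),
            "sequential_sports": _is_sequential(g["sports"]),
        })
    rows.sort(key=lambda r: (-r["packets"], r["src"], r["dport"]))
    return rows


if __name__ == "__main__":
    for row in unexpected_inbound(SAMPLE_LOG.splitlines()):
        print(row)
```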
From firewalls-owner Tue Dec 3 11:57:26 1996
From: Bill Stout
To: Peter Yau, FireWalls@GreatCircle.com
Date: Tue, 03 Dec 1996 11:16:50 -0800
Subject: Re: NetBios over IP

Just say no.

At 10:07 AM 12/3/96 -0500, Peter Yau wrote:
> Are there security concerns for NetBIOS over IP? Is it a danger that because
> it is a messaging protocol which uses names as opposed to addresses that it'd
> be more easy to spoof?

Yes. Weaknesses same as DNS or other non-authenticated naming systems.

> With NetBIOS encapsulated in IP traversing (from outside) the FW-1, are
> we only able to filter on IP only? Once IP filtering takes place, the
> packet then gets unencapsulated before it gets sent to its final destination?

Don't confuse encapsulation with encryption. Encapsulating commands within TCP does not protect them or the systems you send commands to.

> The proper port needs to be open in FW-1 to accommodate NetBIOS, of course.
> Where exactly does unencapsulation take place, at the last Router hop
> prior to the final destination?
> Thanks in advance.

Just a few tidbits:

NetBIOS over TCP/IP is a 'cool thing'.
If you have port 137 open, it gives you more targets to hack at than finger when probing a system for data. Nbtstat -A 'ipaddress' tells you (example):

C:\> nbtstat -A xxx.xxx.xxx.xxx

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
WWW2            <00>  UNIQUE      Registered    Computer name
INETSERVERS     <00>  GROUP       Registered    Domain name
WWW2            <20>  UNIQUE      Registered    Share service name
INETSERVERS     <1C>  GROUP       Registered    WINS Domain Group name
WWW2            <03>  UNIQUE      Registered    WINS Messenger name
INETSERVERS     <1E>  GROUP       Registered    Browser group
INet~Services   <1C>  GROUP       Registered    IIS group name
IS~WWW2........ <00>  UNIQUE      Registered    IIS unique name
WWW2            <01>  UNIQUE      Registered    Service Username
ADMINISTRATOR   <03>  UNIQUE      Registered    Username
WWW2+++++++++++       GROUP       Registered    Netmon agent

MAC Address = 08-00-2B-A3-DA-D5

A 'large software company' disabled NetBIOS on their webservers after they saw output like that above. I think from a whitepaper I wrote.

Also another 'cool thing' to note is that NetBIOS file sharing security (LanManager 2.0 and earlier) can force your computer to send cleartext username/password/domain information to the server if a user attempts to connect to a foreign server (file/print/other_unknown services).

NetBIOS only needs a username/password/domain when first connecting to a system, and uses that data to generate a User ID (UID). All following data transfers use that plaintext UID to access files with your privileges ("Honey, it's 'me'"). NetBIOS sessions thereafter have a timeout value of about 45 minutes. If you stop talking to your server, the server you've been talking to keeps a session open waiting for a request with your UID to reconnect, no additional username/password information required to get to your files. The above also applies to accessing administrative shares (root directory and all files on all drives) on NT systems.
I am not sure if NetBIOS SMB sessions are tied to an IP address; I am testing connecting to administrative shares from random IP addresses by scanning UIDs. In theory, one could connect to any NT/IIS share on the Internet with administrative access to all files. Even cooler if the server is dual-homed and they're running 'netmon' (NT sniffer). You could then remotely sniff their internal network using their own sniffer.

For documented attacks, see:
ftp://ietf.cnri.reston.va.us/internet-drafts/draft-heizer-cifs-v1-spec-00.txt

IMNSHO, NetBIOS is not a 'good thing' across the Internet.

Bill Stout
_______________________________________________________________________________
Senior Systems Admin   NT/Backoffice/Solaris/WWW-Db/Firewalls/Cisco/VM-UNIX/VMS
Hitachi Data Systems   408-970-4822
--- Disclaimer: I speak only for myself

From firewalls-owner Tue Dec 3 12:13:02 1996
From: Frank Beall
To: firewalls@GreatCircle.COM
Cc: darryl@sai.com
Date: Tue, 03 Dec 1996 11:57:45 PST
Subject: RE: [Fwd: Caution : Internet Virus]

Check out Practical Unix Security by O'Reilly & Associates, on Unix mail.

Frank

>
> On Tue, 3 Dec 1996, Security Mail wrote:
>
> > This indeed was a Hoax! No Virus can wipe the hard disk just by reading
> > an e-mail message.
> > BUT, this message below told of an attachment that if
> > run would cause damage!
>
> This is not true on Unix! Many Unix mailers and pagers will send
> escape codes to the tty. The good ones will not, but many of
> the old ones will. This will allow a mail message to control the
> terminal. Many terminals have escape codes to send text back to
> the host. QED the mail message can do anything the user has privs
> to do.
>
> --
> Darryl Wagoner darryl@sai.com http://www.sai.com/
> Office: 603.672.0736 Fax: 603-672-4846
> Beware of self-styled experts: an ex is a has-been, and a spurt is a
> drip under pressure.
>

From firewalls-owner Tue Dec 3 12:57:15 1996
From: Mark Clayton
To: Jamey Kirby, firewalls-digest, 'Warren Moore'
Date: Wed, 4 Dec 1996 09:34:31 +1245
In-Reply-To: Jamey Kirby "RE: Strange Virus..." (Dec 3, 8:30am)
Subject: Re: Strange Virus...

At least it was entertaining!!

Considering most people on this list are supposed to be professionals in the computer industry, you would think that mindless discussion over whether a virus was real or not would be kept to a minimum. Guess not...

On Dec 3, 8:30am, Jamey Kirby wrote:
> Subject: RE: Strange Virus...
> What a moron!
>
> ----------
> From: Warren Moore[SMTP:warren.moore@cbis.com]
> Sent: Tuesday, December 03, 1996 1:09 AM
> To: firewalls-digest
> Subject: Strange Virus...
>
> Probably off-subject, but considering what's been on here for the last day or
> so, maybe not...funny regardless.
>
> Free Money!!!
>
> [SNIP HUMOR]
>
> There is a computer virus that is being sent across the Internet.
> Jack of All Trades, Master of Damn Few!
>-- End of excerpt from Jamey Kirby

Marcus.

From firewalls-owner Tue Dec 3 14:26:25 1996
From: Andrea Brenton
To: Firewalls@GreatCircle.COM
Date: Tue, 03 Dec 1996 17:14:01 -0500
Subject: Re: Strange Virus...

There is a virus newsgroup at comp.virus!

At 01:58 PM 12/3/96 -0500, you wrote:
* >
* > What a moron!
* >
* > ----------
* > From: Warren Moore[SMTP:warren.moore@cbis.com]
* > Sent: Tuesday, December 03, 1996 1:09 AM
* > To: firewalls-digest
* > Subject: Strange Virus...
* >
* > There is a computer virus that is being sent across the Internet.
* > If you receive an e-mail message with the subject line "Free Money,"
* > DO NOT read the message. DELETE it immediately, UNPLUG your computer,
* > then BURN IT to ASHES in a government-approved toxic waste disposal
* > INCINERATOR.
*
* [satirical rant deleted]
*
* Actually, I thought it was rather funny. And just think, if everyone who
* actually BELIEVED it, followed the instructions, network security would have
* been improved by a huge margin in one fell stroke.
*
* - jcp
*
* --
* =========================================================================
* Jody C. Patilla jcp@tis.com
* Trusted Information Systems Glenwood, Md.
* xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Disclaimer: Any errors in spelling, tact, or fact are transmission errors.

Andrea Brenton Hurwitz Group, Inc
IS Manager 29 Crafts St
abrenton@hurwitz.com Newton, MA 02158
"The time you enjoy wasting is not wasted time." - Bertrand Russell
Views expressed are my own and not that of my employer or clients.

From firewalls-owner Tue Dec 3 15:55:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA06282 for firewalls-outgoing; Tue, 3 Dec 1996 15:41:55 -0800 (PST) Received: from osceola.gate.net (osceola.gate.net [199.227.0.18]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA06264 for ; Tue, 3 Dec 1996 15:41:43 -0800 (PST) Received: from gate.net.gate.net (orlfl2-25.gate.net [199.227.3.152]) by osceola.gate.net (8.8.3/8.6.12) with ESMTP id SAA59242; Tue, 3 Dec 1996 18:41:19 -0500 Message-Id: <199612032341.SAA59242@osceola.gate.net> From: "William Beem" To: "Russ" , "Mr. Nick Keenan" Cc: Subject: Re: restricting OUTBOUND access Date: Tue, 3 Dec 1996 18:39:15 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Windows 95 will warn you of this type of security breach. For example, I had Dial-up access on my machine working fine. Later, I installed the network client. Windows 95 warned me of the possible security problem and suggested that I not allow anyone to roam my drive.
It's not rocket science.

--William

----------
> From: Mr. Nick Keenan
> To: Russ
> Cc: firewalls@GreatCircle.COM
> Subject: RE: restricting OUTBOUND access
> Date: Tuesday, December 03, 1996 12:44 PM
>
> >Come now, it's extremely tricky to set up Windows '95 to act as a
> >router. You mind explaining to me how you could do that easily in your
> >scenario?
>
> OK. I thought Win 95 gave NetBEUI access by default, but I haven't worked
> with it enough to bet on it.
>
> So replace Windows 95 with Windows NT, and replace Dial-Up Networking with
> Remote Access Service. RAS does TCP-IP routing by default.
>
> Or use Windows 3.1 RAS, and check the box "Allow access to entire network"
> during setup.
>
> Or even if you don't allow network access, your own computer is still
> vulnerable. Which means, incidentally, that the intruder can alter your
> configuration to allow network access -- particularly on 3.1 and 95, which
> don't have OS-level security on the disk or configuration files.
>
> The point is that under Windows, outgoing modem connections are a security
> liability. Internet connections can be used to establish modem connections.
> Ergo, outgoing Internet connections are a security liability.
>
>
> Nick Keenan
> Global Securities Information
> nkeenan@gsionline.com
> http://www.gsionline.com
>
> LIVEDGAR(TM) -- The EDGAR(TM) Experts.
From firewalls-owner Tue Dec 3 16:12:05 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA07713 for firewalls-outgoing; Tue, 3 Dec 1996 16:08:29 -0800 (PST) Received: from ns1.genuity.net (ns1.genuity.net [204.74.114.93]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA07684 for ; Tue, 3 Dec 1996 16:08:19 -0800 (PST) Received: from x-files.genuity.net (x-files.genuity.net [204.74.125.103]) by ns1.genuity.net (8.7.3/8.7.3) with SMTP id RAA09387 for ; Tue, 3 Dec 1996 17:08:19 -0700 (MST) Received: by x-files.genuity.net with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBE13C.936ECC60@x-files.genuity.net>; Tue, 3 Dec 1996 17:08:17 -0700 Message-ID: From: Douglas Cheline To: "'Firewalls@GreatCircle.COM'" Subject: RE: Firewalls over NT vs. UNIX Date: Tue, 3 Dec 1996 17:08:15 -0700 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I guess no-one really wants to touch this subject. Is it perhaps because NT really is "very secure" and we can trust it to do security firewalling? grin;-)

>Douglas Cheline
>Senior Consultant Business Solutions
>
>G E N U I T Y, Inc.
>a Bechtel company
>
>dcheline@genuity.net http://www.genuity.net
>----------
>From: Douglas Cheline
>Sent: Sunday, December 01, 1996 3:12 PM
>To: 'Firewalls@GreatCircle.COM'
>Subject: Firewalls over NT vs. UNIX
>
>The various Firewall vendors that I have spoken to have repeatedly stated
>that, even though their product does run over NT, running firewalls over UNIX
>is much more secure. The reasoning I get is that NT has some inherent
>vulnerabilities that cannot be plugged since the code is proprietary and
>closed.
>UNIX on the other hand is standards based and open, plus it has been
>on the market much longer and more efforts have been placed in plugging the
>holes there.
>
>This sounds nice but not very convincing unless some hard facts are revealed.
> Can knowledgeable members of this forum tell me what those 'holes' in NT are?
> and is this a valid argument?
>
>disclaimer: I, myself, prefer UNIX based applications but I don't have a
>facts based argument for that preference when it comes to firewalls.
>
>Thanks in advance for your responses.
>
>Regards,
>
>Douglas Cheline
>Senior Consultant Business Solutions
>
>G E N U I T Y, Inc.
>a Bechtel company
>
>dcheline@genuity.net
>http://www.genuity.net
>

From firewalls-owner Tue Dec 3 16:40:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA08446 for firewalls-outgoing; Tue, 3 Dec 1996 16:30:06 -0800 (PST) Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA08436 for ; Tue, 3 Dec 1996 16:29:57 -0800 (PST) From: dcarlos@sunat.gob.pe Received: from rcp.net.pe by relay3.UU.NET with SMTP (peer crosschecked as: rcp.net.pe [161.132.5.20]) id QQbsof24158; Tue, 3 Dec 1996 19:29:53 -0500 (EST) Received: from sunat.gob.pe(really [161.132.37.1]) by rcp.net.pe via sendmail with smtp id for ; Tue, 3 Dec 1996 19:32:11 -0500 (EST) (Smail-3.2 1996-Jul-4 #3 built 1996-Oct-4) Received: from WS06_07 by sunat.gob.pe with smtp (Smail3.1.28.1 #9) id m0vV7kZ-0002FqC; Tue, 3 Dec 96 19:11 PST Message-Id: Comments: Authenticated sender is To: firewalls@GreatCircle.COM Date: Tue, 3 Dec 1996 19:53:34 +0000 Subject: FIREWALL Evaluation X-mailer: Pegasus Mail for Windows (v2.42a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Please send me your opinions about the following firewalls:

1.- IBM Internet Connection Secured Network Gateway for AIX version 2.2
2.- SUN SOLSTICE Firewall-1 Version 2.0 (Is it the same as Checkpoint??)
3.- Borderware

Thanks

Damaso Carlos Tay

From firewalls-owner Tue Dec 3 17:40:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA12738 for firewalls-outgoing; Tue, 3 Dec 1996 17:26:43 -0800 (PST) Received: from osceola.gate.net (osceola.gate.net [199.227.0.18]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA12731 for ; Tue, 3 Dec 1996 17:26:35 -0800 (PST) Received: from gate.net.gate.net (orlfl2-6.gate.net [199.227.3.133]) by osceola.gate.net (8.8.3/8.6.12) with ESMTP id UAA52496; Tue, 3 Dec 1996 20:26:33 -0500 Message-Id: <199612040126.UAA52496@osceola.gate.net> From: "William Beem" To: "Douglas Cheline" , "'Firewalls@GreatCircle.COM'" Subject: Re: Firewalls over NT vs. UNIX Date: Tue, 3 Dec 1996 20:24:31 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

More likely that most folks don't know about the security holes in NT yet. UNIX holes receive a fair amount of attention, which often causes a furor and a fix. Microsoft remains rather tight-lipped about holes in Windows NT.

I rather prefer the UNIX approach of knowing what's wrong with it, so I can make a reasonably intelligent assessment regarding the security of my servers. Microsoft seems unwilling to tell me what's wrong with NT. Maybe that's why I have more UNIX boxes at work than NT servers.

--William

----------
> From: Douglas Cheline
> To: 'Firewalls@GreatCircle.COM'
> Subject: RE: Firewalls over NT vs. UNIX
> Date: Tuesday, December 03, 1996 7:08 PM
>
> I guess no-one really wants to touch this subject. Is it perhaps
> because NT really is "very secure" and we can trust it to do security
> firewalling? grin;-)
>
> >Douglas Cheline
> >Senior Consultant Business Solutions
> >
> >G E N U I T Y, Inc.
> >a Bechtel company
> >
> >dcheline@genuity.net
> http://www.genuity.net
>
> >----------
> >From: Douglas Cheline
> >Sent: Sunday, December 01, 1996 3:12 PM
> >To: 'Firewalls@GreatCircle.COM'
> >Subject: Firewalls over NT vs. UNIX
> >
> >The various Firewall vendors that I have spoken to have repeatedly stated
> >that, even though their product does run over NT, running firewalls over UNIX
> >is much more secure. The reasoning I get is that NT has some inherent
> >vulnerabilities that cannot be plugged since the code is proprietary and
> >closed. UNIX on the other hand is standards based and open, plus it has been
> >on the market much longer and more efforts have been placed in plugging the
> >holes there.
> >
> >This sounds nice but not very convincing unless some hard facts are revealed.
> > Can knowledgeable members of this forum tell me what those 'holes' in NT are?
> > and is this a valid argument?
> >
> >disclaimer: I, myself, prefer UNIX based applications but I don't have a
> >facts based argument for that preference when it comes to firewalls.
> >
> >Thanks in advance for your responses.
> >
> >Regards,
> >
> >Douglas Cheline
> >Senior Consultant Business Solutions
> >
> >G E N U I T Y, Inc.
> >a Bechtel company
> >
> >dcheline@genuity.net
> >http://www.genuity.net
> >

From firewalls-owner Tue Dec 3 18:11:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA13544 for firewalls-outgoing; Tue, 3 Dec 1996 17:55:27 -0800 (PST) Received: from ptes.com ([138.112.199.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA13537 for ; Tue, 3 Dec 1996 17:55:20 -0800 (PST) Received: by ptes.com (4.1/JMA.3) id AA12668; Tue, 3 Dec 96 16:55:38 PST Received: from mike.ptes.com(138.112.190.103) by newshost via smap (V1.3mjr) id sma012666; Tue Dec 3 16:55:10 1996 X-Sender: mike@pescadero.ptes.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 3 Dec 1996 17:55:48 -0900 To: firewalls@GreatCircle.COM From: mike@ptes.com (Mike Bernhardt) Subject: PIX and Gauntlet Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

A question as a relative newcomer:

Right now the internet connection at this location is protected with packet filtering with a Cisco router. I want to put a real firewall product in place.

I'd like opinions on which y'all think is better and why (price aside): a Cisco PIX, or Gauntlet on an Ultra1 with 2 Ethernet cards.

-------------------------------------------------------------
"He who dies with the most toys, still dies."
From firewalls-owner Tue Dec 3 18:25:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA14730 for firewalls-outgoing; Tue, 3 Dec 1996 18:22:29 -0800 (PST) Received: from shifra.info.umoncton.ca ([139.103.16.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA14723 for ; Tue, 3 Dec 1996 18:22:22 -0800 (PST) Received: from localhost (musta@localhost) by shifra.info.umoncton.ca (8.6.11/8.6.9) with SMTP id WAA08563; Tue, 3 Dec 1996 22:26:42 -0400 Date: Tue, 3 Dec 1996 22:26:42 -0400 (AST) From: Mustapha Reply-To: Mustapha To: Jamey Kirby cc: firewalls-digest , "'Warren Moore'" Subject: RE: Strange Virus... In-Reply-To: <01BBE0F4.D896BCA0@max-nc-83.connectnet.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 3 Dec 1996, Jamey Kirby wrote:
> What a moron!

Not at all! :-) In fact I found Warren's joke so funny that I forwarded it to five other people already. Come on Jamey! Reading a joke or two every now and then would not do any harm, or pain, or both!
:)

Best wishes,
-Mustapha

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mustapha Obeid Student
Computer Science Department, "Universite de Moncton"
Moncton, NB, Canada - E1A 3E9
Fields of Interest: Network Security & Operating Systems
*Life would be much easier if we could just look at the source code*
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From firewalls-owner Tue Dec 3 19:41:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA19025 for firewalls-outgoing; Tue, 3 Dec 1996 19:37:29 -0800 (PST) Received: from pexpress.indcomp.com ([198.182.182.252]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA19018 for ; Tue, 3 Dec 1996 19:37:23 -0800 (PST) Received: from hbr (user-168-121-26-74.dialup.mindspring.com [168.121.26.74]) by pexpress.indcomp.com (8.6.12/8.6.9) with SMTP id WAA14694; Tue, 3 Dec 1996 22:35:19 -0500 Message-ID: <32A4F171.7797@indcomp.com> Date: Tue, 03 Dec 1996 22:35:13 -0500 From: Howard Richter Organization: Richter @home Computing X-Mailer: Mozilla 2.02 (Win95; I) MIME-Version: 1.0 To: Darryl Wagoner CC: Security Mail , Denis Valois , firewalls@GreatCircle.COM, webmaster@internic.uob.bh Subject: Re: [Fwd: Caution : Internet Virus] References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Darryl Wagoner wrote:
>
> On Tue, 3 Dec 1996, Security Mail wrote:
>
> > This indeed was a Hoax! No Virus can wipe the hard disk just by reading
> > an e-mail message. BUT, this message below told of an attachment that if
> > run would cause damage!
>
> This is not true on Unix! Many Unix mailers and pagers will send
> escape codes to the tty. The good ones will not, but many of
> the old ones will. This will allow a mail message to control the
> terminal. Many terminals have escape codes to send text back to
> the host.
> QED the mail message can do anything the user has privs
> to do.
>
> --
> Darryl Wagoner darryl@sai.com http://www.sai.com/
> Office: 603.672.0736 Fax: 603-672-4846
> Beware of self-styled experts: an ex is a has-been, and a spurt is a
> drip under pressure.

But the editor would keep the message from the rest of the system.

From firewalls-owner Tue Dec 3 19:55:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA19042 for firewalls-outgoing; Tue, 3 Dec 1996 19:39:07 -0800 (PST) Received: from dax.sai.com (dax.sai.com [207.95.117.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA19035 for ; Tue, 3 Dec 1996 19:38:54 -0800 (PST) Received: from dax.sai.com by dax.sai.com with smtp (Smail3.1.29.1 #2) id m0vV8AO-003pahC; Tue, 3 Dec 96 22:38 EST Date: Tue, 3 Dec 1996 22:38:35 -0500 (EST) From: Darryl Wagoner To: Howard Richter cc: Security Mail , Denis Valois , firewalls@GreatCircle.COM, webmaster@internic.uob.bh Subject: Re: [Fwd: Caution : Internet Virus] In-Reply-To: <32A4F171.7797@indcomp.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 3 Dec 1996, Howard Richter wrote:
> But the editor would keep the message from the rest of the system.

No, all unix editors and pagers have shell command functions.

--
Darryl Wagoner darryl@sai.com http://www.sai.com/
Office: 603.672.0736 Fax: 603-672-4846
Beware of self-styled experts: an ex is a has-been, and a spurt is a
drip under pressure.
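The risk Darryl describes in the exchange above (a mailer or pager writing a message's raw escape codes to the tty, and a terminal that answers some of those codes by sending text back to the host) is the reason a mail reader should neutralize control sequences before display. The filter below is an added example written for this thread, not code from any of the posters or from any of the products discussed; the message it runs on is constructed, and the function and constant names are this example's own.

```python
import re

# Terminal control sequences an untrusted message must not reach the tty with.
# Three families of ESC-introduced sequences, then a lone ESC:
#   CSI  ESC [ <params> <intermediates> <final>   (cursor moves, screen clears, ...)
#   OSC  ESC ] <text> BEL | ESC \                  (window title and similar)
#   ESC <intermediates> <final>                     (reset, terminal identify, ...)
ESCAPE_SEQUENCE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[ -/]*[0-~]"
    r"|\x1b"
)

# Bare control bytes other than TAB, LF and CR. ENQ (0x05) is the classic
# answerback trigger; 0x80-0x9f are the 8-bit (C1) forms of ESC sequences.
CONTROL_BYTE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1a\x1c-\x1f\x7f\x80-\x9f]")


def sanitize_for_terminal(text: str) -> tuple[str, list[str]]:
    """Return (cleaned text, list describing what was removed).

    Every match is replaced by nothing, so the message can only influence
    the terminal if it is printed without passing through this filter.
    """
    removed: list[str] = []

    def drop(kind: str):
        # Build a replacement callback that records the match and deletes it.
        def repl(match: re.Match) -> str:
            removed.append(f"{kind}: {match.group(0)!r}")
            return ""
        return repl

    cleaned = ESCAPE_SEQUENCE.sub(drop("escape sequence"), text)
    cleaned = CONTROL_BYTE.sub(drop("control byte"), cleaned)
    return cleaned, removed


# Constructed sample: a mail body carrying a clear-screen, a cursor-home,
# an ENQ and an OSC title sequence mixed into otherwise ordinary text.
SAMPLE_MESSAGE = (
    "Subject: Free Money\r\n\r\n"
    "Hi,\x1b[2J\x1b[H please read this\x05 carefully.\n"
    "\x1b]0;title\x07Regards\n"
)


def demo() -> tuple[str, list[str]]:
    """Sanitize the constructed sample and report what was stripped."""
    cleaned, removed = sanitize_for_terminal(SAMPLE_MESSAGE)
    for item in removed:
        print("stripped", item)
    return cleaned, removed


if __name__ == "__main__":
    text, _ = demo()
    print(text, end="")
```

The order of the two passes matters: escape sequences are removed first so that their ESC byte is consumed as part of a sequence and the remaining parameter bytes are not left behind as printable text, and only then are stray control bytes (including a lone ENQ) dropped. Anything that is neither TAB, LF nor CR is treated as hostile rather than tolerated on the assumption that the terminal will ignore it.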
From firewalls-owner Tue Dec 3 20:10:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA18719 for firewalls-outgoing; Tue, 3 Dec 1996 19:25:29 -0800 (PST) Received: from isl.sri.com (sheffield.isl.SRI.COM [128.18.23.46]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA18702 for ; Tue, 3 Dec 1996 19:25:19 -0800 (PST) Received: by isl.sri.com (SMI-8.6/SMI-SVR4) id TAA06224; Tue, 3 Dec 1996 19:25:16 -0800 Received: from babylon(128.18.23.47) by sheffield via smap (V2.0beta) id xma006207; Tue, 3 Dec 96 19:25:09 -0800 Received: from gollum.isl.sri.com by babylon (SMI-8.6/SMI-SVR4) id TAA29925; Tue, 3 Dec 1996 19:25:07 -0800 Message-Id: <3.0.32.19961203191637.0068adb4@sheffield.isl.sri.com> X-Sender: terry@sheffield.isl.sri.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Tue, 03 Dec 1996 19:18:06 -0800 To: mike@ptes.com (Mike Bernhardt) From: "Terry L. Bernstein" Subject: Re: PIX and Gauntlet Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

It depends on what you mean by better. When I evaluate firewalls, I consider a number of things, including:

* Basic security
* Flexibility. Number/type of services currently supported.
* Expandability. Ease of adding new services
* Manageability. GUI, centralized management of multiple firewalls/routers
* VPN Support.
* Authentication support. Does it support token cards

There are other items you could add, depending on your situation. The point is that one cannot say that one firewall is always better than another.

My take on the two firewalls you mentioned is as follows:

PIX: Marketed as a plug and play firewall that you can throw in to a relatively simple architecture with little configuration on your part. It will provide decent security through smart packet filtering.
I wouldn't use it to protect a financial institution, but I would consider it a good choice for a small/medium office with one Internet connection and few if any Internet servers (i.e. Web or FTP servers).

Gauntlet: This is marketed as a high end application proxy. It is much harder to configure and uses cryptic text files (at least in the last version I saw). It will provide better overall security, but will take more effort to install. Also, the reporting is much better.

I recommend you also take a look at firewall-1 as a product that has many of the best features of both of these.

The bottom line is that the firewall you choose depends on your situation.

-- terry --

At 05:55 PM 12/3/96 -0900, Mike Bernhardt wrote:
>A question as a relative newcomer:
>Right now the internet connection at this location is protected with packet
>filtering with a Cisco router. I want to put a real firewall product in
>place.
>
>I'd like opinions on which y'all think is better and why (price aside): a
>Cisco PIX, or Gauntlet on an Ultra1 with 2 Ethernet cards.
>

Terry Bernstein SRI Consulting
TBernstein@sri.com http://www.ice.sri.com/~terry

From firewalls-owner Tue Dec 3 20:31:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA21120 for firewalls-outgoing; Tue, 3 Dec 1996 20:18:41 -0800 (PST) Received: from www.cyberbound.net (www.cyberbound.net [204.119.16.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA21113 for ; Tue, 3 Dec 1996 20:18:34 -0800 (PST) Received: from rmalone.iquest.net (ind-0007-2.iquest.net [206.246.171.34]) by www.cyberbound.net (8.6.12/8.6.9) with ESMTP id UAA27804 for ; Tue, 3 Dec 1996 20:18:31 -0800 Message-Id: <199612040418.UAA27804@www.cyberbound.net> From: "Ron Malone" To: Subject: Firewall User Group's Date: Tue, 3 Dec 1996 23:12:42 -0600 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_01BBE16F.7C139C20" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Does anyone know if there is a user group for Firewall-1 or Raptor Eagle?

Are there any companies that have purchased direct support for Firewall-1 from Checkpoint Software?

My company is looking to purchase a firewall product, but find that most software companies want to shield themselves behind a reseller. They claim to want to use reseller's distribution system to sell and support the product. The problem is that purchasing the firewall software via a middleman allows the firewall company to have less responsibility in supporting their product. If your 3rd party support is not strong, then you have a problem obtaining quality support and cannot contact the software maker to provide direct support.
Any comments regarding how to get the software maker to support the product they created?

Ron

From firewalls-owner Tue Dec 3 20:40:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA22081 for firewalls-outgoing; Tue, 3 Dec 1996 20:28:21 -0800 (PST) Received: from mesbne01.medeserv.com.au (mesbne01.medeserv.com.au [203.9.184.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA22053 for ; Tue, 3 Dec 1996 20:28:10 -0800 (PST) Received: (from mail@localhost) by mesbne01.medeserv.com.au (8.7.4/8.7.3) id OAA12075; Wed, 4 Dec 1996 14:25:45 +1000 (EST) Received: from tooh199.medeserv.com.au(203.9.187.199) by mesbne01 via smap (V1.3) id /mail/incoming/sma012068; Wed Dec 4 14:25:37 1996 Message-ID: <32A4FF2F.40D7@medeserv.com.au> Date: Wed, 04 Dec 1996 14:33:51 +1000 From: Steven Herod Reply-To: sherod@medeserv.com.au Organization: Med-E-Serv Pty Ltd X-Mailer: Mozilla 3.0 (WinNT; I) MIME-Version: 1.0 To: William Beem CC: firewalls@greatcircle.com Subject: Re: Firewalls over NT vs. UNIX References: <199612040126.UAA52496@osceola.gate.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

William Beem wrote:
>
> More likely that most folks don't know about the security holes in NT yet.
> UNIX holes receive a fair amount of attention, which often causes a furor
> and a fix. Microsoft remains rather tight-lipped about holes in Windows NT.

I'd have to disagree with that, a hole in NT would cause just as large a furor as one in Solaris or Netware for that matter. After all it's Microsoft's flagship OS. "The way of the future...". I'd certainly yell loudly.

> I rather prefer the UNIX approach of knowing what's wrong with it, so
> I can make a reasonably intelligent assessment regarding the security
> of my servers. Microsoft seems unwilling to tell me what's wrong with
> NT. Maybe that's why I have more UNIX boxes at work than NT servers.

Perhaps we need to ask some questions....
To decide if NT4.0 is insecure:
What holes are in it?
What holes have been patched in past versions?
What do you have to do to a base NT system to secure it as a firewall? As an apps server? As a file Server?

To decide if Unix (brand X) is insecure:
What holes are in it?
What holes have been patched in past versions?
What do you have to do to a base Unix system to secure it as a firewall? As an apps server? As a file Server?

I dare say if Unix wasn't around, and Microsoft launched one of the early implementations of Unix as SuperNT 1.0 the general consensus would have been to avoid it like the plague because of its security problems.

Please correct me if I'm wrong (politely if possible) - I don't intend to cause offence on this prickly subject.

From firewalls-owner Tue Dec 3 22:40:34 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA24304 for firewalls-outgoing; Tue, 3 Dec 1996 22:34:59 -0800 (PST) Received: from mippet.ci.com.au (mippet.ci.COM.AU [192.65.182.30]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id WAA24297 for ; Tue, 3 Dec 1996 22:34:52 -0800 (PST) Received: from fgh.fgh.oz.au (daemon@localhost) by mippet.ci.com.au (8.8.3/8.7.3/CE) with MHSnet id RAA27452 for firewalls@greatcircle.com; Wed, 4 Dec 1996 17:34:43 +1100 (EST) Received: by fgh.oz.au (5.0) from localhost id AA00761; Wed, 4 Dec 1996 17:33:14 --1000 Date: Wed, 4 Dec 1996 17:33:13 +1100 (EST) From: Dave Horsfall To: Firewalls List Subject: Re: [Fwd: Caution : Internet Virus] In-Reply-To: Message-Id: X-Witty-Saying: "Klein Bottle - open other end" X-Disclaimer: "Me, speak for us?" Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 3 Dec 1996, Darryl Wagoner wrote:
> > But the editor would keep the message from the rest of the system.
>
> No, all unix editors and pagers have shell command functions.

Editor counter-example: PICO.
--
Dave Horsfall VK2KFU dave@fgh.oz.au Ph: +61 2 9957-4224 Fx: +61 2 9922-5286
FGH Decision Support Systems P/L, 77 Pacific Hwy, Nth. Sydney, 2060, Australia

From firewalls-owner Wed Dec 4 00:41:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA03047 for firewalls-outgoing; Wed, 4 Dec 1996 00:26:30 -0800 (PST) Received: from snoopy.ncku.edu.tw (snoopy.ncku.edu.tw [140.116.2.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA02831 for ; Wed, 4 Dec 1996 00:18:11 -0800 (PST) Received: (from antony@localhost) by snoopy.ncku.edu.tw (8.6.12/8.6.12) id QAA14604 for Firewalls@GreatCircle.COM; Wed, 4 Dec 1996 16:22:39 +0800 Date: Wed, 4 Dec 1996 16:22:39 +0800 From: "<>" Message-Id: <199612040822.QAA14604@snoopy.ncku.edu.tw> To: Firewalls@GreatCircle.COM Subject: Q: Free NAT packages for FreeBSD ?? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

I am looking for a package which would do the functionality of NAT (Network Address Translation) on FreeBSD or some other platforms. I am wondering if there is any one which is freeware or shareware?

Thanks for reply.

+----------------------------|\ /|--------------------------------------+
|Antony Y.R. Lu | ``''' | 886-6-2757575-62311|
|Distributed System Lab. \(O) (O)/ antony@snoopy.ncku.edu.tw|
|E.E. Institute of NCKU __ \ / __ http://snoopy.ncku.edu.tw/~antony|
+-------------------------oooO--(_)--Oooo-----------------------------------+

From firewalls-owner Wed Dec 4 00:57:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA03972 for firewalls-outgoing; Wed, 4 Dec 1996 00:45:54 -0800 (PST) Received: from jupiter.kleline.fr (jupiter.kleline.fr [194.250.17.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA03965 for ; Wed, 4 Dec 1996 00:45:44 -0800 (PST) Received: by jupiter.kleline.fr; id JAA01410; Wed, 4 Dec 1996 09:47:59 +0100 (MET) Received: from unknown(172.25.200.22) by jupiter.kleline.fr via smap (V3.1.1) id xma001406; Wed, 4 Dec 96 09:47:34 +0100 Received: from sirene. by zeus.kleline.fr (SMI-8.6/SMI-SVR4) id JAA14342; Wed, 4 Dec 1996 09:43:04 +0100 Received: from sirene by sirene. (SMI-8.6/SMI-SVR4) id JAA29120; Wed, 4 Dec 1996 09:43:45 +0100 Message-ID: <32A539C1.5CAD@kleline.fr> Date: Wed, 04 Dec 1996 09:43:45 +0100 From: Gilbert Soueidy Organization: KLELine X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: Great Circle Firewall Mailing List Subject: Sockd on TIS Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

Is there a Sockd package by default on Gauntlet TIS proxy?
thanks for help;

--
Gilbert Soueidy KLELine; 8 Rue Galilee-BP 437
System Engineer 75769 Paris Cedex 16-FRANCE
Voice: + 33 1 53 57 00 75 mailto:gsoueidy@kleline.fr
Fax : + 33 1 53 57 00 50 http://www.kleline.fr

From firewalls-owner Wed Dec 4 01:20:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA03170 for firewalls-outgoing; Wed, 4 Dec 1996 00:29:15 -0800 (PST) Received: from redmare.com ([198.247.223.126]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA03158 for ; Wed, 4 Dec 1996 00:29:08 -0800 (PST) Received: (from brian@localhost) by redmare.com (8.7.4/8.7.3) id CAA04412; Wed, 4 Dec 1996 02:25:10 -0600 (CST) Date: Wed, 4 Dec 1996 02:25:09 -0600 (CST) From: Brian Mitchell X-Sender: brian@redmare.com To: Security Mail cc: firewalls@greatcircle.com Subject: RE: [Fwd: Caution : Internet Virus] Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

To me, this message sounds almost identical to the good times 'virus', with the same sort of panic-warning as the original (although no microprocessor-destroying nth complexity binary loop garbage).

On Tue, 3 Dec 1996, Security Mail wrote:
> On Mon, 2 Dec 1996, Denis Valois wrote:
>
> > This is a hoax.
> >
> > Anyway, just by saying that "reading" a mailgram wipes out
> > your hard drive is of utmost foolishness.
>
> Denis,
>
> In the message he said it was a file attach.
>
> If the virus was sent attached in a .zip or .exe and the infected file was
> run it would infect the computer.
>
> I believe he was talking here of a Word Macro Virus, attached as a .DOC
> file, that when opened by Microsoft Word would trash the hard disk.
From firewalls-owner Wed Dec 4 01:25:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA03392 for firewalls-outgoing; Wed, 4 Dec 1996 00:34:22 -0800 (PST) Received: from jupiter.kleline.fr (jupiter.kleline.fr [194.250.17.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA03385 for ; Wed, 4 Dec 1996 00:34:13 -0800 (PST) Received: by jupiter.kleline.fr; id JAA01262; Wed, 4 Dec 1996 09:36:28 +0100 (MET) Received: from unknown(172.25.200.22) by jupiter.kleline.fr via smap (V3.1.1) id xma001260; Wed, 4 Dec 96 09:35:58 +0100 Received: from sirene. by zeus.kleline.fr (SMI-8.6/SMI-SVR4) id JAA14282; Wed, 4 Dec 1996 09:31:27 +0100 Received: from sirene by sirene. (SMI-8.6/SMI-SVR4) id JAA29111; Wed, 4 Dec 1996 09:32:08 +0100 Message-ID: <32A53707.365E@kleline.fr> Date: Wed, 04 Dec 1996 09:32:07 +0100 From: Gilbert Soueidy Organization: KLELine X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: Great Circle Firewall Mailing List Subject: IRINA is a Hoax Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi folks;

Irina seems to be a hoax; look at what issue 85 of the Computer Underground Digest says:

------------
The "Irina" virus warnings are a hoax. The former head of an electronic publishing company circulated the warning to create publicity for a new interactive book by the same name. The publishing company has apologized for the publicity stunt that backfired and panicked Internet users worldwide. The original warning claimed to be from a Professor Edward Pridedaux of the College of Slavic Studies in London; there is no such person or college. However, London's School of Slavonic and East European Studies has been inundated with calls. This poorly thought-out publicity stunt was highly irresponsible.
For more information pertaining to this hoax, reference the UK Daily Telegraph at http://www.telegraph.co.uk.

-- 
Gilbert Soueidy                  KLELine; 8 Rue Galilee-BP 437
System Engineer                  75769 Paris Cedex 16-FRANCE
Voice: + 33 1 53 57 00 75        mailto:gsoueidy@kleline.fr
Fax :  + 33 1 53 57 00 50        http://www.kleline.fr

From firewalls-owner Wed Dec 4 01:40:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA07075 for firewalls-outgoing; Wed, 4 Dec 1996 01:24:09 -0800 (PST)
Received: from svp_ci_00.svp-consult.com (svp_ci_nt1.svp-consult.com [207.78.246.98]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA07043 for ; Wed, 4 Dec 1996 01:23:56 -0800 (PST)
From: Michael.Kespohl@svp-consult.com
Received: by svp_ci_00.svp-consult.com(Lotus SMTP MTA v1.01.02 (238.7 10-8-1996)) id 852563F6.0033D0AD ; Wed, 4 Dec 1996 04:25:57 -0400
X-Lotus-FromDomain: SVP_CONSULT
To: firewalls@GreatCircle.COM
Message-ID:
Date: Wed, 4 Dec 1996 10:28:34 +0200
Subject: NT firewalls / Eagle
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello everybody,

are there any firewall systems for Windows NT (commercial or not) besides the Eagle system?
Thanks for your help

Michael.Kespohl@svp-consult.com

From firewalls-owner Wed Dec 4 01:55:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA07088 for firewalls-outgoing; Wed, 4 Dec 1996 01:24:18 -0800 (PST)
Received: from svp_ci_00.svp-consult.com (svp_ci_nt1.svp-consult.com [207.78.246.98]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA07052 for ; Wed, 4 Dec 1996 01:23:59 -0800 (PST)
From: Michael.Kespohl@svp-consult.com
Received: by svp_ci_00.svp-consult.com(Lotus SMTP MTA v1.01.02 (238.7 10-8-1996)) id 852563F6.0033D045 ; Wed, 4 Dec 1996 04:25:56 -0400
X-Lotus-FromDomain: SVP_CONSULT
To: firewalls@GreatCircle.COM
Message-ID:
Date: Wed, 4 Dec 1996 10:22:36 +0200
Subject: TIS FWTK and Linux 2.0
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello out there!

I recently read that there's a patch necessary for using the TIS FWTK with Linux systems; unfortunately there was no source given. Could anyone help me getting further information about this? And are there any negative experiences with TIS based firewalls?

...sorry if this is the 1.0e20th question on this - I just joined this list a few days ago.

Thanks for your help,

Michael

Michael.Kespohl@svp-consult.com

From firewalls-owner Wed Dec 4 02:20:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA07293 for firewalls-outgoing; Wed, 4 Dec 1996 01:26:20 -0800 (PST)
Received: from jupiter.kleline.fr (jupiter.kleline.fr [194.250.17.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id BAA07224 for ; Wed, 4 Dec 1996 01:25:46 -0800 (PST)
Received: by jupiter.kleline.fr; id KAA01808; Wed, 4 Dec 1996 10:28:00 +0100 (MET)
Received: from unknown(172.25.200.22) by jupiter.kleline.fr via smap (V3.1.1) id xma001806; Wed, 4 Dec 96 10:27:54 +0100
Received: from sirene.
    by zeus.kleline.fr (SMI-8.6/SMI-SVR4) id KAA14606; Wed, 4 Dec 1996 10:23:23 +0100
Received: from sirene by sirene. (SMI-8.6/SMI-SVR4) id KAA29174; Wed, 4 Dec 1996 10:24:05 +0100
Message-ID: <32A54335.4B6D@kleline.fr>
Date: Wed, 04 Dec 1996 10:24:05 +0100
From: Gilbert Soueidy
Organization: KLELine
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m)
MIME-Version: 1.0
To: firewalls@GreatCircle.com
Subject: Sockd on TIS
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Is there a sockd package on the Gauntlet TIS proxy by default?

Thanks for help

-- 
Gilbert Soueidy                  KLELine; 8 Rue Galilee-BP 437
System Engineer                  75769 Paris Cedex 16-FRANCE
Voice: + 33 1 53 57 00 75        mailto:gsoueidy@kleline.fr
Fax :  + 33 1 53 57 00 50        http://www.kleline.fr

From firewalls-owner Wed Dec 4 02:43:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA10196 for firewalls-outgoing; Wed, 4 Dec 1996 01:59:57 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id BAA10019 for ; Wed, 4 Dec 1996 01:59:06 -0800 (PST)
Message-Id: <199612040959.BAA10019@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA054353528; Wed, 4 Dec 1996 20:58:49 +1100
From: Darren Reed
Subject: Re: Firewalls over NT vs. UNIX
To: wrbeem@gate.net (William Beem)
Date: Wed, 4 Dec 1996 20:58:48 +1100 (EDT)
Cc: dcheline@genuity.net, Firewalls@GreatCircle.COM
In-Reply-To: <199612040126.UAA52496@osceola.gate.net> from "William Beem" at Dec 3, 96 08:24:31 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from William Beem, sie said:
>
> More likely that most folks don't know about the security holes in NT yet.
> UNIX holes receive a fair amount of attention, which often causes a furor
> and a fix.
> Microsoft remains rather tight-lipped about holes in Windows NT.
>
>
> I rather prefer the UNIX approach of knowing what's wrong with it, so I can
> make a reasonably intelligent assessment regarding the security of my
> servers. Microsoft seems unwilling to tell me what's wrong with NT. Maybe
> that's why I have more UNIX boxes at work than NT servers.

Considering the last 12 weeks, would you build a firewall using HP-UX ?

I'm working on setting up a secure system and one of the first things I did after installation was:

    find / -type f \( -perm -02000 -o -perm -04000 \) -print

sorted out what I wanted to set setuid/setgid and the rest went off!

Prior to this 3 months ago, HP-UX had been "quiet" compared to Solaris2 so far as security problems are concerned, but now I guess the push to make it easier to manage for non-root is showing. The number of programs and the list itself of setuid-root things is puzzling, indeed!

Maybe when some of us have replaced all the NT programs with GNU versions, rewritten their network daemons and have more options than the COTS product, it'll be taken more seriously.

To give you an example of problems that are possible, I've seen a custom screenlock written for Windows 3.11 that was vulnerable to a buffer overrun problem.

Also, who wants to run a GUI on their Firewall ? Do all those application proxies need that fancy screen stuff ? Probably not. Are they safe ? Who knows. Can you take it away ? No. Compared to Unix, where all systems by default will work quite well without any GUI so building a Firewall on a stripped-down system becomes much easier.
Darren

From firewalls-owner Wed Dec 4 03:10:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA14917 for firewalls-outgoing; Wed, 4 Dec 1996 02:48:44 -0800 (PST)
Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id CAA14865 for ; Wed, 4 Dec 1996 02:48:05 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id FAA27669; Wed, 4 Dec 1996 05:47:38 -0500
Date: Wed, 4 Dec 1996 05:47:38 -0500 (EST)
From: Todd Graham Lewis
To: "<>"
cc: Firewalls@GreatCircle.COM
Subject: Re: Q: Free NAT packages for FreeBSD ??
In-Reply-To: <199612040822.QAA14604@snoopy.ncku.edu.tw>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Dec 1996, <> wrote:

>
> Hi, I am looking for a package which would do the functionality
> of NAT(Network Address Translation ) on FreeBSD or some other
> platforms. I am wondering if there is any one which is freeware
> or shareware ?

Check out IP_Masquerade under Linux. It was among the first NATs available, and from my recollection, it was the first one that worked. It does a good job.

> Thanks for reply.

No problem.

__
Todd Graham Lewis                                    Linux!
Core Engineering                                     Mindspring Enterprises
tlewis@mindspring.com                                (800) 719 4664, x2804

From firewalls-owner Wed Dec 4 03:25:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA15005 for firewalls-outgoing; Wed, 4 Dec 1996 02:50:16 -0800 (PST)
Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id CAA14963 for ; Wed, 4 Dec 1996 02:49:39 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id FAA27684; Wed, 4 Dec 1996 05:49:40 -0500
Date: Wed, 4 Dec 1996 05:49:39 -0500 (EST)
From: Todd Graham Lewis
To: Michael.Kespohl@svp-consult.com
cc: firewalls@GreatCircle.COM
Subject: Re: TIS FWTK and Linux 2.0
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Dec 1996 Michael.Kespohl@svp-consult.com wrote:

> Hello out there!

Hi.

> I recently read that there's a patch necessary for using the TIS FWTK with
> Linux systems, unfortunately there was no source given. Could anyone help
> me getting further information about this? And are there any negative
> experiences with TIS based firewalls?

I'm aware of no such patch; the most recent version of the FWTK works fine for me under the latest 2.0. It might be flocking under smap, but if so it'll only produce annoying warnings.

> Thanks for your help,

No problem. If you do find a problem, please let the list (and me) know.

__
Todd Graham Lewis                                    Linux!
Core Engineering                                     Mindspring Enterprises
tlewis@mindspring.com                                (800) 719 4664, x2804

From firewalls-owner Wed Dec 4 03:57:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA16672 for firewalls-outgoing; Wed, 4 Dec 1996 03:15:13 -0800 (PST)
Received: from srv2.persocom.com.br ([200.239.60.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id DAA16654 for ; Wed, 4 Dec 1996 03:14:40 -0800 (PST)
Received: from oswaldo40 ([200.239.46.76]) by srv2.persocom.com.br (post.office MTA v2.0 0813 ID# 0-12327) with ESMTP id AAA154; Wed, 4 Dec 1996 08:48:40 +0000
From: "Oswaldo Gomes"
To: "Douglas Cheline" , "'Firewalls@GreatCircle.COM'"
Subject: Re: Firewalls over NT vs. UNIX
Date: Wed, 4 Dec 1996 08:45:23 -0300
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <19961204084840622.AAA154@oswaldo40>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't think so... If I use a Windows NT with MS Proxy Server, I'm sure that my network is secure... I can even use IPX on my private LAN... Can you hack this? ;-)

Oswaldo Gomes

----------
> From: Douglas Cheline
> To: 'Firewalls@GreatCircle.COM'
> Subject: RE: Firewalls over NT vs. UNIX
> Date: Tuesday, December 03, 1996 9:08 PM
>
> I guess no-one really wants to touch this subject. Is it perhaps
> because NT really is "very secure" and we can trust it to do security
> firewalling? grin;-)
>
> >Douglas Cheline
> >Senior Consultant Business Solutions
> >
> >G E N U I T Y, Inc.
> >a Bechtel company
> >
> >dcheline@genuity.net
> http://www.genuity.net
>
> >----------
> >From: Douglas Cheline
> >Sent: Sunday, December 01, 1996 3:12 PM
> >To: 'Firewalls@GreatCircle.COM'
> >Subject: Firewalls over NT vs.
> >  UNIX
> >
> >The various Firewall vendors that I have spoken to have repeatedly stated
> >that, even though their product does run over NT, running firewalls over UNIX
> >is much more secure. The reasoning I get is that NT has some inherent
> >vulnerabilities that cannot be plugged since the code is proprietary and
> >closed. UNIX on the other hand is standard based and open, plus it has been
> >on the market much longer and more efforts have been placed in plugging the
> >holes there.
> >
> >This sounds nice but not very convincing unless some hard facts are revealed.
> > Can knowledgeable members of this forum tell me what those 'holes' in NT are?
> > and is this a valid argument?
> >
> >disclaimer: I, myself, prefer UNIX based applications but I don't have a
> >facts based argument for that preference when it comes to firewalls.
> >
> >Thanks in advance for your responses.
> >
> >Regards,
> >
> >Douglas Cheline
> >Senior Consultant Business Solutions
> >
> >G E N U I T Y, Inc.
> >a Bechtel company
> >
> >dcheline@genuity.net
> >http://www.genuity.net
>

From firewalls-owner Wed Dec 4 04:03:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA17834 for firewalls-outgoing; Wed, 4 Dec 1996 03:37:15 -0800 (PST)
Received: from deere-bh.dx.deere.com (deere-bh.dx.deere.com [207.122.201.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA17685 for ; Wed, 4 Dec 1996 03:36:03 -0800 (PST)
Received: (from uucp@localhost) by deere-bh.dx.deere.com (8.6.12/8.6.11) id FAA28318; Wed, 4 Dec 1996 05:36:13 -0600
Received: from deere.com by deere-bh.dx.deere.com via smap (V1.3) id sma028279; Wed Dec 4 05:36:04 1996
Received: from 90.deere.com (dts.90.deere.com) by deere.dx.deere.com (4.1/SMI-4.0) id AA00372; Wed, 4 Dec 96 05:35:52 CST
Received: from bc17684.deere.com by 90.deere.com (SMI-8.6/SMI-SVR4) id FAA25545; Wed, 4 Dec 1996 05:34:25 -0600
Message-Id: <32A4B1FC.41C0@90.deere.com>
Date: Tue, 03 Dec 1996 17:04:28 -0600
From: Bertrum Carroll
Organization: Deere & Company
X-Mailer: Mozilla 2.01Gold (Win95; I)
Mime-Version: 1.0
To: Nick Keenan
Cc: Bill Heiser , firewalls@GreatCircle.COM
Subject: Re: restricting OUTBOUND access
References: <23514668534765@gsionline.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unrestricted outbound isn't really that bad. Are your users the only ones on your network? Else you become an internet provider to those connected to your network. Not a really big deal unless you're a lawyer.

From firewalls-owner Wed Dec 4 04:40:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA21188 for firewalls-outgoing; Wed, 4 Dec 1996 04:19:49 -0800 (PST)
Received: from sam.networx.ie (ts17-04.dublin.indigo.ie [194.125.134.120]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA21141 for ; Wed, 4 Dec 1996 04:19:09 -0800 (PST)
Received: from mip1.networx.ie (mip1.networx.ie [194.9.12.1]) by sam.networx.ie (8.6.12/8.6.12) with SMTP id LAA15501; Wed, 4 Dec 1996 11:14:49 GMT
X-Organisation: I.T. NetworX Ltd
X-Business: Network Consultancy and Training
X-Address: 67 Merrion Square, Dublin 2, Ireland
X-Voice: +353-1-676-8866
X-Fax: +353-1-676-8868
Received: from mike.networx.ie by mip1.networx.ie
Date: Wed, 4 Dec 1996 12:05:52 GMT
From: Michael Ryan
Reply-To: mike@NetworX.ie
Subject: Re: Q: Free NAT packages for FreeBSD ??
To: ""
Cc: Firewalls@GreatCircle.COM
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Dec 1996 16:22:39 +0800 wrote:

> Hi, I am looking for a package which would do the functionality
> of NAT(Network Address Translation ) on FreeBSD or some other
> platforms. I am wondering if there is any one which is freeware
> or shareware ?
http://cheops.anu.edu.au/~avalon/ip-filter.html

Bye,
Mike
---

From firewalls-owner Wed Dec 4 04:59:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA21844 for firewalls-outgoing; Wed, 4 Dec 1996 04:37:19 -0800 (PST)
Received: from wormhole.tds.de (wormhole.tds.de [193.28.100.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA21806 for ; Wed, 4 Dec 1996 04:36:57 -0800 (PST)
Received: (from uucp@localhost) by wormhole.tds.de (8.8.0/8.6.9) id NAA14748 for ; Wed, 4 Dec 1996 13:32:34 +0100
Received: from nv6000x.hn.tds.de(193.28.102.69) by wormhole.hn.tds.de via smap (V2.0beta) id xma014744; Wed, 4 Dec 96 13:32:22 +0100
Message-ID: <32A56FAE.59E2@dat.tds.de>
Date: Wed, 04 Dec 1996 13:33:50 +0100
From: Christopher Tighe
Organization: Tele-Daten Service GmbH
X-Mailer: Mozilla 3.0 (X11; I; AIX 2)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Ip Routing on a SUN
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi,

does anyone know how to turn _OFF_ ip routing (forwarding or whatever else SUN wants to call it) on Solaris 2.5.1??? Do I need to regenerate the kernel, or is there an option hidden somewhere that I can't find???

any help would be appreciated,

thanks
chris

-- 
+------------------------------------------------------------+
| Christopher Tighe BSc.(Hons)    Tel: ++49 (0)7131 6235-119 |
| Network Services                Fax: ++49 (0)7131 6235-115 |
| tele-daten service GmbH         E-Mail: ctighe@tds.de      |
| Titotstr.
  7-9                                                        |
| 74072 Heilbronn                       \"""/                |
| Germany                               (o o)                |
+------------------------------------.ooO(_)Ooo.-------------+

From firewalls-owner Wed Dec 4 05:26:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA24905 for firewalls-outgoing; Wed, 4 Dec 1996 05:20:17 -0800 (PST)
Received: from relay.interserv.com (relay.interserv.com [165.121.1.67]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA24886 for ; Wed, 4 Dec 1996 05:20:05 -0800 (PST)
From: x1967@iktmail.cph.ih.dk
Received: from 194.182.127.135 ([194.182.127.135]) by relay.interserv.com with SMTP id AA11037 (5.67b/IDA-1.5 for Firewalls@GreatCircle.COM); Wed, 4 Dec 1996 05:20:01 -0800
Date: Wed, 4 Dec 1996 05:20:01 -0800
Message-Id: <199612041320.AA11037@relay.interserv.com>
Subject: How do I get off the list ?
To: Firewalls@GreatCircle.COM
X-Mailer: AIR Mail 3.X (SPRY, Inc.)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Can anyone help me to get off the list ? Please help me.

From firewalls-owner Wed Dec 4 05:40:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA25051 for firewalls-outgoing; Wed, 4 Dec 1996 05:24:40 -0800 (PST)
Received: from www.valuu.net (www.valuu.net [204.252.40.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA25043 for ; Wed, 4 Dec 1996 05:24:27 -0800 (PST)
Received: from fd.valuu.net ([204.252.40.3]) by www.valuu.net (post.office MTA v1.9.1 ID# 0-11837) with SMTP id AAA492 for ; Wed, 4 Dec 1996 08:25:45 -0500
Received: by fd.valuu.net with Microsoft Mail id <01BBE1BB.EE8D6B40@fd.valuu.net>; Wed, 4 Dec 1996 08:19:56 -0500
Message-ID: <01BBE1BB.EE8D6B40@fd.valuu.net>
From: rabbi@www.valuu.net (Rabbi Haim Cassorla)
To: "'firewalls@greatcircle.com'"
Subject: RE: Firewalls over NT vs.
  UNIX
Date: Wed, 4 Dec 1996 08:19:54 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am, admittedly, not extremely knowledgeable in matters firewallian, however, this thread returns me to my farming days on the collective.

1. Am I correctly understanding that a firewall is designed to stand between a "protected" region and a "suspect" region?"

2. Am I correctly understanding that said firewall should/does/(is designed to) "stand alone?"

3. Did I miss some important piece of data which caused you professionals to begin slinging that farm product, (fertilizer, organic, bovine, male), at each other with regard to the vulnerabilities of the "protected" region, being the dominant determinant as to whether the firewall can hold back the "fire?"

Please enlighten me as to why the firewall should care if it is protecting unix, nt, cpm, or the farmer's underware.

Thank you,

"Happy Hanukah to all, and to all eight good nights!!!!"

Rabbi

----------
From: Steven Herod[SMTP:sherod@medeserv.com.au]
Sent: Tuesday, December 03, 1996 11:33 PM
To: William Beem
Cc: firewalls@greatcircle.com
Subject: Re: Firewalls over NT vs. UNIX

William Beem wrote:
>
> More likely that most folks don't know about the security holes in NT yet.
> UNIX holes receive a fair amount of attention, which often causes a furor
> and a fix. Microsoft remains rather tight-lipped about holes in Windows NT.

I'd have to disagree with that, a hole in NT would cause just as large a furor as one in Solaris or Netware for that matter. After all it's Microsoft's flagship OS. "The way of the future...". I'd certainly yell loudly.

> I rather prefer the UNIX approach of knowing what's wrong with it, so
> I can make a reasonably intelligent assessment regarding the security
> of my servers. Microsoft seems unwilling to tell me what's wrong with
> NT.
> Maybe that's why I have more UNIX boxes at work than NT servers.

Perhaps we need to ask some questions....

To decide if NT4.0 is insecure:
  What holes are in it?
  What holes have been patched in past versions?
  What do you have to do to a base NT system to secure it as a firewall?
    As an apps server?
    As a file Server?

To decide if Unix (brand X) is insecure:
  What holes are in it?
  What holes have been patched in past versions?
  What do you have to do to a base Unix system to secure it as a firewall?
    As an apps server?
    As a file Server?

I dare say if Unix wasn't around, and Microsoft launched one of the early implementations of Unix as SuperNT 1.0 the general consensus would have been to avoid it like the plague because of its security problems.

Please correct me if I'm wrong (politely if possible) - I don't intend to cause offence on this prickly subject.

From firewalls-owner Wed Dec 4 06:11:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA28183 for firewalls-outgoing; Wed, 4 Dec 1996 06:03:39 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA28153 for ; Wed, 4 Dec 1996 06:03:23 -0800 (PST)
Message-Id: <199612041403.GAA28153@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA106258190; Thu, 5 Dec 1996 01:03:10 +1100
From: Darren Reed
Subject: Re: Firewalls over NT vs. UNIX
To: rabbi@www.valuu.net (Rabbi Haim Cassorla)
Date: Thu, 5 Dec 1996 01:03:10 +1100 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <01BBE1BB.EE8D6B40@fd.valuu.net> from "Rabbi Haim Cassorla" at Dec 4, 96 08:19:54 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Rabbi Haim Cassorla, sie said:
>
> Please enlighten me as to why the firewall should care if it is
> protecting unix, nt, cpm, or the farmer's underware.
You've missed the point of the discussion. The Unix/NT/CPM or farmer's underware is part of the firewall. Firewall software is one part, the hardware is another and the OS yet another. If they can compromise your HW, you've got other problems but if they can compromise your firewall because your OS can't provide the required support for the f/w, do you stick with that OS ?

Darren

From firewalls-owner Wed Dec 4 06:25:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA29620 for firewalls-outgoing; Wed, 4 Dec 1996 06:17:38 -0800 (PST)
Received: from srv2.persocom.com.br ([200.239.60.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA29553 for ; Wed, 4 Dec 1996 06:17:17 -0800 (PST)
Received: from oswaldo40 ([200.239.46.76]) by srv2.persocom.com.br (post.office MTA v2.0 0813 ID# 0-12327) with ESMTP id AAA196; Wed, 4 Dec 1996 11:47:22 +0000
From: "Oswaldo Gomes"
To: ,
Subject: Re: NT firewalls / Eagle
Date: Wed, 4 Dec 1996 11:47:03 -0300
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-ID: <19961204114721668.AAA196@oswaldo40>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes... Microsoft Proxy Server, for example.. ;-)

Oswaldo Gomes

----------
> From: Michael.Kespohl@svp-consult.com
> To: firewalls@GreatCircle.COM
> Subject: NT firewalls / Eagle
> Date: Wednesday, December 04, 1996 5:28 AM
>
>
>
>
>
> Hello everybody,
>
> are there any firewall systems for Windows NT (commercial or not) besides
> the Eagle system?
>
> Thanks for your help
>
> Michael.Kespohl@svp-consult.com
>

From firewalls-owner Wed Dec 4 07:12:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA29461 for firewalls-outgoing; Wed, 4 Dec 1996 06:15:11 -0800 (PST)
Received: from gw.iai.com (gw.iai.com [206.64.157.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA29434 for ; Wed, 4 Dec 1996 06:14:57 -0800 (PST)
Received: by gw.iai.com; id JAA21373; Wed, 4 Dec 1996 09:14:52 -0500 (EST)
Received: from milford.iai.com(192.206.185.2) by gw.iai.com via smap (3.2) id xma021371; Wed, 4 Dec 96 09:14:34 -0500
Received: by milford.iai.com (AIX 4.1/UCB 5.64/4.03) id AA20162; Wed, 4 Dec 1996 09:14:48 -0500
From: jegan@iai.com (James Egan)
Message-Id: <9612041414.AA20162@milford.iai.com>
Subject: Re: NT firewalls / Eagle
To: Michael.Kespohl@svp-consult.com
Date: Wed, 4 Dec 1996 09:14:48 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Michael.Kespohl@svp-consult.com" at Dec 4, 96 10:28:34 am
Reply-To: Jim.Egan@iai.com
Organization: Integrated Architectures, Inc.
Pgp-Fingerprint: 64 47 DC 51 D9 11 1D FF 31 43 9C 4C E2 A1 FC 04
Pgp-Public-Key: public-key-server@martigny.ai.mit.edu (subject: GET jegan)
X-Mailer: ELM [version 2.4 PL24 ME5a]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael.Kespohl@svp-consult.com recently wrote:
>
>
>
>
>
> Hello everybody,
>
> are there any firewall systems for Windows NT (commercial or not) besides
> the Eagle system?
>
> Thanks for your help
>
> Michael.Kespohl@svp-consult.com
>
>

Trusted Information Systems (TIS) just announced Gauntlet NT.

/Jim/
-- 
James P. Egan                      | Jim.Egan@iai.com
Integrated Architectures, Inc.
                                   | http://www.iai.com
300 East Main Street, Suite 207    | Tel: 508-634-3200 x209
Milford, MA 01757                  | Fax: 508-634-8381
Use PGP for more secure email

From firewalls-owner Wed Dec 4 07:15:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA00721 for firewalls-outgoing; Wed, 4 Dec 1996 06:31:22 -0800 (PST)
Received: from gate.ups.com (gate.ups.com [198.80.14.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA00714 for ; Wed, 4 Dec 1996 06:31:13 -0800 (PST)
Received: by gate.ups.com id AA08752 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Wed, 4 Dec 1996 09:31:10 -0500
Received: by gate.ups.com (Protected-side Proxy Mail Agent-2); Wed, 4 Dec 1996 09:31:10 -0500
Received: by gate.ups.com (Protected-side Proxy Mail Agent-1); Wed, 4 Dec 1996 09:31:10 -0500
Date: Wed, 4 Dec 1996 09:31:06 -0500 (EST)
From: Dave Wreski
X-Sender: tel1dvw@butthead
To: Christopher Tighe
Cc: firewalls@greatcircle.com
Subject: Re: Ip Routing on a SUN
In-Reply-To: <32A56FAE.59E2@dat.tds.de>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think this will do what you want:

    # ndd -set /dev/tcp ip_forwarding 0

You can see a list of available tunable parameters by typing:

    # ndd /dev/tcp \?

Dave

On Wed, 4 Dec 1996, Christopher Tighe wrote:

> hi,
>
> does anyone know how to turn _OFF_ ip routing (forwarding or
> whatever else SUN wants to call it) on Solaris 2.5.1??? Do
> I need to regenerate the kernel, or is there an option
> hidden somewhere that I can't find???

-----------------------------------------------------------------------
"The opinions expressed here are my own and do not represent the views
or opinions of United Parcel Service, Inc."
-----------------------------------------------------------------------
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

From firewalls-owner Wed Dec 4 07:17:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA00430 for firewalls-outgoing; Wed, 4 Dec 1996 06:26:45 -0800 (PST)
Received: from Arbitrade.COM (iafsrv.arbitrade.com [204.242.156.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA00413 for ; Wed, 4 Dec 1996 06:26:31 -0800 (PST)
Received: from andrews.Arbitrade.COM (andrews.arbitrade.com [204.242.156.137]) by Arbitrade.COM (8.7.5/8.6.9) with ESMTP id IAA01632; Wed, 4 Dec 1996 08:30:20 -0600 (CST)
Received: (from andrew@localhost) by andrews.Arbitrade.COM (SMI-8.6/8.6.9) id IAA01599; Wed, 4 Dec 1996 08:23:24 -0600
From: "Andrew A. Benson"
Message-Id: <199612041423.IAA01599@andrews.Arbitrade.COM>
Subject: Re: Ip Routing on a SUN
To: ctighe@dat.tds.de (Christopher Tighe)
Date: Wed, 4 Dec 1996 08:23:24 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <32A56FAE.59E2@dat.tds.de> from "Christopher Tighe" at Dec 4, 96 01:33:50 pm
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> hi,
>
> does anyone know how to turn _OFF_ ip routing (forwarding or
> whatever else SUN wants to call it) on Solaris 2.5.1??? Do
> I need to regenerate the kernel, or is there an option
> hidden somewhere that I can't find???
>
> any help would be appreciated,
>
> thanks
> chris

Hi Chris,

Try this:

    /usr/sbin/ndd -set /dev/ip ip_forwarding 0

No kernel rebuild is necessary.

Andrew

> -- 
> +------------------------------------------------------------+
> | Christopher Tighe BSc.(Hons)    Tel: ++49 (0)7131 6235-119 |
> | Network Services                Fax: ++49 (0)7131 6235-115 |
> | tele-daten service GmbH         E-Mail: ctighe@tds.de      |
> | Titotstr.
>   7-9                                                        |
> | 74072 Heilbronn                       \"""/                |
> | Germany                               (o o)                |
> +------------------------------------.ooO(_)Ooo.-------------+
>

-- 
Andrew Benson
System & Network Administrator
andrew@arbitrade.com
Arbitrade, LLC

From firewalls-owner Wed Dec 4 07:53:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA04107 for firewalls-outgoing; Wed, 4 Dec 1996 07:23:07 -0800 (PST)
Received: from mail13.digital.com (mail13.digital.com [192.208.46.30]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA04076 for ; Wed, 4 Dec 1996 07:22:46 -0800 (PST)
From: chen@ibg.ljo.dec.com
Received: from vanna.ljo.dec.com by mail13.digital.com (8.7.5/UNX 1.5/1.0/WV) id KAA29424; Wed, 4 Dec 1996 10:14:37 -0500 (EST)
Received: from ibgcore1.ibg.ljo.dec.com by vanna.ljo.dec.com; (5.65v3.2/1.1.8.2/07Oct96-0216PM) id AA18102; Wed, 4 Dec 1996 10:15:38 -0500
Received: from tracy.ibg.ljo.dec.com by ibgcore1.ibg.ljo.dec.com; (5.65v3.2/1.1.8.2/18Apr96-1020AM) id AA06657; Wed, 4 Dec 1996 10:14:35 -0500
Message-Id: <9612041514.AA06657@ibgcore1.ibg.ljo.dec.com>
To: Michael.Kespohl@svp-consult.com
Cc: firewalls@GreatCircle.COM, chen@ibg.ljo.dec.com
Subject: Re: NT firewalls / Eagle
In-Reply-To: Your message of "Wed, 04 Dec 96 10:28:34 +0200."
Date: Wed, 04 Dec 96 10:23:40 -0500
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

AltaVista Firewall for NT, visit http://www.altavista.software.digital.com/firewall/index.htm

Tracy

From firewalls-owner Wed Dec 4 08:03:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01347 for firewalls-outgoing; Wed, 4 Dec 1996 06:38:44 -0800 (PST)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA01296 for ; Wed, 4 Dec 1996 06:38:11 -0800 (PST)
Received: by gauntlet-1.trusted.com; id JAA16119; Wed, 4 Dec 1996 09:47:22 -0500
Received: from dira.rv.tis.com(10.0.1.43) by gauntlet-1.trusted.com via smap (V3.1.1) id xma016073; Wed, 4 Dec 96 09:46:59 -0500
Received: from unit65.rv.tis.com (dyn173.trusted.com [10.0.1.173]) by dira.rv.tis.com (8.7.4/8.7.3) with SMTP id JAA22979; Wed, 4 Dec 1996 09:33:15 -0500 (EST)
Message-Id: <3.0.32.19961204092903.006e5088@pop.rv.tis.com>
X-Sender: avolio@pop.rv.tis.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 04 Dec 1996 09:35:44 -0500
To: "Terry L. Bernstein" , mike@ptes.com (Mike Bernhardt)
From: Frederick M Avolio
Subject: Re: PIX and Gauntlet
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Gauntlet:
> ... It is much harder to
>configure and uses cryptic text files (at least in the last version I saw).
> ... will take more effort to install.

You must have looked at an old version. GUI interface, installs in a short while.
f

From firewalls-owner Wed Dec 4 08:04:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA03229 for firewalls-outgoing; Wed, 4 Dec 1996 07:11:30 -0800 (PST)
Received: from omsk.quadrix.com (omsk.yourtown.com [205.246.66.7]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA03215 for ; Wed, 4 Dec 1996 07:11:23 -0800 (PST)
Received: by omsk.quadrix.com (4.1/SMI-4.1) id AA02625; Wed, 4 Dec 96 10:21:53 EST
Date: Wed, 4 Dec 96 10:21:53 EST
From: bve@yourtown.com (BVE)
Message-Id: <9612041521.AA02625@omsk.quadrix.com>
To: firewalls@greatcircle.com
Subject: Re: Firewalls over NT vs. UNIX
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Date: Wed, 04 Dec 1996 14:33:51 +1000
From: Steven Herod

William Beem wrote:
> More likely that most folks don't know about the security holes in NT yet
> UNIX holes receive a fair amount of attention, which often causes a furor
> and a fix. Microsoft remains rather tight-lipped about holes in Windows
> NT.

I'd have to disagree with that, a hole in NT would cause just as large a furor as one in Solaris or Netware for that matter. After all it's Microsoft's flagship OS. "The way of the future...". I'd certainly yell loudly.

The problem, IMHO, is finding the bugs, and then advertising their existence, and their fix. MS doesn't let you see the source; Unix does. While you or I may not care to look at it, there are many who do. If you watch some other security lists (like Bugtraq), you will find that people regularly scour the various Unix sources for buffer-overruns, etc. They then report on a "weakness, which may or may not be exploitable." Often, someone else then creates the exploit code, and a fix to prevent the problem (if the fix wasn't already provided by the discoverer). This is good. There is also an extensive reporting system for Unix bugs, and Unix vendors have been trained to respond quickly.
My perception is that MS, on the other hand, does not work quite so hard to disseminate bug fixes. They certainly don't like to tell you what problems exist. For other reasons, they don't release their source (except at high cost). This prevents the easy discovery of theoretical problems, which would otherwise be corrected.

Don't be fooled by security through obscurity! The hackers find the holes -- we might as well, too!

Remember, the MS coders are human, too. Their code contains bugs, just like Unix. It's just a matter of finding them, so the decision is about the difficulties in finding and fixing them....

--
Bill Van Emburg Phone: 908-235-2335
Quadrix Solutions, Inc. Fax: 908-235-2336
(bve@quadrix.com) Check out http://yourtown.com!
(http://quadrix.com) "You do what you want, and if you didn't, you don't"

From firewalls-owner Wed Dec 4 08:16:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01346 for firewalls-outgoing; Wed, 4 Dec 1996 06:38:44 -0800 (PST)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA01295 for ; Wed, 4 Dec 1996 06:38:10 -0800 (PST)
Received: by gauntlet-1.trusted.com; id JAA16093; Wed, 4 Dec 1996 09:47:21 -0500
Received: from dira.rv.tis.com(10.0.1.43) by gauntlet-1.trusted.com via smap (V3.1.1) id xma016074; Wed, 4 Dec 96 09:46:59 -0500
Received: from unit65.rv.tis.com (dyn173.trusted.com [10.0.1.173]) by dira.rv.tis.com (8.7.4/8.7.3) with SMTP id JAA22982; Wed, 4 Dec 1996 09:33:16 -0500 (EST)
Message-Id: <3.0.32.19961204093035.006e5ffc@pop.rv.tis.com>
X-Sender: avolio@pop.rv.tis.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 04 Dec 1996 09:35:44 -0500
To: Gilbert Soueidy , Great Circle Firewall Mailing List
From: Frederick M Avolio
Subject: Re: Sockd on TIS
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:43
AM 12/4/96 +0100, Gilbert Soueidy wrote:
>Hi,
>
>Is there a Sockd package by default on Gauntlet TIS proxy ?

No. Is there a need for one? (I am serious. Wow... my second serious note to this mailing list today! I apologize to those who anxiously read my postings for my wit and whimsy. There, that's better. :-))

Fred

From firewalls-owner Wed Dec 4 08:48:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA03591 for firewalls-outgoing; Wed, 4 Dec 1996 07:15:41 -0800 (PST)
Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA03486 for ; Wed, 4 Dec 1996 07:15:13 -0800 (PST)
Received: (from smap@localhost) by ereapp.erenj.com (8.8.3/8.8.3) id KAA11427 for ; Wed, 4 Dec 1996 10:15:14 -0500
Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma011408; Wed Dec 4 10:14:53 1996
Received: from clmail1.erenj.com (clmail1.erenj.com [159.70.1.22]) by eredns.erenj.com (8.7.4/8.7.3) with ESMTP id KAA27260 for ; Wed, 4 Dec 1996 10:14:52 -0500
Received: from tiger ([159.129.116.3]) by clmail1.erenj.com (post.office MTA v1.9.3 ID# 0-11437) with SMTP id AAA184; Wed, 4 Dec 1996 09:55:42 -0500
Message-ID: <32A5953E.63DECDAD@erenj.com>
Date: Wed, 04 Dec 1996 09:14:06 -0600
From: Andy Howard
Organization: Exxon Computing Services
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 4.1.4 sun4c)
MIME-Version: 1.0
To: Rabbi Haim Cassorla
CC: firewalls@greatcircle.com
Subject: Re: Firewalls over NT vs. UNIX
References: <01BBE1BB.EE8D6B40@fd.valuu.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rabbi Haim Cassorla wrote:
>
> I am, admittedly, not extremely knowledgeable in matters firewallian, however, this thread returns me to my farming days on the collective.
>
> 1.
> Am I correctly understanding that a firewall is designed to stand between a "protected" region and a "suspect" region?"

Sounds good, so far.

> 2. Am I correctly understanding that said firewall should/does/(is designed to) "stand alone?"

Uuhhh, okay, it stands alone, but is still subject to the weaknesses of its operating system... from this viewpoint, it is just another device to be attacked.

> 3. Did I miss some important piece of data which caused you professionals to begin slinging that farm product, (fertilizer, organic, bovine, male), at each other with regard to the vulnerabilities of the "protected" region, being the dominant determinant as to whether the firewall can hold back the "fire?"
>

The slinging/discussion is about the operating system of the firewall and its vulnerabilities, I believe, not the protected or unprotected regions. (see #2)

> Please enlighten me as to why the firewall should care if it is protecting unix, nt, cpm, or the farmer's underwear.
>

Correct, firewall doesn't care what it is protecting.

< rest of msg snipped>

--
Andy Howard 713-656-4396 achowar@erenj.com
"Think hard! Think Fast! Think Often! But Think!"
The contents of this note are my opinion and should be treated only as that.
From firewalls-owner Wed Dec 4 09:04:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA09974 for firewalls-outgoing; Wed, 4 Dec 1996 08:33:14 -0800 (PST)
Received: from mail-out2.apple.com (mail-out2.apple.com [17.254.0.51]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA09964 for ; Wed, 4 Dec 1996 08:33:05 -0800 (PST)
Received: from scv1.apple.com (A17-128-100-119.apple.com [17.128.100.119]) by mail-out2.apple.com (8.7.5/8.7.3) with ESMTP id IAA74756 for ; Wed, 4 Dec 1996 08:31:41 -0800
Received: from [17.221.23.212] (syedri.apple.com [17.221.23.212]) by scv1.apple.com (8.7.5/8.7.3) with SMTP id IAA10244 for ; Wed, 4 Dec 1996 08:33:45 -0800
X-Sender: syed1@mail.apple.com (Unverified)
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 4 Dec 1996 08:33:12 -0800
To: Firewalls@GreatCircle.COM
From: syed1@apple.com (riaz syed)
Subject: get off the list?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi:

Can anyone advise me how to get off the list. I'd appreciate a quick response.
Thanks
-Riaz

From firewalls-owner Wed Dec 4 09:08:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01085 for firewalls-outgoing; Wed, 4 Dec 1996 06:35:47 -0800 (PST)
Received: from gate.ups.com (gate.ups.com [198.80.14.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA01057 for ; Wed, 4 Dec 1996 06:35:35 -0800 (PST)
Received: by gate.ups.com id AA08886 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Wed, 4 Dec 1996 09:35:26 -0500
Received: by gate.ups.com (Protected-side Proxy Mail Agent-2); Wed, 4 Dec 1996 09:35:26 -0500
Received: by gate.ups.com (Protected-side Proxy Mail Agent-1); Wed, 4 Dec 1996 09:35:26 -0500
Date: Wed, 4 Dec 1996 09:35:23 -0500 (EST)
From: Dave Wreski
X-Sender: tel1dvw@butthead
To: Christopher Tighe
Cc: firewalls@greatcircle.com
Subject: Re: Ip Routing on a SUN
In-Reply-To: <32A56FAE.59E2@dat.tds.de>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ah shoot. You ever wish you could take a message back? :)

Correction:

# ndd -set /dev/ip ip_forwarding 0

will turn it off.

Dave
-----------------------------------------------------------------------
"The opinions expressed here are my own and do not represent the views or opinions of United Parcel Service, Inc."
-----------------------------------------------------------------------
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

From firewalls-owner Wed Dec 4 09:12:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA10041 for firewalls-outgoing; Wed, 4 Dec 1996 08:34:16 -0800 (PST)
Received: from mn1.swip.net (mn1.swip.net [192.71.180.97]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA10033 for ; Wed, 4 Dec 1996 08:34:00 -0800 (PST)
Received: by mn1.swip.net (8.8.2/2.01) id QAA09674; Wed, 4 Dec 1996 16:31:44 GMT
Message-ID: <199612041631.QAA09674@mn1.swip.net>
Received: by scc.se (MG PM3-Waf 3.41); Wed, 4 Dec 96 17:01:55 +0100 (GMT)
From: KNNSCC@scc.se (Klas Nilsson)
To: firewalls@GreatCircle.COM
Date: Wed, 4 Dec 1996 10:11:49 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: AltaVista Firewall !?
Reply-to: SCCAB_STH1/KNNSCC
X-mailer: Pegasus Mail for Windows (v2.23SE)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Howdy ya all...

I have followed this group for about one week, haven't heard any of you mention the AltaVista Firewall. I'm evaluating the AltaVista Firewall, for a major company in Sweden. And I'm kind'a new on this territory, of Firewalls. Have YOU any good or bad experience of the AltaVista Firewall (Digital), please send me a line.

I'm also evaluating the estimated need for bandwidth, what do you think of this. A company with 1100+ e-mail accounts, and about 50 persons need to surf on this line. Would 256Kbit/s be enough, or does this company need higher capacity?

YOU can help me, by telling me what you think.
klas@pseci.se
Scandiaconsult AB / IT-Avdelningen
Klas "Nisse fran TeamWork" Nilsson
Tel: 08-615 60 41 Fax: 08-702 19 16
prv i-maejl: klas@pseci.se

From firewalls-owner Wed Dec 4 09:14:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA05398 for firewalls-outgoing; Wed, 4 Dec 1996 07:44:19 -0800 (PST)
Received: from INET-03-IMC.itg.microsoft.com (mail3.microsoft.com [131.107.3.23]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA05382 for ; Wed, 4 Dec 1996 07:44:12 -0800 (PST)
Received: by INET-03-IMC.itg.microsoft.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBE1B7.13848FA0@INET-03-IMC.itg.microsoft.com>; Wed, 4 Dec 1996 07:45:10 -0800
Message-ID:
From: Wendy Hedgpeth
To: "'firewalls@greatcircle.com'"
Cc: Steve Pogge
Subject: Netbios proxy
Date: Wed, 4 Dec 1996 07:42:26 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know of a firewall package that has a netbios proxy? Please reply directly to me. I am not on this alias.
thanks,
Wendy Hedgpeth
Microsoft Premier technical account manager
wendyhe@microsoft.com
(704)-582-8522

From firewalls-owner Wed Dec 4 09:38:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA05444 for firewalls-outgoing; Wed, 4 Dec 1996 07:44:50 -0800 (PST)
Received: from mail-e2b.gnn.com (mail-e2b.gnn.com [204.148.102.170]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA05405 for ; Wed, 4 Dec 1996 07:44:34 -0800 (PST)
Received: from 66-7.client.gnn.com (66-7.client.gnn.com [205.188.66.7]) by mail-e2b.gnn.com (8.7.6/8.7.3/GNN-1.0.7) with SMTP id KAA11800; Wed, 4 Dec 1996 10:44:30 -0500 (EST)
Date: Wed, 4 Dec 1996 10:44:30 -0500 (EST)
Message-Id: <199612041544.KAA11800@mail-e2b.gnn.com>
X-Sender: FSymington@pop.gnn.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: WarRoom2@aol.com
From: "F.S. Symington"
Subject: Re: WarRoom ISS Survey -- Gembicki's Comments
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:54 AM 12/3/96 -0500, WarRoom2@aol.com wrote:
>Anyone interested in WarRoom Research's comments on the 1996 Information
>Systems Security Survey should contact me directly at the numbers listed below. I would be happy to discuss the project's
>objectives, methodology, and analysis as well as some of the data/information
>that was NOT released.
>

I would be quite interested in reading any papers developed from the survey results. Please let me know what is available and how I would locate such information.
Thanks
fss

=====================================================
Fred Symington || FSymington@gnn.com
WYLE Electronics || Voice 203.269.1765
1062 Barnes Road #300 || Fax 203.269.1879
Wallingford, CT 06492 || or .7507
=====================================================

From firewalls-owner Wed Dec 4 09:38:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01336 for firewalls-outgoing; Wed, 4 Dec 1996 06:38:38 -0800 (PST)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA01293 for ; Wed, 4 Dec 1996 06:38:10 -0800 (PST)
Received: by gauntlet-1.trusted.com; id JAA16092; Wed, 4 Dec 1996 09:47:20 -0500
Received: from dira.rv.tis.com(10.0.1.43) by gauntlet-1.trusted.com via smap (V3.1.1) id xma016069; Wed, 4 Dec 96 09:46:57 -0500
Received: from unit65.rv.tis.com (dyn173.trusted.com [10.0.1.173]) by dira.rv.tis.com (8.7.4/8.7.3) with SMTP id JAA22976; Wed, 4 Dec 1996 09:33:14 -0500 (EST)
Message-Id: <3.0.32.19961204092604.006c0720@pop.rv.tis.com>
X-Sender: avolio@pop.rv.tis.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 04 Dec 1996 09:35:43 -0500
To: mike@ptes.com (Mike Bernhardt), firewalls@greatcircle.com
From: Frederick M Avolio
Subject: Re: PIX and Gauntlet
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, you can imagine my opinion, so I won't give it. I have a question for you though. What do you define as a "real firewall?" I'd not define a packet filter -- dynamic, stateful, or otherwise -- as a real firewall in some discussions. In other discussions, I'd say a router, even without filtering is a firewall. (It depends on your definition of "fire," and I am not being facetious here.)
Fred

At 05:55 PM 12/3/96 -0900, Mike Bernhardt wrote:
>I question as a relative newcomer:
>Right now the internet connection at this location is protected with packet
>filtering with a Cisco router. I want to put a real firewall product in
>place.
>
>I'd like opinions on which y'all think is better and why (price aside): a
>Cisco PIX, or Gauntlet on an Ultra1 with 2 Ethernet cards.
>
>
>
>-------------------------------------------------------------
>"He who dies with the most toys, still dies."
>
>
>

From firewalls-owner Wed Dec 4 09:44:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA09580 for firewalls-outgoing; Wed, 4 Dec 1996 08:27:05 -0800 (PST)
Received: from litle.net (wizard.litle.com [205.139.20.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA09563 for ; Wed, 4 Dec 1996 08:26:55 -0800 (PST)
Received: from s_khan.litle.net by litle.net (SMI-8.6/SMI-SVR4) id LAA03217; Wed, 4 Dec 1996 11:23:26 -0500
Message-Id: <2.2.32.19961204164508.009c9820@litle.net>
X-Sender: s_khan@litle.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 04 Dec 1996 11:45:08 -0500
To: Christopher Tighe , firewalls@greatcircle.com
From: "Saqib A. Khan"
Subject: Re: Ip Routing on a SUN
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Take a look @ - /etc/init.d/inetinit

it'll say something like -

ndd -set /dev/ip ip_forwarding 1

1= on, 2=off

Change it to 0 to turn it off.

At 01:33 PM 12/4/96 +0100, Christopher Tighe wrote:
>hi,
>
> does anyone know how to turn _OFF_ ip routing (forwarding or
>whatever else SUN wants to call it) on Solaris 2.5.1??? Do
>I need to regenerate the Kernel, or is there an option
>hidden somewhere that I can't find???
>
>any help would be appreciated,
>
>thanks
>chris

PS: Pls CC all mail to me @ -

---------------------------------------------------
Saqib A.
Khan, Principal
Secure Networks Corporation
Main: 800-357-0208 Fax: 617-738-6060 Direct: 617-872-8865
Saqib_Khan@snc-net.com
---------------------------------------------------
"Sed quis custodiet ipsos custodes?" -Juvenal, c. 100 C.E.
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/

From firewalls-owner Wed Dec 4 09:59:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01794 for firewalls-outgoing; Wed, 4 Dec 1996 06:47:05 -0800 (PST)
Received: from jupiter.kleline.fr (jupiter.kleline.fr [194.250.17.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA01787 for ; Wed, 4 Dec 1996 06:46:55 -0800 (PST)
Received: by jupiter.kleline.fr; id PAA04186; Wed, 4 Dec 1996 15:49:10 +0100 (MET)
Received: from unknown(172.25.200.22) by jupiter.kleline.fr via smap (V3.1.1) id xma004177; Wed, 4 Dec 96 15:48:46 +0100
Received: from sirene. by zeus.kleline.fr (SMI-8.6/SMI-SVR4) id PAA15786; Wed, 4 Dec 1996 15:44:14 +0100
Received: from sirene by sirene. (SMI-8.6/SMI-SVR4) id PAA09611; Wed, 4 Dec 1996 15:44:55 +0100
Message-ID: <32A58E67.55A5@kleline.fr>
Date: Wed, 04 Dec 1996 15:44:55 +0100
From: Gilbert Soueidy
Organization: KLELine
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m)
MIME-Version: 1.0
To: Great Circle Firewall Mailing List
Subject: Re: Sockd on TIS
References: <3.0.32.19961204093035.006e5ffc@pop.rv.tis.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frederick M Avolio wrote:
>
> At 09:43 AM 12/4/96 +0100, Gilbert Soueidy wrote:
> >Hi,
> >
> >Is there a Sockd package by default on Gauntlet TIS proxy ?
>
> No. Is there a need for one? (I am serious. Wow... my second serious note
> to this mailing list today! I apologize to those who anxiously read my
> postings for my wit and whimsy. There, that's better.
> :-))
>
> Fred

Well, I don't know if there is really a need for one, but some applications that run under win95 and that remote-telnet, have only the socks configuration in their options; they don't support proxy configuration; what is the solution in this case ?

--
Gilbert Soueidy KLELine; 8 Rue Galilee-BP 437
System Engineer 75769 Paris Cedex 16-FRANCE
Voice: + 33 1 53 57 00 75 mailto:gsoueidy@kleline.fr
Fax : + 33 1 53 57 00 50 http://www.kleline.fr

From firewalls-owner Wed Dec 4 10:26:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA07642 for firewalls-outgoing; Wed, 4 Dec 1996 08:04:56 -0800 (PST)
Received: from efreeti.trigraph.on.ca (trigraph.interlog.com [199.212.152.228]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA07592 for ; Wed, 4 Dec 1996 08:04:33 -0800 (PST)
Received: from titan.trigraph.on.ca (titan [199.246.215.1]) by efreeti.trigraph.on.ca (8.7.5/8.7.3) with SMTP id LAA21395; Wed, 4 Dec 1996 11:04:17 -0500 (EST)
Received: (from les@localhost) by titan.trigraph.on.ca (8.6.12/8.6.12) id LAA04459; Wed, 4 Dec 1996 11:04:09 -0500
From: Les Gondor
Message-Id: <199612041604.LAA04459@titan.trigraph.on.ca>
Subject: Re: Ip Routing on a SUN
To: firewalls@greatcircle.com
Date: Wed, 4 Dec 1996 11:04:08 -0500 (EST)
Cc: ctighe@dat.tds.de
In-Reply-To: <199612041423.IAA01599@andrews.Arbitrade.COM> from "Andrew A. Benson" at Dec 4, 96 08:23:24 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > hi,
> > >
> > > does anyone know how to turn _OFF_ ip routing (forwarding or
> > > whatever else SUN wants to call it) on Solaris 2.5.1??? Do
> > > I need to regenerate the Kernel, or is there an option
> > > hidden somewhere that I can't find???
[ snip ]
> Hi Chris,
>
> Try this:
>
> /usr/sbin/ndd -set /dev/ip ip_forwarding 0
[snip]
> --
> Andrew Benson System & Network Administrator
> andrew@arbitrade.com Arbitrade, LLC
>

Besides the use of ndd (which would have to go in /etc/init.d/inetinit), you could also touch /etc/notrouter. Minor surgery performed on inetinit will also prevent routing from coming up. Beware upgrades that may overwrite your changes to inetinit.

---
Les Gondor, Gandalf Graphics. les@trigraph.on.ca
Let a smile be your umbrella and you'll wind up with a mouthful of rain.

From firewalls-owner Wed Dec 4 10:45:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA07797 for firewalls-outgoing; Wed, 4 Dec 1996 08:06:45 -0800 (PST)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA07729 for ; Wed, 4 Dec 1996 08:06:13 -0800 (PST)
Received: from cwiz.com by relay3.UU.NET with SMTP (peer crosschecked as: [208.194.52.10]) id QQbsqq24061; Wed, 4 Dec 1996 11:06:13 -0500 (EST)
Received: by cwiz.com (SMI-8.6/SMI-SVR4) id KAA21301; Wed, 4 Dec 1996 10:05:46 -0600
Date: Wed, 4 Dec 1996 10:05:46 -0600
From: mdb@dosmanos.cwiz.com (Martin D. Baldenegro)
Message-Id: <199612041605.KAA21301@cwiz.com>
To: ctighe@dat.tds.de
Subject: Re: Ip Routing on a SUN
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chris,

From the man pages for Solaris 2.5.1:

The following command sets the value of the parameter ip_forwarding in the IP driver to zero. This disables IP packet forwarding.

example% ndd -set /dev/ip ip_forwarding 0

To view the current IP forwarding table, use the following command:

example% ndd /dev/ip ip_ire_status

You can do a man on ndd to get the information.
Martin
" Been there, Done it, got a T-shirt "

----- Begin Included Message -----

From ctighe@dat.tds.de Wed Dec 4 08:01:39 1996
Date: Wed, 04 Dec 1996 13:33:50 +0100
From: Christopher Tighe
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: Ip Routing on a SUN
Content-Transfer-Encoding: 7bit

hi,

does anyone know how to turn _OFF_ ip routing (forwarding or whatever else SUN wants to call it) on Solaris 2.5.1??? Do I need to regenerate the Kernel, or is there an option hidden somewhere that I can't find???

any help would be appreciated,

thanks
chris

--
+------------------------------------------------------------+
| Christopher Tighe BSc.(Hons) Tel: ++49 (0)7131 6235-119 |
| Network Services Fax: ++49 (0)7131 6235-115 |
| tele-daten service GmbH E-Mail: ctighe@tds.de |
| Titotstr. 7-9 |
| 74072 Heilbronn \"""/ |
| Germany (o o) |
+------------------------------------.ooO(_)Ooo.-------------+

----- End Included Message -----

From firewalls-owner Wed Dec 4 10:55:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA06407 for firewalls-outgoing; Wed, 4 Dec 1996 07:54:55 -0800 (PST)
Received: from landfield.com (rkive.landfield.com [208.196.145.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA06346 for ; Wed, 4 Dec 1996 07:54:34 -0800 (PST)
Received: (from kent@localhost) by landfield.com (8.7.5/8.7.3) id JAA20663; Wed, 4 Dec 1996 09:54:18 -0600 (CST)
From: Kent Landfield
Message-Id: <199612041554.JAA20663@landfield.com>
Subject: Re: Firewalls over NT vs.
UNIX
To: sherod@medeserv.com.au
Date: Wed, 4 Dec 1996 09:54:18 -0600 (CST)
Cc: wrbeem@gate.net, firewalls@GreatCircle.COM
In-Reply-To: <32A4FF2F.40D7@medeserv.com.au> from "Steven Herod" at Dec 4, 96 02:33:51 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

# > More likely that most folks don't know about the security holes in NT yet.
# > UNIX holes receive a fair amount of attention, which often causes a furor
# > and a fix. Microsoft remains rather tight-lipped about holes in Windows NT.
#
# I'd have to disagree with that, a hole in NT would cause just as large a
# furor
# as one in Solaris or Netware for that matter. After all it's Microsofts
# flagship
# OS. "The way of the future...". I'd certainly yell loudly.

If you knew about it. The point is that the Unix sources which formed the basis for most commercial versions are publicly available. The community can, has, and is reviewing those sources looking for potential vulnerabilities. Armed with a base knowledge, some then attempt to exploit them on their favorite versions of Unix. There is no basis for this type of "research" in NT and only after you stumble on a serious problem has any mention been forthcoming from Microsoft.

# To decide if NT4.0 is insecure:
# What holes are in it? What holes have been patched in past versions?
# What do you have to do to a base NT system to secure it as a firewall?
# As an apps server?
# As a file Server?
#
# To decide if Unix (brand X) is insecure:
# What holes are in it? What holes have been patched in past versions?
# What do you have to do to a base Unix system to secure it as a firewall?
# As an apps server?
# As a file Server?

Please compare apples with apples. Unix has been around many years and for the most part, developed within an open community.
There will have been many more problems in a 25 year old operating system versus a 5 (??) year old operating system. Then there is the number of different Unix versions versus the tightly controlled Microsoft source baseline.

# I dare say if Unix wasn't around, and Microsoft launched one of the
# early implementations of Unix as SuperNT 1.0 the general consensus would
# have been to avoid it like the plague because of its security
# problems. They did, remember Microsoft's Xenix.. ? ;-)

No, if Unix had not been around, the model for open OS development would not have occurred as it did. The reality based attitude towards security (security by obscurity versus security by evaluation) would have been different.

--
Kent Landfield Phone: 1-817-545-2502
The Landfield Group FAX: 1-817-545-7650
Email: kent@landfield.com http://www.landfield.com/
Please send comp.sources.misc related mail to kent@uunet.uu.net.

From firewalls-owner Wed Dec 4 11:00:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01100 for firewalls-outgoing; Wed, 4 Dec 1996 06:35:58 -0800 (PST)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA01050 for ; Wed, 4 Dec 1996 06:35:34 -0800 (PST)
Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.7.3/8.6.5) with SMTP id JAA26664; Wed, 4 Dec 1996 09:35:09 -0500 (EST)
Message-Id: <199612041435.JAA26664@mail.clark.net>
Comments: Authenticated sender is
From: "Marcus J. Ranum"
Organization: V-ONE Corp Baltimore office
To: firewalls@GreatCircle.COM
Date: Wed, 4 Dec 1996 09:36:02 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Firewalls over NT
CC: mjr@clark.net
X-mailer: Pegasus Mail for Win32 (v2.42a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I guess no-one really wants to touch this subject.
> Is it perhaps
> because NT really is "very secure" and we can trust it to do security
> firewalling? grin;-)

In some firewall architectures, if reasonably implemented, the operating system on which the firewall runs is irrelevant, from a security perspective. Let me try and explain why I believe this - and please bear with a kind of lengthy explanation because it is subtle. I'll use product names as examples but this is not a product plug nor am I saying any approach is better or worse - just different.

Firewall software running on an O/S can exist at different levels within the O/S. For example, a FWTK firewall exists purely above and outside of the O/S. A Checkpoint firewall exists (except for its user interface) between the packet input/output queueing code and the routing layer in the kernel's IP stack. A Firewall/Plus replaces the packet input/output queuing code and talks directly to the network interface cards. Those are 3 totally different approaches, and each approach, you'll notice, is "closer to the wire" and takes increasingly less advantage of the O/S. Early versions of Firewall/Plus ran on DOS and used to completely replace the "kernel" while it was running.

In the case of a FWTK firewall, the kernel is providing complete services up to the applications. Indeed, the person setting the firewall up needs to know enough to make sure that the hand-off between kernel services (connect system call) and application services (inetd) is coordinated with firewall services (proxies). It's not hard, fortunately, to get that right, because the mechanism in question is simple, well-understood, and reasonably "trustworthy."

In the case of a Checkpoint, the kernel is providing a virtual interface to packet buffering and network cards. Other than that, the only thing the kernel does for the Checkpoint is supports logging (filesystem) and user interface (X).
What's interesting is that the firewall software, if it works correctly, should be able to completely protect the layers above, using the same technology and code that it uses to protect the network behind the firewall. Unless you tell the firewall layer it's OK for outsiders to talk to the X server on the firewall box, they can't. So, if the firewall is configured sanely, it's a non-issue whether the firewall has an X server running, or even an old buggy version of sendmail. There is a big advantage in this approach because you develop a service/network screening ability for the firewall, which protects the firewall as well. Assuming it's implemented right and configured so nobody can talk to it, you could be running the buggiest, holiest O/S on the planet above that firewall layer, and still be safe.

Firewall/Plus (and probably SunScreen) takes matters a step farther down the stack and deals with packets directly. This case is very similar to the Checkpoint approach. From a security perspective, the only major difference is that it doesn't even rely on the O/S having gotten the packet queuing/dequeuing layer right. I don't think that's a big deal, but who knows? Another nice thing it lets you do is not have an IP address for the firewall at all -- it's more like a bridge. In that case, you *REALLY* know an outsider's not going to mess with the applications on that firewall -- it won't recognize packets destined for it, and even if it did it won't propagate them up the IP stack to an application that's listening. In this case, the O/S is really a program loader and file system and GUI sitting above a packet queuing filter.

What does this have to do with NT or any other O/S for that matter? Well, depending on where the firewall sits in relation to the O/S, the O/S may be irrelevant to the security of the system. So it could be NT, DOS, UNIX, or whatever, and make no real difference.
The one area where the choice of O/S makes a difference is that each firewall, depending on where it sits, relies on the layers below it, as they are provided by the vendor. That means, I suppose, that a clueless vendor *might* have a hole in their packet queuing/dequeuing layer. Suppose Microsoft had a hook in their packet driver that recognized certain packets as undocumented remote management packets. Then, that would be a Bad Thing. Of course the same could happen in UNIX. This is why I worry that a firewall vendor who supports every platform under the sun may not be taking the time to diligently research the peculiarities of the implementation below their firewall level. The only approach that makes the O/S completely, totally irrelevant is the firewall at the packet driver level. As you move up the stack to the purely application firewalls like FWTK then the O/S becomes increasingly relevant.

Another issue, of course, is whether the O/S is "ready for prime time." Since the firewall is relying on services below the level where it sits, kludginess and performance flaws at those levels may affect its normal function. A memory leak in the connect() system call will eventually crash a pure application layer firewall like FWTK but won't bother a Checkpoint. A buffer overrun in the mbuf routines will crash both FWTK and Checkpoint-type firewalls but will not affect a packet driver level firewall. And so it goes. I'm not convinced that NT's IP stack is "ready for prime time" yet so I'd hesitate to try to build a pure application level firewall on it. A routing/queueing level firewall would probably be OK since the only things NT would be doing are GUI and filesystem and it doesn't have to do that particularly well. A packet driver level firewall will not give a darn about any of the implementation flaws in the O/S above it -- as long as it stays running.

I hope this helps clarify some of my thinking on this matter.
A lot of you have grabbed me at conferences and asked this same question and gotten (probably less organized) variations of this response. I know that a number of people have felt that I was somehow repudiating an earlier stated position that "application level firewalls are the best" -- I still believe that with all these things, marketing aside, the key factor is the skills of the people who build them, how well they know their platform, and how clean/generic the design is.

mjr.
-----
Marcus J. Ranum, Chief Scientist, V-ONE Corporation
Work: http://www.v-one.com
Personal: http://www.clark.net/pub/mjr

From firewalls-owner Wed Dec 4 11:06:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA23651 for firewalls-outgoing; Wed, 4 Dec 1996 10:31:51 -0800 (PST)
Received: from news.rc.on.ca ([207.176.151.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA23612 for ; Wed, 4 Dec 1996 10:31:34 -0800 (PST)
Received: by mail.rc.on.ca with IMAIL 2.0 id <01BBE1E7.22B65410@mail.rc.on.ca>; Wed, 4 Dec 1996 13:29:11 -0500
Message-ID:
From: Russ
To: "'firewalls@greatcircle.com'"
Subject: RE: Firewalls over NT vs. UNIX
Date: Wed, 4 Dec 1996 13:29:11 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Connector (Beta) (4.5.1280.0)
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, I don't like to get into NT vs. Unix stuff on this list, but I thought of a few comments that might add to the discussion without being religious about it.

* If you strip down NT, replace its processes with trusted ones, and build up a Firewall, I'd say you're nuts. That, IMO, is a complete waste of your obvious intelligence, go do it on a Unix box since it's been done that way for years and there's lots of instructions on how to do it.

* If you are going to use NT as a Firewall platform, there should be only one reason you would do that.
You want to integrate your Firewall into your existing NT environment (for any of a number of reasons). If that's not your reasoning, then you shouldn't be considering NT as a Firewall. I do not/will not believe any vendor's claim today that their NT version (or their NT product if they don't have a Unix version) is *more secure* than an existing Unix Firewall product. It's stupid to believe that NT is inherently more secure than brand X Unix, it isn't. It's inherently less secure because of all the bells and whistles that are included and the openness with which things have been implemented. Couple that with the legacy compatibilities it must support and you have an extremely insecure base product.

* And this is what you'd think to start with when building a Firewall??? I don't think so.

* Now with all that said, that doesn't mean that NT shouldn't/couldn't be secured and built to be a very robust and extremely secure Firewall product, it can, and many vendors are out and about staking their reputations on the fact that they can prove it. Venture Capitalists are a strange lot at the best of times, but if you had a solid Unix product and a good reputation, would you gamble all that against Microsoft's penchant for making subtle unadvertised changes to your underlying OS...without first having a solid understanding of what you're dealing with and ensuring you can protect yourself from the Borg? I don't think so.

* So I'd venture to suggest that the NT Firewalls that are available are *as secure* as their Unixen brethren, *or*, they are less secure due to NT features which the NT community want to have and have (or can) accept as additional risks. Yes, this might be construed as a bastardization of Firewalls (lowering the security threshold), but as opposed to no Firewall at all it's a significant increase in the overall level of security on the Internet.
(This isn't to say that a vendor's NT implementation might not be more secure than a Unix version *when protecting an NT environment*, I believe it's definitely possible to provide better NT security using some NT Firewalls than some Unix Firewalls).

* I'm seeing NT Firewalls deployed in sites where they want to minimize the risk, not eliminate it. They don't want to devote the resources to managing a complete Firewall, they want to re-use existing resources (network admin resources) as Firewall resources. They don't want to introduce a box, that to them, seems obscure and foreign, they'd rather use something they're more familiar with. They believe, typically falsely, that an NT Firewall will somehow protect their use of NT services and allow them to extend their NT models beyond their local nets better than if they used a Unix Firewall. They often come from a background that says "if it doesn't do it today, can it do it in the next version?" and buy into the concept that if they build it, Microsoft will come. A lot of people think that because NT is in the headlines, this translates into better NT products vs. Unix (Unix is old, NT is new, new must be better than old)...obvious delusions but beliefs nonetheless.

* But beyond this, I've met nobody who thinks that NT is more securable than Unix. I've met nobody who believes they will be more secure behind an NT Firewall rather than a Unix one. I've met nobody who believes that their desktop insecurity will go away because of an NT Firewall.

* So NT Firewalls have their place, and Unix Firewalls have theirs. Both, typically, can be configured to be as strong as the other. Both, typically, can be configured to leak like a sieve. Both, typically, can be configured to work with third-party authentication tools, but if your third-party authentication is an NT PDC, you need an NT Firewall to talk to it (today).
Now debating the value of the NT SAM as an authentication database, or NT Challenge/Response as an authentication protocol, is a different matter. If the company has already made the investment in that dB, and chooses not to change that, integration with it is very desirable to many.

* Also, smaller sites who don't have the time, intelligence, or patience to configure a Linux or FreeBSD box as a complete Internet server with *some protection* see NT Firewalls as a way to get what they want. Of course most of these people believe they can put everything on their Firewall (SMTP, HTTP, POP3, etc...) 'cause NT can run lots of things and has simple GUI installation programs to get these things up and running. Typically not a very good idea, but at least one vendor of a recently announced NT Firewall actually says that they are happy to run underneath other NT Application services, so the trend may be changing there.

* As for this buffer-overrun stuff, could someone please point me to a single example of an NT process overrunning its buffers? I don't mean CMD.EXE, but an actual NT process which is constrained by the Kernel or the Executive to stay within its memory bounds. It's so easy today for people to throw out the "buffer overrun" attack as a latent threat and never have to back it up. NT's memory leaks, to my knowledge, are limited to not recovering its own allocated memory, thereby dwindling resources. Comparisons between NT and any other Windows platform are just plain lack of knowledge. NT does memory management completely differently.

* Cheers,

Russ
R.C. Consulting, Inc.
- NT/Internet Security Consulting
mailto:Russ.Cooper@RC.on.ca <-- *note the new address*

From firewalls-owner Wed Dec 4 11:12:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA24373 for firewalls-outgoing; Wed, 4 Dec 1996 10:38:25 -0800 (PST)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA24364 for ; Wed, 4 Dec 1996 10:38:17 -0800 (PST)
Received: from cwiz.com by relay3.UU.NET with SMTP (peer crosschecked as: [208.194.52.10]) id QQbsra00498; Wed, 4 Dec 1996 13:38:16 -0500 (EST)
Received: by cwiz.com (SMI-8.6/SMI-SVR4) id MAA21808; Wed, 4 Dec 1996 12:38:00 -0600
Date: Wed, 4 Dec 1996 12:38:00 -0600
From: mdb@dosmanos.cwiz.com (Martin D. Baldenegro)
Message-Id: <199612041838.MAA21808@cwiz.com>
To: syed1@apple.com
Subject: Re: get off the list?
Cc: Firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Riaz,

Please save this message for future reference. Thank you.

If you ever want to remove yourself from this mailing list, you can send mail to with the following command in the body of your email message:

    unsubscribe firewalls user@domainname

Martin
" Been there, Done it, got a T-shirt "

----- Begin Included Message -----

From syed1@apple.com Wed Dec 4 12:31:01 1996
X-Sender: syed1@mail.apple.com (Unverified)
Mime-Version: 1.0
Date: Wed, 4 Dec 1996 08:33:12 -0800
To: Firewalls@GreatCircle.COM
From: syed1@apple.com (riaz syed)
Subject: get off the list?

Hi:

Can anyone advise me how to get off the list. I'd appreciate a quick response.
Thanks
-Riaz

----- End Included Message -----

From firewalls-owner Wed Dec 4 11:43:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA13391 for firewalls-outgoing; Wed, 4 Dec 1996 09:06:07 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA13362 for ; Wed, 4 Dec 1996 09:05:51 -0800 (PST)
Received: (qmail 19606 invoked from smtpd); 4 Dec 1996 17:05:51 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 4 Dec 1996 17:05:51 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id LAA11516; Wed, 4 Dec 1996 11:05:50 -0600
Received: by sonic.nmti.com; id AA25301; Wed, 4 Dec 1996 11:05:42 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9612041705.AA25301@sonic.nmti.com.nmti.com>
Subject: Re: Firewalls over NT vs. UNIX
To: sherod@medeserv.com.au
Date: Wed, 4 Dec 1996 11:05:41 -0600 (CST)
Cc: wrbeem@gate.net, firewalls@greatcircle.com
In-Reply-To: <32A4FF2F.40D7@medeserv.com.au> from "Steven Herod" at Dec 4, 96 02:33:51 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I'd have to disagree with that, a hole in NT would cause just as large a
> furor
> as one in Solaris or Netware for that matter. After all it's Microsoft's
> flagship
> OS. "The way of the future...".

I'd certainly yell loudly. I've posted about several holes in NT that are the precise equivalents of holes in UNIX that NT apologists are always howling about.

For example, people always poke at sendmail. But you can *easily* replace sendmail with secure equivalents... it simply happens to be the default configuration. Yet the default configuration of NT is so insecure that the C2 tool in the resource kit lists a dozen security holes that need to be closed...
and you can't close them all without breaking applications that depend on being able to, for example, write their INI files in the WINNT directory. Oh, sure, they shouldn't be doing that... but you buy computers to run apps not operating systems and if the app you need to run does things like that what alternative have you got? So you leave WINNT writable. So someone replaces a DLL or installs a CPL file with a trojan horse, you log in as Administrator, and pow... so much for NTFS security.

Hell, NT still has the "at" hole, where anyone who has the rights to schedule tasks can run any task they want with system privilege. That's a higher privilege level than administrator since it grants you read-write access to the SAM. Try running REGEDT32.EXE at 1 minute from now and have a look. I last heard of a UNIX box having that hole in 1985, and it took more than that to use it.

No doubt I'll get a bunch of flames back saying I don't understand the NT security model, or that these aren't really holes because you have to have an account on the box to use them. Gentlemen... most of the CERT announcements are about security holes you have to have an account to use!

From firewalls-owner Wed Dec 4 11:48:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA28563 for firewalls-outgoing; Wed, 4 Dec 1996 11:15:17 -0800 (PST)
Received: from pepper.PLU.edu (pepper.PLU.edu [152.117.1.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA28495 for ; Wed, 4 Dec 1996 11:14:45 -0800 (PST)
Received: from plu.edu by plu.edu (PMDF V5.1-5 #17589) id <01ICLZ59KHG0008TT4@plu.edu> for firewalls@greatcircle.com; Wed, 4 Dec 1996 11:14:32 PST
Date: Wed, 04 Dec 1996 11:14:31 -0800 (PST)
From: JEFF BAUMAN
Subject: need firewall?
To: firewalls@greatcircle.com
Message-id: <01ICLZ59OJFM008TT4@plu.edu>
X-VMS-To: IN%"firewalls@greatcircle.com"
X-VMS-Cc: BAUMANJA
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

WHAT WE ARE: a public radio station licensed to and housed at a university.

WHAT WE HAVE: a small (about 50-node) "free standing" LAN with 2 file servers, running Netware 4.1. (Not a UNIX or NT box in sight.)

WHAT WE WANT TO DO: Connect our LAN to the university's fiber backbone to provide Internet access from each workstation on the KPLU LAN.

SECURITY REQUIREMENT: something placed between our LAN and the connection to fiber that blocks external (from on-campus or elsewhere on the Internet) access to our LAN, to help protect confidential information on our file servers.

QUESTIONS: Can a router, alone, provide reasonable (?!) protection? Is a PIX (or similar) firewall more appropriate/necessary? What kind of up-front cost range am I looking at for this barrier?

I like the basic idea of a firewall, and joined this list to learn more about them. After reading posts here for some time, I'm not sure which way KPLU should go. My education continues...

Any assistance would be greatly appreciated.
+========================================================================+
| Jeff Bauman                     Internet: baumanja@PLU.edu            |
| Director of Computing  _/\_     Voice: (206) 536-5009                 |
| KPLU                    jb             (800) NPR-KPLU                 |
| Tacoma WA 98447                 Fax: (206) 535-8332                   |
+========================================================================+

From firewalls-owner Wed Dec 4 12:41:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA26962 for firewalls-outgoing; Wed, 4 Dec 1996 11:01:11 -0800 (PST)
Received: from emout01.mail.aol.com (emout01.mx.aol.com [198.81.11.92]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA26911 for ; Wed, 4 Dec 1996 11:00:54 -0800 (PST)
From: B0GDAN@aol.com
Received: by emout01.mail.aol.com (8.6.12/8.6.12) id OAA26088 for firewalls@greatcircle.com; Wed, 4 Dec 1996 14:00:53 -0500
Date: Wed, 4 Dec 1996 14:00:53 -0500
Message-ID: <961204140052_939854543@emout01.mail.aol.com>
To: firewalls@greatcircle.com
Subject: Proxy & illegal IP numbers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I need help!

I need to allow hosts from the internet to connect to our internal hosts. We use a firewall that does proxying and filtering. The problem is that we use illegal IP addresses inside the company so we can not be addressed from the internet.

Does anyone know about a program that will listen to a port on the firewall, and forward that traffic to a specified host (by changing the IP header maybe)?

Thanks for your help!
DAn

From firewalls-owner Wed Dec 4 13:16:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA20409 for firewalls-outgoing; Wed, 4 Dec 1996 10:04:15 -0800 (PST)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA20190 for ; Wed, 4 Dec 1996 10:02:52 -0800 (PST)
Received: by hidata.com; id AA27938; Wed, 4 Dec 96 10:02:53 PST
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma027936; Wed, 4 Dec 96 10:02:23 -0800
Received: from sysadmin by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id KAA05751; Wed, 4 Dec 1996 10:02:22 -0800
Message-Id: <2.2.32.19961204175800.012cac44@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 04 Dec 1996 09:58:00 -0800
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Re: NT firewalls / Eagle
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:47 AM 12/4/96 -0300, you wrote:
>Yes... Microsoft Proxy Server, for example.. ;-)
>> are there any firewall systems for Windows NT (commercial or not) besides
>> the Eagle system?

That's not a firewall. That's a proxy that needs IIS and NT 4.0 to run. Early marketing efforts by MS tried to give the impression that Catapult was a firewall. Firewalls are built, not added to a computer.

Next we'll have to deal with 'Steel Head', where MS tries to make NT PCs into Cisco-level routers (12/2 Computer World) by adding software over existing exposed and secret security holes.
Bill Stout

From firewalls-owner Wed Dec 4 13:21:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA21578 for firewalls-outgoing; Wed, 4 Dec 1996 10:15:49 -0800 (PST)
Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA21559 for ; Wed, 4 Dec 1996 10:15:30 -0800 (PST)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id MAA05067; Wed, 4 Dec 1996 12:17:34 -0600
Date: Wed, 4 Dec 1996 12:10:03 -0600 (CST)
From: Ron DuFresne
To: riaz syed
cc: Firewalls@GreatCircle.COM
Subject: Re: get off the list?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm reposting this to the list as there have been such a number of folks requesting this info once again:

>From vbaca@Coded.COM Sat Nov 23 17:25:55 1996
Date: Mon, 25 Mar 1996 09:08:49 -0800
From: "Virginia L. Baca"
To: firewalls@GreatCircle.COM
Subject: How To get off <--- god I love that subject

I know there are lots of you out there who want off this list and are afraid to ask how. Well here it is.

Please save this message for future reference. Thank you.

Send mail to: Majordomo@GreatCircle.COM

To subscribe:
    subscribe firewalls
    subscribe firewalls-digest
    subscribe firewalls-performance-digest

To unsubscribe:
    unsubscribe firewalls
    unsubscribe firewalls-digest
    unsubscribe firewalls-performance-digest

If you want to subscribe or unsubscribe something other than the account the mail is coming from, such as a local redistribution list, then append that address to the command; for example, to subscribe "local-firewalls":

    subscribe firewalls-performance-digest local-firewalls@your.domain.net

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.
It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Wed Dec 4 13:24:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA20191 for firewalls-outgoing; Wed, 4 Dec 1996 10:02:56 -0800 (PST)
Received: from gw.garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA20151 for ; Wed, 4 Dec 1996 10:02:22 -0800 (PST)
Received: by gw.garrison.com; id FAA02156; Wed, 4 Dec 1996 05:54:46 -0600 (CST)
Received: from ukn0.garrison.com(10.0.0.2) by gw.garrison.com via smap (3.2) id xma002151; Wed, 4 Dec 96 05:54:34 -0600
Received: by garrison.com. (4.1/Surrogate Sendmail hack) id AA01646; Wed, 4 Dec 96 11:55:22 CST
Date: Wed, 4 Dec 96 11:55:22 CST
From: jeromie@garrison.com (Jeromie Jackson)
Message-Id: <9612041755.AA01646@garrison.com.>
To: firewalls@GreatCircle.COM, dochin@cisco.com
Subject: Re: Cisco's PIX Firewall
Cc: lazar@netevolve.com, mhoward@cisco.com, froys@cisco.com, jlw@cisco.com, afoss@cisco.com, amittal@cisco.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> To clarify the PIX Firewall, it is not a packet filter. It is a dedicated
> security device, built with one purpose in mind -- securing the private LAN
> to the Internet.
>

Hmm, from what I've seen, it certainly does qualify as an IP filtering device. It bases its ACLs on header information, namely src,port,dst,port.flags

It obviously is not an application level gateway, therefore you may be competing with TIS/Raptor for market share, although it is quite different technology. It appears to be a packet filtering device that has NAT capabilities...

> We are in fact directly in competition with Checkpoint, Raptor, TIS, etc.
> The "cut-through proxy" feature provides a significant performance
> enhancement to the security function since users are authenticated at the
> application layer. Once authenticated, the process flow shifts back to the
> network layer which provides the high performance.

I would have to agree that most likely there is a performance enhancement by using PIX instead of an application level gateway.

My question would be, if the PIX product is a firewall, how is it securing the sendmail/mail transport agent for the customers? When mail comes inbound, it has to speak to something.. Since PIX does not have a MTA itself, obviously another box is required. If this is so, the level of security of the MTA is crucial... This seems to be a bad thing.

Also, using something like PIX, are there features that allow filtering of data such as email-content, or java/javascript? What about time based access control? Or what about data reduction utilities to utilize the syslog information that I would assume the PIX can provide...?
Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Wed Dec 4 13:27:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA26203 for firewalls-outgoing; Wed, 4 Dec 1996 10:54:48 -0800 (PST)
Received: from NTWRK1.NETWORK-1.COM (Network-1.com [192.246.254.133]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA26151 for ; Wed, 4 Dec 1996 10:54:31 -0800 (PST)
Message-Id: <199612041854.KAA26151@miles.greatcircle.com>
Received: from scarlett ([192.246.254.180]) by NTWRK1.NETWORK-1.COM with SMTP; Wed, 4 Dec 1996 12:12:50 -0600 (CST)
From: "Kimber Cooper"
To:
Subject: Re: Support of Firewalls
Date: Wed, 4 Dec 1996 11:58:59 -0600
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ron:

What do you mean by "support," exactly? When it comes to implementing firewalls, "support" has many, many forms.

First, there's basic education; you would be surprised (or not, maybe) to hear how many people are looking to implement a firewall just because they keep reading about them--they actually don't know the definition and don't understand the implications of implementation. Should tech support have that role? Or would you rather have the opportunity to query technically knowledgeable sales reps about this? Or do you, the consumer, have the responsibility to educate yourself, thereby giving the company the right to assume that education?

What about implementation of the firewall? I'm talking topology here, not configuration. Not all firewalls are routers; not all firewalls are compatible w/ every piece of hardware. Firewalls won't do diddly to protect the LAN if there are backdoors. Do you expect tech support to look at a topology map and tell you where your holes are and where to place the firewall?
Now--after hours of consideration and topological tinkering--now we're ready to talk about the configuration of the software: is _that_ the role you expect out of tech support?

I pose these questions to the world at large because I manage a tech support department and would really like to hear what the answers are. When I think about relying on resellers, etc. I have to consider the possibility of a huge margin of error for all of these categories, which, quite frankly, makes my stomach clench. Is there a real issue out there with software companies outsourcing first-level support?

Looking forward to hearing from you,

--Kimber Cooper

"Silliness is the last resort of the doomed." --Opus
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Kimberly Hebert Cooper
Manager, Technical Services
Network-1 Software & Technology
khcooper@network-1.com

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>original follows:

> Date: Tue, 3 Dec 1996 23:12:42 -0600
> From: "Ron Malone"
> Subject: Firewall User Group's
*snip*
> My company is looking to purchase a firewall product, but find that most
> software companies want to shield themselves behind a reseller. They claim
> to want to use reseller's distribution system to sell and support the
> product. The problem is that purchasing the firewall software via a
> middleman allows the firewall company to have less responsibility in
> supporting their product. If your 3rd party support is not strong, then you
> have a problem obtaining quality support and cannot contact the software
> maker to provide direct support. Any comments regarding how to get the
> software maker to support the product that created.
> *snip*

From firewalls-owner Wed Dec 4 13:29:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA04324 for firewalls-outgoing; Wed, 4 Dec 1996 12:03:27 -0800 (PST)
Received: from gw.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA04099 for ; Wed, 4 Dec 1996 12:01:46 -0800 (PST)
Received: (from uucp@localhost) by gw.research.megasoft.com (8.7.5/8.7.3-cmcurtin) id PAA25126; Wed, 4 Dec 1996 15:01:38 -0500 (EST)
Received: from goffette.research.megasoft.com(192.168.1.2) by gw.research.megasoft.com via smap (V1.3) id sma025122; Wed Dec 4 15:01:26 1996
Received: by goffette.research.megasoft.com (940816.SGI.8.6.9/940406.SGI) id OAA03818; Wed, 4 Dec 1996 14:54:37 -0500
Date: Wed, 4 Dec 1996 14:54:37 -0500
Message-Id: <199612041954.OAA03818@goffette.research.megasoft.com>
From: C Matthew Curtin
To: Douglas Cheline
Cc: "'Firewalls@GreatCircle.COM'"
Subject: Re: Firewalls over NT vs. UNIX
In-Reply-To:
References:
X-Face: "&>g(&eGr?u^F:nFihL%BsyS1[tCqG7}I2rGk4{aKJ5I_5A\*6RYn4"N.`1pPF9LO!Fa<(gj:12)?=uP2l01e10Gij"7j&-)torL^iBrNf\s7PDLm=rf[PjxtSbZ{J(@@j"q2/iV9^Mx

>>>> "Douglas" == Douglas Cheline writes:

Douglas> The various Firewall vendors that I have spoken to have
Douglas> repeatedly stated that, even though their product does run
Douglas> over NT, running firewalls over UNIX is much more secure.
Douglas> The reasoning I get is that NT has some inherent
Douglas> vulnerabilities that cannot be plugged since the code is
Douglas> proprietary and closed. UNIX on the other hand is standard
Douglas> based and open, plus it has been on the market much longer
Douglas> and more efforts have been placed in plugging the holes
Douglas> there.

Running anything on Windows NT isn't necessarily insecure. It certainly can be, if it's configured poorly. However, security cannot be proven.
It is only by time and standing up to test after test does anything in security reach a level of probable security.

The biggest problem with NT is that it is closed, and its code isn't available to the world to be examined and have bugs eradicated. As a result, the level of security that NT will provide is, at best, unknown.

Along these lines, mjr posted a while back that he sent some folks off to Microsoft for NT developer training or something like that. His post noted that the Microsoft trainer asserted that there are 'administrative hooks' in NT that only Microsoft knows about. What are these hooks? Are they really there? What do they do? What happens if someone with a black hat finds one of 'em out? Is that enough to compromise the security of the OS? We can't possibly know without having the source or reverse engineering the whole thing to hell and back. (Which is forbidden by Microsoft by their wonderfully restrictive totalitarian licenses.)

That's strike one.

Consider something else: Windows NT isn't the subject of advisories like that from CERT simply because Microsoft refuses to participate with the security organizations like CERT. CERT, in its desire to be a white-hat organization that doesn't aid any people wearing black hats, will not release an advisory on a problem to which there is no solution. (Generally, they seem to not stick so closely by this policy anymore, as they published a vulnerability in SATAN before a fix was available. Very strange, that.)

Refusing to participate with the security folks is strike two in my book.

Furthermore, why would you want to run a firewall on NT? So you can pay $1000 for an operating system that allows you to have more than 10 simultaneous IP connections? Microsoft used to claim that there was a difference between NT workstation and NT server. They were caught in that lie by InfoWorld.
A company that is so marketing-driven (as opposed to technology-driven) as Microsoft, has a proven track record of lies and deceit, and makes claims like their proxy server is analogous to the level of security provided by many firewalls, is NOT the kind of vendor that I want to give my company's front door keys to.

Also consider the great speed with which NT is developed. They're so hot to get the next version out that things like security can't possibly be scrutinized very carefully, even within their own organization.

Back to my question as to why someone would want to run a firewall on NT. It doesn't scale as high as Unix (compare its scalability to Solaris, for example.) It doesn't perform as well as Unix (for 0% of the price, FreeBSD will outperform NT in socket performance), and it doesn't have even a fraction of the security tools available in the Unix world. Things that ARE available for NT typically don't include the source, so you're back to having things that you can't trust running on your firewall again.

The only thing that I've ever heard is that they want to run it on NT so that "anyone" can run it. Sorry, but when you're talking about a firewall, it isn't JimBob's home network. You need someone with a clue guarding the front door.

Strike three, it's less functional, less scalable, and locks you into a vendor that wants to take over the world.

I'm not just bashing, but why in the world would anyone want to make themselves dependent upon an EXTERNAL VENDOR to guard the entry point to the Internet? Firewalls are necessarily technical, folks. Anyone looking for a black box to plug into the wall "and just work" is asking for trouble.

--
Matt Curtin cmcurtin@research.megasoft.com Megasoft, Inc Chief Scientist
http://www.research.megasoft.com/people/cmcurtin/
I speak only for myself.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet

From firewalls-owner Wed Dec 4 13:31:45 1996
From: Geoff Mulligan
Date: Wed, 04 Dec 1996 10:57:11 -0700
To: Christopher Tighe
Cc: firewalls@greatcircle.com
Subject: Re: Ip Routing on a SUN
Message-Id: <199612041757.KAA12417@future.mulligan.com>

Don't forget

    # ndd -set /dev/ip ip_forward_src_routed 0

to turn off source routing.

geoff

From firewalls-owner Wed Dec 4 13:34:08 1996
From: Matthew Thompson
To: "'BVE'", "'firewalls@greatcircle.com'"
Subject: RE: Firewalls over NT vs. UNIX
Date: Fri, 6 Dec 1996 10:51:33 +1300
Message-Id: <96Dec5.090612nzdt.35726@kotuku.manukau.govt.nz>

> and their fix. MS doesn't let you see the source; Unix does.
While you or I

Can someone tell me where I get the source for HP-UX, AIX and Solaris 2, and Borderware's modified BSDI Unix then? Bearing in mind I don't want to sign any agreements of the type I'd have to sign to see the source for NT, or pay any significant money, or do anything illegal?

And no, I don't want source for Linux, I want source for the currently shipping vendor versions of these OS's.

---------------------------------------------------------------------
Kiwitech Marine Solutions Ltd.  RaceTech, SailTech, PowerTech, Marine Software & Hardware
Web: http://www.kiwitech.co.nz, Email: mthomps1@kiwitech.co.nz
Phone: +64-9-307-0819  Fax: +64-9-307-6685  Mobile: +64-21-998-600
PO Box 5909, Wellesley Street, Auckland, New Zealand

From firewalls-owner Wed Dec 4 13:37:09 1996
From: David Helms
Reply-To: david.helms@checkpoint.com
Organization: CheckPoint Software Technologies
Date: Wed, 04 Dec 1996 10:47:24 -0600
To: Michael.Kespohl@svp-consult.com
Cc: firewalls@GreatCircle.COM
Subject: Re: NT firewalls / Eagle
Message-ID: <32A5AB1C.1AA4@checkpoint.com>
References: <9612041514.AA06657@ibgcore1.ibg.ljo.dec.com>

Michael,

The December issue of LAN magazine just did a big firewall evaluation that you may want to look at. I obviously point this out because Check Point's FireWall-1 for NT was rated very highly.
David

chen@ibg.ljo.dec.com wrote:
>
> AltaVista Firewall for NT, visit
>
> http://www.altavista.software.digital.com/firewall/index.htm
>
> Tracy

-- 
__________________________________
David Helms
Senior Technical Consultant
CheckPoint Software Technologies
ph 703.684.4824  fx 703.684.4847
davidh@checkpoint.com
__________________________________

From firewalls-owner Wed Dec 4 22:52:47 1996
From: Johnson Wu
Date: Wed, 04 Dec 1996 21:51:57 -0800
To: jeromie@garrison.com (Jeromie Jackson), ahuger@secnet.com
Cc: firewalls@GreatCircle.COM, dochin@cisco.com, mhoward@cisco.com, lazar@netevolve.com, froys@cisco.com, afoss@cisco.com, amittal@cisco.com
Subject: Re: Cisco's PIX Firewall
Message-Id: <2.2.32.19961205055157.00cd6860@politician.translation.com>

To all:

Please use caution when reading the following to avoid confusion.
I posted the original statement of "opens up UDP ports 7648 and 7649 BLINDLY to all traffic including attacks" criticizing packet filtering routers. I also contrasted it with the PIX's adaptive security. I hope readers do not mistake this stateless opening of UDP ports for what the PIX does.

As of today, the current official release of PIX still does not have Java filtering or any SMAPd type of mail wrappers. But that does not prevent it from being a stateful firewall capable of thwarting spoofing and hijacking.

Going against IP spoofing, the PIX has cut-through proxies authenticating inbound sessions from trusted hosts to selected internal hosts. This is user-based authentication. It also randomizes TCP sequence numbers to further minimize the chance of a successful spoofing.

A packet filtering router exposes internal hosts and is not protocol aware. To allow ftp clients inside going out you basically have to open up TCP SRC=20 and DST gt 1023 for everyone in the whole world. The PIX makes an inside network totally invisible to the outside and only reveals certain IP addresses to the destination host when connections go outbound, and only allows the requested data coming in.

With due respect, I challenge Mr. Jackson's point saying:

>> > As far as being
>> > 'spoof proof', that is just not correct. If you are talking to '1.2.3.4', I
>> > can send you a packet appearing as though it is originating from '1.2.3.4'

In the case where the client starts a connection from SRC port 2345 to 1.2.3.4's port 80 to get a webpage and then ends the connection, the PIX immediately closes the connection object after that, and even if the hacker succeeds in impersonating 1.2.3.4 (the dest. host) and tries to come in via SRC=80 dest=2345 with the ACK bit set, the PIX will not let the packets come through.
(Interested PIX owners can try it themselves)

-Johnson

At 10:35 PM 12/4/96 CST, Jeromie Jackson wrote:
>> On Wed, 4 Dec 1996, Jeromie Jackson wrote:
>>
>> > >
>> > > This opens up UDP ports 7648 and 7649 BLINDLY to all traffic including
>> > > attacks. Also there's that infamous estab statement where someone who
>> > > knows how to doctor the ACK bit can inject TCP packets into the customers'
>> > > net.
>> >
>> > Hmm, That certainly looks like packet filtering to me.

Yes you are right. It was my example of a packet filter, not the PIX.

>> > Based on header
>> > information, you are making decisions about packet flow. As far as being
>> > 'spoof proof', that is just not correct. If you are talking to '1.2.3.4', I
>> > can send you a packet appearing as though it is originating from '1.2.3.4',
>> > you would believe me, because there is no authentication built into IPV4. I would
>> > agree, that the filtering mentioned above is better than that done w/ a standard
>> > IP filtering device, although because decisions are being made on objects that
>> > are not authenticated (header information), ACL's can, and will be vulnerable to
>> > spoofing/hijacking.
>> >
>> >Ahuger@secnet.com wrote:
>
>> ACL's being vulnerable to spoofing/hijacking..... I am not sure if I am
>> reading you clear on this, but what I think I see you saying is that you
>> can still spoof Source IP addresses to a Cisco PIX firewall. Also you
>> state, trusted connections to the firewall can be hijacked. If this is
>> what you are saying, my reply would be such.
>>
>> You're correct in saying IP4 has no built in authentication, the only thing
>> in IPV4, related to security is the Security Field (which denotes how
>> classified a datagram is). This being said, anyone, anywhere can slap
>> any Source Address on a packet and fire it off their wire. *No* Firewall
>> can protect you from this. Cisco PIX or otherwise.
>> If you need to speak
>> the outside world (which if you have a Firewall I assume you do) then you
>> are subject to packets with questionable Source Addresses. I don't see
>> this as a real weakness of any given Firewall, just shortcomings of IPV4.
>>
>
> Agreed. I brought this up, to show the inherent weakness in ACLs.
> Obviously both mechanisms, ip filtering devices, and application level gateways, are vulnerable to such data. An IP filtering device uses this as its primary
> access control mechanism though, whereas an application level gateway would
> also implement things to force RFC conformance of the protocols, most likely
> have data reduction tools, and be able to address issues such as the Mail
> Transport Agent problems. App. gateways also have the capability to do things
> such as Java/Javascript filtering, Mail filtering, whereas strictly IP filtering
> mechanisms do not have such capabilities.
>
>> As to streams of data (TCP presumably) being open to hijacking. That again
>> is another problem which cannot really be addressed by a Firewall itself.
>> If an attacker has breached a host whom your firewall allows *unencrypted*
>> or even *encrypted* connections from, you're had. And it's not your
>> Firewall's fault.
>>
>> Both of these issues are policy issues, Both require a Firewall Admin to
>> ask himself how much of the outside world he/she trusts. In the case of
>> spoofable addresses, Admins must realize that not all packets coming in
>> off the net, are really coming from where they say they are. In respects
>> to TCP hijacking, an Admin has to ask his/herself if they want to allow
>> TCP connections through their firewall.
>>
>
> Agreed.
>
>
> Jeromie Jackson
> Garrison Technologies
> jeromie@garrison.com
>

Johnson L.
Wu
Cisco Systems
2464 Embarcadero Way
415/842-2114 voice   415/843-1111 fax
jlw@cisco.com
so long: johnson@translation.com   private: johnson@snoopy.ORG

From firewalls-owner Wed Dec 4 23:12:21 1996
From: Duan Zhenhai
Date: Thu, 5 Dec 1996 14:27:00 +0900 (JST)
To: firewalls@greatcircle.com
Subject: Firewall on FTP

Can anybody tell me some information (documents or source code) about implementing a packet filter for some specific service, like FTP, X11, etc., or where I can find them?

I know that there are some considerations about FTP packet filtering.

1. Let the inbound packets through if their destination port > 1023, but it is not safe for X11, etc.

2. Let the ftp client issue PASV, that is, let both connections be opened from the internal host. But we have to change the client code.

I do think it is useful if we write down some information about the outbound packet if it is an ftp control connection request.
Any comment is appreciated.

Duan Zhenhai

From firewalls-owner Wed Dec 4 23:41:03 1996
From: "JOHN CHIN"
Date: Thu, 05 Dec 96 09:38:17 EDT
To: Firewalls@GreatCircle.COM
Subject: I-WAYONE
Message-Id: <199612050644.AA06152@stargate.compuware.com>

Hi firewall folks,

I am looking for any information about a software called I-WAYONE. If anybody has used it or knows anything about this software, please let me know..

Thanks in advance ....

Regards ..
JC

From firewalls-owner Wed Dec 4 23:55:36 1996
From: bve@yourtown.com (BVE)
Date: Thu, 5 Dec 96 02:48:44 EST
To: firewalls@greatcircle.com
In-Reply-To: <96Dec5.090612nzdt.35726@kotuku.manukau.govt.nz> (message from Matthew Thompson on Fri, 6 Dec 1996 10:51:33 +1300)
Subject: Re: RE: Firewalls over NT vs. UNIX
Message-Id: <9612050748.AA05695@omsk.quadrix.com>

   From: Matthew Thompson

   Can someone tell me where I get the source for HP-UX, AIX and Solaris 2,
   and Borderware's modified BSDI Unix then? Bearing in mind I don't want to
   sign any agreements of the type I'd have to sign to see the source for NT,
   or pay any significant money, or do anything illegal?

While you may not have the source to a specific vendor version, they're all derived from a relatively small number of places (to which the source *is* available), and they all operate in a similar fashion. Thus, a bug found in the free sources can be tried on the non-free sources. The advantages aren't as good as the real source, but they're better than MS....

-- 
Bill Van Emburg            Phone: 908-235-2335
Quadrix Solutions, Inc.    Fax:   908-235-2336
(bve@quadrix.com)          Check out http://yourtown.com!
(http://quadrix.com)       "You do what you want, and if you didn't, you don't"

From firewalls-owner Thu Dec 5 00:26:03 1996
From: israel.serrano@solmelia.es
Date: Thu, 05 Dec 96 08:58:23
To: Firewalls@GreatCircle.COM
Subject: VPNs
Message-Id: <9612050815.AA13146@sunrise>

Buenas. Hi everyone out there!

I just joined the list a couple of weeks ago and maybe you've already discussed the following subject. I apologize, just in case.

My concern, right now, consists basically in the possibility to set up Virtual Private Networks in order to reduce the high costs of maintaining a leased line with some of our international offices (US and Singapore, basically). The problem we face is the chance to expose confidential information to the Internet. I've read a bunch of stuff about the VPNs and also some 'press release' about the SunScreen device (I don't remember right now the name, something like s..-100) and Checkpoint's FW-1 VPN.

Is anyone able to tell me some experiences with this kind of Nets? Which device suits best the VPN deployment, FW-1 or SunScreen? (I guess the latter.) Are they really (REALLY) secure? (Technicians! Help!)
From my point of view, I guess that when you expose your Network to the Internet (even through a Firewall device) you have to assume the risks of deploying a VPN. Am I wrong?!?!?

Please (again) experiences on VPN (real ones).

Thanks a lot. Muchas Gracias.

Luis Israel Serrano Barge
Departamento de Sistemas de Información / Information Technology Department
Sol Meliá (http://www.solmelia.es)
email: israel.serrano@solmelia.es
Tlf: +34 (9)71 43 70 57   Fax: +34 (9)71 43 70 52

From firewalls-owner Thu Dec 5 01:28:22 1996
From: Jan Ivar Pladsen
Date: Thu, 5 Dec 1996 10:17:28 +0100 (MET)
To: Firewalls@GreatCircle.COM
Cc: pladsen@pvv.ntnu.no
Subject: rcp _out_ through firewall, how?

We use rcp to transfer files _from_ our machine _to_ a distant host. Now we are going to install a firewall.

*Can we still use rcp?

*How do we configure the firewall?

*Is it possible using the FWTK?
Anyone capable of explaining to me what packets and ports rcp uses? References to literature are also very much appreciated.

TIA

Jan Ivar Pladsen

From firewalls-owner Thu Dec 5 02:10:59 1996
From: firewalls-owner
Date: 5 DEC 96 04:55:43 EST
Subject: Undeliverable Message
To: Firewalls@GreatCircle.COM
Message-ID: <0005cuamaagg.0005amuoigey@mobile.bam.com>

To: Dean E Vaccher@IS_WBRHQ@BAMSWB BAMX400@MGate@BAM [C=US/A=INTERNET/DDA=ID/firewalls-digest(a)GreatCircle.COM]
Subject: Firewalls-Digest V5 #648

Message not delivered to recipients below.

VNM3043: Dean E Vaccher@IS_WBRHQ@BAMSWB

**** Attachment message(s) will follow in 1 separate transmissions.
From firewalls-owner Thu Dec 5 03:10:58 1996
From: "Marriage, Michael"
To: "'firewalls@greatcircle.com'"
Cc: "Bock-Brown, Jeff"
Subject: Telnet and AGS + socks/cisco Win95 + MS Netmeeting
Date: Thu, 05 Dec 96 11:06:00 PST
Message-ID: <32A71C9D@mailgate.ccn.ac.uk>

I have a number of questions I have bundled together:

  How to program AGS+ for telnet only
  Socks and non-socks Telnet access
  Microsoft Netmeeting and security

I have a requirement to let Telnet access out of our network. In the short term I may have to reprogram our AGS+ router to let telnet access out for specific PCs, but last time I tried this, although I could specify an individual machine, I couldn't specify Telnet only despite using eq 23. It's possible I need to specify something for inbound and outbound telnet, but I would be grateful for any example configs.

In the long term I am looking for something a bit better, and I have been interested in socks and its use with Windows 95. The problem I can foresee is that some users may wish to access internal unix systems without using the socks server; can this be configured?

One of the reasons for looking at socks as a generic way of permitting and monitoring network traffic is Microsoft's Net meeting and ULS (now Internet Location Server).
I have seen little information on how to filter these and any newer products, and perhaps socks will allow a more general way of dealing with this. Any pointers to information on Netmeeting and the transports it uses appreciated.

I'm not a purist in the firewalls debate; I am attempting to implement a flexible security system with good security and a reasonable cost. (They still think I'm paranoid.)

Mike Marriage
Systems Engineering Team Leader
City College Norwich (England)

From firewalls-owner Thu Dec 5 04:29:53 1996
From: weijz@gdut.edu.cn (Wei Jizhou)
Date: Thu, 5 Dec 1996 20:11:28 +0800
To: firewalls@greatcircle.com
Subject: Question?
Message-Id: <9612051211.AA07857@ gdut.edu.cn>

Hi,

I have some questions to ask for your help. I want to attend a video conferencing News Group, but I do not know its IP. Can you tell me that? And would you please tell me some good News Groups about computer science and their IPs? And I also have a question: how can I transmit audio between two computers?

With best regards!

Wei Jizhou
Dec. 5
__
Wei Jizhou                        Computer Science Department
email: weijz@gdut.edu.cn          Guangdong University of Technology
URL: http://202.116.128.26/wjz/   GuangZhou, China (510090)
phone: (86)+(20)+87766069-6553 (Lab.)
From firewalls-owner Thu Dec 5 04:55:51 1996
From: Todd Graham Lewis
Date: Thu, 5 Dec 1996 07:22:50 -0500 (EST)
To: Matthew Thompson
Cc: "'BVE'", "'firewalls@greatcircle.com'"
Subject: RE: Firewalls over NT vs. UNIX
In-Reply-To: <96Dec5.090612nzdt.35726@kotuku.manukau.govt.nz>

On Fri, 6 Dec 1996, Matthew Thompson wrote:

> Can someone tell me where I get the source for HP-UX, AIX and Solaris 2,
> and Borderware's modified BSDI Unix then? Bearing in mind I don't want to
> sign any agreements of the type I'd have to sign to see the source for NT,
> or pay any significant money, or do anything illegal?
>
> And no, I don't want source for Linux, I want source for the currently
> shipping vendor versions of these OS's.

I'd like to stay out of this, given that I've made my views on the topic clear in the past. However, I'll just note that, IMO, Linux and FreeBSD both make very acceptable firewalls. The IPFW packet filtering mechanism is simple and clean, and proxies are a breeze to set up as chroot'ed and as non-root. Plus, there's always IP Masquerading (and equivs) for NAT.

Of course, you have to (gasp!) understand your needs exactly and build them yourself from well-known and -tested tools out there. You have to be able to solve your own problems when they arise. You have to understand enough about security to be able to pull it off.
But isn't that the way it should be for all firewall administrators?

$0.02

__
Todd Graham Lewis        Linux!        Core Engineering        Mindspring Enterprises
tlewis@mindspring.com    (800) 719 4664, x2804

From firewalls-owner Thu Dec 5 06:00:48 1996
From: raf@ezunx.com
Date: Thu, 5 Dec 96 08:52:54 PST
Subject: network access through wall w/tokens
To: firewalls@greatcircle.com

Ok, I know someone will know this --- I remember sometime ago, in a trade show, far far away, I came across an access-token vendor that had a product that was a little different than most. It uses light patterns on a screen and a special device to read them.

Question -- Does anyone know of this product, and can it be used in conjunction with a fw to provide something like vpn access??

-rich

o' |,=./ `o (o o) -----ooO--(_)--Ooo-------
** Remember -- If you can keep your head when all others around you are losing theirs... You're probably not paying attention!
From firewalls-owner Thu Dec 5 06:33:03 1996
From: peter@baileynm.com (Peter da Silva)
Subject: Re: Firewalls over NT vs. UNIX
To: Russ.Cooper@RC.on.ca (Russ)
Date: Thu, 5 Dec 1996 08:08:33 -0600 (CST)
Cc: peter@baileynm.com, firewalls@GreatCircle.COM
In-Reply-To: from "Russ" at Dec 4, 96 05:51:57 pm
Message-Id: <9612051408.AA24426@sonic.nmti.com.nmti.com>

> >If you can feed a program enough data that it starts executing opcodes
> >that you've fed it in a carefully constructed command line the security
> >game is lost unless the operating system can prevent that program
> >from further compromising the system or opening further holes.

> Assuming the process you've done your buffer overrun attack on is
> running as SYSTEM (NT's equivalent to root).

Not on a firewall. On a firewall it can run as any user and perform a SATAN style attack on hosts beyond the firewall. Whether it can subvert internal security on the firewall is less critical.
But even there, the gaps Microsoft has created in NT security (bypassing traverse checking, for example, and the lax permissions you need on system directories) make a trojan horse attack (via the file system or the registry rather than the secured portions of the proxy, for example) quite credible. A similar attack in UNIX, from a chrooted environment, is orders of magnitude more difficult.

> I hate to think all the other answers I gave you about this were
> fake...;-]...but this isn't actually correct. It's not NT that isn't
> built that way, it's the application it's running that might not be built
> that way.

NT is not just the kernel and subsystems, it's got to include the applications as well. Just as people consider sendmail holes to be a UNIX security problem, the configuration problems and problems in Microsoft applications and utilities are NT security problems. NT, as a system, has not been given the same overall attention to security as UNIX. And that's truly scary, because UNIX was not originally designed with high levels of security as a goal!

> It should be remembered that NT is re-written by each of the different
> processor groups from the HAL through the Kernel on up. Much of it
> isn't, but it's all scrutinized by the programming teams for the Alpha,
> PowerPC, and soon to be defunct MIPS vendors. These are not small teams
> of programmers sitting waiting to be told what to do by Microsoft, nor
> are they Microsoft employees. These people have a vested interest in
> examining the code and do so with diligence. To say it doesn't get
> scrutiny outside of Microsoft is a fallacy.

I didn't say that. What I said is that *I* can not scrutinize the source. Whether some programmer subject to a nondisclosure agreement has seen it is utterly irrelevant to me: his study doesn't benefit me any more than a similar study by a Microsoft programmer... unless I'm already a criminal and am willing to coerce him into violating his NDA.
That is, Microsoft's secrecy regarding their source, while completely understandable, does benefit the black hats by keeping most of the white hats away. Most especially, it keeps away the people who will perform the same sort of hostile reviews that have publicised AND CLOSED so many UNIX holes. From firewalls-owner Thu Dec 5 06:42:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA27455 for firewalls-outgoing; Thu, 5 Dec 1996 06:26:44 -0800 (PST) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA27448 for ; Thu, 5 Dec 1996 06:26:33 -0800 (PST) Received: (qmail 24151 invoked from smtpd); 5 Dec 1996 14:26:30 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 5 Dec 1996 14:26:30 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA14787; Thu, 5 Dec 1996 08:26:29 -0600 Received: by sonic.nmti.com; id AA25253; Thu, 5 Dec 1996 08:26:20 -0600 From: peter@baileynm.com (Peter da Silva) Message-Id: <9612051426.AA25253@sonic.nmti.com.nmti.com> Subject: Re: PIX and Gauntlet To: jeromie@garrison.com (Jeromie Jackson) Date: Thu, 5 Dec 1996 08:26:20 -0600 (CST) Cc: tbernstein@sri.com, mike@ptes.com, avolio@tis.com, firewalls@greatcircle.com In-Reply-To: <9612042227.AA01909@garrison.com.> from "Jeromie Jackson" at Dec 4, 96 04:27:53 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The GUI is useful, however, many administrative type processes still > require manual hacking. For example, if adding a generic proxy the users now > have to go in and modify /usr/local/etc/mgmt/rc/* files. If there is a good editor available, why is this a problem? Novell administration requires manual editing of files now and then, but it seems to be quite within the grasp of PC network admin types. 
Just because there's not a specific GUI editor that doesn't make it "too hard" for naive users.

(IMHO the biggest advantage of GUIs for administrative work is it lets your sales reps give impressive demonstrations. For systems bigger than a single workstation the fact that you're unable to do editing tasks that weren't explicitly programmed into the GUI is a big hindrance. For example, in NT's User Mangler... what if I want to just list the users with disabled accounts?)

((I gave up and added a (disabled) entry to the comment field))

From firewalls-owner Thu Dec 5 06:55:57 1996
From: pepa@www.cz (Josef Pojsl)
Subject: Re: rcp _out_ through firewall, how?
To: pladsen@pvv.ntnu.no (Jan Ivar Pladsen)
Cc: Firewalls@GreatCircle.COM, pladsen@pvv.ntnu.no
Date: Thu, 5 Dec 1996 15:51:48 -0100 (CET)

hello,

> We use rcp to transfer files _from_ our machine _to_ a distant host.
> Now we are going to install a firewall.
>
> *Can we still use rcp?
>
> *How do we configure the firewall?
>
> *Is it possible using the FWTK?
>
> Anyone capable of explaining to me what packets and ports rcp uses?
> References to literature are also very much appreciated.
>
> TIA
>
> Jan Ivar Pladsen

rcp uses BSD rsh (Remote SHell) for executing. It runs on the "shell" port, 514, and you can conveniently use it in Gauntlet (it comes with "rsh-gw"). However, I am not sure if this could be managed in FWTK.

Hope this helps.

Josef Pojsl
--
--------------------------------------------------------------------------
Josef Pojsl           e-mail: Josef.Pojsl@www.cz    http://www.cz
SkyNet, s.r.o.        Internet services provider
Kabatnikova 5         tel: +42 5 74 97 75, (749778, 749781, 749786, 748611)
602 00 Brno           fax: +42 5 74 97 52
Czech Republic

From firewalls-owner Thu Dec 5 07:45:41 1996
From: jsluzewski@dna.com
Subject: Secondary IP address
Date: Thu, 05 Dec 96 09:39:00 EST

I have heard that it is possible to configure a secondary IP address on Solaris 2.5.1? If that's true, how can it be done?

Thanks for any help.
jsluzewski@dna.com

From firewalls-owner Thu Dec 5 07:50:42 1996
From: Gé Weijers
Subject: Re: need firewall?
To: Firewalls@GreatCircle.COM
Date: Thu, 05 Dec 1996 09:27:56 -0500

Jeff,

You might get away with a relatively simple solution to protect your network if you use IPX instead of IP to access files on the Netware systems. Just make sure your router does not pass IPX. This way no one can get at your servers _directly_, they have to go through a PC. A set of static filter rules in a router might be enough to prevent that from happening. You do need to understand the limitations of using a static packet filter for a firewall, though. Read Chapman and Zwicky's firewalls book before you spend money. It's called "Building Internet Firewalls", I think.

>SECURITY REQUIREMENT: something placed between our LAN and
>the connection to fiber that blocks external (from on-campus
>or elsewhere on the Internet) access to our LAN, to help
>protect confidential information on our file servers.

I don't think this security policy needs to be refined :-). Do you need inbound access to your LAN for e-mail?

>QUESTIONS: Can a router, alone, provide reasonable (?!)
>protection? Is a PIX (or similar) firewall more
>appropriate/necessary? What kind of up-front cost range am I
>looking at for this barrier?

You won't get a straight answer to this question. It can be anything from, say, $1000 to $50,000. The $1000 solution is to buy a cheap but decent PC, a pair of network cards and a $20 Linux CD-ROM, and get somebody knowledgeable to configure it as a packet filtering router. The $50k solution is to hire a consultant and let them purchase the hardware.

Actually, if you only need outbound access to the Internet, Linux can be configured as a decent dynamic firewall using the 'masquerading' feature. The machines on your LAN won't be visible from the outside world; all the packets going out will have the Linux machine's address on them.

Ge'
_____________________________________________________________
Gé Weijers                       tel. +1(614)326 4600
Progressive Systems, Inc.        fax  +1(614)326 4601
http://www.progressive-systems.com

From firewalls-owner Thu Dec 5 07:52:54 1996
From: Jyri Kaljundi
Subject: Re: VPNs
To: Firewalls@GreatCircle.COM
Date: Thu, 5 Dec 1996 17:06:48 +0200 (EET)

On Thu, 5 Dec 1996, Firewalls-Digest wrote:

> Date: Thu, 05 Dec 96 08:58:23
> From: israel.serrano@solmelia.es
> Subject: VPNs
>
> I've read a bunch of stuff about the VPNs and also some 'press release' about
> SunScreen device (I don't remember right now the name, something like s..-100)
> and Checkpoint's FW-1 VPN.
> IS anyone able to tell me some experiences with this kind of Nets?
> Which device suits best the VPN deployment, FW-1 or SunScreen? (I guess the latter)
> Are they really (REALLY) secure? (Technicians! Help!)

If you are located in Spain, you can get only the version of FW-1 with weak encryption algorithms. US export restrictions do not allow for real encryption to be exported from the US. I would suggest you have a look at F-Secure VPN software, made by Data Fellows in Finland (http://www.datafellows.fi/f-secure/), which is one of the few (if not the only) really strong VPN software products available in Europe (or Africa/Asia etc).
Juri Kaljundi
jk@stallion.ee

From firewalls-owner Thu Dec 5 07:59:29 1996
From: Adrian Knight
Subject: Why would someone want an NT firewall?
To: Firewalls@GreatCircle.COM
Date: Thu, 05 Dec 1996 08:46:46 -0500 (CDT)

I've read for over a year about the Unix vs NT messages. For what it's worth, here are the reasons why, after 6 months of research and training, our site specifically chose an NT firewall instead of a Unix firewall. (FYI, we're running Eagle NT by Raptor)

1) We only have 3 Unix computers on our campus. I manage one of them, and after two years still know very little about it. Yes, if I spent "enough time" on it I would probably be a Unix expert by now, but I don't want to spend that much time, nor do I have the option of spending that much time on it.

2) We don't want to hire a rocket scientist to manage our firewall. A message earlier referred to firewalls being "necessarily technical." That's bogus. I think it's possible that a lot of people making money off of firewalls might want to keep them that way, but there are a lot of average people out there who want to AND CAN handle managing a firewall right along with the MANY other types of systems that are also included in our job responsibilities. In this age of computers, it is no longer valid to try to convince people that computers are just too complicated for the average person. I'm not a Microsoft Groupie or anything, but the reason their company is where they are today is that they realized that! Because our firewall is on an NT platform and has a good GUI, I can be gone for a couple of weeks and even my boss, a manager, can sit down and make changes to the firewall comfortably. Several other people in the computing department with the password could do the same if they had to. After two years, nobody else could sit down to my Solaris box and do anything except manage to shut things down.

3) At the time of my research a year ago, most mainstream firewalls ran on minicomputer-class machines like Sun Sparc, HPUX, AIX. For an educational site with good discounts, a platform like that ran around $15,000. We put our firewall on a well-endowed NT PC for $5,000. Hardware and software maintenance is also much cheaper.

There are many other reasons that I chose NT over Unix, but I'll leave it here.

Adrian Knight               | Network Manager
Harding University          | Internet: KNIGHT@HARDING.EDU
900 E. Center, Box 2264     | Phone: (501) 279-4440
Searcy, AR 72149-0001       |

From firewalls-owner Thu Dec 5 08:05:30 1996
From: bjm@ottawa.com (Brian McIntosh)
Subject: Re: network access through wall w/tokens
To: raf@ezunx.com, firewalls@GreatCircle.COM
Date: Thu, 5 Dec 1996 10:37:22 -0500 (EST)

Rich,

The product you're thinking of is the AccessKey from Vasco Data Security Inc. It can be used in any situation where authentication is needed including VPN access. Several commercial firewall vendors have integrated the AccessKey 'server' code in their products. Check out www.vdsi.com.

Regards,
Brian

At 08:52 AM 96/12/5 PST, raf@ezunx.com wrote:
>Ok, I know someone will know this ---
>
>I remember sometime ago, in a trade show, far far away, I came across
>an access-token vendor that had a product that was a little different
>than most. It uses light patterns on a screen and a special device to
>read them.
>
>Question -- Does anyone know of this product, and can it be used in
>conjunction with a fw to provide something like vpn access??
>
>-rich
>
>  o' |,=./ `o
>    (o o)
>  -----ooO--(_)--Ooo-------
>
>** Remember -- If you can keep your head when all others around
>   you are losing theirs...
>
>You're probably not paying attention!
>
>
========================================================
Brian J. McIntosh           UniSol Inc.
53 Courtney Road            Tel: 613 831 6373
Kanata, Ontario             Fax: 613 831 4739
Canada, K2L 1M1             Email: bjm@ottawa.net
========================================================

From firewalls-owner Thu Dec 5 08:45:07 1996
From: Carlos Marlon Coral Ortiz
Organization: Universidad de los Andes
Subject: Firewall performance???
To: firewalls@GreatCircle.COM
Date: Thu, 05 Dec 1996 11:18:56 -0500

Can anyone recommend me good papers or readings about studies comparing firewall performance and the general impact on network performance? If possible, papers that speak about typical delay times (e.g. packet screening delays in msec)!!

Thank you!!
+--------------------------------------------------+
Carlos Marlon Coral Ortiz - Ing. de sistemas y comp.
Est. Magister Sistemas y Computacion (GI:HIDRA)
Centro de computo Departamento de Sistemas (MiniMOX)
H.Page: http://odin.uniandes.edu.co/marlon.html
Tel: 2869211 ext. 2847 Uniandes (Bogota - Colombia)
+--------------------------------------------------+

From firewalls-owner Thu Dec 5 08:56:01 1996
From: Chris Carlson
Subject: Re: network access through wall w/tokens
To: raf@ezunx.com
Cc: firewalls@GreatCircle.COM
Date: Thu, 5 Dec 1996 11:30:52 -0500 (EST)

VASCO Data Security (http://www.vasco.com) makes a product called AccessKey II that uses a Java app to receive light pulses for authentication.

Chris

P.S. I have no affiliation with VASCO.
--
---------------------------------------------------------------------
Chris Carlson                      http://www.cycon.com
CYCON Technologies                 info@cycon.com
carlson@cycon.com                  (703) 383-0247
CYCON Labyrinth Firewall - Stateful Inspection & Address Translation
---------------------------------------------------------------------

On Thu, 5 Dec 1996 raf@ezunx.com wrote:

> Ok, I know someone will know this ---
>
> I remember sometime ago, in a trade show, far far away, I came across
> an access-token vendor that had a product that was a little different
> than most. It uses light patterns on a screen and a special device to
> read them.
>
> Question -- Does anyone know of this product, and can it be used in
> conjunction with a fw to provide something like vpn access??
>
> -rich
>
>  o' |,=./ `o
>    (o o)
>  -----ooO--(_)--Ooo-------
>
> ** Remember -- If you can keep your head when all others around
>    you are losing theirs...
>
> You're probably not paying attention!
>

From firewalls-owner Thu Dec 5 08:59:11 1996
From: jeromie@garrison.com (Jeromie Jackson)
Subject: Re: PIX and Gauntlet
To: peter@baileynm.com
Cc: tbernstein@sri.com, mike@ptes.com, avolio@tis.com, firewalls@greatcircle.com
Date: Thu, 5 Dec 96 10:06:31 CST

> > The GUI is useful, however, many administrative type processes still
> > require manual hacking. For example, if adding a generic proxy the users now
> > have to go in and modify /usr/local/etc/mgmt/rc/* files.
>
> If there is a good editor available, why is this a problem?
>
> Novell administration requires manual editing of files now and then, but it
> seems to be quite within the grasp of PC network admin types. Just because
> there's not a specific GUI editor that doesn't make it "too hard" for naive
> users.
>

I would agree, I actually like Gauntlet quite a bit. Although I would have to say that the documentation on how to write policy for the firewall is quite limited.
The syntax information is contained in the back of the manual, although no real good discussion/documentation is written on netperm-table hacks. I would however have to say that TIS has done better work on the docs this time (3.2) than in previously released manuals.

Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

> (IMHO the biggest advantage of GUIs for administrative work is it lets your
> sales reps give impressive demonstrations. For systems bigger than a single
> workstation the fact that you're unable to do editing tasks that weren't
> explicitly programmed into the GUI is a big hindrance. For example, in NT's
> User Mangler... what if I want to just list the users with disabled accounts?)
>
> ((I gave up and added a (disabled) entry to the comment field))
>

One advantage I see in GUIs is integrity. If you have used Gauntlet much, you are probably aware of the several syntactical problems that were in the previous manuals, making modification of policy quite difficult. If a GUI were present to implement these tasks, the user community would not have had these problems, & TIS support would not have received as many calls.

From firewalls-owner Thu Dec 5 09:25:54 1996
From: "Andrew A. Benson"
Subject: Re: Secondary IP address
To: jsluzewski@dna.com
Cc: firewalls@GreatCircle.COM
Date: Thu, 5 Dec 1996 11:02:35 -0600 (CST)

> I have heard that it is possible to configure a secondary IP address on Solaris
> 2.5.1?
> If that's true, how can it be done?
> Thanks for any help.

Sure.

    ifconfig le0:1 aaa.bbb.ccc.ddd netmask eee.fff.ggg.hhh up

Replace le0 with whatever your interface is called. You'll have to put the command in an rc file so it happens automatically, of course.

> jsluzewski@dna.com

Andrew

From firewalls-owner Thu Dec 5 10:34:45 1996
From: "Dr. Stephan L. Moss"
Subject: Re: .edu w/ firewalls
To: Sameer R Manek
Cc: Paonia Ezrine, firewalls@GreatCircle.COM
Date: Thu, 05 Dec 1996 09:10:20 -0700 (PDT)

I think Sameer is right, the greatest threat is already on campus.
In addition to our own clever students, the science and engineering school up the street is full of bright, talented kids quite capable of hacking a system. Our network places all of the administrative machines (servers, main computer, PCs) on one side of the firewall and the rest of the campus and the other schools on the other side.

! Dr. Stephan L. Moss         stevem@pomadm.pomona.edu
! Administrative Computing    Pomona College
! Claremont, CA 91711         (909) 607-1734

From firewalls-owner Thu Dec 5 11:04:19 1996
From: jeromie@garrison.com (Jeromie Jackson)
Subject: Re: Cisco's PIX Firewall
To: firewalls@GreatCircle.COM, Ryan.Russell@sybase.com
Date: Thu, 5 Dec 96 10:23:02 CST

> Fair warning: Probably most readers of this
> list know by now that I favor the PIX/Firewall-1/SPF/NAT
> type solutions..though I am just a user. I have no
> stake in Cisco or Checkpoint.
>
> The case you mentioned below about the mail server..
> Yes, out of the box, you are reliant totally on the built-in
> security of the mail server, so keep up on your sendmail
> hole-of-the-week. In most cases, for FW-1 or PIX, for servers,
> you need to rely on the host security of the server for the
> ports you are "publishing." PIX and FW-1 will block all
> the other ports, same as router ACLs.
>

Food for thought for people like Cisco/FW1... If you were to just make a Mail Transport Agent for the hub, and provide it along with the product, people like me could not bitch, and you could say you covered the bases. I did note in one of the earlier posts from Cisco that they are indeed working on it.

> However, I did say out of the box... Apparently PIX and FW-1
> can go "deeper" into the connection if need be.. they can
> deal with protocols that embed the addresses in the data field,
> like FTP. FW-1 has add-ons that will do things like virus
> scanning, stripping out java and active-x code, content
> censoring etc.. So they *can* do the equivalent of an
> application proxy..if you ask them to. But, basically by default
> it will do the lowest level filtering that it has to for speed reasons.
> Also, you don't get things like a log of URLs (by default) like
> you can easily do with a traditional proxy.

Hmm, I would be interested in comparing audit data to see where, if any, data is lacking between the 2 technologies.

> So, back to the mail question, it doesn't check for evil
> things in the connection stream, but it could. I think this
> is the complaint that most of the people who prefer
> proxy-like things have... that PIX and FW-1 don't
> assume they have to do a full-blown proxy for
> most connection types. A full proxy that
> assumes the worst should be more secure than
> a PIX or FW-1 that assumes the least, if you consider
> one connection only.
>
> In my case, I prefer FW-1, because I allow a whole
> lot of protocols out..and one cohesive solution
> makes better security sense than the equivalent
> number of proxies. If I was doing just HTTP, a proxy
> would make better sense..but it would be hard to convince
> me that a whole bank of different proxies in parallel would
> have fewer security holes than the FW-1.
>
> Sorry to babble on...this SPF vs. Proxy issue comes up a lot.
> Should we write a FAQ, perhaps debate style, that deals
> with the issue?
>

Hmm, that is a great idea.. We should put one together, and toss it around the list until it is made clear.

Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

> Ryan
> ---------- Previous Message ----------
> To: firewalls, dochin
> cc: lazar, mhoward, froys, jlw, afoss, amittal
> From: jeromie @ garrison.com (Jeromie Jackson) @ smtp
> Date: 12/04/96 11:55:22 AM
> Subject: Re: Cisco's PIX Firewall
>
> > To clarify the PIX Firewall, it is not a packet filter. It is a dedicated
> > security device, built with one purpose in mind -- securing the private LAN
> > to the Internet.
> >
>
> Hmm, from what I've seen, it certainly does qualify as an IP filtering
> device. It bases its ACLs on header information, namely src, port, dst, port, flags.
> It obviously is not an application level gateway, therefore you may be competing
> with TIS/Raptor for market share, although it is quite different technology.
> It appears to be a packet filtering device that has NAT capabilities...
>
> > We are in fact directly in competition with Checkpoint, Raptor, TIS, etc.
> > The "cut-through proxy" feature provides a significant performance
> > enhancement to the security function since users are authenticated at the
> > application layer. Once authenticated, the process flow shifts back to the
> > network layer which provides the high performance.
>
> I would have to agree that most likely there is a performance
> enhancement by using PIX instead of an application level gateway. My question
> would be, if the PIX product is a firewall, how is it securing the
> sendmail/mail transport agent for the customers? When mail comes inbound,
> it has to speak to something.. Since PIX does not have an MTA itself, obviously
> another box is required. If this is so, the level of security of the MTA is
> crucial... This seems to be a bad thing.
>
> Also, using something like PIX, are there features that allow filtering
> of data such as email-content, or java/javascript? What about time based
> access control? Or what about data reduction utilities to utilize the syslog
> information that I would assume the PIX can provide...?
>
> Jeromie Jackson
> Garrison Technologies
> jeromie@garrison.com
>

From firewalls-owner Thu Dec 5 11:34:29 1996
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: VPNs
To: israel.serrano@solmelia.es
Cc: Firewalls@GreatCircle.COM
Date: Thu, 5 Dec 1996 19:11:15 +0100 (MET)

Hello,

> My concern, right now, consists basically in the possibility to set up Virtual
> Private Networks in order to reduce the high costs of maintaining a leased line
> with some of our international offices (US and Singapore, basically) The problem
> we face is the chance to expose confidential information to the Internet

And expose yourself to attacks from the Internet, yes.

> Which device suits best the VPN deployment, FW-1 or SunScreen? (I guess the
> latter)
> Are they really (REALLY) secure? (Technicians! Help!)

There are quite a few more VPN Solutions. The main question is: which data are
you going to transfer how often, and which firewall solution do u have? Which
know-how do u have to maintain one, and how much money do you want to spend?

You might consider using alternative transports like: PGP encrypted
mail-attachments or ssh's scp, SSLed WWW Server or ssl-ftp. Those are much
cheaper and their security is IMHO often better than the usual on-the-fly IP
Packet encryption.

If other ppl's are interested: there is a small kernel and userspace solution
for Linux for crypted IP tunnels (IDEA based). It's a design study but works
well for small bandwidth. It's called CIPE and can be obtained from Olaf Titz
at . I know the author would like to receive some discussion of his basic
Design. For now you have to grab the tar archive, an info page will follow.

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )     ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o      *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)    If privacy is outlawed only Outlaws have privacy

From firewalls-owner Thu Dec 5 11:34:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA14549 for firewalls-outgoing; Thu, 5 Dec 1996 10:21:01 -0800 (PST)
Received: from gate.csi.co.nz (gate.csi.co.nz [202.49.197.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA14530 for ; Thu, 5 Dec 1996 10:20:43 -0800 (PST)
Received: (from root@localhost) by gate.csi.co.nz (8.6.11/8.6.9) id FAA17408 for ; Fri, 6 Dec 1996 05:59:18 GMT
Received: from csi6001.csi.co.nz(202.36.193.98) by gate via smap (V1.3) id sma017406; Fri Dec 6 05:58:55 1996
Received: from csiwndm.csi.co.nz by csi6001.csi.co.nz; Fri, 6 Dec 1996 07:24:39 +1200
Received: by csiwndm.csi.co.nz with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBE345.ED2E6570@csiwndm.csi.co.nz>; Fri, 6 Dec 1996 07:20:15 +1300
Message-Id:
From: Bevan Thomson
To: "'firewalls@GreatCircle.COM'"
Subject: RE: Firewall performance???
Date: Fri, 6 Dec 1996 07:20:13 +1300
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is one place that doesn't seem too bad at a glance.

http://www.crpht.lu/CNS/html/PubServ/Security/Documents/Data_Comm/Firewalls.html

(Even the performance is really only just one graph)

>----------
>From: Carlos Marlon Coral Ortiz[SMTP:c-coral@uniandes.edu.co]
>Sent: Friday, 6 December 1996 05:18
>To: firewalls@GreatCircle.COM
>Subject: Firewall performance???
>
>Can anyone recommend me good papers or readings about studies comparing
>the firewall performance and the general impact on network performance.
>If it is possible that those papers speak about typical delay times
>(e.g. packet screening delays in msec)!!
>--
>Thank you!!
>+--------------------------------------------------+
>Carlos Marlon Coral Ortiz - Systems and Computing Engineer
>Master's student, Systems and Computing (GI:HIDRA)
>Computing Center, Systems Department (MiniMOX)
>H.Page: http://odin.uniandes.edu.co/marlon.html
>Tel: 2869211 ext. 2847 Uniandes (Bogota - Colombia)
>+--------------------------------------------------+
>

From firewalls-owner Thu Dec 5 11:34:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA16785 for firewalls-outgoing; Thu, 5 Dec 1996 10:47:33 -0800 (PST)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA16721 for ; Thu, 5 Dec 1996 10:47:07 -0800 (PST)
Received: by gauntlet-1.trusted.com; id NAA14032; Thu, 5 Dec 1996 13:56:24 -0500
Received: from dira.rv.tis.com(10.0.1.43) by gauntlet-1.trusted.com via smap (V3.1.1) id xma014020; Thu, 5 Dec 96 13:55:57 -0500
Received: from unit65.rv.tis.com (dyn116.hq.tis.com [10.33.10.116]) by dira.rv.tis.com (8.7.4/8.7.3) with SMTP id NAA13903; Thu, 5 Dec 1996 13:41:50 -0500 (EST)
Message-Id: <3.0.32.19961205134415.006f024c@pop.rv.tis.com>
X-Sender: avolio@pop.rv.tis.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 05 Dec 1996 13:44:17 -0500
To: Terry Bernstein , peter@baileynm.com (Peter da Silva)
From: Frederick M Avolio
Subject: Re: PIX and Gauntlet
Cc: jeromie@garrison.com (Jeromie Jackson), mike@ptes.com, firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:05 AM 12/5/96 -0800, Terry Bernstein wrote:
>Also, I believe that if you have multiple TIS firewalls, you'll need to
>move these files between machines and manually reconfigure them. If that
>is the case, then this introduces yet another place for a possible
>misconfiguration.

This is probably getting too TIS centric now (not that I mind), but we give
you the ability to configure and then remotely load other Gauntlet firewalls.

f

From firewalls-owner Thu Dec 5 11:35:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA14687 for firewalls-outgoing; Thu, 5 Dec 1996 10:23:02 -0800 (PST)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA14667 for ; Thu, 5 Dec 1996 10:22:45 -0800 (PST)
Received: from cwiz.com by relay3.UU.NET with SMTP (peer crosschecked as: dosmanos.tx.qualix.com [208.194.52.10]) id QQbsur00558; Thu, 5 Dec 1996 13:22:46 -0500 (EST)
Received: by cwiz.com (SMI-8.6/SMI-SVR4) id MAA25836; Thu, 5 Dec 1996 12:22:25 -0600
Date: Thu, 5 Dec 1996 12:22:25 -0600
From: mdb@dosmanos.cwiz.com (Martin D. Baldenegro)
Message-Id: <199612051822.MAA25836@cwiz.com>
To: jsluzewski@dna.com
Subject: Re: Secondary IP address
Cc: firewalls@GreatCircle.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are you asking about configuring a secondary IP address on the same physical
network card? That would be configuring for virtual networks. Example would be
to have two IP addresses on say the same Ethernet interface, like 198.164.2.100
and 192.194.3.100; you would do the following as described from the man pages:

    ifconfig le1 plumb

Once a physical interface has been "plumbed", additional local interfaces can
be configured by simply naming them in subsequent ifconfig commands. Logical
interfaces do not need to be "plumbed". Simply mentioning their name in an
ifconfig command is sufficient. For example, the commands:

    ifconfig le1 198.164.2.100
    ifconfig le1:1 192.194.3.100

will allocate a logical interface associated with the physical interface le0.
A logical interface can be configured with parameters (address, netmask,
etc.) different from the physical interface that it is associated with. And
logical interfaces that are associated with the same physical interface can be
given different parameters as well. Each logical interface must be associated
with a physical interface. So, for example, the logical interface le0:1 can
only be configured after the physical interface le0 has been plumbed.

Hope this helps,

Martin
" Been there, Done it, got a T-shirt "

----- Begin Included Message -----

From jsluzewski@dna.com Thu Dec 5 10:58:32 1996
From: jsluzewski@dna.com
Subject: Secondary IP address
To:
Date: Thu, 05 Dec 96 09:39:00 EST

I have heard that it is possible to configure a secondary IP address on
Solaris 2.5.1? If that's true, how can it be done? Thanks for any help.

jsluzewski@dna.com

----- End Included Message -----

From firewalls-owner Thu Dec 5 12:04:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA04338 for firewalls-outgoing; Thu, 5 Dec 1996 08:06:49 -0800 (PST)
Received: from gw.garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA04283 for ; Thu, 5 Dec 1996 08:06:17 -0800 (PST)
Received: by gw.garrison.com; id EAA05192; Thu, 5 Dec 1996 04:00:16 -0600 (CST)
Received: from ukn0.garrison.com(10.0.0.2) by gw.garrison.com via smap (3.2) id xma005180; Thu, 5 Dec 96 03:59:49 -0600
Received: by garrison.com. (4.1/Surrogate Sendmail hack) id AA03133; Thu, 5 Dec 96 10:01:00 CST
Date: Thu, 5 Dec 96 10:01:00 CST
From: jeromie@garrison.com (Jeromie Jackson)
Message-Id: <9612051601.AA03133@garrison.com.>
To: ahuger@secnet.com, jlw@cisco.com
Subject: Re: Cisco's PIX Firewall
Cc: firewalls@GreatCircle.COM, dochin@cisco.com, mhoward@cisco.com, lazar@netevolve.com, froys@cisco.com, afoss@cisco.com, amittal@cisco.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> To all:
>
> Please use caution when reading the following to avoid confusion.
> I posted the original statement of "opens up UDP ports 7648 and 7649
> BLINDLY to all traffic including attacks" criticizing packet filtering routers.
> I also contrasted it with the PIX'es adaptive security.
>
> I hope readers do not mistake this stateless opening of
> udp ports applies what the PIX does.
>
> As of today, the current official release of PIX still does not have
> Java filtering or any SMAPd type of mail wrappers. But that does not
> prevent it from being a stateful firewall being capable of thwarting
> spoofing and hijacking.
>
> Going against IP spoofing, The PIX has cut-through proxies authenticating
> inbound sessions from trusted hosts to selected internal hosts.
> This is user-based authentication. It also randomizes TCP sequence numbers
> to further minimize the chance of a successful spoofing.
>
> A packet filtering router exposes internal hosts and is not protocol aware.
> To allow ftp clients inside going out you basically have to open up
> TCP SRC=20 and DST gt 1023 for everyone in the whole world.

Agreed

> The PIX makes an inside network totally invisible to the outside and
> only reveals certain IP addresses to the destination host when connections
> go outbound and only allows the requested data coming in.
>
> With due respect, I challenge Mr. Jackson's point saying:
>
> >> > As far as being
> >> > 'spoof proof', that is just not correct.
> >> > If you are talking to '1.2.3.4', I
> >> > can send you a packet appearing as though it is originating from '1.2.3.4'
>
> In the case where the client starts a connection from SRC port 2345
> to 1.2.3.4's port 80 to get a webpage and then ends the connection.
> The PIX immediately closes the connection object after that and even if the hacker
> succeeds in impersonating 1.2.3.4 ( the dest. host ) and tries to come in via
> SRC=80 dest=2345 with the ACK bit set, the PIX will not let the packets come
> through.
> ( Interested PIX owners can try it themselves)
>

Ok.. Here's the scenario, where you cannot stop the spoof; it is not because
of a flaw in the firewall, but a flaw in IPV4...

1) external user requests an inbound telnet connection.
2) User gets Authenticated.
3) User reaches the destination & logs in
4) Hacker finds out what sequence number is being used
5) Hacker sends RSTs to the real user, thus causing his session to close
6) Hacker continues sending packets to the internal machine, incrementing the
   sequence number as necessary.

This is obviously a scenario of Hijacking. Your box cannot stop it. Thus,
saying it is 'spoof proof' is just _NOT_ correct.

Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

> -Johnson
>
> At 10:35 PM 12/4/96 CST, Jeromie Jackson wrote:
> >> On Wed, 4 Dec 1996, Jeromie Jackson wrote:
> >>
> >> > >
> >> > > This opens up UDP ports 7648 and 7649 BLINDLY to all traffic including
> >> > > attacks. Also there's that infamous estab statement where someone who
> >> > > knows how to doctor the ACK bit can inject TCP packets into the customers'
> >> > > net.
> >> >
> >> > Hmm, That certainly looks like packet filtering to me.
>
> Yes you are right. It was my example of a packet filter, not the PIX.
>
> >> > Based on header
> >> > information, you are making decisions about packet flow. As far as being
> >> > 'spoof proof', that is just not correct. If you are talking to '1.2.3.4', I
> >> > can send you a packet appearing as though it is originating from '1.2.3.4',
> >> > you would believe me, because there is no authentication built into IPV4. I would
> >> > agree, that the filtering mentioned above is better than that done w/ a standard
> >> > IP filtering device, although because decisions are being made on objects that
> >> > are not authenticated (header information), ACL's can, and will be vulnerable to
> >> > spoofing/hijacking.
> >> >
> >>
> >Ahuger@secnet.com wrote:
> >
> >> ACL's being vulnerable to spoofing/hijacking..... I am not sure if I am
> >> reading you clear on this, but what I think I see you saying is that you
> >> can still spoof Source IP addresses to a Cisco PIX firewall. Also you
> >> state, trusted connections to the firewall can be hijacked. If this is
> >> what you are saying, my reply would be such.
> >>
> >> You're correct in saying IP4 has no built in authentication, the only thing
> >> in IPV4, related to security is the Security Field (which denotes how
> >> classified a datagram is). This being said, anyone, anywhere can slap
> >> any Source Address on a packet and fire it off their wire. *No* Firewall
> >> can protect you from this. Cisco PIX or otherwise. If you need to speak to
> >> the outside world (which if you have a Firewall I assume you do) then you
> >> are subject to packets with questionable Source Addresses. I don't see
> >> this as a real weakness of any given Firewall, just shortcomings of IPV4.
> >>
> >
> > Agreed. I brought this up, to show the inherent weakness in ACLs.
> >Obviously both mechanisms, ip filtering devices, and application level gateways,
> >are vulnerable to such data.
> >An IP filtering device uses this as its primary
> >access control mechanism though, whereas an application level gateway would
> >also implement things to force RFC conformance of the protocols, most likely
> >have data reduction tools, and be able to address issues such as the Mail
> >Transport Agent problems. App. gateways also have the capability to do things
> >such as Java/Javascript filtering, Mail filtering, whereas strictly IP filtering
> >mechanisms do not have such capabilities.
> >
> >> As to streams of data (TCP presumably) being open to hijacking. That again
> >> is another problem which cannot really be addressed by a Firewall itself.
> >> If an attacker has breached a host whom your firewall allows *unencrypted*
> >> or even *encrypted* connections from, you're had. And it's not your
> >> Firewall's fault.
> >>
> >> Both of these issues are policy issues, Both require a Firewall Admin to
> >> ask himself how much of the outside world he/she trusts. In the case of
> >> spoofable addresses, Admins must realize that not all packets coming in
> >> off the net, are really coming from where they say they are. In respects
> >> to TCP hijacking, an Admin has to ask his/herself if they want to allow
> >> TCP connections through their firewall.
> >>
> >
> > Agreed.
> >
> >
> >Jeromie Jackson
> >Garrison Technologies
> >jeromie@garrison.com
> >
> >
> Johnson L. Wu
> Cisco Systems
> 2464 Embarcadero Way
> 415/842-2114 voice
> 415/843-1111 fax
> jlw@cisco.com
> so long: johnson@translation.com
> private: johnson@snoopy.ORG
>

From firewalls-owner Thu Dec 5 12:15:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA21857 for firewalls-outgoing; Thu, 5 Dec 1996 11:51:10 -0800 (PST)
Received: from iceland.it.earthlink.net (iceland-c.it.earthlink.net [204.119.177.28]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA21847 for ; Thu, 5 Dec 1996 11:51:02 -0800 (PST)
Received: from Cust31.Max15.San-Francisco.CA.MS.UU.NET (Cust31.Max15.San-Francisco.CA.MS.UU.NET [153.35.240.159]) by iceland.it.earthlink.net (8.7.5/8.7.3) with SMTP id LAA10953 for ; Thu, 5 Dec 1996 11:50:58 -0800 (PST)
Received: by Cust31.Max15.San-Francisco.CA.MS.UU.NET with Microsoft Mail id <01BBE2A2.848971C0@Cust31.Max15.San-Francisco.CA.MS.UU.NET>; Thu, 5 Dec 1996 11:50:31 -0800
Message-ID: <01BBE2A2.848971C0@Cust31.Max15.San-Francisco.CA.MS.UU.NET>
From: "John L. Hamilton"
To: "firewalls@GreatCircle.COM"
Subject: Get me off of this list!!!!!!!
Date: Thu, 5 Dec 1996 11:50:24 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I sent the message to majordomo and got verification that I was removed but
I'm still receiving posts.
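The connection-tracking argument in the PIX thread above (Johnson Wu's example of the closed connection object refusing a later ACK from "1.2.3.4", and Jeromie Jackson's reply that a live connection is still only identified by header fields) can be watched in a toy stateful filter. This is an added illustration, not PIX code or any vendor's; the 10.0.0.0/24 inside network, the 10.0.0.5:2345 client, the 1.2.3.4:80 server and the simplified flag handling (an entry is created by an outbound SYN and dropped on the first FIN or RST) are assumptions of the example.

```python
"""Toy stateful packet filter: outbound-initiated TCP only.

Added example for the PIX thread; it is not PIX code or any vendor's.
Addresses, ports and the simplified TCP state handling are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

INSIDE = "inside"
OUTSIDE = "outside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # e.g. {"SYN"}, {"ACK"}, {"FIN", "ACK"}, {"RST"}


class StatefulFilter:
    """Keeps a table of (inside addr, inside port, outside addr, outside port).

    An entry is created by an outbound SYN, consulted for every packet and
    removed when either side sends FIN or RST (real stacks wait for the
    half-close to complete; this simplification keeps the example short).
    """

    def __init__(self, inside_prefix: str) -> None:
        self.inside_prefix = inside_prefix
        self.table: Set[Tuple[str, int, str, int]] = set()

    def _inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    def process(self, pkt: Packet, arrived_on: str) -> str:
        closing = bool(pkt.flags & {"FIN", "RST"})
        if arrived_on == INSIDE:
            # inside packets must carry an inside source and leave the network
            if not self._inside(pkt.src) or self._inside(pkt.dst):
                return "drop"
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"SYN"}:
                self.table.add(key)           # new outbound conversation
            if key not in self.table:
                return "drop"
            if closing:
                self.table.discard(key)
            return "pass"
        # arrived on the outside interface
        if self._inside(pkt.src):
            return "drop"                     # outside packet claiming an inside source
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return "drop"                     # unsolicited, bare ACKs included
        if closing:
            self.table.discard(key)
        return "pass"                         # matched on the 4-tuple alone


def demo() -> Dict[str, str]:
    """Run the thread's scenario and return each verdict by name."""
    fw = StatefulFilter(inside_prefix="10.0.0.")
    client, server = ("10.0.0.5", 2345), ("1.2.3.4", 80)   # constructed endpoints

    def out(*flags: str) -> Packet:
        return Packet(client[0], client[1], server[0], server[1], frozenset(flags))

    def back(*flags: str) -> Packet:
        return Packet(server[0], server[1], client[0], client[1], frozenset(flags))

    verdicts: Dict[str, str] = {}
    verdicts["unsolicited_ack"] = fw.process(back("ACK"), OUTSIDE)          # no state yet
    verdicts["syn_out"] = fw.process(out("SYN"), INSIDE)                    # creates entry
    verdicts["synack_in"] = fw.process(back("SYN", "ACK"), OUTSIDE)
    verdicts["data_in_while_open"] = fw.process(back("ACK"), OUTSIDE)       # header match only
    verdicts["fin_out"] = fw.process(out("FIN", "ACK"), INSIDE)             # entry removed
    verdicts["ack_after_close"] = fw.process(back("ACK"), OUTSIDE)          # Johnson's case
    verdicts["outside_claims_inside_src"] = fw.process(
        Packet("10.0.0.9", 4000, "10.0.0.5", 23, frozenset({"SYN"})), OUTSIDE)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

The two verdicts worth comparing are `ack_after_close` (dropped, the behaviour Johnson describes) and `data_in_while_open` (passed on nothing but the 4-tuple, which is Jeromie's point: the table records that a conversation exists, it does not verify who is speaking, so encryption or end-to-end authentication has to come from somewhere else).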
From firewalls-owner Thu Dec 5 12:34:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA23206 for firewalls-outgoing; Thu, 5 Dec 1996 12:11:28 -0800 (PST)
Received: from ftp.com (ftp.com [128.127.2.122]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA23129 for ; Thu, 5 Dec 1996 12:10:47 -0800 (PST)
Received: from ftp.com by ftp.com ; Thu, 5 Dec 1996 15:10:49 -0500
Received: from mailserv-2high.ftp.com by ftp.com ; Thu, 5 Dec 1996 15:10:49 -0500
Received: by MAILSERV-2HIGH.FTP.COM (SMI-8.6/SMI-SVR4) id PAA11466; Thu, 5 Dec 1996 15:10:49 -0500
Date: Thu, 5 Dec 1996 15:10:49 -0500
Message-Id: <199612052010.PAA11466@MAILSERV-2HIGH.FTP.COM>
To: firewalls@greatcircle.com
Subject: Test ! please delete
From: shishir@ftp.com
Reply-To: shishir@ftp.com
Repository: mailserv-2high.ftp.com, [message accepted at Thu Dec 5 15:10:47 1996]
Originating-Client: asc-client
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Thu Dec 5 12:40:15 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA21291 for firewalls-outgoing; Thu, 5 Dec 1996 11:42:01 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA21165 for ; Thu, 5 Dec 1996 11:41:11 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id NAA02845; Thu, 5 Dec 1996 13:30:32 -0500
Date: Thu, 5 Dec 1996 13:30:30 -0500 (EST)
From: Rabid Wombat
To: Michael Dillon
cc: Great Circle Firewall Mailing List
Subject: Re: IRINA is a Hoax
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yup - sites I'm at get "infected" with "good times" about once a month. It
only infects carbon-based systems - end-lusers. They ignore all security
procedures and forward copies of the warning to everyone except the
designated point of contact for computer security incidents. This behavior
is best stopped by killing a few end-lusers, which forces the virus into
remission for about 30 days.

-r.w.

On Wed, 4 Dec 1996, Michael Dillon wrote:

> On Wed, 4 Dec 1996, Gilbert Soueidy wrote:
>
> > Hi folks;
> > Irina seems to be a Hoax; Look at what issue 85 of
> > the computer underground digest says;
>
> > The "Irina" virus warnings are a hoax.
>
> Leave it to the techno-wizards to come up with an idiotic statement like
> this. The most effective viruses ever created are the Good Times virus and
> its variations such as Deeyenda and Irina. These viruses have propagated
> to more systems and people than any other, bypassing just about every
> existing virus safeguard.
>
> Obviously these viruses are not the same sort of organism as the
> Pakistani Brain virus or Michaelangelo but they are certainly not
> hoaxes.
>
> It is widely understood that social engineering is the most effective way
> to penetrate secure computer networks. We should not be surprised that
> viruses based on these techniques are so effective.
>
>
> Michael Dillon - Internet & ISP Consulting
> Memra Software Inc.
> - Fax: +1-604-546-3049
> http://www.memra.com - E-mail: michael@memra.com
>

From firewalls-owner Thu Dec 5 12:45:00 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA22780 for firewalls-outgoing; Thu, 5 Dec 1996 12:05:14 -0800 (PST)
Received: from habanero.jmu.edu (habanero.jmu.edu [134.126.71.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA22754; Thu, 5 Dec 1996 12:04:51 -0800 (PST)
Message-Id: <199612052004.MAA22754@miles.greatcircle.com>
Received: by habanero.jmu.edu (1.37.109.16/16.2) id AA064746004; Thu, 5 Dec 1996 15:00:04 -0500
Date: Thu, 5 Dec 1996 15:00:04 -0500
From: gary flynn
To: Firewalls@GreatCircle.COM, firewalls-owner@GreatCircle.COM
Subject: Re: Why would someone want an NT firewall?
Cc: gary@habanero.jmu.edu
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Adrian Knight
> Subject: Why would someone want an NT firewall?
>
> 2) We don't want to hire a rocket scientist to manage our firewall. A
> message earlier referred to firewalls being "necessarily technical."
> That's bogus. I think it's possible that a lot of people making money off
> of firewalls might want to keep them that way, but there are a lot of
> average people out there who want to AND CAN handle managing a firewall
> right along with the MANY other types of systems that are also included in
> our job responsibilities. In this age of computers, it is no longer valid
> to try to convince people that computers are just too complicated for the
> average person. I'm not a Microsoft Groupie or anything, but the reason
> their company is where they are today is that they realized that!

I believe that the industry's efforts to make computers appear that anyone
can operate them has resulted in our present support and security nightmare.
Computers are not toasters no matter how many GUIs you lay on top of them.

I don't believe it possible to put enough artificial intelligence on a
mass-produced, end user administered machine to make it either secure or
easily supported in today's environment where the latest applications are
downloaded from the Internet at the user's discretion, multivendor hardware
and software components are constantly mixed, matched, and updated, and ten
or more layers of drivers, protocols, clients, and applications "coexist"
each with their own idiosyncrasies, bugs, and versions.

Windows and particularly Macintosh machines are absolutely wonderful at
making a user friendly DESKTOP environment. But today's PC is no longer a
"personal computer". It is a portal into a much larger networked information
system. That larger system is getting more complex, layered, and interactive
day by day. The security ramifications of that architecture are not easily
reduced to a point and click paradigm nor is that type of interface easily
kept current with new applications and problems.

> Because our firewall is on an NT platform and has a good GUI, I can be
> gone for a couple of weeks and even my boss, a manager, can sit down and
> make changes to the firewall comfortably. Several other people in the
> computing department with the password could do the same if they had to.
> After two years, nobody else could sit down to my Solaris box and do
> anything except manage to shut things down.

Windows promised point and click computing. Yet people are still dealing
with INI files, registry editors, and multiple driver and DLL updates. It may
be that the product was designed to be point and click but in actual practice
it rarely happens that way. Also, the GUI can often cover up an
oversimplification of a complex technical issue. When this happens on a
device protecting an entire network...

My $0.02 worth.
Gary Flynn
Network Analyst
James Madison University

From firewalls-owner Thu Dec 5 12:52:53 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA14053 for firewalls-outgoing; Thu, 5 Dec 1996 10:15:29 -0800 (PST)
Received: from isl.sri.com (sheffield.isl.SRI.COM [128.18.23.46]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA14046 for ; Thu, 5 Dec 1996 10:15:14 -0800 (PST)
Received: by isl.sri.com (SMI-8.6/SMI-SVR4) id KAA06947; Thu, 5 Dec 1996 10:14:05 -0800
Received: from tlb.isl.sri.com(128.18.23.66) by sheffield via smap (V2.0beta) id xmaa06899; Thu, 5 Dec 96 10:13:59 -0800
X-Sender: terry@128.18.23.46
Message-Id:
In-Reply-To: <9612051426.AA25253@sonic.nmti.com.nmti.com>
References: <9612042227.AA01909@garrison.com.> from "Jeromie Jackson" at Dec 4, 96 04:27:53 pm
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 5 Dec 1996 10:05:41 -0800
To: peter@baileynm.com (Peter da Silva)
From: Terry Bernstein
Subject: Re: PIX and Gauntlet
Cc: jeromie@garrison.com (Jeromie Jackson), mike@ptes.com, avolio@tis.com, firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The problem is not with the manual editing per se, but with the possibility
that you could make a mistake and open services on your firewall that you
really don't want opened. I just had the impression that the file was a bit
complicated and that it would be relatively easy for someone to screw up.

This is similar to the problem with Cisco access lists. Yes, you CAN
configure them correctly, but in 75% of the security reviews I've done, there
was at least 1 mistake in the Cisco ACL.

Also, I believe that if you have multiple TIS firewalls, you'll need to move
these files between machines and manually reconfigure them. If that is the
case, then this introduces yet another place for a possible misconfiguration.

-- terry --

At 6:26 AM -0800 12/5/96, Peter da Silva wrote:
>> The GUI is useful, however, many administrative type processes still
>> require manual hacking. For example, if adding a generic proxy the
>>users now
>> have to go in and modify /usr/local/etc/mgmt/rc/* files.
>
>If there is a good editor available, why is this a problem?
>
>Novell administration requires manual editing of files now and then, but it
>seems to be quite within the grasp of PC network admin types. Just because
>there's not a specific GUI editor that doesn't make it "too hard" for naive
>users.
>
>(IMHO the biggest advantage of GUIs for administrative work is it lets your
>sales reps give impressive demonstrations. For systems bigger than a single
>workstation the fact that you're unable to do editing tasks that weren't
>explicitly programmed into the GUI is a big hindrance. For example, in NT's
>User Mangler... what if I want to just list the users with disabled accounts?)
>
>((I gave up and added a (disabled) entry to the comment field))

----------
Terry Bernstein
SRI Consulting
terry_bernstein@sri.com
http://www.ice.sri.com/~terry

From firewalls-owner Thu Dec 5 13:15:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA11946 for firewalls-outgoing; Thu, 5 Dec 1996 09:53:39 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA11933 for ; Thu, 5 Dec 1996 09:53:22 -0800 (PST)
Received: (qmail 25296 invoked from smtpd); 5 Dec 1996 17:53:24 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 5 Dec 1996 17:53:24 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id LAA19383; Thu, 5 Dec 1996 11:53:24 -0600
Received: by sonic.nmti.com; id AA01717; Thu, 5 Dec 1996 11:53:15 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9612051753.AA01717@sonic.nmti.com.nmti.com>
Subject: Re: Firewalls over NT vs. UNIX
To: mthomps1@kiwitech.co.nz (Matthew Thompson)
Date: Thu, 5 Dec 1996 11:53:15 -0600 (CST)
Cc: bve@yourtown.com, firewalls@greatcircle.com
In-Reply-To: <96Dec5.090612nzdt.35726@kotuku.manukau.govt.nz> from "Matthew Thompson" at Dec 6, 96 10:51:33 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Can someone tell me where I get the source for HP-UX, AIX and Solaris 2,
> and Borderware's modified BSDI Unix then? Bearing in mind I don't want to
> sign any agreements of the type I'd have to sign to see the source for NT,
> or pay any significant money, or do anything illegal?

Why, are you planning on running a "crystal box" firewall on them? If so, I'd
recommend that you run it on FreeBSD or NetBSD instead, for that very reason.

From firewalls-owner Thu Dec 5 14:37:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA12798 for firewalls-outgoing; Thu, 5 Dec 1996 10:01:14 -0800 (PST)
Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA12771 for ; Thu, 5 Dec 1996 10:01:01 -0800 (PST)
Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id KAA06061; Thu, 5 Dec 1996 10:00:44 -0800
Date: Thu, 5 Dec 1996 10:00:44 -0800 (PST)
From: Leonard Miyata
To: raf@ezunx.com
cc: firewalls@GreatCircle.COM
Subject: Re: network access through wall w/tokens
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This sounds like the French ActivCard, a challenge and response token. There
is custom software available, that will draw and flash three squares on the
screen. Holding the token directly against the screen can receive the
challenge, but I've only seen this available for Windows platforms.
For more conventional (and secure) platforms you can always enter the
challenge on the keypad. The ActivCard also supports multiple personalities
(keys). Commercial software support is limited. BSDI does support it as one of
its authentication mechanisms. My documentation states their web page is at
http://www.francenet.fr/activcard

Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com
GEMINI COMPUTERS INC.

On Thu, 5 Dec 1996 raf@ezunx.com wrote:

> Ok, I know someone will know this ---
>
> I remember sometime ago, in a trade show, far far away, I came across
> an access-token vendor that had a product that was a little different
> than most. It uses light patterns on a screen and a special device to
> read them.
>
> Question -- Does anyone know of this product, and can it be used in
> conjunction with a fw to provide something like vpn access??
>
> -rich
>
>        o'  |,=./  `o
>            (o o)
>     -----ooO--(_)--Ooo-------
>
> ** Remember -- If you can keep your head when all others around
>    you are losing theirs...
>
>    You're probably not paying attention!
>

From firewalls-owner Thu Dec 5 14:44:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA26162 for firewalls-outgoing; Thu, 5 Dec 1996 12:53:59 -0800 (PST)
Received: from charon.pjm.com (pjm-gate.pjm.com [198.56.5.30]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA26048 for ; Thu, 5 Dec 1996 12:53:17 -0800 (PST)
X-Organization: PJM Interconnection Association
X-Complain-To: postmaster@pjm.com
Received: from mailman.pjm.com (pjmpost.pjm.com [172.16.0.230]) by charon.pjm.com (8.6.12/8.6.12) with SMTP id PAA15214 for ; Thu, 5 Dec 1996 15:53:09 -0500
Received: by mailman.pjm.com with Microsoft Mail id <32A73630@mailman.pjm.com>; Thu, 05 Dec 96 15:53:04 EST
From: "Mix, S.R."
To: "'firewalls'"
Subject: Serially connected firewalls and FTP
Date: Thu, 05 Dec 96 15:54:00 EST
Message-ID: <32A73630@mailman.pjm.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi:

We are attempting to determine how to get FTP sessions established end-to-end
between multiple networks, each protected by a firewall:

    +--+   +-----+   +----------+   +------------+   +----------+   +--------+   +------------+
    |PC|---|     |---|FireWall a|---|            |---|FireWall b|---|        |---| FTP server |
    +--+   +-----+   +----------+   +------------+   +----------+   +--------+   +------------+

FireWall b is a TIS Firewall Toolkit Version 2.0
FireWall a so far has been an Eagle Raptor or another TIS FWTK.

The question is: how does a user on the "PC" (which might include a UNIX
command line) connect through the two firewalls to the FTP server?

Thanks,

Scott R. Mix
PJM Interconnection Association

From firewalls-owner Thu Dec 5 14:46:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA28195 for firewalls-outgoing; Thu, 5 Dec 1996 13:15:47 -0800 (PST)
Received: from kcsun3.kcstar.com (kcsun3.kcstar.com [207.15.4.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA28129 for ; Thu, 5 Dec 1996 13:15:23 -0800 (PST)
Received: from kcsun3.kcstar.com (kcsun3.kcstar.com [207.15.4.13]) by kcsun3.kcstar.com (8.7.5/8.7.3) with SMTP id PAA17284 for ; Thu, 5 Dec 1996 15:18:18 -0600 (CST)
Date: Thu, 5 Dec 1996 15:18:17 -0600 (CST)
From: elroy
X-Sender: elroy@kcsun3.kcstar.com
To: firewalls@greatcircle.com
Subject: Netscape gold ?!
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi everybody -

I'm trying to make Netscape Gold publish to a webserver outside of our
firewall, but having problems. I know that Netscape Gold can publish either
via PASV ftp, or http put. My question is WHAT PORT(S)?
This is driving me crazy - I've searched through firewalls-archive, and on the Web, but no joy. Has anyone allowed Netscape Gold to publish outbound through their firewall? Can it be done safely? Thanks to all, in advance - -elroy (elroy@kcstar.com) From firewalls-owner Thu Dec 5 14:49:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA02288 for firewalls-outgoing; Thu, 5 Dec 1996 13:59:54 -0800 (PST) Received: from vrml. (vrml.boulder.vni.com [192.147.250.69]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA02276 for ; Thu, 5 Dec 1996 13:59:42 -0800 (PST) Received: from vrml by vrml. (SMI-8.6/SMI-SVR4) id CAA10007; Thu, 5 Dec 1996 02:57:52 -0700 Message-ID: <32A69C9F.2FDC@ix.netcom.com> Date: Thu, 05 Dec 1996 02:57:52 -0700 From: Christian Kuhtz X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4u) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Q: BorderWare Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello: I am implementing a slew of services which are to be offered in the SSN portion of a BorderWare SSN firewall setup and would like to pick someone's brain about it. Please drop me a note via replying to this eMail if you think you have cycles to do that. I am currently not subscribed to the list. Thanks in advance! Best regards, Chris -- Christian Kuhtz Network/UNIX Specialist Paranet, Inc. 
From firewalls-owner Thu Dec 5 15:19:52 1996
From: oolid@acqic.org (Joseph L. Moll)
To: firewalls@greatcircle.com
Subject: Vulnerabilities in Microsoft's IIS 2.0
Date: Thu, 05 Dec 1996 16:22:37 -0500

Hello all:

We have noticed a little problem with IIS 2.0 and were wondering if the problem also exists in IIS 3.0.

It seems that anyone can browse any of the files in the cgi-bin directory on the server. For example, browse this on your IIS web host:

    http://your.domain.here/cgi-bin/my_cgi.ini

The only catch is that you have to know the name of the file. Good ole security by obscurity?

IIS 2.0 in conjunction with M$ Internet Exploder passes the end user's domain and username to the IIS for access. Gets logged in the log file as DOMAIN\USERNAME.

Anyone else observed this slight problem?

Regards,
---
Joseph L. (Joe) Moll -- Network and Communications Engineering
mailto:jmoll@acquion.com   http://www.acquion.com
ACQUION, Inc. Greenville, SC USA -- Specialists in Electronic Commerce
PGP Fingerprint = 8D E7 F0 E8 8D 67 A8 19 02 CB 83 0F 19 41 D3 A9

From firewalls-owner Thu Dec 5 15:54:48 1996
From: Ken Wilcox
To: jsluzewski@dna.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Secondary IP address
Date: Thu, 05 Dec 1996 12:12:31 -0500

jsluzewski@dna.com writes:
>
> I have heard that it is possible to configure a secondary IP address on Solaris
> 2.5.1?
> If that's true, how can it be done?
> Thanks for any help.
>
> jsluzewski@dna.com
>

I think this is what you are referring to. Use ifconfig to bring up a pseudo interface with a different IP address. For example: if you have le0 and want another IP address, do this:

    example% ifconfig le0:1 some-ip netmask some-netmask broadcast + up

The :1 is the pseudo interface, and if you do an ifconfig -a it will show up like this:

    example% ifconfig -a
    lo0: flags=849 mtu 8232
            inet 127.0.0.1 netmask ff000000
    le0: flags=863 mtu 1500
            inet 123.70.146.6 netmask ffffffc0 broadcast 123.70.146.63
    le0:1: flags=863 mtu 1500
            inet 123.70.146.14 netmask ffffffc0 broadcast 123.70.146.63
    le0:2: flags=863 mtu 1500
            inet 123.70.146.16 netmask ffffffc0 broadcast 123.70.146.63
    le0:3: flags=843 mtu 1500
            inet 123.70.146.1 netmask ffffffc0 broadcast 123.70.146.63

I don't know what the limit is, but you should have as many as you need.

Ken Wilcox                       Perfect Order Inc.
Account Representative           Authorized Sun Reseller
2212 Eagles Nest Lane            Phone: +1 412 373 1528
Monroeville PA 15146             Email: wilcox@poss.com
                                 Fax:   +1 412 373 1722

From firewalls-owner Thu Dec 5 16:09:15 1996
To: Adrian Knight
Cc: Firewalls@GreatCircle.COM
Subject: Re: Why would someone want an NT firewall?
From: cwg@DeepEddy.Com
Date: Thu, 05 Dec 1996 16:01:13 -0600

> Because our firewall is on an NT platform and has a good GUI, I can be
> gone for a couple of weeks and even my boss, a manager, can sit down and
> make changes to the firewall comfortably. Several other people in the
> computing department with the password could do the same if they had to.
> After two years, nobody else could sit down to my Solaris box and do
> anything except manage to shut things down.

While you're at it, do you care to announce to the list when your next vacation is?

Personally, I don't *want* just anybody to be able to modify the firewall. I also don't want "several other people" to have the password to the firewall.

That said, I do understand why a MS based environment would want to run an NT firewall. However, you should note that your policies aren't the tightest I've seen.

Chris

--
Chris Garrigues                    O-             cwg@DeepEddy.Com
Deep Eddy Internet Consulting                     +1 512 432 4046
609 Deep Eddy Avenue
Austin, TX 78703-4513              http://www.DeepEddy.Com/~cwg/

From firewalls-owner Thu Dec 5 16:11:37 1996
From: Adrian Knight
To: FIREWALLS@GREATCIRCLE.COM
Subject: Re: Why would someone want an NT firewall?
Date: Thu, 05 Dec 1996 16:14:56 -0500 (CDT)

On Thu, 5 Dec 1996 cwg@DeepEddy.Com wrote:

> > Because our firewall is on an NT platform and has a good GUI, I can be
> > gone for a couple of weeks and even my boss, a manager, can sit down and
> > make changes to the firewall comfortably. Several other people in the
> > computing department with the password could do the same if they had to.
> > After two years, nobody else could sit down to my Solaris box and do
> > anything except manage to shut things down.
>
> While you're at it, do you care to announce to the list when your next
> vacation is?
>
> Personally, I don't *want* just anybody to be able to modify the firewall. I
> also don't want "several other people" to have the password to the firewall.
>

I wholeheartedly agree! But my company does like to have the option of not being dead-in-the-water if something happens and I, their Great Security Guru, am unavailable or in Alaska.

For clarification, I didn't say that several people DO make changes to our firewall. I said several other people COULD make changes if they had to. For example, if we had a hardware failure (which has happened) they could fix the hardware and have the operating system knowledge to be able to get the firewall system up and running again. If the same thing happened on our Solaris box they would be hard-pressed to do any of the above.

> Chris
>
> --
> Chris Garrigues                    O-             cwg@DeepEddy.Com
> Deep Eddy Internet Consulting                     +1 512 432 4046
> 609 Deep Eddy Avenue
> Austin, TX 78703-4513              http://www.DeepEddy.Com/~cwg/
>

From firewalls-owner Thu Dec 5 16:21:16 1996
From: "David J. Meltzer"
To: Adrian Knight
Cc: Firewalls@GreatCircle.COM
Subject: Re: Why would someone want an NT firewall?
Date: Thu, 5 Dec 1996 16:51:10 -0500 (EST)
> 2) We don't want to hire a rocket scientist to manage our firewall. A
> message earlier referred to firewalls being "necessarily technical."
> That's bogus. I think it's possible that a lot of people making money off
> of firewalls might want to keep them that way, but there are a lot of
> average people out there who want to AND CAN handle managing a firewall
> right along with the MANY other types of systems that are also included in
> our job responsibilities. In this age of computers, it is no longer valid
> to try to convince people that computers are just too complicated for the
> average person. I'm not a Microsoft Groupie or anything, but the reason
> their company is where they are today is that they realized that!
>
> Because our firewall is on an NT platform and has a good GUI, I can be
> gone for a couple of weeks and even my boss, a manager, can sit down and
> make changes to the firewall comfortably. Several other people in the
> computing department with the password could do the same if they had to.
> After two years, nobody else could sit down to my Solaris box and do
> anything except manage to shut things down.

I am all in favor of having an intuitive and easy to use GUI for a firewall. What I am not in favor of is letting anyone sit down at your firewall and make changes. Your boss may be able to sit down in 2 minutes on a firewall and figure out how to open up all incoming connections to port 23 on NT and not Solaris (although the similarities between NT and Unix GUIs for many firewalls are very small), but that doesn't mean that he knows enough about your network and network security to determine if what he is changing is potentially opening up security holes in your network.

The jobs of designing a firewall and then actually implementing it are two separate tasks. An intuitive GUI, based on NT or Unix, may aid you in your implementation, but it generally does nothing to help the design process. It is vitally important that a competent person design your firewall, and that whenever changes are made to the implementation, you check and double check that your currently configured firewall is still protecting you in the manner that you have designed it to.

I would strongly recommend against letting anyone that does not have a good base of computer security knowledge make changes to a firewall configuration. That doesn't mean you need to be a security expert to be able to run a firewall, but it does mean that you need to have read a few books on computer security and firewalls, and that you keep current with known services and programs that may open up vulnerabilities on your network.

--------------------------------+---------------------
David J. Meltzer                | Email: davem@iss.net
Systems Engineer                | Web:   www.iss.net
Internet Security Systems, Inc. | Fax:   (770)395-1972

From firewalls-owner Thu Dec 5 16:32:06 1996
From: dharris@kcp.com
To: Firewalls@GreatCircle.COM, Adrian Knight
Subject: Re: Why would someone want an NT firewall?
Date: Thu, 5 Dec 1996 16:59:46 -0600

Why do you consider it a "Good Thing" (TM) that your manager can sit down and modify your firewall? Is he fully aware of the impact his changes will have and how they might affect the ability of your firewall to implement your security policy?

I know it reeks of "security by obscurity", but a firewall that is easy to modify is also a firewall that is easy to modify incorrectly. If you have to stop and think about what you are doing before you can do anything, you are less apt to just do something to see what happens. My little experience with NT shows that even an experienced person who is just messing around with the GUI can jigger the wrong button and deny a whole LAN segment access to its server.

Please notice I specifically did not say that the NT box can't be used as a firewall. It may very well be just what you need to implement your security policy.

Delmer D. Harris

______________________________ Reply Separator _________________________________
Subject: Why would someone want an NT firewall?
Author: Adrian Knight at INTERNET-MAIL
Date: 12/5/96 8:46 AM

I've read for over a year about the Unix vs NT messages. For what it's worth, here are the reasons why, after 6 months of research and training, our site specifically chose an NT firewall instead of a Unix firewall. (FYI, we're running Eagle NT by Raptor)

1) We only have 3 Unix computers on our campus. I manage one of them, and after two years still know very little about it. Yes, if I spent "enough time" on it I would probably be a Unix expert by now, but I don't want to spend that much time, nor do I have the option of spending that much time on it.

2) We don't want to hire a rocket scientist to manage our firewall. A message earlier referred to firewalls being "necessarily technical."
That's bogus. I think it's possible that a lot of people making money off of firewalls might want to keep them that way, but there are a lot of average people out there who want to AND CAN handle managing a firewall right along with the MANY other types of systems that are also included in our job responsibilities. In this age of computers, it is no longer valid to try to convince people that computers are just too complicated for the average person. I'm not a Microsoft Groupie or anything, but the reason their company is where they are today is that they realized that!

Because our firewall is on an NT platform and has a good GUI, I can be gone for a couple of weeks and even my boss, a manager, can sit down and make changes to the firewall comfortably. Several other people in the computing department with the password could do the same if they had to. After two years, nobody else could sit down to my Solaris box and do anything except manage to shut things down.

3) At the time of my research a year ago, most mainstream firewalls ran on minicomputer-class machines like Sun Sparc, HPUX, AIX. For an educational site with good discounts, a platform like that ran around $15,000. We put our firewall on a well-endowed NT PC for $5,000. Hardware and software maintenance is also much cheaper.

There are many other reasons that I chose NT over Unix, but I'll leave it here.

Adrian Knight                    | Network Manager
Harding University               | Internet: KNIGHT@HARDING.EDU
900 E. Center, Box 2264          | Phone: (501) 279-4440
Searcy, AR 72149-0001            |

From firewalls-owner Thu Dec 5 16:58:42 1996
From: "Feeney, Tim"
To: Firewall Mailing List
Subject: RE: Firewalls over NT
Date: Thu, 05 Dec 1996 12:32 -0500 (EST)

Well I just could not hold back from jumping into the fray. I will not address the NT vs. Unix fray, or try to comment on Marcus' detailed message. I just would like to make an observation as a "far from expert" systems/firewall administrator.

What platform you use comes down to how comfortable you are with the OS. I would not install a firewall on NT/AIX/BSD/Linux/DOS/etc....., not because I feel they are insecure, or not any good, but because I do not know them well enough to be comfortable with using them.

The vast majority of break-ins are due to a hacker exploiting an old well known bug, or a configuration mistake. No matter what OS or firewall you use, the default configuration will not (99.9%) work for your environment, and will therefore be insecure.

As can be seen in the number of "what firewall do I use" posts to this mailing list, there are more and more people being thrown into the firewall administrator position due to lack of resources (bodies or money) or knowledge of the scope of the task. I have only seen one post recently (past 6+ months) requesting information on firewall/security training. This just bears out some of the numbers out there that show a lack of knowledge, or regard, for system/site security.

These opinions are not original and have been voiced by many other more notable people (disclaimer) in the security arena.

Thanks for bearing with me while I satisfied my need.

Tim Feeney
{As always my opinions are mine and I have no idea at times where they emanate from}

From firewalls-owner Thu Dec 5 17:02:59 1996
From: firewalls-owner
To: Firewalls@GreatCircle.COM
Subject: Undeliverable Message
Date: 5 DEC 96 19:33:27 EST

To: Dean E Vaccher@IS_WBRHQ@BAMSWB
Subject: Firewalls-Digest V5 #649

Message not delivered to recipients below.

VNM3043: Dean E Vaccher@IS_WBRHQ@BAMSWB

**** Attachment message(s) will follow in 1 separate transmissions.
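Added example (editor's code, not from any list member): an audit script for the Solaris logical-interface setup Ken Wilcox describes earlier in this digest (le0 with le0:1, le0:2, ... aliases). It parses `ifconfig -a` output, decodes the hex flags word with the Solaris IFF_* bit values, checks that each logical interface sits in its parent interface's subnet with the same broadcast address, and compares every configured address against a baseline so that an unexpected alias on a firewall host stands out. The ifconfig text and the baseline are constructed to match his listing; call `audit(parse_ifconfig(text), BASELINE)` on real output.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Solaris IFF_* flag bits, so "flags=863" can be read without a calculator.
IFF_BITS = {0x1: "UP", 0x2: "BROADCAST", 0x8: "LOOPBACK", 0x10: "POINTOPOINT",
            0x20: "NOTRAILERS", 0x40: "RUNNING", 0x80: "NOARP",
            0x100: "PROMISC", 0x800: "MULTICAST"}

# "le0:1: flags=863<...> mtu 1500"  ->  name "le0:1", flags 0x863
HEADER_RE = re.compile(r"^(?P<name>\S+?): flags=(?P<flags>[0-9a-fA-F]+)")
# "        inet 123.70.146.14 netmask ffffffc0 broadcast 123.70.146.63"
INET_RE = re.compile(r"inet (?P<addr>\d+\.\d+\.\d+\.\d+) netmask (?P<mask>[0-9a-fA-F]{8})"
                     r"(?: broadcast (?P<bcast>\d+\.\d+\.\d+\.\d+))?")

# Constructed sample modelled on the listing in Ken Wilcox's message: the
# physical interface le0 plus three logical interfaces le0:1..le0:3.
SAMPLE_IFCONFIG = """\
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
le0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 123.70.146.6 netmask ffffffc0 broadcast 123.70.146.63
le0:1: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 123.70.146.14 netmask ffffffc0 broadcast 123.70.146.63
le0:2: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 123.70.146.16 netmask ffffffc0 broadcast 123.70.146.63
le0:3: flags=843<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 123.70.146.1 netmask ffffffc0 broadcast 123.70.146.63
"""
# Constructed baseline of the addresses the administrator expects this host
# to own; le0:3's 123.70.146.1 is left out so the audit has something to report.
BASELINE = {"123.70.146.6", "123.70.146.14", "123.70.146.16"}


@dataclass
class Interface:
    name: str
    flags: int
    addr: Optional[ipaddress.IPv4Address] = None
    mask: Optional[ipaddress.IPv4Address] = None
    bcast: Optional[ipaddress.IPv4Address] = None

    @property
    def parent(self) -> str:
        return self.name.split(":", 1)[0]          # "le0:1" -> "le0"

    @property
    def network(self) -> Optional[ipaddress.IPv4Network]:
        if self.addr is None or self.mask is None:
            return None
        return ipaddress.IPv4Network((self.addr, str(self.mask)), strict=False)

    def flag_names(self) -> Set[str]:
        return {n for bit, n in IFF_BITS.items() if self.flags & bit}


def parse_ifconfig(text: str) -> List[Interface]:
    """Turn `ifconfig -a` output into Interface records (IPv4 only)."""
    ifaces: List[Interface] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ifaces.append(Interface(m["name"], int(m["flags"], 16)))
            continue
        m = INET_RE.search(line)
        if m and ifaces:                           # address line for the last header
            cur = ifaces[-1]
            cur.addr = ipaddress.IPv4Address(m["addr"])
            cur.mask = ipaddress.IPv4Address(int(m["mask"], 16))
            cur.bcast = ipaddress.IPv4Address(m["bcast"]) if m["bcast"] else None
    return ifaces


def audit(ifaces: List[Interface], baseline: Set[str]) -> List[str]:
    """Report addresses missing from the baseline, promiscuous interfaces, and
    logical interfaces that disagree with their parent's subnet or broadcast."""
    findings: List[str] = []
    by_name: Dict[str, Interface] = {i.name: i for i in ifaces}
    for i in ifaces:
        names = i.flag_names()
        if i.addr is None or "LOOPBACK" in names:
            continue
        if "PROMISC" in names:
            findings.append(f"{i.name}: interface is in promiscuous mode")
        if str(i.addr) not in baseline:
            findings.append(f"{i.name}: address {i.addr} not in baseline")
        if ":" not in i.name:                      # physical interface: no parent
            continue
        parent = by_name.get(i.parent)
        if parent is None or parent.network is None:
            findings.append(f"{i.name}: parent {i.parent} is not configured")
            continue
        if i.addr not in parent.network:
            findings.append(f"{i.name}: {i.addr} is outside {i.parent}'s subnet {parent.network}")
        if i.bcast != parent.bcast:
            findings.append(f"{i.name}: broadcast {i.bcast} differs from {i.parent}'s {parent.bcast}")
    return findings
```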
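Added example (editor's code, not from any list member or from Microsoft): detection logic for the IIS 2.0 cgi-bin exposure Joe Moll reports earlier in this digest, run over constructed log lines in the native comma-separated IIS log format. It normalises each requested path the way the server resolves it (percent-decoding, backslashes, dot segments, case folding) and flags any request under /cgi-bin/ for a file the directory is not meant to execute, separating files actually served (2xx) from blocked attempts. The control this supports is an IIS scripts directory with Execute permission but without Read, so that knowing a file's name is no longer enough to download it; the field order and the executable-extension allow-list are assumptions to adjust to the site's logging and script mappings.

```python
import posixpath
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

# Constructed sample lines in the native comma-separated IIS log format
# (client IP, user, date, time, service, server, server IP, time taken,
# bytes received, bytes sent, HTTP status, Win32 status, method, target,
# parameters). EXAMPLEDOM\alice mimics the DOMAIN\USERNAME that Joe Moll's
# message says IIS records when Internet Explorer hands over NT credentials.
SAMPLE_LOG = r"""
10.1.2.3, -, 12/5/96, 16:20:01, W3SVC, WEBSRV, 192.0.2.10, 15, 250, 4096, 200, 0, GET, /index.htm, -,
10.1.2.3, -, 12/5/96, 16:20:05, W3SVC, WEBSRV, 192.0.2.10, 31, 270, 1200, 200, 0, GET, /cgi-bin/my_cgi.exe, name=x,
10.1.2.9, EXAMPLEDOM\alice, 12/5/96, 16:22:37, W3SVC, WEBSRV, 192.0.2.10, 16, 300, 812, 200, 0, GET, /cgi-bin/my_cgi.ini, -,
10.1.2.9, EXAMPLEDOM\alice, 12/5/96, 16:22:40, W3SVC, WEBSRV, 192.0.2.10, 16, 300, 812, 200, 0, GET, /CGI-BIN/../cgi-bin/%6Dy_cgi.ini, -,
10.1.2.7, -, 12/5/96, 16:30:12, W3SVC, WEBSRV, 192.0.2.10, 0, 290, 0, 403, 5, GET, /cgi-bin/users.mdb, -,
10.1.2.7, -, 12/5/96, 16:30:15, W3SVC, WEBSRV, 192.0.2.10, 0, 290, 0, 404, 2, GET, /cgi-bin/config.bak, -,
"""

# Extensions a CGI directory is supposed to *execute* (assumed allow-list;
# extend it if script mappings such as Perl are configured). Anything else
# under /cgi-bin/ that the server answered with 2xx was handed out as a
# plain file: script source, .ini settings, data files.
CGI_EXEC_EXTS = {".exe", ".dll"}
CGI_PREFIX = "/cgi-bin/"


@dataclass
class Request:
    client: str
    user: str
    time: str
    status: int
    method: str
    target: str


@dataclass
class Finding:
    kind: str        # "disclosure" (2xx answer) or "attempt" (anything else)
    path: str        # normalised path the server actually resolved
    request: Request


def parse_iis_log(text: str) -> List[Request]:
    """Parse the 15-field native IIS format; malformed lines are skipped."""
    requests: List[Request] = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 15 or not fields[10].isdigit():
            continue
        requests.append(Request(client=fields[0], user=fields[1],
                                time=f"{fields[2]} {fields[3]}",
                                status=int(fields[10]), method=fields[12],
                                target=fields[13]))
    return requests


def normalize_target(target: str) -> str:
    """Canonicalise the request path the way the file system will see it:
    percent-decode, turn backslashes into slashes, resolve ".." segments,
    and fold case (NTFS and IIS paths are case-insensitive)."""
    path = unquote(target).replace("\\", "/")
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def find_cgi_bin_exposure(requests: List[Request]) -> List[Finding]:
    """Flag every request for a non-executable file under /cgi-bin/."""
    findings: List[Finding] = []
    for r in requests:
        path = normalize_target(r.target)
        if not path.startswith(CGI_PREFIX):
            continue
        if posixpath.splitext(path)[1] in CGI_EXEC_EXTS:
            continue                     # a CGI program being run, as intended
        kind = "disclosure" if 200 <= r.status < 300 else "attempt"
        findings.append(Finding(kind, path, r))
    return findings


if __name__ == "__main__":
    for f in find_cgi_bin_exposure(parse_iis_log(SAMPLE_LOG)):
        print(f"{f.kind:10} {f.request.client:10} {f.request.user:18} "
              f"{f.request.status} {f.path}")
```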
From firewalls-owner Thu Dec 5 17:50:45 1996
From: gary flynn
To: firewalls-owner@GreatCircle.COM, paonia@exon.massart.mass.edu
Cc: firewalls@GreatCircle.COM, gary@habanero.jmu.edu
Subject: Re: .edu w/ firewalls
Date: Thu, 5 Dec 1996 12:46:19 -0500

> From: Sameer R Manek
> To: Paonia Ezrine
> Cc: firewalls@GreatCircle.COM
>
> A firewall on campus would do almost no good as
> the biggest threats to the network are already on campus.

There are also threats off campus. On-campus ones *may* be easier to identify and track.

> Using our school as an example we have 3 networks
> here, administrative, instructional and student. Admin
> net is the actual machines that run admin, plus the machines
> in the admin building, and the machines of all the deans.

Are you saying you have a firewall between the various networks? How are they three separate networks? I'd be interested in discussing the policies you used to set these up. We're wrestling with that right now.

Frankly, I worry more about the risk of denial of service attacks than I do anything else. The auditors and systems administrators worry about the data confidentiality and integrity more. I help them along when I can with encryption, firewalls, etc.

Given the uniqueness of the educational environment, I'd love to see a gathering of some sort between the network managers and policy folks of the various institutions. Anyone hear of such a beast? The academic-firewalls list is almost dead.

> The instructional net is the machines in the instructor offices,
> machines used in computer labs for instructional purposes. Which
> students do have access to. And finally the student network
> is where student-body owned/operated machines reside.
>
> Firewalling admin off sounds good but keep in mind instructors
> may want to access email (pop) or telnet to admin from their
> office/the lab. So firewalling off is not always possible.
>
> Naturally a packet filtering router is A Good Thing (TM)
>
> Good luck

From firewalls-owner Thu Dec 5 18:12:19 1996
From: Alfred Huger
To: Jeromie Jackson
Cc: firewalls@GreatCircle.COM, Ryan.Russell@sybase.com
Subject: Re: Cisco's PIX Firewall
Date: Thu, 5 Dec 1996 18:37:53 -0700 (MST)

On Thu, 5 Dec 1996, Jeromie Jackson wrote:

> Food for thought for people like Cisco/FW1... If you were to just make
> a Mail Transport Agent for the hub, and provide it along with the product,
> people like me could not bitch, and you could say you covered the bases. I did
> note in one of the earlier posts from Cisco that they are indeed working on it.

Creating an MTA does not solve the issue. Who is to say that a vendor authored MTA is any more secure than Berkeley Sendmail? At least with Berkeley Sendmail you have the source to review if you so choose. I submit that this is a luxury you would not have with a vendor supplied MTA.

People tend to attack Sendmail because it's high profile as far as security errors go. However, DNS and HTTP are just as, if not more, serious areas of concern. I think the real solution is to have these services made available with full source code. This being said, I think there are plenty of free software packages available to meet these needs. This software simply needs to be reviewed on a regular basis.

------------------------------------------------------------------------------
Alfred Huger                                                ahuger@secnet.com
Secure Networks Inc.
------------------------------------------------------------------------------

From firewalls-owner Thu Dec 5 19:10:59 1996
From: lists@lina.inka.de (Bernd Eckenfels)
To: jk@stallion.ee (Jyri Kaljundi)
Cc: Firewalls@GreatCircle.COM
Subject: Re: VPNs
Date: Fri, 6 Dec 1996 03:58:01 +0100 (MET)
Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, > I would suggest you have a look at F-Secure VPN software, made by Data > Fellows in Finland (http://www.datafellows.fi/f-secure/), which is one of > the few (if not the only) really strong VPN software products available in > Europe (or Africa/Asia etc). AFAIK TIS UK is selling reimplemented Gaunteld with Crypto Stuff, but VPns are pending (last time I heared from them). Greetings Bernd From firewalls-owner Thu Dec 5 19:15:16 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA01804 for firewalls-outgoing; Thu, 5 Dec 1996 18:36:11 -0800 (PST) Received: from ns2.eds.com (ns2.eds.com [199.228.142.78]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA01731 for ; Thu, 5 Dec 1996 18:35:50 -0800 (PST) From: MSITMI02.XZ46G8@eds.com Received: from nnsp.eds.com (nnsp.eds.com [130.174.32.78]) by ns2.eds.com (8.8.2/8.8.2) with ESMTP id VAA16189 for ; Thu, 5 Dec 1996 21:35:53 -0500 (EST) Received: from DNET.EDS.COM (dnet.eds.com [130.174.31.77]) by nnsp.eds.com (8.7.6/8.7.3) with SMTP id VAA31481 for ; Thu, 5 Dec 1996 21:35:21 -0500 (EST) X400-Originator: MSITMI02.XZ46G8@eds.com X400-Recipients: firewalls@GreatCircle.COM X400-MTS-Identifier: [/PRMD=DMN2PILOT/ADMD=TELEMAIL/C=US/;0095000008012031000002] X400-Content-Type: P2-1988 (22) Message-ID: <0095000008012031000002*@MHS> To: "firewalls(a)GreatCircle.COM":; Subject: Firewalls and RAS Date: Thu, 5 Dec 1996 21:38:50 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone have any recommendations on how to make RAS available to remote clients when the internet gateway is a firewall? Would you have PPP on the Firewall itself, a RAS server outside the Firewall, a modem bank outside the firewall? What protocols have to pass the firewall? 
distinti saluti/best regards Philip Kerrigan EDS Italia SpA Viale Monza, 257 Milano, Italy tel. + (0)2 2524272 msitmi02.xz46g8@eds.com fax + (0)2 27002588 From firewalls-owner Thu Dec 5 19:26:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA05111 for firewalls-outgoing; Thu, 5 Dec 1996 19:08:10 -0800 (PST) Received: from dns.networx.com.au (dns.networx.com.au [203.21.140.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA05084 for ; Thu, 5 Dec 1996 19:07:55 -0800 (PST) Received: from DEMO.networx.com.au (203.21.140.5) by dns.networx.com.au (EMWAC SMTPRS 0.81) with SMTP id ; Fri, 06 Dec 1996 13:06:25 +1000 Message-ID: From: "Leon O'Brien" To: , "Joseph L. Moll" Subject: Re: Vunerabilities in Microsoft's IIS 2.0 Date: Fri, 6 Dec 1996 13:04:05 +1100 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I think you'll find that if the server turned off directory browsing, surely thats available, it shouldn't be a problem. Were you using IE or NetScape as your browser? IE allows the user to open and browse directories locally and on other servers, who knows if its a feature or what ;-). IE 3.0 can be used to be the front end to an Intranet, used to open applications and the like. Leon ---------- > From: Joseph L. Moll > To: firewalls@greatcircle.com > Subject: Vunerabilities in Microsoft's IIS 2.0 > Date: Friday, December 06, 1996 8:22 AM > > Hello all: > > We have noticed a little problem with IIS 2.0 and were wondering if the > problem also exists in IIS 3.0. > > It seems that anyone can browse the any files in the cgi-bin directory on > the server. For example, browse this on your IIS web host: > > http://your.domain.here/cgi-bin/my_cgi.ini > > The only catch is that you have to know the name of the file. 
> Good ole
> security by obscurity?
>
> IIS 2.0 in conjunction with M$ Internet Exploder passes the end users domain
> and username to the IIS for access. Gets logged in the log file as
> DOMAIN\USERNAME.
>
> Anyone else observed this slight problem?
>
>
> Regards,
> ---
> Joseph L. (Joe) Moll -- Network and Communications Engineering
> mailto:jmoll@acquion.com http://www.acquion.com
> ACQUION, Inc. Greenville, SC USA -- Specialists in Electronic Commerce
> PGP Fingerprint = 8D E7 F0 E8 8D 67 A8 19 02 CB 83 0F 19 41 D3 A9

From firewalls-owner Thu Dec 5 19:28:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA15280 for firewalls-outgoing; Thu, 5 Dec 1996 16:34:01 -0800 (PST)
Received: from deepeddy.com (DeepEddy.Com [192.12.3.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA15262 for ; Thu, 5 Dec 1996 16:33:40 -0800 (PST)
Received: (qmail 15394 invoked from network); 6 Dec 1996 00:33:40 -0000
Received: from localhost (HELO deepeddy.DeepEddy.Com) (@127.0.0.1) by localhost with SMTP; 6 Dec 1996 00:33:40 -0000
X-Mailer: exmh version 2.0alpha 12/3/96
To: Rabid Wombat
Cc: Michael Dillon , Great Circle Firewall Mailing List
Subject: Re: IRINA is a Hoax
In-Reply-To: Your message of "Thu, 05 Dec 1996 13:30:30 EST."
X-Url: http://www.DeepEddy.Com/~cwg
From: cwg@DeepEddy.Com
Cc: cwg@DeepEddy.Com
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_1881580802P"; micalg=pgp-md5; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Thu, 05 Dec 1996 18:33:36 -0600
Message-ID: <15391.849832416@deepeddy.DeepEddy.Com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > Yup - sites I'm at get "infected" with "good times" about once a month.
> It only infects carbon-based systems - end-lusers.
> They ignore all
> security procedures and forward copies of the warning to everyone except
> the designated point of contact for computer security incidents. This
> behavior is best stopped by killing a few end-lusers, which forces the
> virus into remission for about 30 days.

Didn't you know? "XXXX is a hoax" is an anti-virus program for carbon-based systems. It's a shame it isn't more effective. Its biggest problem is that it keeps getting run on systems which are already inoculated against "Good Times" to the point where it's actually more annoying than "Good Times" itself.

Chris

--
Chris Garrigues                 O-          cwg@DeepEddy.Com
Deep Eddy Internet Consulting                +1 512 432 4046
609 Deep Eddy Avenue
Austin, TX 78703-4513            http://www.DeepEddy.Com/~cwg/

From firewalls-owner Thu Dec 5 19:41:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA06587 for firewalls-outgoing; Thu, 5 Dec 1996 19:30:05 -0800 (PST)
Received: from silence.secnet.com (silence.secnet.com [204.191.222.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA06563 for ; Thu, 5 Dec 1996 19:29:43 -0800 (PST)
Received: from localhost (ahuger@localhost) by silence.secnet.com (8.8.2/secnet) with SMTP id VAA03084; Thu, 5 Dec 1996 21:32:27 -0700 (MST)
Date: Thu, 5 Dec 1996 21:32:26 -0700 (MST)
From: Alfred Huger
To: Jeromie Jackson
cc: firewalls@GreatCircle.COM, Ryan.Russell@sybase.com
Subject: Re: Cisco's PIX Firewall
In-Reply-To: <9612060221.AA03683@garrison.com.>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Dec 1996, Jeromie Jackson wrote:

> In
> regards to your opinion of the code being more secure because of the
> widely publicized source code, I would definitely have to DISAGREE with you.

I said no such thing, I stated that it was better to have access to source than not to have access to source. And that there was no guarantee the vendor is writing secure code.

> Just because the code is made public does not make it more secure whatsoever.
> Now if you would have said that the code be made public so that a formal
> testing methodology be implemented upon it.

I believe the last line of my message read:

"This software simply needs to be reviewed on a regular basis"

And I was not referring to performance tuning........

> code to the public may give random people a chance of finding a security
> problem I would agree. However, providing code to the public does not
> provide assurance

It provides *more* assurance than letting the vendors offer up binaries with no outside body to review the source. Ask yourself how many bugs come to light from end users flipping through source code, as compared to how many bugs the vendors release information on and patch. You will find that bugs are most commonly found by the end user, who in *many* cases is reading the code and posting the bug to a forum where the vendor cannot ignore it (ie: bugtraq etc).

*******************************************************************************
Alfred Huger                                    ahuger@secnet.com
Secure Networks Inc.
403.262.9211
*******************************************************************************

From firewalls-owner Fri Dec 6 00:27:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA05516 for firewalls-outgoing; Thu, 5 Dec 1996 19:14:51 -0800 (PST)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA05498 for ; Thu, 5 Dec 1996 19:14:34 -0800 (PST)
Received: from mhoward-pc.cisco.com (dhcp-vm1-2-186.cisco.com [171.68.164.186]) by diablo.cisco.com (8.6.12/CISCO.SERVER.1.1) with SMTP id TAA25301; Thu, 5 Dec 1996 19:13:37 -0800
Message-Id: <2.2.32.19961206030011.009863b4@diablo.cisco.com>
X-Sender: mhoward@diablo.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 05 Dec 1996 19:00:11 -0800
To: Alfred Huger , Jeromie Jackson
From: Matthew Howard
Subject: Re: Cisco's PIX Firewall
Cc: firewalls@GreatCircle.COM, dochin@cisco.com, jlw@cisco.com, lazar@netevolve.com, froys@cisco.com, afoss@cisco.com, amittal@cisco.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:20 PM 12/4/96 -0700, Alfred Huger wrote:
>
>
>On Wed, 4 Dec 1996, Jeromie Jackson wrote:
>
>>
>>
>> > This opens up UDP ports 7648 and 7649 BLINDLY to all traffic including
>> > attacks. Also there's that infamous estab statement where someone who
>> > knows how to doctor the ACK bit can inject TCP packets into the customers'
>> > net.
>>
>> Hmm, That certainly looks like packet filtering to me. Based on header
>> information, you are making decisions about packet flow. As far as being
>> 'spoof proof', that is just not correct. If you are talking to '1.2.3.4', I
>> can send you a packet appearing as though it is originating from '1.2.3.4',
>> you would believe me, because there is no authentication built into IPV4.
>> I would
>> agree, that the filtering mentioned above is better than that done w/ a standard
>> IP filtering device, although because decisions are being made on objects that
>> are not authenticated (header information), ACL's can, and will be vulnerable to
>> spoofing/hijacking.
>>
>
>ACL's being vulnerable to spoofing/hijacking..... I am not sure if I am
>reading you clear on this, but what I think I see you saying is that you
>can still spoof Source IP addresses to a Cisco PIX firewall. Also you
>state, trusted connections to the firewall can be hijacked. If this is
>what you are saying, my reply would be such.

We also track all tcp flags including tcp seq numbers. We also randomize each new session through our adaptive security algorithm (stateful). Plus we support ah/esp.

Matt

>
>You're correct in saying IP4 has no built in authentication, the only thing
>in IPV4, related to security is the Security Field (which denotes how
>classified a datagram is). This being said, anyone, anywhere can slap
>any Source Address on a packet and fire it off their wire. *No* Firewall
>can protect you from this. Cisco PIX or otherwise. If you need to speak
>the outside world (which if you have a Firewall I assume you do) then you
>are subject to packets with questionable Source Addresses. I don't see
>this as a real weakness of any given Firewall, just shortcomings of IPV4.
>
>As to streams of data (TCP presumably) being open to hijacking. That again
>is another problem which cannot really be addressed by a Firewall itself.
>If an attacker has breached a host whom your firewall allows *unencrypted*
>or even *encrypted* connections from, you're had. And it's not your
>Firewall's fault.
>
>Both of these issues are policy issues. Both require a Firewall Admin to
>ask himself how much of the outside world he/she trusts. In the case of
>spoofable addresses, Admins must realize that not all packets coming in
>off the net are really coming from where they say they are.
>In respects
>to TCP hijacking, an Admin has to ask his/herself if they want to allow
>TCP connections through their firewall.
>
>
>--------------------------------------------------------------------------
>Alfred Huger                                    ahuger@secnet.com
>Secure Networks Inc.
>---------------------------------------------------------------------------
>
>
>

From firewalls-owner Fri Dec 6 00:52:21 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA00151 for firewalls-outgoing; Fri, 6 Dec 1996 00:22:24 -0800 (PST)
Received: from gw.garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA08375 for ; Thu, 5 Dec 1996 19:53:26 -0800 (PST)
Received: by gw.garrison.com; id PAA06622; Thu, 5 Dec 1996 15:47:16 -0600 (CST)
Received: from ukn0.garrison.com(10.0.0.2) by gw.garrison.com via smap (3.2) id xma006616; Thu, 5 Dec 96 15:47:07 -0600
Received: by garrison.com. (4.1/Surrogate Sendmail hack) id AA03816; Thu, 5 Dec 96 21:48:25 CST
Date: Thu, 5 Dec 96 21:48:25 CST
From: jeromie@garrison.com (Jeromie Jackson)
Message-Id: <9612060348.AA03816@garrison.com.>
To: ahuger@secnet.com
Subject: Re: Cisco's PIX Firewall
Cc: firewalls@GreatCircle.COM, Ryan.Russell@sybase.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Thu, 5 Dec 1996, Jeromie Jackson wrote:
>
> > In regards to your opinion of the code being more secure because of the
> > widely publicized source code, I would definitely have to DISAGREE with you.

Alfred Huger Wrote:
> I said no such thing, I stated that it was better to have access to source
> than not to have access to source. And that there was no guarantee the
> vendor is writing secure code.
>
> > Just because the code is made public does not make it more secure whatsoever
> > Now if you would have said that the code be made public so that a formal
> > testing methodology be implemented upon it.
>
> I believe the last line of my message read:
>
> "This software simply needs to be reviewed on a regular basis"
>
> And I was not referring to performance tuning........
>

I was not referring to performance tuning. If you look @ my statements they are made in relation to ASSURANCE, not performance. Also, you mentioned "This software simply needs to be reviewed on a regular basis." Simple review of the code doesn't provide much whatsoever. I believe it was apparent from my remarks that it is important to have METHODOLOGY within the testing, not just 'simply...reviewing..'

> > code to the public may give random people a chance of finding a security
> > problem I would agree. However, providing code to the public does not
> > provide assurance
>
> It provides *more* assurance than letting the vendors offer up binaries
> with no outside body to review the source. Ask yourself how many bugs
> come to light from end users flipping through source code, as compared to
> how many bugs the vendors release information on and patch. You will find
> that bugs are most commonly found by the end user, who in *many* cases is
> reading the code and posting the bug to a forum where the vendor cannot
> ignore it (ie: bugtraq etc).
>

I would have to agree with you, that providing the code to the public gives a better chance of finding problems, since we know vendors don't have adequate time to prove assurance. I would also submit that if the vendors WERE to implement formal testing methodologies, that their testing would most likely provide better security than that which is found from the public @ large, who is merely glancing @ the code.

I would also like to comment that I agree with you in the fact that releasing code to the public is generally going to provide better code. The reason for this is not because of the large amount of people reviewing the code, but because of the lack of adequate testing methods within the vendor community.
To summarize my comments on the usefulness of the MTA for Cisco and the other security vendors.

1. It would be a good thing for organizations such as Cisco/FW-1 to provide an MTA.. The reason I said to 'create' one was merely so they could 'sell' it as part of their security solution w/o breaking any licensing agreements (IE: using SMAP from the FWTK as part of their commercial solution)

2. Providing code to the community as a whole is not what creates a secure MTA agent, it is formal testing methodologies.

Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Fri Dec 6 01:37:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA02188 for firewalls-outgoing; Thu, 5 Dec 1996 18:39:17 -0800 (PST)
Received: from gw.iai.com (gw.iai.com [206.64.157.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA02169 for ; Thu, 5 Dec 1996 18:38:57 -0800 (PST)
Received: by gw.iai.com; id VAA28934; Thu, 5 Dec 1996 21:38:57 -0500 (EST)
Received: from milford.iai.com(192.206.185.2) by gw.iai.com via smap (3.2) id xma028932; Thu, 5 Dec 96 21:38:48 -0500
Received: by milford.iai.com (AIX 4.1/UCB 5.64/4.03) id AA23338; Thu, 5 Dec 1996 21:39:04 -0500
From: jegan@iai.com (James Egan)
Message-Id: <9612060239.AA23338@milford.iai.com>
Subject: Re: Serially connected firewalls and FTP
To: MIXSR@pjm.com (Mix, S.R.)
Date: Thu, 5 Dec 1996 21:39:04 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <32A73630@mailman.pjm.com> from "Mix, S.R." at Dec 5, 96 03:54:00 pm
Reply-To: Jim.Egan@iai.com
Organization: Integrated Architectures, Inc.
Pgp-Fingerprint: 64 47 DC 51 D9 11 1D FF 31 43 9C 4C E2 A1 FC 04
Pgp-Public-Key: public-key-server@martigny.ai.mit.edu (subject: GET jegan)
X-Mailer: ELM [version 2.4 PL24 ME5a]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mix, S.R.
recently wrote:
>
>
> Hi:
>
> We are attempting to determine how to get FTP sessions established
> end-to-end between multiple networks, each protected by a firewall:
>
>          +-----+                  +------------+                  +--------+
>          |     |                  |            |                  |        |
>  +--+    |     | +----------+     |            | +----------+     |        | +------------+
>  |PC|    +---|FireWall a|---+     +---|FireWall b|---+     | FTP server |
>  +--+        +----------+             +----------+         +------------+
>
> FireWall b is a TIS Firewall Toolkit Version 2.0
>
> FireWall a so far has been an Eagle Raptor or another TIS FWTK.
>
> The question is:
>
> how does a user on the "PC" (which might include a UNIX command line)
> connect through the two firewalls to the FTP server?
>
> Thanks,
> Scott R. Mix
> PJM Interconnection Association
>

I do this all the time. The procedure below assumes you are using weak authentication and anonymous FTP is OK at Server.

From PC do "ftp FW-a".
At the FW-a proxy prompt logon as "ftp@FW-b".
At the FW-b proxy prompt logon as "ftp@server".
At Server password use "user@PC".

/Jim/

--
James P. Egan                      | Jim.Egan@iai.com
Integrated Architectures, Inc.     | http://www.iai.com
300 East Main Street, Suite 207    | Tel: 508-634-3200 x209
Milford, MA 01757                  | Fax: 508-634-8381
Use PGP for more secure email

From firewalls-owner Fri Dec 6 01:51:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA00846 for firewalls-outgoing; Thu, 5 Dec 1996 18:27:22 -0800 (PST)
Received: from gw.garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA00768 for ; Thu, 5 Dec 1996 18:26:53 -0800 (PST)
Received: by gw.garrison.com; id OAA06418; Thu, 5 Dec 1996 14:20:45 -0600 (CST)
Received: from ukn0.garrison.com(10.0.0.2) by gw.garrison.com via smap (3.2) id xma006414; Thu, 5 Dec 96 14:20:27 -0600
Received: by garrison.com.
(4.1/Surrogate Sendmail hack) id AA03683; Thu, 5 Dec 96 20:21:45 CST
Date: Thu, 5 Dec 96 20:21:45 CST
From: jeromie@garrison.com (Jeromie Jackson)
Message-Id: <9612060221.AA03683@garrison.com.>
To: ahuger@secnet.com
Subject: Re: Cisco's PIX Firewall
Cc: firewalls@GreatCircle.COM, Ryan.Russell@sybase.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Thu, 5 Dec 1996, Jeromie Jackson wrote:
>
> >
> >
> > Food for thought for people like Cisco/FW1... If you were to just make
> > a Mail Transport Agent for the hub, and provide it along with the product,
> > people like me could not bitch, and you could say you covered the bases. I did
> > note in one of the earlier posts from Cisco that they are indeed working on it.
> >
>
> Creating an MTA does not solve the issue. Who is to say that a
> vendor authored MTA is any more secure than Berkeley Sendmail? At least
> with Berkeley Sendmail you have the source to review if you so choose. I
> submit that this is a luxury you would not have with a vendor supplied
> MTA. People tend to attack Sendmail because it's high profile as far as
> security errors go. However, DNS and HTTP are just as, if not more serious
> areas of concern. I think the real solution is to have these services made
> available with full source code. This being said, I think there are plenty
> of free software packages available to meet these needs. This software
> simply needs to be reviewed on a regular basis.
>

Yes, you are right, I should not assume that the vendor of a security product would do any type of assurance testing that would supersede that of the current MTA products. In a decent security world, one might be able to assume something of the sort, but..... I would have to agree with you.

In regards to your opinion of the code being more secure because of the widely publicized source code, I would definitely have to DISAGREE with you. Just because the code is made public does not make it more secure whatsoever.
Now if you would have said that the code be made public so that a formal testing methodology be implemented upon it, I would have agreed. Releasing the code to the public may give random people a chance of finding a security problem I would agree. However, providing code to the public does not provide assurance

Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Fri Dec 6 02:44:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA29936 for firewalls-outgoing; Thu, 5 Dec 1996 18:21:38 -0800 (PST)
Received: from jkt01-omi.jakarta.omnes.net (jkt01-omi.jakarta.omnes.net [163.184.50.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA29835 for ; Thu, 5 Dec 1996 18:20:58 -0800 (PST)
Received: from [163.184.7.252] ([163.184.50.5]) by jkt01-omi.jakarta.omnes.net (post.office MTA v1.9.3b ID# 0-16271) with ESMTP id AAA312 for ; Fri, 6 Dec 1996 09:19:07 +0000
X-Sender: pollock@jakarta.omnes.net
Message-Id:
In-Reply-To: <199612052012.MAA23281@miles.greatcircle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 6 Dec 1996 09:13:51 +0700
To: Firewalls@GreatCircle.COM
From: Don Pollock - Omnes - Engineering
Subject: Re: Why would someone want an NT firewall?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

RE:
>2) We don't want to hire a rocket scientist to manage our firewall. A
>message earlier referred to firewalls being "necessarily technical."
>That's bogus. I think it's possible that a lot of people making money off
>of firewalls might want to keep them that way, but there are a lot of
>average people out there who want to AND CAN handle managing a firewall
>right along with the MANY other types of systems that are also included in
>our job responsibilities. In this age of computers, it is no longer valid
>to try to convince people that computers are just too complicated for the
>average person.
>I'm not a Microsoft Groupie or anything, but the reason
>their company is where they are today is that they realized that!
>
>Because our firewall is on an NT platform and has a good GUI, I can be
>gone for a couple of weeks and even my boss, a manager, can sit down and
>make changes to the firewall comfortably. Several other people in the
>computing department with the password could do the same if they had to.
>After two years, nobody else could sit down to my Solaris box and do
>anything except manage to shut things down.

This is not an NT vs UNIX issue, but there's a big difference between *managing a firewall* and *managing security*. While it's easy to learn the mechanics of how to allow file sharing from security enclave A to security enclave B, it's harder to learn why you should or shouldn't do it.

IMNSHO The proper purpose of the GUI interfaces is so that a security expert doesn't need to be an NT expert or a UNIX expert also. Anybody who doesn't understand the overall security implications of his actions should *never* be allowed to modify a firewall. Manager or not! Rocket Scientist or not! And the organization's security policy should *clearly* state that!

Regards,

Don Pollock                                       pollock@houston.omnes.net
Network Systems Engineer                          +1 713 513 3017
Omnes - A Schlumberger/Cable & Wireless Company   http://www.omnes.net/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The true mark of intelligence is to learn from the experiences of others.
-------------------------------------------------------------------------

From firewalls-owner Fri Dec 6 03:29:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA17361 for firewalls-outgoing; Thu, 5 Dec 1996 16:54:11 -0800 (PST)
Received: from neon.ingenia.ca (neon.ingenia.com [205.207.220.57]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA17319 for ; Thu, 5 Dec 1996 16:53:52 -0800 (PST)
Received: (from shaver@localhost) by neon.ingenia.ca (8.8.4/8.7.3) id TAA20235; Thu, 5 Dec 1996 19:53:42 -0500
From: Mike Shaver
Message-Id: <199612060053.TAA20235@neon.ingenia.ca>
Subject: Re: Netscape gold ?!
In-Reply-To: from elroy at "Dec 5, 96 03:18:17 pm"
To: elroy@kcsun3.kcstar.com (elroy)
Date: Thu, 5 Dec 1996 19:53:42 -0500 (EST)
Cc: firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thus spake elroy:
> I know that Netscape Gold can publish either via PASV ftp, or http put.
> My question is WHAT PORT(S)?

The PASV FTP and HTTP ports. If they can do PASV FTP out to the box, and they can retrieve web pages from it, then there's no port issue. If you've got some application-layer logic in there between them, then you might have some problems; I don't know which proxies do/don't support HTTP PUT.

Mike

--
#> Mike Shaver (shaver@ingenia.com)   Ingenia Communications Corporation
#> Commando Developer - Whatever It Takes
#>
#> "See, you not only have to be a good coder to create a system like
#>  Linux, you have to be a sneaky bastard too."
#>                                      - Linus Torvalds

From firewalls-owner Fri Dec 6 03:58:40 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA26014 for firewalls-outgoing; Thu, 5 Dec 1996 17:56:32 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA25889 for ; Thu, 5 Dec 1996 17:55:50 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id RAA02246; Thu, 5 Dec 1996 17:55:22 -0800
Received: from panix.com(198.7.0.2) by mycroft via smap (V1.3mjr) id sma002237; Thu Dec 5 17:54:16 1996
Received: from localhost (patlee@localhost) by panix.com (8.8.2/8.7/PanixU1.3) with SMTP id UAA04596; Thu, 5 Dec 1996 20:53:19 -0500 (EST)
Date: Thu, 5 Dec 1996 20:53:18 -0500 (EST)
From: Patrick Lee
To: "Joseph L. Moll"
cc: firewalls@GreatCircle.COM
Subject: Re: Vunerabilities in Microsoft's IIS 2.0
In-Reply-To: <2.2.32.19961205212237.008ff974@mail.acqic.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Dec 1996, Joseph L. Moll wrote:

> We have noticed a little problem with IIS 2.0 and were wondering if the
> problem also exists in IIS 3.0.

IIS 3.0 and 2.0 are essentially the same product. You can download a number of components (such as Active Server Pages, Index Server, etc.) that enhance the capability of IIS 2.0 -- thus making it 3.0.

> It seems that anyone can browse the any files in the cgi-bin directory on
> the server. For example, browse this on your IIS web host:

Always associate files that are meant to be executed to be executed. If *.cgi files are meant to be executable, then by all means make that file type association. That way, when a user requests a *.cgi file by name, the server will try to execute the script instead of sending it back.

Also, _always_ turn off directory browsing. Why make it any easier for anyone to snoop around.
Accidents happen and you could leave a file in a publicly accessible directory without knowing it.

> IIS 2.0 in conjunction with M$ Internet Exploder passes the end users
> domain and username to the IIS for access. Gets logged in the log file
> as DOMAIN\USERNAME.

Read up on the security chapter in the IIS documentation, please. That's a feature. If you don't want it, turn it off.

--
Patrick Lee

From firewalls-owner Fri Dec 6 04:30:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA14909 for firewalls-out