From firewalls-owner Sun Dec 1 11:25:45 1996
Date: Sun, 1 Dec 1996 15:11:30 -0500 (EST)
From: "John H. Kerr"
To: "Steve M. Dussault"
cc: firewalls@GreatCircle.COM, daveh@bscg.com, jonhb@bscg.com
Subject: Re: FW-1 Authentication with SecurID
In-Reply-To: <329CEB06.5DBA@awuwi.mv.com>

Steve,

I believe that this will be handled in version 3.0 of Firewall-1, but for right now you must go to the Firewall first, authenticate yourself, and once successful you can then go on to your desired site. From the stuff that I have read, with 3.0 all you will have to do is go to your final destination and the firewall will authenticate in between. There will be no need to go to the Firewall first.

On Wed, 27 Nov 1996, Steve M. Dussault wrote:

> Greetings:
>
> I am looking for clarification on authentication with FW-1.
> Specifically transparent authentication. The scenario is that an end
> user needs to connect from the internal network to an external
> destination. ( I know the scenario is backwards !) The requested
> security implementation is that the user authenticates themselves via
> SecurID and not have to go to the firewall and then to the final
> destination, but directly to the final destination.
>
> Can this be done??? If so, how? Do you have to load the authenticating
> daemons at installation time for this to work?
>
> Thank you in advance for your input and comments.
>
> Steve Dussault
>

From firewalls-owner Sun Dec 1 13:16:15 1996
From: jmperez@sprynet.com
Date: Sun, 1 Dec 1996 13:08:13 -0800
Message-Id: <199612012108.NAA19772@m7.sprynet.com>
Subject: RE: V1 Smart Wall (Gauntlet)
To: firewalls@greatcircle.com, Michael.Lazar@telos.com

Hi!

We are looking at V1 Smart Wall which is based on the TIS Tool Kit (Gauntlet).

1. Is there anyone who can give us some pointers on install/config of this product?

2. Has anyone in the FW community tried any build-restore-break scenarios on this product?

Would greatly appreciate any feedback/comments/suggestions from those in the security field who have tried this product. You may reply direct to: jmperez@asprynet.com.

With warmest regards.

J. Perez
Chief Operating Officer

From firewalls-owner Sun Dec 1 13:56:23 1996
Message-ID: <32A20036.60BA@medeserv.com.au>
Date: Mon, 02 Dec 1996 08:01:39 +1000
From: Steven Herod
Reply-To: sherod@medeserv.com.au
Organization: Med-E-Serv Pty Ltd
To: firewalls@GreatCircle.COM
Subject: (MSIE3.0) - Re: ActiveX and Risks

> This *can* be done. Microsoft provides (for the cost of shipping the
> CD-ROM) an administration kit that can be used to create an install
> set

The cost of distribution is more than the $20 shipping fee. You must change your web site to use IE specific features, issue press releases aligning yourself with Microsoft's internet strategy, install it on all the machines on your site and more.....

I still prefer IE's mail & news over Netscape and think ActiveX beats Java any day in producing something actually *useful*. If they didn't force you to sell your soul, everything would be okay :).

Best Regards

Steven Herod (And I like Microsoft products)

From firewalls-owner Sun Dec 1 14:29:36 1996
From: Douglas Cheline
To: Firewalls@GreatCircle.COM
Subject: Firewalls over NT vs. UNIX
Date: Sun, 1 Dec 1996 15:12:27 -0700

The various Firewall vendors that I have spoken to have repeatedly stated that, even though their product does run over NT, running firewalls over UNIX is much more secure. The reasoning I get is that NT has some inherent vulnerabilities that cannot be plugged since the code is proprietary and closed. UNIX on the other hand is standards based and open, plus it has been on the market much longer and more efforts have been placed in plugging the holes there.

This sounds nice but not very convincing unless some hard facts are revealed. Can knowledgeable members of this forum tell me what those 'holes' in NT are? And is this a valid argument?

disclaimer: I, myself, prefer UNIX based applications but I don't have a facts based argument for that preference when it comes to firewalls.

Thanks in advance for your responses.

Regards,
Douglas Cheline
Senior Consultant Business Solutions

G E N U I T Y, Inc.
a Bechtel company

dcheline@genuity.net
http://www.genuity.net

From firewalls-owner Sun Dec 1 15:24:52 1996
Message-Id: <2.2.32.19961201225549.008d362c@diablo.cisco.com>
Date: Sun, 01 Dec 1996 14:55:49 -0800
To: "Robert J. Brown", Mike Shaver
From: Matthew Howard
Subject: Re: Cisco PIX
Cc: Firewalls@GreatCircle.COM

At 02:22 AM 11/28/96 -0500, Robert J. Brown wrote:
>
>
>On Thu, 28 Nov 1996, Mike Shaver wrote:
>
>> Thus spake Robert J. Brown:
>> > And no, it is not a good idea to put the mailhub in the DMZ. Regardless of
>> > where you put it, sensitive corporate data is located on that machine. It
>> > should be inside the perimeter and incoming and outgoing mail proxied.
>>
>> Only if you've got sensitive corporate data travelling outside your
>> firewall in the clear. Which is, as you would say, bad bad bad.
>>
>
>If it is your corporate mailhub, I would assume it contains sensitive
>information. If you aren't using some form of an smtp proxy, an evil
>attacker can talk to your mailhub. If they can talk to your mailhub, odds
>are they can wreak havoc on sendmail.
>Mail has to get to the inside
>somehow, and without something to mitigate the risk you are asking for
>trouble.
>
>Again, I'm not saying Cisco didn't implement something like this. I don't
>know for sure. That's why I posed the question. What DOES PIX do to
>protect your internal network's sendmail? What type of proxying is done?
>Can an outside host EVER directly speak with sendmail?

We use a static conduit that is stateful.

Matt

>
>Robert J. Brown
>rjb@calyx.com
>

From firewalls-owner Sun Dec 1 15:39:52 1996
Message-Id: <2.2.32.19961201225552.0087fa90@diablo.cisco.com>
Date: Sun, 01 Dec 1996 14:55:52 -0800
To: hagan@cih.com, "Robert J. Brown"
From: Matthew Howard
Subject: Re: Cisco PIX
Cc: Mike Shaver, Firewalls@GreatCircle.COM

At 11:06 AM 11/28/96 -0500, Craig I. Hagan wrote:
>> Again, I'm not saying Cisco didn't implement something like this. I don't
>> know for sure. That's why I posed the question. What DOES PIX do to
>> protect your internal network's sendmail? What type of proxying is done?
>> Can an outside host EVER directly speak with sendmail?
>
>can i try rewording some of this to the following: what if my security
>policy requires that certain applications not allow a direct circuit to an
>internet (hostile) host due to the potential risk of damage should the
>implementing software contain potential holes? Also, what if my security
>policy requires that not all features of certain applications be allowed,
>for example http is cool, java and/or activeX are not.
>
>From what i've heard (cisco, et al, please correct me should i be wrong),
>the PIX firewall doesn't handle the second situation (application layer
>filtering). heck, very few firewalls out of the box handle it, especially
>in quickly evolving application spaces like the web.

we do use proxy technology as a way of doing authentication. As with our multimedia support, we can handle some policy at the application layer. Since our OS is actually a realtime embedded OS, we have high performance (the kernel is approx. 10k bytes, we run from flash). The key is we are stateful and on many protocols peek into the application layer, like vdo live, cuseeme, IRC, ftp... Our cut-through technology gives us lots of future flexibilities..

>
>could someone from cisco give an opinion on whether the following
>would be a reasonable use for their PIX firewall, and whether
>this is the intended use:
>
>'net ---- PIX --- proxy app server
>           |
>           |
>      internal net
>
>thus the PIX machine (or competing product) could give me protocol layer
>protection for both the internal net and the proxy app server. the proxy
>app server would then handle certain applications which required
>additional action above and beyond what PIX, et al, provides -- http
>proxying/activeX blocking, perhaps it might be a java VM which could
>execute java and relay display information to the desktop, etc, process
>mail to reduce the chance that someone could ship tainted binaries or
>whatever in attachments, etc etc etc. [note: if you want to argue the
>merits of the above kooky ideas, lets make it an offline thread, i'm
>making them up as i go]

we have some customers that do this.

Matt

>
>
>-- craig
>
>-------------------------------------------------------------------------------
>Craig I. Hagan   "It's a small world, but I wouldn't want to back it up"
>hagan@cih.com    "True hackers don't die, their ttl expires"
>

Matthew Howard                 Product Line Manager
mhoward@cisco.com              Internet Business Unit
408-526-4720 (voice)           Cisco Systems Inc.
408-527-8122 (fax)             170 West Tasman Drive
Building VM2 (corner of First & Vista Montana)
San Jose, CA 95134

From firewalls-owner Sun Dec 1 17:59:42 1996
Date: Thu, 28 Nov 1996 15:28:09 -0800
Message-Id: <199611282328.PAA22707@dfw-ix12.ix.netcom.com>
From: eusvcs@ix.netcom.com (Bill Grover)
Subject: RE: Machine reboots on starting Firewall-1
To: kashif.rashid@cressoft.com.pk
Cc: firewalls@GreatCircle.com

While I don't have an answer to why your machine reboots, there is a Firewall-1 mailing list. To subscribe send a message of the form:

    subscribe firewall-1

to majordomo@applicom.co.il

There is also an archive of messages you can retrieve. Send the message: "help" (without the quotes) to majordomo@applicom.co.il for further information.

There is also a web page you can receive information on. The page is:

    http://www.qualix.com/support.d/firewall-1.d/

and includes a pretty good FAQ and help section.

I hope this helps.

Bill Grover
Systems Manager
EU Services, Inc.
Phone : 301-424-3300 x396
FAX   : 301-838-9639
E-Mail: eusvcs@ix.netcom.com

From firewalls-owner Sun Dec 1 18:41:24 1996
Message-Id: <199612020237.LAA07497@bam.nuri.net>
From: "Young-jin Hong"
Subject: Q) What is CIRCUIT GATEWAY(=CIRCUIT LEVEL PROXY)?
Date: Mon, 2 Dec 1996 11:38:32 +0900

Dear list members,

I'd like to know what a 'circuit gateway (=circuit level proxy)' is, or how it differs from an application gateway and packet filtering in generic firewalls. Let me know what it is or where I can find it out.

Thanx in advance.

Young-jin Hong
--
E-mail : wits@nuri.net
WWW    : http://www.iworld.net/~wits

From firewalls-owner Sun Dec 1 18:54:59 1996
From: Kurt Stammberger
To: cat-ietf@mit.edu, e-payment@bellcore.com, firewalls@greatcircle.com, ids@uow.edu.au, ietf-otp@bellcore.com, ietf-pkix@tandem.com, ietf-tls@w3.org, ietf@cnri.reston.va.us, ipsec@ans.net, pem-dev@tis.com, psrg@isi.edu, sndss-authors@isi.edu, sndss-chairs@tis.com, spki@c2.net, virus-l@lehigh.edu, www-buyinfo@allegra.att.com, www-security@ns2.rutgers.edu, "David M. Balenson"
Subject: ANNOUNCEMENT: 1997 RSA Data Security Conference
Date: Sun, 1 Dec 1996 18:38:08 -0800

28-31 January, 1997
NOB HILL, SAN FRANCISCO

1997 marks RSA's fifteenth anniversary and our sixth annual conference. Two days of general sessions and two days of classes will provide over 100 different classes to choose from, with separate tracks for mathematicians and cryptographers, developers, industry analysts and business people. We invite you to join us.
Find out more information, view the class syllabi and register online at http://www.rsa.com

Thanks

Kurt Stammberger
RSADSI

From firewalls-owner Sun Dec 1 19:39:56 1996
Message-Id: <30C0EF82.6CFC@gdut.edu.cn>
Date: Sat, 02 Dec 1995 19:29:54 -0500
From: Zheng Wenfeng
Reply-To: zhengwf@gdut.edu.cn
Organization: GuangDong University of Technology(NOC)
To: Firewalls@GreatCircle.COM
Subject: Critical Message

Dear Mr. or Miss,

Sorry! I have encountered a critical problem, and now I don't know who can help me. I made the critical mistake when I used the tar command; the following message is my process. First, I sent this command while I was the supervisor:

    #tar -cvf /dev/dsk/c0t3d0s0 /home1/wjz/*.txt

and /dev/dsk/c0t3d0s3 is the boot root disk. I know I have made a critical mistake, but now I haven't any way to resolve the above problem. Can you give me a help? Thank you!!

By the way, my UNIX host is a Solaris 2.3 operating system.

Best Regards

Addr: East 729 DongFeng Road, GuangZhou,    Email: lucky@gdut.edu.cn
      GuangDong province, China                 or: zhengwf@gdut.edu.cn
Code: 510090
Organize: Education department

From firewalls-owner Sun Dec 1 21:59:08 1996
From: David Allen
To: firewalls-digest@GreatCircle.COM
Subject: RE: Notification: Inbound Mail Failure - Address not found
Date: Mon, 2 Dec 1996 15:50:07 +1000

STOP SENDING THESE BLOODY THINGS!!!!!!!!!!!!!!!!

>----------
>From: System Administrator[SMTP:postmaster@R&D_DEPT.DataplexPtyLtd.com]
>Sent: Monday, 2 December 1996 04:48
>To: David Allen
>Subject: Notification: Inbound Mail Failure - Address not found
>
>A mail message was not sent because the following address(es) could not
>be found:
>
>    wef@fnord.dataplex.com.au
>
>The message that caused this notification was:
>
>    To:
>    From:
>    Subject: Firewalls-Digest V5 #639
>
>

From firewalls-owner Sun Dec 1 22:57:07 1996
From: Chris Pugrud
To: Russ, Firewalls Mailing list
Subject: RE: NAT? Security?
Date: Sun, 1 Dec 1996 23:53:19 -0700

I can think of one kind of NAT that would provide a level of security, something I've been wrestling around with in my head for a few weeks. Call this the GNAT (Global Network Address Translation) ((It's early, I'm sick, and I haven't had enough wine)).

The GNAT sits on the periphery; it either is the Internet router, or is the only device connected to it. The GNAT knows the address of the few devices that it is connected to:

1. The Internet Router
2. The Web/FTP server
3. The Proxy Server
4. The SMTP Gateway

The GNAT has only one address. The company only advertises one address to all of the Internet.

The GNAT tracks all established connections, where they are going to, where they are coming from. When a connection request comes in (say SMTP), the GNAT looks up its table and sees that all SMTP requests are to be directed to the SMTP Gateway; it forwards the request to the Gateway and performs NAT for the connection. When it sees a request for HTTP it forwards it to the appropriate place likewise. Now when the GNAT sees a request for port 99 (just an example, not to disparage the upright users of port 99/tcp) it looks in its table and sees that this port is unused and dumps the packet or sends some form of error message.

The purpose of the GNAT is to provide 2 things:

1. A singular Global address for a point-of-presence. A company has one address that hides behind it any number of servers. Simplistic round robin load balancing should also be fairly easy to add into the setup. This would also make it easier to expand their Internet servers as needed and avoid disasters similar to when a local ISP changed the address of their POP server.

2. A level of Security by Obscurity. S.b.O is in and of itself a Bad Thing(TM). The GNAT goes a step farther by not even allowing connections to servers on un-authorized ports. When un-authorized connections come in, they go to the bit bucket. DOS is still possible, but DOS is an entirely different problem.

The GNAT works by only giving a predator one tool to work with. One port that can be heavily guarded and reinforced.

Thoughts, comments?

Chris

All original thoughts, mis-spellings, and mis-fires (c) 1996 Chris Pugrud

>-----Original Message-----
>From: Russ [SMTP:Russ.Cooper@RC.on.ca]
>Sent: Wednesday, November 27, 1996 4:24 AM
>To: Firewalls Mailing list; 'Ryan Russell/SYBASE'
>Subject: RE: Cisco's PIX firewall
>
>Ryan said...
>>NAT gives security for two kinds of hosts:
>*
>1. Public hosts......"NAT is not really needed in this case, nor
>does it add much security by itself."...
>*
>2. Internal hosts......stuff about no one-to-one mapping...but
>there is a one-to-one mapping to anything that is inside a NAT and is
>going to accept inbound connections...like an internal SMTP server for
>example. Then there's the fact that once an internal host makes a
>connection through a NAT, it can then be tampered with as if there was
>no NAT.
>*
>If someone asked me what security NAT provides, I'd say none at all.
>Firewall-1 and PIX offer security, and, they offer NAT. NAT is not a
>security product, it may obscure things, but it protects nothing by
>itself.
>*
>Cheers,
>Russ
>R.C. Consulting, Inc. - NT/Internet Security Consulting
>mailto:Russ.Cooper@RC.on.ca <-- *note the new address*

From firewalls-owner Sun Dec 1 23:10:09 1996
Message-ID: <32A27FF4.431B@admin.uob.bh>
Date: Mon, 02 Dec 1996 10:06:28 +0300
From: "Hisham Khalifa Al Saad"
Reply-To: webmaster@admin.uob.bh
To: firewalls@GreatCircle.COM
Subject: [Fwd: Caution : Internet Virus]

Hi members of Firewalls,

I got this Virus alert in my mail box, and by myself I forward it to you:

------------------------------------------------------------------------

Hi,
We just got word that there is a new virus screaming around the internet that will wipe out your hard drive if you open the file. Here is the word they sent us...
"There is a computer virus that is being sent across the internet. If you receive an e-mail with a subject line of "Irinia", DO NOT read the message. Delete it immediately. Some miscreant is sending people files under the name of "Irinia". If you receive this file or e-mail, do not download it. It has a virus that rewrites your hard drive, obliterating anything on it. Please be careful and forward this e-mail to anyone you care about." This information was received from Professor Edward Prideaux, College of Salvonic Studies, London. This virus appears to be much more aggressive than the irritating Microsoft word virus. Be alert. ----------------------- END OF ALERT MESSAGE ---------------------------------- Thank you, Take Care, Hisham Al Saad University of Bahrain From firewalls-owner Sun Dec 1 23:24:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA08834 for firewalls-outgoing; Sun, 1 Dec 1996 23:09:44 -0800 (PST) Received: from juneau.steldyn.com ([204.76.191.254]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA08827 for ; Sun, 1 Dec 1996 23:09:37 -0800 (PST) Received: by juneau.steldyn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBDFE5.46D30540@juneau.steldyn.com>; Mon, 2 Dec 1996 00:10:51 -0700 Message-ID: From: Chris Pugrud To: "'Rabid Wombat'" , "'Stewart Shinewald'" Cc: Firewalls Mailing list Subject: RE: How to secure a Webpage? Date: Mon, 2 Dec 1996 00:10:50 -0700 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I prefer using SCSI disks and setting the hardware Write-Protect jumper. Fast and Safe. With a good OS you only need a disk for temp and log files, the rest goes on the WP disk. Do all of your development on a mirror machine, then bake. 
When thoroughly cooked (tested, for those who didn't stuff out on the American bastardization called Thanksgiving) mount in external server and enjoy! Chris >-----Original Message----- >From: Rabid Wombat [SMTP:wombat@mcfeely.bsfs.org] >Sent: Wednesday, November 27, 1996 3:30 PM >To: Stewart Shinewald >Cc: Firewalls Mailing list >Subject: Re: How to secure a Webpage? > >You can always develop your content on another system, put the content on >a zip drive, set the media to read-only, and mount it on the external >system. > >-r.w. > > >On Wed, 27 Nov 1996, Stewart Shinewald wrote: > >> Our company is considering the development of a webpage and placing it >> outside our firewall. >> >> Can anyone advise me or point me in the right direction to identify what >> controls are required for a webpage to be made as secure as possible to >> either prevent a change or at least identify if a change were made. Is >> my assumption valid that a properly set up firewall would prevent webpage >> browsers from penetrating our firewall? >> >> Any assistance would be appreciated. >> >> Stewart Shinewald >> Internal Audit >> From firewalls-owner Sun Dec 1 23:41:44 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA10556 for firewalls-outgoing; Sun, 1 Dec 1996 23:38:13 -0800 (PST) Received: from tce.nl ([194.171.39.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA10538 for ; Sun, 1 Dec 1996 23:38:05 -0800 (PST) Received: by tce.nl (SMI-8.6/SMI-SVR4) id IAA02948; Mon, 2 Dec 1996 08:41:06 +0100 Date: Mon, 2 Dec 1996 08:41:06 +0100 From: weldam@tce.nl (Ramon Weldam) Message-Id: <199612020741.IAA02948@tce.nl> To: Firewalls@GreatCircle.COM Subject: How do I get off the list ? X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Can anyone help me to get off the list ? Please help me. 
From firewalls-owner Mon Dec 2 00:40:12 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA14741 for firewalls-outgoing; Mon, 2 Dec 1996 00:34:25 -0800 (PST) Received: from ncept.pt.nce.sita.int (ncept.pt.nce.sita.int [57.7.6.251]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA14733 for ; Mon, 2 Dec 1996 00:34:16 -0800 (PST) Received: from pc_ptdv.pt.nce.sita.int by ncept.pt.nce.sita.int (8.7.3/SitaNet-1.4) id JAA11212; Mon, 2 Dec 1996 09:34:07 +0100 (MET) Date: Mon, 2 Dec 96 09:36:48 PST From: Denis Valois Subject: RE: [Fwd: Caution : Internet Virus] To: firewalls@GreatCircle.COM, webmaster@internic.uob.bh X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a hoax. Anyway, just by saying that "reading" a mailgram wipes out your hard drive is of utmost foolishness. Denis Valois Computer & Network Security SITA (Societe Internationale de Telecommunications Aeronautiques) On Mon, 02 Dec 1996 10:06:28 +0300 Hisham Khalifa Al Saad wrote: >Hi members of Firewalls, > >I got this Virus alert in my mail box, and by myself i forward it to >you: > >---------------------------------------------------------------------- -- > >Hi, > We just got word that there is a new virus screaming around the >internet that will wipe out your hard drive if you open the file. >Here is the word >they sent us... > >"There is a computer virus that is being sent across the internet. If >you receive an e-mail with a subject line of "Irinia", DO NOT read the >message. >Delete it immediately. Some miscreant is sending people files under the >name of "Irinia". If you receive this file or e-mail, do not download >it. >It has a virus that rewrites your hard drive, obliterating anything on >it. >Please be careful and forward this e-mail to anyone you care about." 
> >This information was received from Professor Edward Prideaux, College of >Salvonic Studies, London. > >This virus appears to be much more aggressive than the irritating >Microsoft word virus. Be alert. > >----------------------- END OF ALERT MESSAGE >---------------------------------- > > >Thank you, >Take Care, > >Hisham Al Saad >University of Bahrain >

From firewalls-owner Mon Dec 2 00:55:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA14573 for firewalls-outgoing; Mon, 2 Dec 1996 00:29:24 -0800 (PST) Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA14566 for ; Mon, 2 Dec 1996 00:29:16 -0800 (PST) Received: from [198.115.177.223] (slip-0-23.slip.shore.net [198.115.177.223]) by relay1.shore.net (8.8.3/8.8.3) with SMTP id DAA19018; Mon, 2 Dec 1996 03:29:05 -0500 (EST) X-Sender: vin@shell1.shore.net Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 2 Dec 1996 03:29:06 -0500 To: firewalls@greatcircle.com From: vin@shore.net (Vin McLellan) Subject: Corporation Security - 90 Day Study Cc: warroom2@aol.com, tuckerp@css583.gordon.army.mil Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Phil Tucker asked: >A Corporation Security Study was conducted during July-Oct >timeframe. This was aired on TV but did not indicate if a >copy of the report was available. Does anyone know where a >copy of this report might be retrieved?

You may be seeking the WarRoom Research study on corporate security practices, which collected 205 anonymous reports from Fortune 1000 firms. It was described in an 11/21 press conference at the National Press Club in D.C., broadcast live on C-Span, where I was one of several on a panel from industry and government invited to comment on the results. You can get the survey report from WarRoom Research, LLC, 1134 Veranda Ct., Baltimore, MD, 21226. Tel.
(410) 437-1106

All but sponsored by Sam Nunn's Senate subcommittee studying Troubles in Cyberspace, the WarRoom survey got a snapshot of the state of the art, which (as all here might expect) was troublesome in several aspects. I'd quibble with some of the methodology -- I'm always uncomfortable when everyone who handles the numbers has a vested interest in high counts; and this survey was selectively distributed by vendors of security products and services -- but the survey results drew a lot of media attention.

Nearly half (98) of the 205 respondents reported that their computers or networks had been successfully penetrated by "outsiders" in the past year, and many reported surprisingly high costs (as opposed to losses) associated with these attacks. (36, I recall, pegged costs at over $1 million.) I think the numbers are a little slippery (eg, respondents may have tallied PC-virus outbreaks among generic "penetrations," and it wasn't clear if the "costs" were cumulative, solid, or estimates) but even as a flawed snapshot it was thought-provoking. (The industrious WarRoom researchers plan a broader, more scientific, study early next year; perhaps in cooperation with a federal agency.)

I was disturbed that so many respondents, a large majority, reported that their firms had no formal, written, security policies. I was also intrigued that e-mail files seem to be the target of choice for online intruders... and worried (but not surprised) to learn that some 30 percent of the executives surveyed doubted that their IS staff would _know_ if their computers had been illicitly penetrated. (Actually, I was surprised so many executives were aware of this.) I was far less concerned than others on the panel that police are so seldom notified of these incidents.
Suerte, _Vin (Fair warning: Washington's concern about cyberwar and cyberterrorism -- and the barely-muted desire of the FBI and other lawmen to establish _domestic_ GAK rights for their investigations -- make it likely our craft will soon confront additional, perhaps conflicting, regulatory and legislative pressures from dot-gov. If you're associated with an ISS professional group, goose them to stick an oar in! Reality checks might be critically important for federal CompSec policy in '97. Newsat11! Beg pardon for the digression.) Vin McLellan +The Privacy Guild+ 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548 <*><*><*><*><*><*><*><*><*> From firewalls-owner Mon Dec 2 03:26:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA23054 for firewalls-outgoing; Mon, 2 Dec 1996 03:11:25 -0800 (PST) Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.1.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA23047 for ; Mon, 2 Dec 1996 03:11:17 -0800 (PST) From: harley@icrf.icnet.uk Message-Id: <199612021111.DAA23047@miles.greatcircle.com> Received: by europa.lif.icnet.uk; Mon, 2 Dec 1996 11:10:43 GMT Subject: RE: [Fwd: Caution : Internet Virus] (fwd) To: firewalls@GreatCircle.COM Date: Mon, 2 Dec 1996 11:10:43 +0000 (GMT) X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > This is a hoax. It's also off-topic. I won't post it in full, but there's a pretty reasonable CIAC bulletin addressing most of the alerts which regularly plague us at: http://ciac.llnl.gov/ciac/bulletins/h-05.shtml It includes info on the alerts mentioned below, some historical background, and suggestions on validating hoaxes rather than passing them on uncritically. 
David Harley \ | / alt.comp.virus FAQ
D.Harley@icrf.icnet.uk \ | / & Anti-Virus Web Page
Support & Security Analyst \ | / Folk London On-Line gig-list
Imperial Cancer Research Fund ____\|/____ http://webworlds.co.uk/dharley/

-----------------extract-------------------------------
INFORMATION BULLETIN H-05
Internet Hoaxes: PKZ300, Irina, Good Times, Deeyenda, Ghost
November 20, 1996 16:00 GMT
PROBLEM: This bulletin addresses the following hoaxes and erroneous warnings: PKZ300 Warning, Irina, Good Times, Deeyenda, and Ghost.exe
PLATFORM: All, via e-mail
DAMAGE: Time lost reading and responding to the messages
SOLUTION: Pass unvalidated warnings only to your computer security department or incident response team. See below on how to recognize validated and unvalidated warnings and hoaxes.
VULNERABILITY ASSESSMENT: New hoaxes and warnings have appeared on the Internet and old hoaxes are still being circulated.
---------------------end extract--------------------------------

From firewalls-owner Mon Dec 2 03:55:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA24082 for firewalls-outgoing; Mon, 2 Dec 1996 03:51:06 -0800 (PST) Received: from woffice10.welsh-ofce.gov.uk (woffice10.welsh-ofce.gov.uk [194.81.116.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id DAA24069 for ; Mon, 2 Dec 1996 03:50:53 -0800 (PST) Received: from b1.gtnet.gov.uk (b18.gtnet.gov.uk [194.81.25.18]) by woffice10.welsh-ofce.gov.uk (8.8.3/8.6.12) with SMTP id LAA08290 for ; Mon, 2 Dec 1996 11:48:41 GMT Date: Mon, 2 Dec 96 11:30:40 PST From: howells@Welsh-Ofce.gov.uk Subject: RE: Firewalls-Digest V5 #642 IRINIA VIRUS To: Firewalls@GreatCircle.COM X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc.
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

For all subscribers to note - this has already been admitted to have been a marketing ploy to publicise a new book based on the Internet/Cyberspace. The original e-mails sent out (purporting to be from the School of Slavonic Studies, University of London) were actually sent by the book publishers. It should have been immediately followed by a second e-mail explaining the hoax and a little about the book. Unfortunately, in many cases the second e-mail did not arrive and the 'warning' propagated around the world. Several of the UK based Internet magazines have covered the story (try http://www.paragon.co.uk/). The name Irina (or Irenia) is the name of the book and the use of the name of the School of Slavonic Studies was meant as a play on words apparently.

Regards Jerry

------------------------------------- Name: Jeremy P Howells E-mail: howells@welsh-ofce.gov.uk Time: 11:38:52 Date: 12/02/96 Tel: 01222 825754 Fax: 01222 825852 ------------------------------------

---------------Original Message--------------- Firewalls-Digest Monday, December 2 1996 Volume 05 : Number 642 Date: Mon, 02 Dec 1996 10:06:28 +0300 From: "Hisham Khalifa Al Saad" Subject: [Fwd: Caution : Internet Virus] Hi members of Firewalls, I got this Virus alert in my mail box, and by myself i forward it to you: - ------------------------------------------------------------------------ Hi, We just got word that there is a new virus screaming around the internet that will wipe out your hard drive if you open the file. Here is the word they sent us... "There is a computer virus that is being sent across the internet. If you receive an e-mail with a subject line of "Irinia", DO NOT read the message. Delete it immediately. Some miscreant is sending people files under the name of "Irinia". If you receive this file or e-mail, do not download it.
It has a virus that rewrites your hard drive, obliterating anything on it. Please be careful and forward this e-mail to anyone you care about." This information was received from Professor Edward Prideaux, College of Salvonic Studies, London. This virus appears to be much more aggressive than the irritating Microsoft word virus. Be alert. - ----------------------- END OF ALERT MESSAGE From firewalls-owner Mon Dec 2 04:55:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA27858 for firewalls-outgoing; Mon, 2 Dec 1996 04:51:52 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA27843 for ; Mon, 2 Dec 1996 04:51:44 -0800 (PST) Received: from big-dogs.cisco.com ([171.68.53.75]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id EAA21546; Mon, 2 Dec 1996 04:51:12 -0800 Message-Id: <2.2.32.19961202125115.0073774c@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 02 Dec 1996 07:51:15 -0500 To: webmaster@internic.uob.bh From: Paul Ferguson Subject: Re: [Fwd: Caution : Internet Virus] Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please. This is a miserable *hoax*. - paul At 10:06 AM 12/2/96 +0300, Hisham Khalifa Al Saad wrote: >Hi members of Firewalls, > >I got this Virus alert in my mail box, and by myself i forward it to >you: > >------------------------------------------------------------------------ > >Hi, > We just got word that there is a new virus screaming around the >internet that will wipe out your hard drive if you open the file. >Here is the word >they sent us... > >"There is a computer virus that is being sent across the internet. If >you receive an e-mail with a subject line of "Irinia", DO NOT read the >message. >Delete it immediately. 
Some miscreant is sending people files under the >name of "Irinia". If you receive this file or e-mail, do not download >it. >It has a virus that rewrites your hard drive, obliterating anything on >it. >Please be careful and forward this e-mail to anyone you care about." > >This information was received from Professor Edward Prideaux, College of >Salvonic Studies, London. > >This virus appears to be much more aggressive than the irritating >Microsoft word virus. Be alert. > >----------------------- END OF ALERT MESSAGE >---------------------------------- > > >Thank you, >Take Care, > >Hisham Al Saad >University of Bahrain > -- Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Mon Dec 2 05:25:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA28723 for firewalls-outgoing; Mon, 2 Dec 1996 05:17:15 -0800 (PST) Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA28703 for ; Mon, 2 Dec 1996 05:17:05 -0800 (PST) Received: (from smap@localhost) by ereapp.erenj.com (8.8.3/8.8.3) id IAA06437; Mon, 2 Dec 1996 08:16:01 -0500 Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma006435; Mon Dec 2 08:15:38 1996 Received: from stargate.erenj.com (stargate.erenj.com [159.70.1.8]) by eredns.erenj.com (8.7.4/8.7.3) with SMTP id IAA15129; Mon, 2 Dec 1996 08:15:36 -0500 Received: from stargate.erenj.com by stargate.erenj.com; (5.65v3.2/1.1.8.2/12Feb96-1009AM/bdboyle@erenj.com) id AA06412; Mon, 2 Dec 1996 08:15:29 -0500 Message-Id: <32A2D671.2781@erenj.com> Date: Mon, 02 Dec 1996 08:15:29 -0500 From: "Bryan D. Boyle" Organization: Exxon Research and Engineering Co. 
X-Mailer: Mozilla 3.0C-NSCP (X11; I; OSF1 V4.0 alpha) Mime-Version: 1.0 To: Denis Valois Cc: firewalls@GreatCircle.COM, webmaster@internic.uob.bh Subject: Re: Internet Virus HOAX, Part 3x10^4 References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Denis Valois wrote: > > This is a hoax. > > Anyway, just by saying that "reading" a mailgram wipes out > your hard drive is of utmost foolishness. For more information, please consult the CIAC bulletin at this URL (for those not web challenged...) concerning this HOAX. In the future, it would be nice if people checked AUTHORITATIVE sources before spamming mailboxes with this stuff, albeit with good intentions... CIAC Current HOAX bulletin: http://ciac.llnl.gov/ciac/bulletins/h-05.shtml -- Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338 #include | http://www.access.digex.net/~bdboyle/index.html "They that can give up liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, Historical Review of Pennsylvania From firewalls-owner Mon Dec 2 05:40:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA00258 for firewalls-outgoing; Mon, 2 Dec 1996 05:38:04 -0800 (PST) Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA00251 for ; Mon, 2 Dec 1996 05:37:56 -0800 (PST) Received: (from proberts@localhost) by gargoyle.clark.net (8.7.4/8.7.3) id JAA25557; Mon, 2 Dec 1996 09:44:04 -0500 Date: Mon, 2 Dec 1996 09:44:04 -0500 (EST) From: "Paul D. 
Robertson" X-Sender: proberts@localhost To: Paul Ferguson cc: webmaster@internic.uob.bh, firewalls@GreatCircle.COM Subject: Irinia In-Reply-To: <2.2.32.19961202125115.0073774c@lint.cisco.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Mon, 2 Dec 1996, Paul Ferguson wrote: > Please. > > This is a miserable *hoax*.

I think the whole Goodtimes hoax was about 200 times more effective than any _real_ virus in terms of attacks. If I've responded once, I've responded 50 times, and now it's mutating *sigh*. Now if we could all just mail out the clue virus.

Paul

> At 10:06 AM 12/2/96 +0300, Hisham Khalifa Al Saad wrote: > > >Hi members of Firewalls, > > > >I got this Virus alert in my mail box, and by myself i forward it to > >you: > > > >------------------------------------------------------------------------ > > > >Hi, > > We just got word that there is a new virus screaming around the > >internet that will wipe out your hard drive if you open the file. > >Here is the word > >they sent us... > > > >"There is a computer virus that is being sent across the internet. If > >you receive an e-mail with a subject line of "Irinia", DO NOT read the > >message. > >Delete it immediately. Some miscreant is sending people files under the > >name of "Irinia". If you receive this file or e-mail, do not download > >it. > >It has a virus that rewrites your hard drive, obliterating anything on > >it. > >Please be careful and forward this e-mail to anyone you care about." > > > >This information was received from Professor Edward Prideaux, College of > >Salvonic Studies, London. > > > >This virus appears to be much more aggressive than the irritating > >Microsoft word virus. Be alert.
> > > >----------------------- END OF ALERT MESSAGE > >---------------------------------- > > > > > >Thank you, > >Take Care, > > > >Hisham Al Saad > >University of Bahrain > > > > -- > Paul Ferguson || || > Consulting Engineering || || > Herndon, Virginia USA |||| |||| > tel: +1.703.397.5938 ..:||||||:..:||||||:.. > e-mail: pferguso@cisco.com c i s c o S y s t e m s > ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280 From firewalls-owner Mon Dec 2 05:58:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA01048 for firewalls-outgoing; Mon, 2 Dec 1996 05:47:24 -0800 (PST) Received: from trumpet.aix.calpoly.edu (trumpet.aix.calpoly.edu [129.65.65.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA01020 for ; Mon, 2 Dec 1996 05:47:14 -0800 (PST) Received: by trumpet.aix.calpoly.edu (AIX 3.2/UCB 5.64/4.03) id AA12610; Mon, 2 Dec 1996 05:46:27 -0800 Date: Mon, 2 Dec 1996 05:46:26 -0800 (PST) From: Fade To: Hisham Khalifa Al Saad Cc: firewalls@GreatCircle.COM Subject: Re: [Fwd: Caution : Internet Virus] In-Reply-To: <32A27FF4.431B@admin.uob.bh> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 2 Dec 1996, Hisham Khalifa Al Saad wrote: > Hi members of Firewalls, > > I got this Virus alert in my mail box, and by myself i forward it to > you: > > ------------------------------------------------------------------------ > > Hi, > We just got word that there is a new virus screaming around the > internet that will wipe out your hard drive if you open the file. > Here is the word > they sent us... > > "There is a computer virus that is being sent across the internet. If > you receive an e-mail with a subject line of "Irinia", DO NOT read the > message. 
> Delete it immediately. Some miscreant is sending people files under the > name of "Irinia". If you receive this file or e-mail, do not download > it. > It has a virus that rewrites your hard drive, obliterating anything on > it. > Please be careful and forward this e-mail to anyone you care about." > > This information was received from Professor Edward Prideaux, College of > Salvonic Studies, London. > > This virus appears to be much more aggressive than the irritating > Microsoft word virus. Be alert. > > ----------------------- END OF ALERT MESSAGE > ---------------------------------- > > Although this is obviously a hoax, it points out an interesting security weakness. You have, in fact, spread the "virus" by emailing this "warning" to other people. The "virus" is the panic (or possible panic) caused by such a warning. Proving once again that the human factor is the weakest link in computer security. But enough with the off-topic emails. R. E. Paret From firewalls-owner Mon Dec 2 06:11:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA01893 for firewalls-outgoing; Mon, 2 Dec 1996 05:59:19 -0800 (PST) Received: from cypress.cycon.com (cypress.CYCON.COM [204.5.16.32]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA01872 for ; Mon, 2 Dec 1996 05:59:05 -0800 (PST) Received: from localhost (sconner@localhost) by cypress.cycon.com (8.7.5/8.7.3) with SMTP id JAA10840; Mon, 2 Dec 1996 09:05:31 -0500 Date: Mon, 2 Dec 1996 09:05:29 -0500 (EST) From: Steve Conner To: Zheng Wenfeng cc: Firewalls@GreatCircle.COM Subject: Re: Critical Message In-Reply-To: <30C0EF82.6CFC@gdut.edu.cn> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, As long as you haven't rebooted the machine, you should be OK. All you have done is wiped out a symbolic link to a low level device driver. 
To fix it do the following:

cd /dev/dsk
ln -s ../../devices/iommu@0,10000000/sbus@0,10001000/espdma@4,8400000/esp@4,8800000/sd@3,0:a /dev/dsk/c0t3d0s0

The ln is one complete command so make sure you type in the above three lines in as one command, sorry, my mail editor only allows 70ish characters per line. This should fix your problem.

Steve

--------------------------------------------------------------- Steve Conner Cypress Consulting, Inc. sconner@cycon.com 703-256-1279 Manager, Research & Development http://www.cycon.com CYCON Labyrinth, Firewall and Network Address Translator ---------------------------------------------------------------

On Sat, 2 Dec 1995, Zheng Wenfeng wrote: > Dear Mr. or Miss. > sorry! I have encountered a critical problem, Now I don't know who > can help me? > I have made the critical problem when I use the tar command, the > following > message is my process course, > first, I have sent the command when I am a supervisor, > #tar -cvf /dev/dsk/c0t3d0s0 /home1/wjz/*.txt > and /dev/dsk/c0t3d0s3 is the boot root disk, I know I have made a > critical mistake > but now I haven't any way to resolve the above problem, can you give me > a help? > thank you!! > By the way, my UNIX host is Solaris 2.3 operation system.
> > Best Regards > > Addr: East 729 DongFeng Road,GuangZhou, > Email:lucky@gdut.edu.cn > GuangDong province,China > or:zhengwf@gdut.edu.cn > Code:510090 > Organize:Education department >

From firewalls-owner Mon Dec 2 06:25:20 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA03471 for firewalls-outgoing; Mon, 2 Dec 1996 06:14:06 -0800 (PST) Received: from eplegal.eapi.com (marauder.epcorp.com [198.30.14.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA03450 for ; Mon, 2 Dec 1996 06:13:44 -0800 (PST) Received: from eppcmcw.eapi.com by eplegal.eapi.com id aa00392; 2 Dec 96 9:13 EST Message-Id: <3.0.32.19961202091325.0077cfd4@eptax.epcorp.com> X-Sender: martinw@eptax.epcorp.com X-Mailer: Windows Eudora Pro Version 3.0 Demo (32) Date: Mon, 02 Dec 1996 09:13:30 -0500 To: firewalls@greatcircle.com From: "Martin C. Walker" Subject: 2 questions re:fw-1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Running FW-1 v2.1 on Solaris 2.5 x86. I have 2 questions

1. Where in the hierarchy of things that FW does is NAT applied on both the inbound and outbound (wrt the packet direction) interfaces ? I have "inbound" set in my properties. Am I correct in thinking that, for a forward moving packet outbound from the internal network the following happens:

packet reaches fw-1 internal interface
anti spoofing applied
items marked "first" in security policy properties
rule base except for last rule
items marked "before last" in security policy properties
last rule of rule base
items marked "last" in security policy properties
implicit drop
nat
packet leaves external interface (boldly going where no packet has gone before)

2. At what level does snoop work on the fw-1 machine wrt to the FW-1 actions. ie will snoop only see packets that make it through the first 8 things above ?
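Steve's fix in the "Critical Message" thread above recreates the /dev/dsk link by hand. As an added check, not part of the original exchange: before recreating anything it helps to know which case you are in. If the path is a missing or dangling link, the ln command is the repair. If the link is intact and still points at the slice but the first block of that slice now starts with a tar header, the archive went onto the partition itself, and a new link will not bring the filesystem back. The function below reads only the first 512 bytes and looks for the POSIX ustar magic at offset 257. Reading a raw device needs root; the device names and files in the demo are constructed stand-ins, not the asker's system.

```python
import os


def looks_like_tar(path: str) -> bool:
    """True if the first 512-byte block carries the POSIX ustar magic
    at offset 257, i.e. a tar archive was written starting at block 0."""
    try:
        with open(path, "rb") as f:
            block = f.read(512)
    except OSError:
        return False
    return block[257:262] == b"ustar"


def classify_dev_entry(path: str) -> str:
    """Say which recovery case a /dev/dsk entry is in.

    symlink-dangling / missing : the link itself is gone; recreate it
    symlink-ok                 : link and target both look normal
    symlink-to-tar             : link is fine but the slice it points at
                                 begins with a tar header: the data was
                                 overwritten, the link is not the problem
    overwritten-with-tar       : the entry is now a plain file holding an
                                 archive (tar created a file where the
                                 link used to be)
    """
    if os.path.islink(path):
        if not os.path.exists(path):
            return "symlink-dangling"
        return "symlink-to-tar" if looks_like_tar(path) else "symlink-ok"
    if os.path.isfile(path):
        return "overwritten-with-tar" if looks_like_tar(path) else "regular-file"
    if os.path.exists(path):
        return "other"
    return "missing"


# Constructed 512-byte block: all zero except the ustar magic at offset 257.
USTAR_BLOCK = (b"\0" * 257 + b"ustar\0").ljust(512, b"\0")


def demo() -> dict:
    """Constructed stand-ins for each case, built in a temp directory."""
    import tempfile
    out = {}
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join
        with open(p(d, "c0t3d0s0"), "wb") as f:   # archive written over the entry
            f.write(USTAR_BLOCK)
        out["s0"] = classify_dev_entry(p(d, "c0t3d0s0"))
        os.symlink(p(d, "no-such-device"), p(d, "c0t3d0s1"))  # link left dangling
        out["s1"] = classify_dev_entry(p(d, "c0t3d0s1"))
        with open(p(d, "slice2"), "wb"):           # healthy "slice" (empty file)
            pass
        os.symlink(p(d, "slice2"), p(d, "c0t3d0s2"))
        out["s2"] = classify_dev_entry(p(d, "c0t3d0s2"))
        with open(p(d, "slice3"), "wb") as f:      # the slice itself overwritten
            f.write(USTAR_BLOCK)
        os.symlink(p(d, "slice3"), p(d, "c0t3d0s3"))
        out["s3"] = classify_dev_entry(p(d, "c0t3d0s3"))
        out["s4"] = classify_dev_entry(p(d, "c0t3d0s4"))  # never existed
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

On the real box you would call classify_dev_entry("/dev/dsk/c0t3d0s0") as root; only the dangling and missing verdicts are the case that ln -s repairs.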
------------------------------------------------------------------------ Martin C. Walker martinw@epcorp.com Project Lead Voice: (513)629-2517 Eagle-Picher Industries Fax: (513)629-2449 580 Walnut St, Cincinnati, OH 45202

From firewalls-owner Mon Dec 2 07:25:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA08487 for firewalls-outgoing; Mon, 2 Dec 1996 07:13:34 -0800 (PST) Received: from smtp2.interramp.com (smtp2.interramp.com [38.8.200.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA08470 for ; Mon, 2 Dec 1996 07:13:19 -0800 (PST) Received: from davidh.interramp.com by smtp2.interramp.com (8.8.1/SMI-4.1.3-PSI-irsmtp) id KAA24077; Mon, 2 Dec 1996 10:13:08 -0500 (EST) Message-ID: <32A2DDF1.3BEB@checkpoint.com> Date: Mon, 02 Dec 1996 07:47:37 -0600 From: David Helms Reply-To: david.helms@checkpoint.com Organization: CheckPoint Software Technologies X-Mailer: Mozilla 3.0 (Win95; I) MIME-Version: 1.0 To: Bill Husler CC: Dave Roberts , Firewalls@GreatCircle.COM Subject: Re: Redundant FW-1s in Parallel!? References: <199611300302.FAA18918@cale.checkpoint.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Bill, The answer is yes and no. We have tried to not use the phrase "High Availability" on purpose. Qualix provides high availability in their solution and it is a valuable supplement to what FW-1 does. What "State Sharing" does is solve the asymmetrical routing problem when you have multiple, valid, routed paths that the packets within a logical session can take. If this ability to handle multiple paths is combined with a routing topology mechanism that is extremely responsive to topology changes, then you approach the functionality level of a "High Availability" system. So, in short, yes the "after" diagram you have shown will work, in terms of solving the asymmetrical routing problem.
However, to make that system "Highly Available" you also have to include the surrounding routers into the picture and make the sure they are playing the game also. David Bill Husler wrote: > > David, > Let me see if I understand this. > > Currently, if we want HA we must use Qualix software which required two > dedicated lan ports and external shared DASD between two firewalls - one > of which is simply a hot standby. With this configuration on a Sparc-5, > we only get to have two usable interfaces. If I understand what we will > get with Checkpoints flavor is the ability to actually use these other > interfaces for the sort of things we wanted to in the first place like > providing employee dial-up or private connections to other companies > while provide load balancing and fail-over. Is this true? > > BEFORE AFTER > > -------------------- -------------- > Int | | Ext Int | | Ext > -----| Primary Firewall |----- -----| Firewall A |----- > | | | | | | | | > | -------------------- | | -------------- | > | ......|.|........|........ | | | | | > | . req | | ---------- . | | -------- -------- | > -----| . for | | |Ext Disk| . |----- -----| | DIAL | | OTHR | > |----- > | . HA | | ---------- . | | -------- -------- | > | ......|.|........|........ | | | | | > | -------------------- | | -------------- | > | | | | | | | | > -----| Backup Firewall |----- -----| Firewall B |----- > | | | | > -------------------- -------------- > Bill > > >Subject: Re: Redundant FW-1s in Parallel!? > >Sent: 11/27/96 9:04 AM > >Received: 11/27/96 8:01 PM > >From: David Helms, david.helms@checkpoint.com > >To: Dave Roberts, djr@saa-cons.co.uk > >CC: Firewalls@GreatCircle.COM > > > >Dave, > > > >See my comments below.... > > > >Dave Roberts wrote: > >> > >> On Tue, 26 Nov 1996, David Helms wrote: > >> > >> > That "State-Sharing" protocol was announced as a feature of the V3.0 > >> > release of FireWall-1. > >> > >> How does the software share the state information? 
ie what kind of > >> protocol over what kind of medium. > > > >The state sharing protocol is a TCP-protocol that falls within the group > >of what are considered FW-1 control protocols. > > > >> Is it encrypted and/or authenticated? > > > >Yes and yes, based on the same mechanism as other FW-1 control > >protocols. > > > >David > >> > >> -- > >> Dave Roberts For PGP Key - send mail with subject of 'get pgp':- > >> Senior Unix Admin < 51 4B 6A 35 3F C4 B6 3D 13 88 0C B2 48 61 51 1C > > >> SAA Consultants Ltd Std disclaimer applies, it's nothing to do with them > >> Plymouth, UK. Tel: +44 1752 606000 Fax: +44 1752 606838 > > > >-- > >__________________________________ > > David Helms > > Senior Technical Consultant > > CheckPoint Software Technologies > > ph 703.684.4824 > > fx 703.684.4847 > > davidh@checkpoint.com > >__________________________________ -- __________________________________ David Helms Senior Technical Consultant CheckPoint Software Technologies ph 703.684.4824 fx 703.684.4847 davidh@checkpoint.com __________________________________ From firewalls-owner Mon Dec 2 07:41:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA09152 for firewalls-outgoing; Mon, 2 Dec 1996 07:23:33 -0800 (PST) Received: from eplegal.eapi.com (marauder.epcorp.com [198.30.14.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA09140 for ; Mon, 2 Dec 1996 07:23:21 -0800 (PST) Received: from eppcmcw.eapi.com by eplegal.eapi.com id aa02802; 2 Dec 96 10:22 EST Message-Id: <3.0.32.19961202102312.009d5d54@eptax.epcorp.com> X-Sender: martinw@eptax.epcorp.com X-Mailer: Windows Eudora Pro Version 3.0 Demo (32) Date: Mon, 02 Dec 1996 10:23:15 -0500 To: Firewalls@GreatCircle.com From: "Martin C. Walker" Subject: 2 questions re:fw-1 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Runing FW-1 v2.1 on Solaris 2.5 x86. I have 2 questions 1. 
Where in the hierarchy of things that FW does is NAT applied on both the inbound and outbound (wrt the packet direction) interfaces ? I have "inbound" set in my properties. Am I correct in thinking that, for a forward moving packet outbound from the internal network the following happens:

packet reaches fw-1 internal interface
anti spoofing applied
items marked "first" in security policy properties
rule base except for last rule
items marked "before last" in security policy properties
last rule of rule base
items marked "last" in security policy properties
implicit drop
nat
packet leaves external interface (boldly going where no packet has gone before)

2. At what level does snoop work on the fw-1 machine wrt to the FW-1 actions. ie will snoop only see packets that make it through the first 8 things above ?

------------------------------------------------------------------------ Martin C. Walker martinw@epcorp.com Project Lead Voice: (513)629-2517 Eagle-Picher Industries Fax: (513)629-2449 580 Walnut St, Cincinnati, OH 45202

From firewalls-owner Mon Dec 2 08:26:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA11981 for firewalls-outgoing; Mon, 2 Dec 1996 08:09:13 -0800 (PST) Received: from gw.garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA11973 for ; Mon, 2 Dec 1996 08:09:06 -0800 (PST) Received: by gw.garrison.com; id EAA17165; Mon, 2 Dec 1996 04:03:01 -0600 (CST) Received: from ukn0.garrison.com(10.0.0.2) by gw.garrison.com via smap (3.2) id xma017156; Mon, 2 Dec 96 04:02:55 -0600 Received: by garrison.com.
(4.1/Surrogate Sendmail hack) id AA01528; Mon, 2 Dec 96 10:04:05 CST Date: Mon, 2 Dec 96 10:04:05 CST From: jeromie@garrison.com (Jeromie Jackson) Message-Id: <9612021604.AA01528@garrison.com.> To: zaka@tiac.net, lazar@netevolve.com Subject: Re: Cisco's PIX firewall Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> The biggest advantage to the PIX is that you can use a private addressing > scheme on your network. This allows you to create a meaningful IP > addressing scheme. For example, you can designate the second octet to > match the OSPF area the address is used in. (i.e 10.3.0.0 for area 3, > 10.4.0.0 for area 4 and so on). Another advantage to private addressing is > that you never have to worry about renumbering your network due to changing > ISP's or anything like that.

Let us not forget that just about any firewall in the market has the ability to allow you to use internal net 10 addressing... This is not a feature of the box itself.

Jeromie Jackson Garrison Technologies jeromie@garrison.com

From firewalls-owner Mon Dec 2 08:56:24 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA14716 for firewalls-outgoing; Mon, 2 Dec 1996 08:48:15 -0800 (PST) Received: from aries.dgsca.unam.mx (aries.dgsca.unam.mx [132.248.120.102]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA14709 for ; Mon, 2 Dec 1996 08:48:07 -0800 (PST) Received: by aries.dgsca.unam.mx (940816.SGI.8.6.9/940406.SGI.AUTO) id KAA21297; Mon, 2 Dec 1996 10:42:09 -0600 Date: Mon, 2 Dec 1996 10:42:01 -0600 (CST) From: "Raul Sanchez A."
To: firewalls@greatcircle.com

suscribe firewalls resa@servidor.unam.mx

From firewalls-owner Mon Dec 2 09:11:32 1996
Date: Mon, 2 Dec 1996 09:44:18 -0700
From: "Gary G. Christoph"
To: Eric Wieling, isdnsec@markettech.com, firewalls@GreatCircle.COM
Subject: Re:

Eric-

Does the offer still hold? :-)

Thanks,
Gary

At 10:26 -0700 7/29/96, Eric Wieling wrote:
>ISDN Secrets wrote:
>>
>> Most places in the country are charged by the minute
>> for ISDN access even for local calls. Some areas as
>> much as 2 cents per B channel (that's 4 cents per minute
>> with 128KB access) during primetime hours. Where I live,
>> in the month of July alone I would have paid $1279.20
>> for dedicated access (unless you know the secret the
>> phone company will not share with you). I only paid
>> $45.
>
>It's called Data Over Voice Bearer Service (DOVBS) and I'll tell you
>about it for free, if you e-mail me.
8-)
>
>--
>Eric Wieling
>Advanced Network Research
>InterCommerce Corporation
>Pager: 800-758-3680
>
>If you consistently take an antagonistic approach, however, people are
>going to start thinking you're from New York. :-)
> --Larry Wall to Dan Bernstein

----------------------------------------------------------------------
Gary G. Christoph, Ph.D.
Systems Security Research and Development Team Leader
Computer Research and Applications Group, CIC-3, MS-B265
Computing, Information and Communications Division
University of California, Los Alamos National Laboratory
Los Alamos, NM 87545
ggc@lanl.gov  (505) 667-3709  FAX (505) 665-5520
----------------------------------------------------------------------

From firewalls-owner Mon Dec 2 09:33:56 1996
Date: Mon, 2 Dec 1996 11:54:45 -0500 (EST)
From: Ming Lu
To: Denis.Valois@pt.nce.sita.int, firewalls@GreatCircle.COM, webmaster@internic.uob.bh
Subject: RE: [Fwd: Caution : Internet Virus]

On Bill Gates' machines, it is possible..:-), not on unix

Cheers
Ming

From firewalls-owner Mon Dec 2 10:03:45 1996
Date: Mon, 02 Dec 1996 20:55:53 +0300
From: Biju John
Reply-To: nbku1@ncc.moc.kw
Organization: NBK
To: firewalls@greatcircle.com
Subject: SSL

Hello,

Can anyone suggest where I can get information (a simple explanation) on SSL? (Not the Netscape site!!)

BJ

From firewalls-owner Mon Dec 2 10:12:22 1996
Date: Mon, 02 Dec 1996 09:52:39 -0800
From: marcvh@aventail.com (Marc VanHeyningen)
To: "Young-jin Hong"
Cc: Firewalls@greatcircle.com
Subject: Re: Q) What is CIRCUIT GATEWAY(=CIRCUIT LEVEL PROXY)?

>Dear list members.
>
>I'd like to know what a 'circuit gateway (=circuit level proxy)' is, or
>how it differs from application gateways and packet filtering in
>generic firewalls.
>
>Let me know what it is or where I can find it out.
Briefly, a circuit-level proxy is a "generic" application gateway: it is like an application proxy in that it does not forward packets but instead proxies application-level content across a barrier, but it is designed to be general enough to work with many different protocols, not just one. In practice, SOCKS is the most common circuit-level solution used and discussed.

In practice, the distinction can get blurred sometimes. Our SOCKS v5 server, for instance, is a circuit-level proxy but is capable of doing some things normally associated with an application proxy, like performing content-based filtering of HTTP requests.

I'd recommend Chapter 3 of the Wily Hacker book. There's also a white paper on our web site that discusses some of the tradeoffs: .

--
Marc VanHeyningen                    marcvh@aventail.com
Internet Security Architect          Aventail  http://www.aventail.com/

From firewalls-owner Mon Dec 2 10:51:06 1996
Date: Mon, 02 Dec 1996 14:12:50 +0100
From: Stephane Bouché @remcomp.fr
Organization: OMNISET
To: webmaster@admin.uob.bh
CC: firewalls@GreatCircle.COM
Subject: Re: [Fwd: Caution : Internet Virus]

Hisham Khalifa Al Saad wrote:
>
> Hi members of Firewalls,
>
> I got this Virus alert in my mail box, and
> by myself I forward it to
> you:
>
> ------------------------------------------------------------------------
> Hi,
> We just got word that there is a new virus screaming around the
> internet that will wipe out your hard drive if you open the file.
> Here is the word they sent us...
>
> "There is a computer virus that is being sent across the internet. If
> you receive an e-mail with a subject line of "Irinia", DO NOT read the
> message. Delete it immediately. Some miscreant is sending people files
> under the name of "Irinia". If you receive this file or e-mail, do not
> download it. It has a virus that rewrites your hard drive, obliterating
> anything on it. Please be careful and forward this e-mail to anyone you
> care about."
>
> This information was received from Professor Edward Prideaux, College of
> Salvonic Studies, London.
>
> This virus appears to be much more aggressive than the irritating
> Microsoft word virus. Be alert.
>
> ----------------------- END OF ALERT MESSAGE ----------------------------------
>
> Thank you,
> Take Care,
>
> Hisham Al Saad
> University of Bahrain

Please give us more information about this. Who sent the alert message to you? Is this a TROJAN? A VIRUS? WHAT IS THE ATTACHMENT? It doesn't look serious, technically speaking (without more details). Please let us know about it.
--
------------------------------------------------------------------------
Stéphane Bouché               | "Lie is virtual reality"
OMNISET | PC Security Experts | "World is crazier than cows"
sb@omniset.com                |
------------------------------------------------------------------------

From firewalls-owner Mon Dec 2 10:58:14 1996
Date: Mon, 2 Dec 1996 13:31:39 -0500
From: vin@shore.net (Vin McLellan)
To: firewalls@greatcircle.com
Subject: Corporation Security - 90 Day Study

Mark Gembicki of WarRoom Research tells me that his survey of information security in 205 Fortune 1000 companies is now available online at , along with a press release and a statement from Sen. Nunn's Permanent Subcommittee on Investigations.

Vin McLellan  +The Privacy Guild+  53 Nichols St., Chelsea, Ma.
02150 USA  Tel: (617) 884-5548
<*><*><*><*><*><*><*><*><*>

From firewalls-owner Mon Dec 2 11:18:44 1996
Date: Mon, 2 Dec 1996 13:21:53 -0500
From: WarRoom2@aol.com
To: firewalls@greatcircle.com
Subject: WarRoom's Information Systems Security Survey -- http://www.infowar.com

A variety of information on WarRoom Research's Information Systems Security (ISS) Survey is now available online. The following files reside at http://www.infowar.com:

  survey.doc   -- survey questionnaire in Word;
  surv_q12.hcx -- display of question number 12 in Harvard Chart XL;
  surv_q15.hcx -- display of question number 15 in Harvard Chart XL;
  news.txt     -- WarRoom Research news release about survey in ASCII;
  results.txt  -- survey results by question in ASCII;
  results.wk4  -- survey results by question in Lotus 1-2-3; and
  senate.txt   -- statement from Permanent Subcommittee on Investigations in ASCII.

Should anyone have questions or comments, I would be happy to respond.

Best regards,
Mark Gembicki, Exec.
VP WarRoom Research
410.437.1110 central
410.437.1118 fax
WarRoom2@aol.com

From firewalls-owner Mon Dec 2 11:43:24 1996
Date: Mon, 2 Dec 1996 09:51:51 -0800
From: Habeeb Qadri
To: firewalls-digest@GreatCircle.COM, felipe@pty.com
Subject: Re: FW-1 for ISP's

Felipe:

you probably do not want to hear this, BUT.....

The intent of the CheckPoint license is that if you have 300 hosts on the INSIDE of your firewall, and you ONLY have a "250 user license", then you are in violation of their licensing policy. It does not matter if fewer than 250 hosts on the INSIDE need/use the firewall protection. As far as CheckPoint is concerned, their FW-1 software is "protecting" more than 250 hosts regardless of whether they need it or not.

Suggest you check with your reseller, and/or CheckPoint directly, to avoid licensing problems later.

Habeeb Qadri

PS: I don't work for CheckPoint, but have taught their FW-1 class in the United States as a consultant for about 15 months.
> From postmaster@synopsys.com Wed Nov 27 19:19:44 1996
> Subject: FW-1 for ISP's
> To: firewalls-digest@GreatCircle.COM
> Date: Wed, 27 Nov 1996 20:54:21 +0500 (GMT)
> From: felipe@pty.com (Ing. Felipe Tribaldos)
> X-Url: http://www.pty.com/
>
> Hi;
>
> I would like to hear about ISP's who have FW-1 on Solaris.
> We purchased it, but are having problems with the licensing (250 node)
> version 2.0.
>
> I would like to hear especially if you have access servers inside
> or outside of the firewall. This is a tricky issue, as any ISP
> knows that AS keep growing and growing.
>
> Also, where do you put all the routers? These keep growing also.
> Do you protect dedicated customers' networks also?
>
> I would like to hear how others have handled this issue, as an
> unlimited license is out of the question ($19K!). If we only
> protect a couple of servers, then it doesn't make sense
> to use FW-1, since in the case of an ISP all the servers provide
> public services, such as DNS, MAIL, FTP, WWW, NEWS, etc.
> Please answer by private email, as I am on digest mode, and won't
> see messages right away.
>
> Thanks;
>
> Felipe
>
> --
> ___________________________________________________________________________
> | Ing. Felipe Tribaldos                                                    |
> | Gerente de Operaciones / Operations Manager  Tel. +(507)269-3571/223-5111|
> | CyberMedia Panama                            Fax. +(507)264-6082         |
> | Internet Access - Web Publishing             Res.
> +(507)269-7330 |
> | url: http://www.pty.com/   email: felipe@pty.com                         |
> |__________________________________________________________________________|

From firewalls-owner Mon Dec 2 11:52:58 1996
Date: Mon, 02 Dec 96 11:24:07 PST
From: "Richard Power"
To: firewalls-digest@GreatCircle.COM, INFSEC-L@ETSUADMN.TAMU-COMMERCE.EDU, best-of-security@suburbia.net
Subject: Free "Intranet security tips" from CSI

If you want a free copy of the "CSI Roundtable on Intranet Security," e-mail your postal address to prapalus@mfi.com. This report is not available electronically.

2 December 1996
FOR IMMEDIATE RELEASE

CSI roundtable explores Intranet security: Web of productivity or peril?

SAN FRANCISCO -- According to industry analysts, one in every five corporations has already deployed an Intranet and 70% of corporations plan to in 1997. The white-hot drive toward corporate Intranets exceeds even the thrust toward Internet access; analysts project that by the year 2000, there will be five million Intranet servers versus less than one million Internet servers. Clearly, this is a sweeping change in how information systems are built. What are the information security implications? What are the risks, threats and vulnerabilities of the Intranet computing environment?
In a special edition of the Computer Security Alert, a roundtable of information security experts offers a fascinating look into the challenges of Intranet security. The questions that CSI's blue-ribbon panel tackles include:

  - How does Intranet security differ from LAN/WAN and client/server security?
  - What vulnerabilities are accentuated in an Intranet?
  - How can you control content on Intranet web sites?
  - Where does the Internet end and the Intranet begin?
  - How would you do an Intranet risk analysis?
  - What issues should be spelled out in an Intranet security policy?

The Computer Security Alert is the members-only monthly newsletter of the Computer Security Institute. CSI offers a two-day class, "How to Secure Your Intra/Internet Connections," which details how an organization can safely and securely utilize Intra/Internet technology. For further information, please call 415/905-2310.

###

Computer Security Institute is the oldest international membership organization specifically serving the information security professional. Established in 1974, CSI has thousands of members worldwide and provides a wide variety of information and educational programs to assist them in protecting the information assets of corporate, government and educational organizations.
From firewalls-owner Mon Dec 2 12:23:59 1996
Date: Mon, 2 Dec 1996 14:47:50 -0500 (EST)
From: FaNgYoU2
To: firewalls@GreatCircle.com
Subject: Re: Question on Windows NT web behind firewall

The web server on the NT machine inside the TIS Gauntlet is running Netscape Server 2.0. Does that have any known vulnerabilities that can be exploited by users with http connections from the Internet?

Please stop sending e-mail asking how I got through the Gauntlet. I did not get through the Gauntlet. I got physical access exactly the way I said I did.

FaNgYoU2, Cyberspace^^Vampyre
^^ Touch it, touch it, touch me ...
creatures of the Night ^^

From firewalls-owner Mon Dec 2 12:37:47 1996
Date: Mon, 2 Dec 1996 14:35:18 +0000
From: "Sergio Untiveros"
Organization: Ministerio de Energia y Minas
To: Firewalls@GreatCircle.COM
Subject: I free Firewall Software for NT.

Hello friends.

I need free firewall software for NT Server v4.0. Where will I find it?

Thanks for your help.

Sergio
Ministerio de Energia y Minas
Sergio Untiveros / Network Manager
Telf.
4750064 Anexo 223, 403
Telf: 9946059
http://www.mem.gob.pe

From firewalls-owner Mon Dec 2 13:26:52 1996
Date: Mon, 2 Dec 1996 13:15:39 -0800 (PST)
From: Leonard Miyata
To: Biju John
Cc: firewalls@GreatCircle.COM
Subject: Re: SSL

The Northern Telecom (NORTEL) web site (www.nortel.com) has several write-ups and white papers posted. Search for their 'Entrust' home page off of their site.

Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com
GEMINI COMPUTERS INC.

On Mon, 2 Dec 1996, Biju John wrote:
> Hello,
>
> Can anyone suggest where I can get information (a simple explanation) on SSL?
> (Not the Netscape site!!)
>
> BJ
>

From firewalls-owner Mon Dec 2 13:40:53 1996
Date: Mon, 2 Dec 1996 15:24:01 -0600
From: Mark Joseph Edwards
To: "'firewalls@GreatCircle.com'"
Subject: RE: Internet Virus HOAX, Part 3x10^5

Psssst. Hey buddy....wanna buy a bridge in Brooklyn?

> "There is a computer virus that is being sent across the internet. If
> you receive an e-mail with a subject line of "Irinia", DO NOT read the
> message.
> Delete it immediately.

From firewalls-owner Mon Dec 2 14:10:08 1996
Date: Mon, 2 Dec 1996 16:31:06 -0500
From: "Osterwald, Paul"
To: "'suntiver@mem.gob.pe'", "'Firewalls@GreatCircle.COM'"
Subject: RE: IP numbers end

Sergio:

The Best Current Practice document 5 (BCP5, RFC 1918) advocates the use of privatized addressing. This, in conjunction with a firewall, will allow you to use a Class A, multiple B, or multiple C address spaces internally and then use your registered address on your Internet segment (outside the firewall).

For publicly available firewall software, go to http://www.tis.com and obtain the firewall toolkit. It is an excellent product. They also have a mailing list to support it.

For references on firewalls, there is Repelling the Wily Hacker by Cheswick and Bellovin and Building Internet Firewalls by Chapman and Zwicky.

Hope this helps.

Paul

Subtle and insubstantial, the expert leaves no trace; Divinely mysterious, he is inaudible. - Sun Tzu

-----Original Message-----
From: Sergio Untiveros [SMTP:suntiver@mem.gob.pe]
Sent: Wednesday, November 27, 1996 1:29 AM
To: Firewalls@GreatCircle.COM
Subject: IP numbers end

Hi friends.

I write from Peru, South America.
My question is as follows: how can we have more IP numbers in our site, because the 254 numbers are used? We do not have subnets.

Thanks for your help.

Ministerio de Energia y Minas
Sergio Untiveros
Adm. de Red
Telf. 4750064 Anexo 223, 403
Telf: 9946059

From firewalls-owner Mon Dec 2 14:26:46 1996
Date: Mon, 2 Dec 1996 17:12:25 -0500 (EST)
From: heiser@world.std.com (Bill Heiser)
To: firewalls@greatcircle.com
Subject: restricting OUTBOUND access

An associate of mine is trying to convince me that it's safe to restrict only inbound traffic thru a firewall, but to allow completely unrestricted traffic outbound. I'm looking for concrete examples of why this is a Bad Thing.

I guess I'm thinking in terms of inside users connecting to evil services on the outside, with the established connections being used to do Bad Things to inside systems. However, I don't have any concrete examples.

Also, since presumably once someone is "inside" they can do anything they want anyway (put stuff on a floppy, fax, etc.), that makes a case for his argument that allowing unrestricted outbound access isn't so bad. But I'm not convinced.
Any feedback on what kinds of bad things can happen (by users on the OUTSIDE) with this kind of firewall setup would be appreciated.

Thanks in advance,
Bill

--
Bill Heiser
heiser@world.std.com

From firewalls-owner Mon Dec 2 15:40:50 1996
Date: Mon, 2 Dec 1996 18:33:15 -0500
From: "William Beem"
To: ,
Subject: Re: SSL

Try http://www.microsoft.com/intdev/security

--William

----------
> From: Biju John
> To: firewalls@GreatCircle.COM
> Subject: SSL
> Date: Monday, December 02, 1996 12:55 PM
>
> Hello,
>
> Can anyone suggest where I can get information (a simple explanation) on SSL?
> (Not the Netscape site!!)
>
> BJ

From firewalls-owner Mon Dec 2 15:57:45 1996
Date: Mon, 02 Dec 1996 14:39:23 -0800
From: "Don S. Chin"
To: Mark_Plesser_at_NYRAPO@GreatCircle.COM
Cc: firewalls@GreatCircle.COM, lazar@netevolve.com, mhoward@cisco.com, froys@cisco.com, jlw@cisco.com, afoss@cisco.com, amittal@cisco.com
Subject: Cisco's PIX Firewall

Mark,

I don't have the original email thread -- I'm working from a hard copy.

To clarify the PIX Firewall, it is not a packet filter. It is a dedicated security device, built with one purpose in mind -- securing the private LAN to the Internet. We are in fact directly in competition with Checkpoint, Raptor, TIS, etc.

The "cut-through proxy" feature provides a significant performance enhancement to the security function, since users are authenticated at the application layer. Once authenticated, the process flow shifts back to the network layer, which provides the high performance.

The product itself is NCSA certified, and SRI has done a security audit on the PIX Firewall (see http://www.cisco.com/pix).

I hope this clarifies things for you.
Don Chin                    170 West Tasman Drive     Email: dochin@cisco.com
Product Marketing Manager   San Jose, CA 95134-1706
Internet Business Unit      Direct (408) 527-8116
Cisco Systems Corp.         FAX (408) 527-8122

From firewalls-owner Mon Dec 2 16:25:18 1996
Date: Mon, 2 Dec 1996 15:53:18 -0800 (PST)
From: Michael Dillon
Organization: Memra Software Inc. - Internet consulting
To: firewalls@GreatCircle.COM
Subject: RE: [Fwd: Caution : Internet Virus]

On Mon, 2 Dec 1996, Denis Valois wrote:
> This is a hoax.
>
> Anyway, just by saying that "reading" a mailgram wipes out
> your hard drive is of utmost foolishness.

Irina may be a hoax, but the danger is real. There are now email applications that *CAN* open up attached binaries and execute them without user intervention.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc.
- Fax: +1-604-546-3049 http://www.memra.com - E-mail: michael@memra.com From firewalls-owner Mon Dec 2 16:45:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA26711 for firewalls-outgoing; Mon, 2 Dec 1996 16:28:26 -0800 (PST) Received: from trumpet.aix.calpoly.edu (trumpet.aix.calpoly.edu [129.65.65.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA26704 for ; Mon, 2 Dec 1996 16:28:14 -0800 (PST) Received: by trumpet.aix.calpoly.edu (AIX 3.2/UCB 5.64/4.03) id AA81393; Mon, 2 Dec 1996 16:26:11 -0800 Date: Mon, 2 Dec 1996 16:26:10 -0800 (PST) From: "R. E. Paret" To: Bill Heiser Cc: firewalls@GreatCircle.COM Subject: Re: restricting OUTBOUND access In-Reply-To: <199612022212.AA11389@world.std.com> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 2 Dec 1996, Bill Heiser wrote: > > An associate of mine is trying to convince me that it's safe > to restrict only inbound traffic thru a firewall, but to > allow completely unrestricted traffic outbound. I'm looking > for concrete examples of why this is a Bad Thing. There are a variety of reasons why this could be a Bad Thing(tm), depending on your perspective. One is if your organization wanted to filter out web sites based on content (no looking at erotica during business hours) accessing such material would be termed a Bad Thing and thus need to be restricted. While we're on the topic of the WWW, hostile Java applets on a seemingly safe site could wreak havok on your internal network. An malcontent on the inside could ftp exploit code to gain a greater level of priviledge on the internal network, which is also a Bad Thing. There are probably more examples where you would want to control outbound access (and not neccessarily just though firewalls) but those are the few I can think of off the top of my head. R.E. 
Paret From firewalls-owner Mon Dec 2 17:01:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA24113 for firewalls-outgoing; Mon, 2 Dec 1996 15:49:26 -0800 (PST) Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA24106 for ; Mon, 2 Dec 1996 15:49:19 -0800 (PST) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id QAA19994 for ; Mon, 2 Dec 1996 16:05:20 -0800 Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id PAA03613 for ; Mon, 2 Dec 1996 15:45:19 -0800 Date: Mon, 2 Dec 1996 15:45:18 -0800 (PST) From: Michael Dillon To: firewalls@GreatCircle.COM Subject: Re: (MSIE3.0) - Re: ActiveX and Risks In-Reply-To: <32A20036.60BA@medeserv.com.au> Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 2 Dec 1996, Steven Herod wrote: > > This *can* be done. Microsoft provides (for the cost of shipping the > > CD-ROM) an administration kit that can be used to create an install > > set > > The cost of distribution is more than the $20 shipping fee. > You must change your web site to use IE specific features, issue > press releases aligning youself with Microsofts internet strategy, > install it on all the machines on your site and more..... There are alternatives as well that usually include Netscape and Eudora and various other utilities with a dialler and install script. http://www.intercon.com/valet http://www.ccsweb.com http://www.usefulware.com Michael Dillon - ISP & Internet Consulting Memra Software Inc. 
- Fax: +1-604-546-3049 http://www.memra.com - E-mail: michael@memra.com From firewalls-owner Mon Dec 2 17:08:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA24122 for firewalls-outgoing; Mon, 2 Dec 1996 15:49:59 -0800 (PST) Received: from LIVEDGAR.gsionline.com (livedgar.gsionline.com [204.254.209.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA24115 for ; Mon, 2 Dec 1996 15:49:49 -0800 (PST) Received: from LIVEDGAR.gsionline.com by LIVEDGAR.gsionline.com (NTMail 3.02.09) with ESMTP id ia053958 for ; Mon, 2 Dec 1996 18:51:46 -0500 X-Sender: nbk#204.254.209.2@192.168.0.22 X-Mailer: Windows Eudora Version 1.4.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: heiser@world.std.com (Bill Heiser) From: nkeenan@gsionline.com (Nick Keenan) Subject: Re: restricting OUTBOUND access Cc: firewalls@greatcircle.com Date: Mon, 2 Dec 1996 18:51:46 -0500 Message-Id: <23514668534765@gsionline.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >Any feedback on what kinds of bad things can happen (by users >on the OUTSIDE) with this kind of firewall setup would be >appreciated. > Well, this may be a stretch into the hypothetical: User is running windows 95. Uses outgoing connection to connect into a modem pool outside of the firewall (could be anywhere on the Internet with new TCP/IP based modem pool servers). Uses Dial-Up Networking to dial into a Remote Access Server. His computer, AND HIS NETWORK, are now accessible from the RAS host. So imagine this scenario (again, far into the hypothetical): Bad guy wants to trap the unwary. Sets up a Dial-up bulletin board with bait (porn* perhaps?). Says only access is through dial-up, doesn't want to deal with Internet Porno Cops. Also sets up modem pool in same area code, on the Internet, and invites people to connect to the modem pool and dial the BBS. Users think they are being clever, viewing porn at work with no one the wiser. 
In reality, they are providing a back door for him to hack their network. Unlikely, yes. This is a hypothetical. But the point is that Windows 95 allows you to compromise the network via outgoing modem calls. And you can use TCP/IP to access a modem. *Footnote: I hate using porn as an example, but it was the only bait I could think of on short notice. Already too much misinformation has been spread linking the Internet and porn -- see the Rimm study claiming that over 2/3 of Internet traffic is porn. Nick From firewalls-owner Mon Dec 2 17:28:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA01306 for firewalls-outgoing; Mon, 2 Dec 1996 17:13:56 -0800 (PST) Received: from news.rc.on.ca ([207.176.151.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA01289 for ; Mon, 2 Dec 1996 17:13:46 -0800 (PST) Received: by mail.rc.on.ca with IMAIL 2.0 id <01BBE08C.FB0CE470@mail.rc.on.ca>; Mon, 2 Dec 1996 20:11:19 -0500 Message-ID: From: Russ To: "Firewalls@GreatCircle.COM" , "'Sergio Untiveros'" Subject: RE: I free Firewall Software for NT. Date: Mon, 2 Dec 1996 20:11:18 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Connector (Beta) (4.5.1280.0) Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Hello friends. I need a free firewall software on NT server v4.0.=20 >Where I will found it? Thanks for your helps. * Control Panel/Networks/TCP-IP/Advanced/Enable Security/Configure/Permit Only/Permit Only/Permit Only/Ok/Ok/Ok/Ok * Bada bing bada bang, nothing can penetrate it. Whaddaya want for nuthin... * Cheers, Russ R.C. Consulting, Inc. 
- NT/Internet Security Consulting mailto:Russ.Cooper@RC.on.ca <-- *note the new address* From firewalls-owner Mon Dec 2 17:40:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA02130 for firewalls-outgoing; Mon, 2 Dec 1996 17:20:57 -0800 (PST) Received: from cidintpop2.INFOSEL.NET.MX (cidintpop2.infosel.net.mx [148.246.247.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA02093 for ; Mon, 2 Dec 1996 17:20:39 -0800 (PST) Received: from cidexchange.infosel.com.mx ([148.246.8.22]) by cidintpop2.INFOSEL.NET.MX (post.office MTA v2.0 0813 ID# 0-11856) with SMTP id AAA182 for ; Mon, 2 Dec 1996 19:19:56 -0600 Received: by cidexchange.infosel.com.mx with Microsoft Exchange (IMC 4.0.837.3) id <01BBE085.6C796D70@cidexchange.infosel.com.mx>; Mon, 2 Dec 1996 19:17:13 -0600 Message-ID: X-MS-TNEF-Correlator: From: =?iso-8859-1?Q?Jaime_Alberto_Botello_Cant=FA?= To: "'firewalls@greatcircle.com'" Subject: Configuring NAT feature in Cisco IOS 11.2 Date: Mon, 2 Dec 1996 19:17:06 -0600 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BBE085.6C85A270" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------ =_NextPart_000_01BBE085.6C85A270 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hi, Someone know how to configure the NAT feature in the cisco IOS 11.2?, we are trying to do some test to check the performance and to evaluate this like an option to smaller clients. I already look at cisco web, but no luck. Thanks in advance. 
From firewalls-owner Mon Dec 2 18:15:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA06655 for firewalls-outgoing; Mon, 2 Dec 1996 18:02:31 -0800 (PST)
Received: from hq.si.net (hq.si.net [192.156.192.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA06628 for ; Mon, 2 Dec 1996 18:02:23 -0800 (PST)
Received: (from mlu@localhost) by hq.si.net (8.8.3/8.7.3) id VAA14816; Mon, 2 Dec 1996 21:02:22 -0500 (EST)
Date: Mon, 2 Dec 1996 21:02:22 -0500 (EST)
From: Ming Lu
Message-Id: <199612030202.VAA14816@hq.si.net>
To: heiser@world.std.com, nkeenan@gsionline.com
Subject: Re: restricting OUTBOUND access
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Nick:

Did you mean dialup via Win95? It will bypass the firewall anyway. I really
don't see how the firewall can block people in this case, unless the modem
pool is behind the firewall.

Regards
Ming

From firewalls-owner Mon Dec 2 18:25:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA07891 for firewalls-outgoing; Mon, 2 Dec 1996 18:13:49 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA07881 for ; Mon, 2 Dec 1996 18:13:40 -0800 (PST)
Received: from big-dogs.cisco.com ([171.68.53.75]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id SAA05301; Mon, 2 Dec 1996 18:13:30 -0800
Message-Id: <2.2.32.19961203021331.006c4b88@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 02 Dec 1996 21:13:31 -0500
To: Jaime Alberto Botello Cantú
From: Paul Ferguson
Subject: Re: Configuring NAT feature in Cisco IOS 11.2
Cc: "'firewalls@greatcircle.com'"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 07:17 PM 12/2/96 -0600, Jaime Alberto Botello Cantú wrote:

>
>Does someone know how to configure the NAT feature in Cisco IOS 11.2?
>We are trying to do some tests to check the performance and to evaluate
>this as an option for smaller clients.
>
>I already looked at the Cisco web site, but no luck.
>
>Thanks in advance.
>

You must not have looked here:

http://cio.cisco.com/univercd/data/doc/software/11_2/cnp1/5cip.htm#REF30065

- paul

--
Paul Ferguson                           ||        ||
Consulting Engineering                  ||        ||
Herndon, Virginia  USA                 ||||      ||||
tel: +1.703.397.5938               ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com         c i s c o S y s t e m s

From firewalls-owner Mon Dec 2 18:55:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA11607 for firewalls-outgoing; Mon, 2 Dec 1996 18:50:29 -0800 (PST)
Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA11588 for ; Mon, 2 Dec 1996 18:50:20 -0800 (PST)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id UAA00283; Mon, 2 Dec 1996 20:52:00 -0600
Date: Mon, 2 Dec 1996 20:44:27 -0600 (CST)
From: Ron DuFresne
To: Denis Valois
cc: firewalls@GreatCircle.COM, webmaster@internic.uob.bh
Subject: RE: [Fwd: Caution : Internet Virus]
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hmm, could well be a new form of one of the M$office macro viri, and, if you
read a mail attachment with Word that is infected, you will infect your
system, at least *.dot and *.doc files. Might be a tad of truth in the
'reading' part...

Later,

Ron DuFresne

On Mon, 2 Dec 1996, Denis Valois wrote:

> This is a hoax.
>
> Anyway, just by saying that "reading" a mailgram wipes out
> your hard drive is of utmost foolishness.
>
>
> Denis Valois
> Computer & Network Security
> SITA (Societe Internationale de Telecommunications Aeronautiques)
>
> On Mon, 02 Dec 1996 10:06:28 +0300 Hisham Khalifa Al Saad wrote:
> >Hi members of Firewalls,
> >
> >I got this Virus alert in my mail box, and by myself i forward it to
> >you:
> >
> >------------------------------------------------------------------------
> >
> >Hi,
> > We just got word that there is a new virus screaming around the
> >internet that will wipe out your hard drive if you open the file.
> >Here is the word
> >they sent us...
> >
> >"There is a computer virus that is being sent across the internet. If
> >you receive an e-mail with a subject line of "Irinia", DO NOT read the
> >message.
> >Delete it immediately. Some miscreant is sending people files under the
> >name of "Irinia". If you receive this file or e-mail, do not download
> >it.
> >It has a virus that rewrites your hard drive, obliterating anything on
> >it.
> >Please be careful and forward this e-mail to anyone you care about."
> >
> >This information was received from Professor Edward Prideaux, College of
> >Salvonic Studies, London.
> >
> >This virus appears to be much more aggressive than the irritating
> >Microsoft word virus. Be alert.
> >
> >----------------------- END OF ALERT MESSAGE
> >----------------------------------
> >
> >
> >Thank you,
> >Take Care,
> >
> >Hisham Al Saad
> >University of Bahrain
> >
> >
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
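Michael Dillon's point earlier in this thread (mail clients that open attached binaries without user intervention) and Ron DuFresne's above (infected Word *.doc and *.dot attachments) describe the same gateway-side problem: the subject line of a message tells you nothing, but the type and name of each attachment do, and a mail relay or firewall proxy can check those before delivery. The following is an added example, not code from any of the posters or from any product named on the list. It builds a constructed multipart message with the Python standard library and reports which attachments fall into the two classes the thread raises, plus archives, which can hold either. Addresses, filenames and the Subject line are constructed for the example; the extension lists are an assumption, not anything from the posts.

```python
"""Flag mail attachments that a client might execute or open with macros.

Added example for the thread (not code from any poster): walk a MIME message
and report attachments whose declared type or extension marks them as
executable, as Word documents/templates (macro carriers), or as archives.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions a mail client could run directly on Windows (assumed list).
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}
# Word documents and templates, which can carry auto-running macros.
MACRO_EXT = {".doc", ".dot"}
# Archives can hold either of the above; flag them for inspection.
ARCHIVE_EXT = {".zip"}


def classify(filename, content_type):
    """Return a reason string if the attachment is risky, else None.

    Both the extension and the declared MIME type are checked, because the
    sender controls both and they need not agree with each other.
    """
    ext = os.path.splitext(filename or "")[1].lower()
    if ext in EXECUTABLE_EXT or content_type == "application/x-msdownload":
        return "executable"
    if ext in MACRO_EXT or content_type == "application/msword":
        return "word document (may carry macros)"
    if ext in ARCHIVE_EXT or content_type == "application/zip":
        return "archive (contents not inspected)"
    return None


def risky_attachments(raw_message):
    """Parse raw RFC 822 bytes and return (filename, type, reason) triples."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        ctype = part.get_content_type()
        reason = classify(name, ctype)
        if reason is not None:
            findings.append((name, ctype, reason))
    return findings


def build_sample():
    """Constructed test message: three risky attachments and one harmless."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "user@example.invalid"          # constructed address
    msg["Subject"] = "Irinia"                   # the hoax's subject line
    msg.set_content("Please open the attached files.")
    # Payloads are a few magic-number bytes only; no real program is embedded.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="x-msdownload", filename="cd-it.exe")
    msg.add_attachment(b"\xd0\xcf\x11\xe0", maintype="application",
                       subtype="msword", filename="REPORT.DOT")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="zip", filename="CD-IT.ZIP")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype, reason in risky_attachments(build_sample()):
        print(f"{name:12} {ctype:28} {reason}")
```

The check is deliberately conservative: a text attachment passes, while an executable, a Word template and a zip are each reported with the reason, so a relay can quarantine or strip them rather than relying on the user's client to behave.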
From firewalls-owner Mon Dec 2 19:10:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA10821 for firewalls-outgoing; Mon, 2 Dec 1996 18:44:13 -0800 (PST) Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA10796 for ; Mon, 2 Dec 1996 18:44:00 -0800 (PST) Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id UAA00272; Mon, 2 Dec 1996 20:45:41 -0600 Date: Mon, 2 Dec 1996 20:38:08 -0600 (CST) From: Ron DuFresne To: Hisham Khalifa Al Saad cc: firewalls@GreatCircle.COM Subject: Re: [Fwd: Caution : Internet Virus] In-Reply-To: <32A27FF4.431B@admin.uob.bh> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This one came my way: Subject: SERIOUS: Computer Virus Warning Please pass this message on to anyone you know! Firm warns of INTERNET virus. CD-Rom manufacturer Chinon America, Inc. says computer vandals have ilegally put its name on a virus-ridden file and relased it on the INTERNET. Chinon warns NOT to download the file called "CD-IT.ZIP", saying it will corrupt the hard disk! In a statement from Torrance, CA., Chinon says "The program, allegedly a shareware PC utility that will convert an ordinary CD-ROM drive into a CD-Recordable (CR-R) device, which is technically impossible, instead destroys the files on the PC hard drive. The program also immediately crashed the CPU, forces the user to reboot and stays in memory. This virus has proven thus far to be -undetectable- by traditional virus checkers." Chinon says that the CD-IT.ZIP file 'promises to enable read/write to your CD-ROM drive', and lists the program as being authored by Joseph S. Shriner, couriered by HDA, and copyrighted by Chinon Products. 
Saying that it has no division by that name, Chinon management speculates that the vandals picked its company name to make it seem that the software was being endorsed by a well know and reputable CD-ROM manufacturer. Chinon is urging people with information that could lead to the arrest and prosecution of these associated with the CD-IT program to call the company at (310) 533-0274. Later, Ron DuFresne On Mon, 2 Dec 1996, Hisham Khalifa Al Saad wrote: > Hi members of Firewalls, > > I got this Virus alert in my mail box, and by myself i forward it to > you: > > ------------------------------------------------------------------------ > > Hi, > We just got word that there is a new virus screaming around the > internet that will wipe out your hard drive if you open the file. > Here is the word > they sent us... > > "There is a computer virus that is being sent across the internet. If > you receive an e-mail with a subject line of "Irinia", DO NOT read the > message. > Delete it immediately. Some miscreant is sending people files under the > name of "Irinia". If you receive this file or e-mail, do not download > it. > It has a virus that rewrites your hard drive, obliterating anything on > it. > Please be careful and forward this e-mail to anyone you care about." > > This information was received from Professor Edward Prideaux, College of > Salvonic Studies, London. > > This virus appears to be much more aggressive than the irritating > Microsoft word virus. Be alert. > > ----------------------- END OF ALERT MESSAGE > ---------------------------------- > > > Thank you, > Take Care, > > Hisham Al Saad > University of Bahrain > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. 
From firewalls-owner Mon Dec 2 19:25:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA13694 for firewalls-outgoing; Mon, 2 Dec 1996 19:18:01 -0800 (PST) Received: from snth.stph.net (snth.snth.stph.net [196.12.33.107]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA13680 for ; Mon, 2 Dec 1996 19:17:52 -0800 (PST) Received: by snth.stph.net id ; Tue, 3 Dec 1996 08:47:56 +0530 Date: Tue, 3 Dec 1996 08:47:56 +0530 From: Venkata Ramakrishna R Message-Id: <199612030317.IAA10371@snth.stph.net> Received: from simla.snth.stph.net(196.12.56.141) by snth.snth.stph.net via smap (V1.3) id sma010369; Tue Dec 3 08:47:53 1996 To: firewalls@greatcircle.com Subject: POP3 for TIS firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Where can I get POP3 proxy for TIS firewall ?? Please guide me.... Thanks, -Ramu. From firewalls-owner Mon Dec 2 20:41:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA18912 for firewalls-outgoing; Mon, 2 Dec 1996 20:39:45 -0800 (PST) Received: from rxk.India.Fluent.COM ([192.233.231.28]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA18880 for ; Mon, 2 Dec 1996 20:39:32 -0800 (PST) Received: by rxk.India.Fluent.COM (931110.SGI/930416.SGI.AUTO) for firewalls@greatcircle.com id AA16452; Tue, 3 Dec 96 10:07:59 +0530 From: "Rajeev Kumar" Message-Id: <9612031007.ZM16450@rxk.India.Fluent.COM> Date: Tue, 3 Dec 1996 10:07:58 +0000 In-Reply-To: heiser@world.std.com (Bill Heiser) "restricting OUTBOUND access" (Dec 2, 5:12pm) References: <199612022212.AA11389@world.std.com> X-Mailer: Z-Mail (3.1.0 22feb94 MediaMail) To: heiser@world.std.com (Bill Heiser) Subject: Re: restricting OUTBOUND access Cc: firewalls@greatcircle.com Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, The matter is vey subjective still I would like to quote from Cheswick 
&Bellovin's (Firewalls and Internet Security: pp 86) " There is no point to building a very high wall against ougoing ftp, while not worrying about pocket-sized tape cassettes that hols several gigabytes of data." and the last point on the same page "Our gateway only minimizes the considerable threat from the masses on the Internet. THERE ARE NUMEROUS OTHER SECURITY THREATS TO THE COMPANY". In my personal opinion if people are smart enough they can dig holes down the wall and you keep on watching the height of the wall and trying to make as high as possible. The harder you become for user, more curious they become to peep other side of the wall, wasting your time and the users both to get involed in Secure-Cold-War. Better not to allow dig holes under the wall if somebody crosses your short walls you have a freedom to watch her and curb anytime. If not satisfied , read the quote from my signature, That is also borrowed once but I mean it! Rajeev On Dec 2, 5:12pm, Bill Heiser wrote: > Subject: restricting OUTBOUND access > > An associate of mine is trying to convince me that it's safe > to restrict only inbound traffic thru a firewall, but to > allow completely unrestricted traffic outbound. I'm looking > for concrete examples of why this is a Bad Thing. I guess > I'm thinking in terms of inside users connecting to evil > services on the outside, with the established connections > being used to do Bad Things to inside systems. However > I don't have any concrete examples. Also, since > presumably once someone is "inside" they can do anything > they want anyway (put stuff on a floppy, fax, etc), that > makes a case for his argument that allowing outbound > unrestricted access isn't so bad. But I'm not convinced. > > Any feedback on what kinds of bad things can happen (by users > on the OUTSIDE) with this kind of firewall setup would be > appreciated. 
> > Thanks in advance, > Bill > > > -- > Bill Heiser heiser@world.std.com >-- End of excerpt from Bill Heiser -- ######################################################################### Rajeev Kumar | Phone: +91-212-771923 Flow Consultants India | Fax : +91-212-771928 E-mail:rxk@india.fluent.com | Home Ph. No: +91-1332-71281 A-1 Tech. Park, M.I.D.C. | http://www.fluent.com Talwade, PUNE |---------------------------------------- INDIA |IF ANYTHING CAN GO WRONG, IT WILL ######################################################################### From firewalls-owner Mon Dec 2 21:10:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA19511 for firewalls-outgoing; Mon, 2 Dec 1996 20:55:57 -0800 (PST) Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA19497 for ; Mon, 2 Dec 1996 20:55:50 -0800 (PST) Received: (from mail@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id XAA25427; Mon, 2 Dec 1996 23:59:02 -0500 X-Authentication-Warning: cih-gw.cih.com: mail set sender to using -f Received: from cih-gw(204.69.206.1) by cih-gw.cih.com via smap (V2.0alpha) id sma025423; Mon Dec 2 23:58:58 1996 Date: Mon, 2 Dec 1996 23:58:58 -0500 (EST) From: "Craig I. Hagan" Reply-To: hagan@cih.com To: Nick Keenan cc: Bill Heiser , firewalls@GreatCircle.COM Subject: Re: restricting OUTBOUND access In-Reply-To: <23514668534765@gsionline.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Unlikely, yes. This is a hypothetical. But the point is that Windows 95 > allows you to compromise the network via outgoing modem calls. And you can > use TCP/IP to access a modem. worse....what about PPTP? bad guy(tm) can create a hostile application which you access, causing a PPTP tunnel to be initiated by you against his happy fun server. 
from there, he gets to unlease god only know what sort of insanity onto your network. -- craig ------------------------------------------------------------------------------- Craig I. Hagan "It's a small world, but I wouldn't want to back it up" hagan@cih.com "True hackers don't die, their ttl expires" From firewalls-owner Mon Dec 2 23:25:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA27723 for firewalls-outgoing; Mon, 2 Dec 1996 23:20:07 -0800 (PST) Received: from mail.pixi.com (phoenix.pixi.com [204.182.46.82]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id XAA27716 for ; Mon, 2 Dec 1996 23:19:59 -0800 (PST) Received: from thoth (netsurfer2.pixi.com [204.188.76.196]) by mail.pixi.com (8.8.3/8.8.3/PIXI-5.0) with ESMTP id VAA11221; Mon, 2 Dec 1996 21:19:41 -1000 (HST) Message-Id: <199612030719.VAA11221@mail.pixi.com> From: "James D. Wilson" To: "Ron DuFresne" , "Hisham Khalifa Al Saad" Cc: Subject: Re: [Fwd: Caution : Internet Virus] Date: Mon, 2 Dec 1996 21:16:27 -0000 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Report it to CIAC #include _ __ __ _____ ____ / | / /__ / /_/ ___/__ _______/ __/__ _____ / |/ / _ \/ __/\__ \/ / / / ___/ /_/ _ \/ ___/ / /| / __/ /_ ___/ / /_/ / / / __/ __/ / ================/_/=|_/\___/\__//____/\__,_/_/==/_/==\___/_/========== ===== ---------- > From: Ron DuFresne > To: Hisham Khalifa Al Saad > Cc: firewalls@GreatCircle.COM > Subject: Re: [Fwd: Caution : Internet Virus] > Date: Monday, December 02, 1996 4:38 PM > > > This one came my way: > > Subject: SERIOUS: Computer Virus Warning > > Please pass this message on to anyone you know! > > Firm warns of INTERNET virus. > > CD-Rom manufacturer Chinon America, Inc. 
says computer vandals have > ilegally put its name on a virus-ridden file and relased it on the > INTERNET. > > Chinon warns NOT to download the file called "CD-IT.ZIP", saying > it will corrupt the hard disk! > > In a statement from Torrance, CA., Chinon says "The program, allegedly > a shareware PC utility that will convert an ordinary CD-ROM drive into > a CD-Recordable (CR-R) device, which is technically impossible, instead > destroys the files on the PC hard drive. > > The program also immediately crashed the CPU, forces the user to reboot > and stays in memory. This virus has proven thus far to be > -undetectable- by traditional virus checkers." > > Chinon says that the CD-IT.ZIP file 'promises to enable read/write to > your CD-ROM drive', and lists the program as being authored by Joseph S. > Shriner, couriered by HDA, and copyrighted by Chinon Products. > Saying that it has no division by that name, Chinon management > speculates that the vandals picked its company name to make it seem > that the software was being endorsed by a well know and reputable > CD-ROM manufacturer. > > Chinon is urging people with information that could lead to the arrest > and prosecution of these associated with the CD-IT program to call the > company at (310) 533-0274. > > Later, > > Ron DuFresne > > On Mon, 2 Dec 1996, Hisham Khalifa Al Saad wrote: > > > Hi members of Firewalls, > > > > I got this Virus alert in my mail box, and by myself i forward it to > > you: > > > > ---------------------------------------------------------------------- -- > > > > Hi, > > We just got word that there is a new virus screaming around the > > internet that will wipe out your hard drive if you open the file. > > Here is the word > > they sent us... > > > > "There is a computer virus that is being sent across the internet. If > > you receive an e-mail with a subject line of "Irinia", DO NOT read the > > message. > > Delete it immediately. 
Some miscreant is sending people files under the > > name of "Irinia". If you receive this file or e-mail, do not download > > it. > > It has a virus that rewrites your hard drive, obliterating anything on > > it. > > Please be careful and forward this e-mail to anyone you care about." > > > > This information was received from Professor Edward Prideaux, College of > > Salvonic Studies, London. > > > > This virus appears to be much more aggressive than the irritating > > Microsoft word virus. Be alert. > > > > ----------------------- END OF ALERT MESSAGE > > ---------------------------------- > > > > > > Thank you, > > Take Care, > > > > Hisham Al Saad > > University of Bahrain > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > "Cutting the space budget really restores my faith in humanity. It > eliminates dreams, goals, and ideals and lets us get straight to the > business of hate, debauchery, and self-annihilation." -- Johnny Hart > ***testing, only testing, and damn good at it too!*** > > OK, so you're a Ph.D. Just don't touch anything. 
>

From firewalls-owner Mon Dec 2 23:40:35 1996
Date: Tue, 3 Dec 1996 18:35:22 +1100 (EST)
From: Pauline van Winsen - Uniq Professional Services
Message-ID: <199612030735.SAA07796@basil.uniq.com.au>
To: firewalls@GreatCircle.COM, heiser@world.std.com
Subject: Re: restricting OUTBOUND access

> An associate of mine is trying to convince me that it's safe
> to restrict only inbound traffic thru a firewall, but to
> allow completely unrestricted traffic outbound. I'm looking
> for concrete examples of why this is a Bad Thing. I guess
> I'm thinking in terms of inside users connecting to evil
> services on the outside, with the established connections
> being used to do Bad Things to inside systems. However
> I don't have any concrete examples.
> Also, since
> presumably once someone is "inside" they can do anything
> they want anyway (put stuff on a floppy, fax, etc), that
> makes a case for his argument that allowing outbound
> unrestricted access isn't so bad. But I'm not convinced.
>
> Any feedback on what kinds of bad things can happen (by users
> on the OUTSIDE) with this kind of firewall setup would be
> appreciated.

apart from the reasons you list above... the reason i routinely restrict
all outgoing traffic to a known set of IP addresses & protocols is that
you significantly reduce the chance of one of your own users launching
attacks on other sites on the Internet. the risks to your organisation
from this sort of activity may be quite large, damage to reputation being
the major risk.

if all sites restricted outgoing traffic to a known set of IP addresses,
the risk of attacks such as the TCP SYN denial of service attack would be
reduced as the perpetrators would be easier to track down. this requires
co-operation from all internet users, but you have to start somewhere.

cheers,
pauline

Pauline van Winsen                      pauline@uniq.com.au
Uniq Professional Services Pty Ltd      www.uniq.com.au
PO Box 70, Paddington, NSW 2021, (Sydney) Australia
Phone: +61-2-9380-6360   Fax: +61-2-9380-6416   Pager: 016 287 000
"Never try to flirt with your boss... he's your bread & butter and not
your honey."  The boss is not your honey - Book 3, Woman's World, circa 1964.
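As an added example (not code from Pauline's post or from any poster on the list), here is a small egress check that applies her rule to constructed firewall log lines: only the site's own source addresses may leave, and only towards a known set of destination addresses and protocols; everything else is reported, which is also the audit that notices a foreign address trying to leave through the firewall. The internal range, the allowed list and the key=value log format are assumptions made for the example.

```python
"""Egress policy check over constructed firewall log lines."""
import ipaddress

# Hypothetical internal address space of the site (assumption).
INTERNAL_NETS = [ipaddress.ip_network("192.168.3.0/24")]

ANY = ipaddress.ip_network("0.0.0.0/0")

# The "known set of IP addresses & protocols" allowed outbound (assumption):
# (destination network, protocol, destination port).
ALLOWED_OUTBOUND = [
    (ANY, "tcp", 25),                                       # SMTP to anywhere
    (ANY, "tcp", 80),                                       # HTTP to anywhere
    (ipaddress.ip_network("203.0.113.10/32"), "tcp", 110),  # POP3 to one server
    (ipaddress.ip_network("203.0.113.53/32"), "udp", 53),   # DNS to one resolver
]

# Constructed log lines in a simple key=value form; "iface=inside" marks a
# packet that arrived on the internal interface and wants to go out.
SAMPLE_LOG = [
    "iface=inside src=192.168.3.7 dst=203.0.113.10 proto=tcp dport=110",
    "iface=inside src=192.168.3.7 dst=198.51.100.5 proto=tcp dport=80",
    "iface=inside src=192.168.3.9 dst=198.51.100.5 proto=tcp dport=6667",
    "iface=inside src=198.51.100.77 dst=203.0.113.10 proto=tcp dport=25",
    "iface=outside src=198.51.100.5 dst=192.168.3.7 proto=tcp dport=25",
]


def parse_line(line):
    """Turn one 'key=value key=value' log line into a dict."""
    record = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r}")
        record[key] = value
    return record


def classify(record):
    """Return (verdict, reason) for one parsed record.

    verdict is "ignore" for packets that are not leaving the site,
    "permit" for outbound packets matching the policy, "deny" otherwise.
    """
    if record.get("iface") != "inside":
        return "ignore", "not an outbound packet"
    try:
        src = ipaddress.ip_address(record["src"])
        dst = ipaddress.ip_address(record["dst"])
        port = int(record["dport"])
    except (KeyError, ValueError) as exc:
        return "deny", f"unparseable record ({exc})"

    # An outbound packet whose source is not one of our own addresses is
    # either spoofed or comes from a host that reached the inside some other
    # way; both deserve an alert, not just a silent drop.
    if not any(src in net for net in INTERNAL_NETS):
        return "deny", f"source {src} is not an internal address"

    proto = record.get("proto")
    for net, allowed_proto, allowed_port in ALLOWED_OUTBOUND:
        if dst in net and proto == allowed_proto and port == allowed_port:
            return "permit", f"{proto}/{port} to {dst} is on the allowed list"
    return "deny", f"{proto}/{port} to {dst} is not on the allowed list"


def audit(lines):
    """Return [(line_number, reason)] for every record the policy denies."""
    findings = []
    for number, line in enumerate(lines, 1):
        verdict, reason = classify(parse_line(line))
        if verdict == "deny":
            findings.append((number, reason))
    return findings


if __name__ == "__main__":
    for number, reason in audit(SAMPLE_LOG):
        print(f"line {number}: DENY - {reason}")
```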
From firewalls-owner Tue Dec 3 00:40:25 1996
Date: Tue, 3 Dec 1996 00:24:27 -0800 (PST)
From: Michael Dillon
To: firewalls@GreatCircle.COM
cc: Hisham Khalifa Al Saad
Subject: Re: [Fwd: Caution : Internet Virus]
Organization: Memra Software Inc. - Internet consulting

On Mon, 2 Dec 1996, Ron DuFresne wrote:

> CD-Rom manufacturer Chinon America, Inc. says computer vandals have
> illegally put its name on a virus-ridden file and released it on the
> INTERNET.

This is old news and is also an interesting study in social engineering.

> In a statement from Torrance, CA., Chinon says "The program, allegedly
> a shareware PC utility that will convert an ordinary CD-ROM drive into
> a CD-Recordable (CD-R) device, which is technically impossible, instead
> destroys the files on the PC hard drive.

> Chinon says that the CD-IT.ZIP file 'promises to enable read/write to
> your CD-ROM drive', and lists the program as being authored by Joseph S.
> Shriner, couriered by HDA, and copyrighted by Chinon Products.
> Saying that it has no division by that name, Chinon management
> speculates that the vandals picked its company name to make it seem
> that the software was being endorsed by a well known and reputable
> CD-ROM manufacturer.

Not so fast Chinon. This was a trojan horse targeted at specific
individuals. Who were some of the first people to buy CD-R devices when
they came on the market? Warez dealers, of course! And lots of little
warez collectors out there were drooling and waiting for the price of CD-R
devices to drop low enough that they could start making a few bucks
selling CD-ROMs.

But there is an additional clue that this was targeted at the warez
people. The software claimed to be "couriered" by HDA. Warez people use
the word "courier" to refer to the process of stealing a copy of
commercial or not-for-distribution software and quickly distributing it
around the world.

As I remember it, Chinon was a fairly popular brand of cheap CD-ROM at one
time so this trojan was trying to pretend it was a top-secret program
stolen from Chinon and it was targeted at a specific group who desperately
wanted a cheap way to record CD-ROMs.

Hunt around IRC and you will find that in this day and age of cheap CD-R
devices there are quite a lot of warez entrepreneurs selling you
everything you could imagine. If you ask the right folks I'm told that
full copies of NT's source code are available too although I can't be too
sure if I believe the source of that info.

Michael Dillon                   -         Internet & ISP Consulting
Memra Software Inc.
                                 -         Fax: +1-604-546-3049
http://www.memra.com             -         E-mail: michael@memra.com

From firewalls-owner Tue Dec 3 00:55:26 1996
Message-ID: <32A3F618.639D@beauvalot.com>
Date: Tue, 03 Dec 1996 10:42:48 +0100
From: Erik BEAUVALOT
Reply-To: erik@beauvalot.com
Organization: AT&T Labs.
To: firewalls@greatcircle.com
Subject: Re: POP3 for TIS firewall
References: <199612030317.IAA10371@snth.stph.net>

Venkata Ramakrishna R wrote:
>
> Hi,
>
> Where can I get POP3 proxy for TIS firewall ??
>
> Please guide me....
>
> Thanks,
> -Ramu.
Use the plug-gw on the port 110 (pop3).

Ex of a /usr/local/etc/netperm-table :

plug-gw: port pop3 -plug-to -port pop3

With that you should be able to connect all the inside machines to a pop3
server.

--
-------------------------------------------------
Erik BEAUVALOT          AT&T R&D Lab Manager of Paris/EMEA
Tel : +(33)1 47 67 46 06   GSM: +(33) 09 48 32 11
E-Mail : erik@beauvalot.com   http://www.labs.emea.att.com/~erik
-------------------------------------------------

From firewalls-owner Tue Dec 3 01:25:40 1996
From: Paul Mason
To: "'Firewalls '"
Subject: Outbound Restrictions.
Date: Tue, 03 Dec 96 03:00:00 CST
Message-Id: <32A3EC34@mnbp.network.com>

Just food for thought.

I recently caught an open back door at a customer's site by auditing
outbound traffic for the internal source address. Turns out someone was
dialing out to the internet from their PC while still connected to the
corporate backbone (it seems this user felt they should not have to login
to the firewall before using the internet). The dial out connection
allowed someone from the outside to get in to the enterprise (IP routing
is a wonderful thing). The outbound audit triggered when this unwanted
system then tried to leave the site through the firewall, thus notifying
the security department of the back door's existence. Talk about a major
violation of site security policy.
If I am not mistaken there have been several cases where firewalls were
toppled from the inside by using this same occurrence.

Paul Mason
Systems Engineer
Network Systems Canada
paul.mason@network.com

P.S. You can never hope to find anything unless you're looking!!
Audit, Audit, Audit!!

On Dec 2, 5:12pm, Bill Heiser wrote:
> Subject: restricting OUTBOUND access
>
> An associate of mine is trying to convince me that it's safe
> to restrict only inbound traffic thru a firewall, but to
> allow completely unrestricted traffic outbound. I'm looking
> for concrete examples of why this is a Bad Thing. I guess
> I'm thinking in terms of inside users connecting to evil
> services on the outside, with the established connections
> being used to do Bad Things to inside systems. However
> I don't have any concrete examples. Also, since
> presumably once someone is "inside" they can do anything
> they want anyway (put stuff on a floppy, fax, etc), that
> makes a case for his argument that allowing outbound
> unrestricted access isn't so bad. But I'm not convinced.
>
> Any feedback on what kinds of bad things can happen (by users
> on the OUTSIDE) with this kind of firewall setup would be
> appreciated.
>
> Thanks in advance,
> Bill
>
>
> --
> Bill Heiser heiser@world.std.com
>-- End of excerpt from Bill Heiser

From firewalls-owner Tue Dec 3 01:39:13 1996
Date: Tue, 3 Dec 1996 15:37:12 -0700 (GMT)
From: Zayar
To: "Gary G.
Christoph"
cc: Eric Wieling , isdnsec@markettech.com, firewalls@GreatCircle.COM
Subject: Re:

Dear sir,

Can anyone tell me the mailing lists of Sun Solaris security system?
Deeply appreciate your help.

best regards,
zayar

On Mon, 2 Dec 1996, Gary G. Christoph wrote:

> Date: Mon, 2 Dec 1996 09:44:18 -0700
> From: "Gary G. Christoph"
> To: Eric Wieling , isdnsec@markettech.com,
>     firewalls@GreatCircle.COM
> Subject: Re:
>
> Eric-
>
> Does the offer still hold? :-)
>
> Thanks,
>
> Gary
>
>
> At 10:26 -0700 7/29/96, Eric Wieling wrote:
> >ISDN Secrets wrote:
> >>
> >> Most places in the country are charged by the minute
> >> for ISDN access even for local calls. Some areas as
> >> much as 2 cents per B channel (that's 4 cents per minute
> >> with 128KB access) during primetime hours. Where I live,
> >> in the month of July alone I would have paid $1279.20
> >> for dedicated access (unless you know the secret the
> >> phone company will not share with you). I only paid
> >> $45.
> >
> >It's called Data Over Voice Bearer Service (DOVBS) and I'll tell you
> >about it for free, if you e-mail me. 8-)
> >
> >--
> >Eric Wieling
> >Advanced Network Research
> >InterCommerce Corporation
> >Pager: 800-758-3680
> >
> >If you consistently take an antagonistic approach, however, people are
> >going to start thinking you're from New York. :-)
> >        --Larry Wall to Dan Bernstein
>
>
> ----------------------------------------------------------------------
> Gary G. Christoph, Ph.D.
> Systems Security Research and Development Team Leader
> Computer Research and Applications Group, CIC-3, MS-B265
> Computing, Information and Communications Division
> University of California, Los Alamos National Laboratory
> Los Alamos, NM 87545
> ggc@lanl.gov (505) 667-3709 FAX (505) 665-5520
> ----------------------------------------------------------------------
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MR. Zayar Maungmaungkhin ,        \ "****@@@@****" \
ABAC NETWORK-OPERATION-CENTRE      \--------------------\
KSC Internet Group                  <><><><><><><><><><><>
ComputerLab ( E bldg 5th floor ) Assumption University .
Tel: +662719-1946-8  +6623004543 x-3674   Fax: +662 719-1945
e-mail: zayar@maia.au.ac.th  zayar@coal.ksc.net.th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From firewalls-owner Tue Dec 3 01:39:58 1996
Date: Tue, 3 Dec 1996 04:06:30 -0600 (CST)
From: Security Mail
To: Denis Valois
cc: firewalls@GreatCircle.COM, webmaster@internic.uob.bh
Subject: RE: [Fwd: Caution : Internet Virus]

On Mon, 2 Dec 1996, Denis Valois wrote:

> This is a hoax.
>
> Anyway, just by saying that "reading" a mailgram wipes out
> your hard drive is of utmost foolishness.

Denis,

In the message he said it was a file attachment.

If the virus was sent attached in a .zip or .exe and the infected file was
run it would infect the computer.
I believe he was talking here of a Word Macro Virus, attached as a .DOC
file, that when opened by Microsoft Word would trash the hard disk.

Some users use a program CC Mail that would automagically open Microsoft
Word and load the file sent in the e-mail. This could result in the loss
of the hard disk if the Macro Virus was opened in Microsoft Word.

I do have a large collection of Word Viruses; one in my collection
(FORMAT-C Word Macro Virus) will do just this in CC-Mail or if opened in
Microsoft Word.

There was a widespread message that went out about 'The Good Times
Virus'. This indeed was a Hoax! No Virus can wipe the hard disk just by
reading an e-mail message. BUT, this message below told of an attachment
that if run would cause damage!

> "There is a computer virus that is being sent across the internet.
> If you receive an e-mail with a subject line of "Irinia", DO NOT read
> the message. Delete it immediately. Some miscreant is sending people
> files under the name of "Irinia". If you receive this file or e-mail,
> do not download it. It has a virus that rewrites your hard drive,
> obliterating anything on it. Please be careful and forward this e-mail
> to anyone you care about."
Michael Paris
***********************************************************
InVircible Support Staff             support@invircible.com
Vine Computer Industry               vine@invircible.com
Computer Anti-Virus Sales            sales@invircible.com

E-MAIL UPGRADES:
Auto-Upgrade InVircible Manual       manual@invircible.com
  Title message: IV-MANUAL
Auto-Upgrade Invircible              upgrade@invircible.com
  Title Message: IV-UPGRADE

FTP : ftp.invircible.com
Invircible Anti-Virus Web Page : http://invircible.com
Sales : 800-422-5130     BBS : 708-863-6348
Support : 708-863-1464   FAX : 708-863-1917
***********************************************************

From firewalls-owner Tue Dec 3 02:55:34 1996
Date: Tue, 3 Dec 1996 11:33:20 PST
From: Mark Gillett
Subject: Re: POP3 for TIS firewall
To: Venkata Ramakrishna R
Cc: firewalls@greatcircle.com

There is a POP3 proxy in the standard TIS toolkit, although your
installation may not include it or it may not be set up to allow
connections. See your netperm-table for confirmation of this.

Hope that helps !

On Tue, 3 Dec 1996 08:47:56 +0530 Venkata Ramakrishna R wrote:
> From: Venkata Ramakrishna R
> Date: Tue, 3 Dec 1996 08:47:56 +0530
> Subject: POP3 for TIS firewall
> To: firewalls@greatcircle.com
>
>
> Hi,
>
> Where can I get POP3 proxy for TIS firewall ??
>
> Please guide me....
>
> Thanks,
> -Ramu.

================================================================
Mark Gillett, Computer Unit, St.
Georges Hospital Medical School
----------------------------------------------------------------
Contrary to popular belief, Unix is user friendly. It just happens to be
very selective about who it decides to make friends with.
----------------------------------------------------------------
e-mail : mgillett@sghms.ac.uk       web : http://www.sghms.ac.uk
================================================================

From firewalls-owner Tue Dec 3 04:25:41 1996
From: Changmin Park
Message-Id: <199612031156.UAA02796@cosmos.kaist.ac.kr>
Subject: Hi, dear guru.
To: firewalls@greatcircle.com
Date: Tue, 3 Dec 1996 20:56:56 +0900 (KST)

Hi, security guru.

I have some questions about the type of On Guard firewalls.
Tell me some useful things about "On Guard" Firewall.

1. Does "On Guard" depend on only Unix, or Windows NT, or other OS?
2. If there are some better aspects than Checkpoint's Firewall-1, what
   are they?
3. Someone told me that "On Guard" can filter packets through IPX
   protocol, is it true? then.. How can it be established in technology?
4. How about the performance/cost? I need some comparison data with other
   Firewalls.
5. How about the occupancy in the world, especially in ASIA?
6. What are the best features in "On Guard"?

If you have some useful information, please tell me.
We would buy some firewall boxes, but we don't have enough information
about them.

Thank you in advance.
--
  mmmmmmm   chang@cosmos.kaist.ac.kr   finger me for pgp key
  ^-O-O-^   pager: 012-737-0721        tel: 042-879-2838
====oOOo===oOOo=========/Life/Sucks/Shit/======== K/U/S =============
---Making love out of Nothing at all---

From firewalls-owner Tue Dec 3 06:25:36 1996
Message-Id: <9612031414.AA8512@notes.cbis.com>
To: firewalls-digest
From: Warren Moore
Date: 3 Dec 96 9:08:44
Subject: Strange Virus...

Probably off-subject, but considering what's been on here for the last
day or so, maybe not...funny regardless.

Free Money!!!

There is a computer virus that is being sent across the Internet. If you
receive an e-mail message with the subject line "Free Money," DO NOT read
the message. DELETE it immediately, UNPLUG your computer, then BURN IT to
ASHES in a government-approved toxic waste disposal INCINERATOR.

Once a computer is infected, it will be TOO LATE. Your computer will
begin to emit a vile ODOR. Then it will secrete a foul, milky DISCHARGE.
Verily, it shall SCREECH with the tortured, monitor-shattering SCREAM of
1,000 hell-scorched souls, drawing unwanted attention to your cubicle
from co-workers and supervisors alike. After violently ripping itself
from the wall, your computer will punch through your office window as it
STREAKS into the night, HOWLING like a BANSHEE. Once free, it will spend
the rest of its days CRUSHING household PETS and MOCKING the POPE.

Some filthy, disgusting miscreant... some no-good, low-down,
good-for-nothing DIRTY SNAKE, in twisted pursuit of his own sadistic
dreams, is sending this virus across the Net via an e-mail entitled
"Free Money." What is so terrifying about this virus is that you do not
even have to open the e-mail for it to activate. In fact, you do not
even need to RECEIVE the e-mail. You do not even need to OWN a COMPUTER.
"Free Money" can infect even minor HOUSEHOLD APPLIANCES. How it does this
with straight ASCII code is, frankly, a matter of some debate... but
BELIEVE YOU US, if this weren't a SERIOUS situation, WE WOULDN'T BE
DISCUSSING IT IN 'ALL CAPS'.

So for the LOVE OF GOD, forward this e-mail to all those you claim to
care about, all those you purport to love. Don't do it later! Do it NOW!
Now! Now! NOW! NOW! NOW!

Attachment converted: deathlab:free_money_virus.sea (VIRUS/VRS) 0003D961
Content-Type: virus/sea; name="Free_Money_Virus" (SUCKER/SKR) (SRC:WTBR)
Auto-Infect: enabled

---
Warren S. Moore, CISSP
Information Security Specialist
Cincinnati Bell Information Systems Inc.
---also---
Mayor, City of Union, KY
Jack of All Trades, Master of Damn Few!
From firewalls-owner Tue Dec 3 06:26:14 1996
From: WarRoom2@aol.com
Date: Tue, 3 Dec 1996 08:54:52 -0500
Message-ID: <961203085451_1651011832@emout17.mail.aol.com>
To: firewalls@greatcircle.com
Subject: WarRoom ISS Survey -- Gembicki's Comments

Anyone interested in WarRoom Research's comments on the 1996 Information
Systems Security Survey should contact me directly at

Date: Tue, 3 Dec 1996 07:29:58 -0700 (MST)
From: Jim Wamsley 303-673-8163
Message-Id: <199612031429.HAA08003@coltano.stortek.com>
To: firewalls@GreatCircle.COM
Subject: RE: [Fwd: Caution : Internet Virus]

On Dec 3 Michael Paris wrote
>
> In the message he said it was a file attachment.
>
> If the virus was sent attached in a .zip or .exe and the infected file was
> run it would infect the computer.
>
> I believe he was talking here of a Word Macro Virus, attached as a .DOC
> file, that when opened by Microsoft Word would trash the hard disk.
>

Hey guys, is everyone forgetting that Microsquish put out a macro
protection script called ScanProt that scanned every document before it
was opened looking for certain known 'macro viruses' and warned you if the
document contained anything suspicious? I believe it also compares your
normal.dot against what the doc had. This goes a long way toward
_stopping_ an infected document from doing any damage. Works very well.
Have received a few _infected_ attachments that were caught.

______________________________________________________________
[ Jim Wamsley, Network Engineering                             ]
[ StorageTek 2270 S. 88th St, M.S. 4379, Louisville, CO 80028  ]
[ Audible: (303) 673-8163   Logical jim_wamsley@stortek.com    ]
[ Everything to Excess!                                        ]
[ To enjoy life to the fullest, you must take big bites.       ]
[ Moderation is for monks.                                     ]
[ Lazarus Long                                                 ]
[______________________________________________________________]

From firewalls-owner Tue Dec 3 06:55:43 1996
Date: Tue, 3 Dec 1996 22:41:17 -0800
From: root@bworld.com.ph (Super-User)
Message-Id: <199612040641.WAA13877@bworld.com.ph>
To: firewalls@greatcircle.com

hello,

Please let me know where I may access FAQS of this mailing list...
thanks,
miguel

From firewalls-owner Tue Dec 3 07:10:45 1996
Date: Tue, 3 Dec 1996 10:07:36 -0500 (EST)
From: Peter Yau
To: FireWalls@GreatCircle.com
Subject: NetBios over IP

Are there security concerns for NetBIOS over IP? Is it a danger that
because it is a messaging protocol which uses names as opposed to
addresses that it'd be easier to spoof?

With NetBIOS encapsulated in IP traversing (from outside) the FW-1, are
we only able to filter on IP? Once IP filtering takes place, the packet
then gets unencapsulated before it gets sent to its final destination?
The proper port needs to be open in FW-1 to accommodate NetBIOS, of
course. Where exactly does unencapsulation take place, at the last Router
hop prior to the final destination?

Thanks in advance.
From firewalls-owner Tue Dec 3 07:40:05 1996
From: uhaas@tsg-usa.com
To: suntiver@mem.gob.pe
cc: firewalls@greatcircle.com
Message-ID: <862563F0:0004939E.00@smtp.msp.tsg-usa.com>
Date: Wed, 27 Nov 1996 18:56:36 -0500
Subject: Re: IP numbers end

Ministerio,

One way is to acquire another subnet and route that to you. Another way
(that I like) is to use NAT software, get another IP range and route that
to you. We do this.

The NAT approach has some advantages. The major one I like is to define a
pool of addresses from the new subnet and they are assigned to computers
as they are needed. This means that 256 addresses will result in 256
addresses available for use. When they are not used for a specific period
of time, they are released back into the pool. This is more efficient use
of the subnet because all addresses will be used for Internet use,
instead of having many addresses reserved, but not used. This way it
takes longer to run out again.

NAT handles the internet subnet you acquire. For the addresses on the
inside, I prefer to use RFC 1918 style addresses.

I have done this with the IBM SNG product, but several others on the
mailing list also claim to do the same thing. Pricing and mileage may
vary.

Urban

suntiver @ mem.gob.pe
11-27-96 03:29 AM

To: Firewalls @ GreatCircle.COM
cc:
Subject: IP numbers end

Hi friends.

I write from Peru South America.
My question is as follows: how can we have more IP numbers in our site?,
because the 254 numbers are used. We do not have subnets.

Thanks for your help.

Ministerio de Energia y Minas
Sergio Untiveros
Adm. de Red
Telf. 4750064 Anexo 223, 403
Telf: 9946059

------------------------------------------------------------
Urban A. Haas
Open Systems and Network Consulting
Total Solutions Group
Phone: (800) 423-8741 Ext. 133; Fax: (612) 831-0509
Internet: uhaas@tsg-usa.com -or- mailto:uhaas@tsg-usa.com
------------------------------------------------------------

From firewalls-owner Tue Dec 3 07:40:23 1996
From: harley@icrf.icnet.uk
Message-Id: <199612031525.HAA25513@miles.greatcircle.com>
Subject: Internet virus yet again
To: firewalls@GreatCircle.COM
Date: Tue, 3 Dec 1996 15:26:03 +0000 (GMT)

> > I believe he was talking here of a Word Macro Virus, attached as a .DOC
> > file, that when opened by Microsoft Word would trash the hard disk.
> >
>
> Hey guys, is everyone forgetting that Microsquish put out a macro protection
> script called ScanProt that scanned every document before it was opened
> looking for certain known 'macro viruses' and warned you if the document
> contained anything suspicious? I believe it also compares your normal.dot
> against what the doc had. This goes a long way toward _stopping_ an
> infected document from doing any damage. Works very well.
Have received a few _infected_ attachments > that were caught. > Aargh! Stop it! Yes, ScanProt can help. But it only actually recognises WM.Concept, and it's quite possible, in good faith, to open a document in ways which will bypass it. The same applies to the equivalent tool built into Word 7. I remember when this list was about firewalls.... (whimper). -- David Harley \ | / alt.comp.virus FAQ D.Harley@icrf.icnet.uk \ | / & Anti-Virus Web Page Support & Security Analyst \ | / Folk London On-Line gig-list Imperial Cancer Research Fund ____\|/____ http://webworlds.co.uk/dharley/ From firewalls-owner Tue Dec 3 07:56:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA27828 for firewalls-outgoing; Tue, 3 Dec 1996 07:50:23 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA27810 for ; Tue, 3 Dec 1996 07:50:15 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id HAA08090; Tue, 3 Dec 1996 07:49:45 -0800 Received: from dax.sai.com(207.95.117.66) by mycroft via smap (V1.3mjr) id sma008086; Tue Dec 3 07:49:05 1996 Received: from dax.sai.com by dax.sai.com with smtp (Smail3.1.29.1 #2) id m0vUx3x-003pk7C; Tue, 3 Dec 96 10:47 EST Date: Tue, 3 Dec 1996 10:47:12 -0500 (EST) From: Darryl Wagoner To: Security Mail cc: Denis Valois , firewalls@GreatCircle.COM, webmaster@internic.uob.bh Subject: RE: [Fwd: Caution : Internet Virus] In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 3 Dec 1996, Security Mail wrote: > This indeed was a Hoax! No Virus can wipe the hard disk just by reading > an e-mail message. BUT, this message below told of an attachment that if > run would cause dammage! This is not true on Unix! Many Unix mailers and pagers will send escape codes to the tty. 
The good ones will not, but many of the old ones will. This will allow a mail message to control the terminal. Many terminals has escape codes to send text back to the host. QED the mail message can do anything the user has privs to do. -- Darryl Wagoner darryl@sai.com http://www.sai.com/ Office: 603.672.0736 Fax: 603-672-4846 Beware of self-styled experts: an ex is a has-been, and a spurt is a drip under pressure. From firewalls-owner Tue Dec 3 08:03:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA21431 for firewalls-outgoing; Tue, 3 Dec 1996 06:02:43 -0800 (PST) Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA21424 for ; Tue, 3 Dec 1996 06:02:36 -0800 (PST) Received: by gauntlet-1.trusted.com; id JAA22778; Tue, 3 Dec 1996 09:11:39 -0500 Received: from dira.rv.tis.com(10.0.1.43) by gauntlet-1.trusted.com via smap (V3.1.1) id xma022769; Tue, 3 Dec 96 09:11:18 -0500 Received: from unit65.rv.tis.com (dyn105.hq.tis.com [10.33.10.105]) by dira.rv.tis.com (8.7.4/8.7.3) with SMTP id IAA04693; Tue, 3 Dec 1996 08:57:42 -0500 (EST) Message-Id: <3.0.32.19961203085259.006a46ec@pop.rv.tis.com> X-Sender: avolio@pop.rv.tis.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Tue, 03 Dec 1996 09:00:09 -0500 To: Venkata Ramakrishna R , firewalls@greatcircle.com From: Frederick M Avolio Subject: Re: POP3 for TIS firewall Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The Gauntlet Internet Firewall comes with a POP3 proxy. Fred At 08:47 AM 12/3/96 +0530, Venkata Ramakrishna R wrote: > >Hi, > > Where can I get POP3 proxy for TIS firewall ?? > > Please guide me.... > >Thanks, >-Ramu. 
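Darryl Wagoner's point above is that a mailer or pager which writes a message straight to the tty lets the message drive the terminal, and that some terminals answer certain sequences by typing text back to the host. The following is an added example, not code from the list or from any product discussed here: a Python filter a mail gateway or display front end could run over message text before it reaches a terminal, stripping ESC/CSI/OSC/DCS sequences, 8-bit C1 controls and stray C0 controls, and reporting the removed sequences that would have made the terminal answer back. The sample message is constructed.

```python
import re

# Constructed sample mail body (not from the list archive): ordinary text with
# terminal control sequences embedded, as an old mailer or pager would pass
# straight to the tty.
SAMPLE_MESSAGE = (
    "Hi,\r\n"
    "please review the attached report.\n"
    "\x1b[2J\x1b[H"           # CSI: clear screen and home the cursor (hides what follows)
    "\x05"                    # ENQ: some terminals reply with a fixed answerback string
    "\x1b[c"                  # CSI c: device-attributes query; the terminal answers on stdin
    "\x1b]0;owned\x07"        # OSC: set window title, BEL-terminated
    "\x1bP+q\x1b\\"           # DCS ... ST: request terminal state (xterm-style)
    "\x9b31m"                 # 8-bit CSI (C1 control 0x9B) with an SGR parameter
    "Regards,\tBob\n"
)

# 7-bit ESC sequences. Order matters: CSI and string-type introducers must be
# tried before the generic two-byte form, which would otherwise eat only "ESC [".
_ESC_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"                     # CSI: ESC [ params intermediates final
    r"|\x1b[\]P_^X][^\x07\x1b]*(?:\x07|\x1b\\)?"    # OSC/DCS/APC/PM/SOS up to BEL or ST
    r"|\x1b[ -/]*[0-~]"                            # ESC + intermediates + final (ESC Z, ESC c, ESC ( B ...)
    r"|\x1b"                                       # lone or unterminated ESC
)
# 8-bit CSI (0x9B) as some terminals and mailers use in 8-bit mode.
_C1_CSI_RE = re.compile(r"\x9b[0-?]*[ -/]*[@-~]")
# Remaining C0 controls (except TAB, LF, CR), DEL, and C1 controls.
_CTRL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\x80-\x9f]")


def sanitize_for_tty(text):
    """Strip every escape and control sequence from a message body.

    Returns (clean_text, findings); findings is a list of (kind, sequence)
    describing what was removed, so a gateway can log or alert on it.
    """
    findings = []

    def _remove(kind):
        def _sub(match):
            findings.append((kind, match.group(0)))
            return ""
        return _sub

    text = _ESC_RE.sub(_remove("esc"), text)
    text = _C1_CSI_RE.sub(_remove("c1-csi"), text)
    text = _CTRL_RE.sub(_remove("control"), text)
    return text, findings


# Sequences that make a terminal *send* data back to the host: these are the
# ones that turn a displayed message into input, which is the risk described.
_ANSWERBACK = [
    ("control", re.compile(r"\x05")),                           # ENQ answerback
    ("esc", re.compile(r"\x1b\[[0-?]*c|\x1bZ|\x1bP.*", re.S)),  # DA query, DECID, DCS requests
    ("c1-csi", re.compile(r"\x9b[0-?]*c")),                     # 8-bit DA query
]


def answerback_sequences(findings):
    """Return the removed sequences that would have elicited a terminal reply."""
    return [seq for kind, seq in findings
            if any(k == kind and rx.fullmatch(seq) for k, rx in _ANSWERBACK)]


if __name__ == "__main__":
    clean, removed = sanitize_for_tty(SAMPLE_MESSAGE)
    print(repr(clean))
    for kind, seq in removed:
        print(kind, repr(seq))
    print("answerback-type:", [repr(s) for s in answerback_sequences(removed)])
```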
From firewalls-owner Tue Dec 3 09:24:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA03922 for firewalls-outgoing; Tue, 3 Dec 1996 08:46:08 -0800 (PST)
Received: from lab58-12.ims.advantis.com (pony-express.ims.advantis.com [192.231.11.167]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA03907 for ; Tue, 3 Dec 1996 08:45:58 -0800 (PST)
Received: (from hfarkas@localhost) by lab58-12.ims.advantis.com (8.6.9/95.10.11) id LAA23931 for ; Tue, 3 Dec 1996 11:43:31 -0500
Received: from carfax.ims.advantis.com(164.120.32.46) by lab58_12 via smap (V1.3) id sma031097; Tue Dec 3 11:43:21 1996
Received: by carfax.ims.advantis.com (8.6.9/4.03) id LAA119799; Tue, 3 Dec 1996 11:53:12 -0500
Date: Tue, 3 Dec 1996 11:53:11 -0500 (EST)
From: Peter Yau
To: firewalls@GreatCircle.com
Subject: NetBios over IP (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

---------- Forwarded message ----------
Date: Tue, 3 Dec 1996 10:07:36 -0500 (EST)
From: Peter Yau
To: FireWalls@GreatCircle.COM
Subject: NetBios over IP

Are there security concerns for NetBIOS over IP? Is it a danger that because it is a messaging protocol which uses names as opposed to addresses that it'd be more easy to spoof?

With NetBIOS encapsulated in IP traversing (from outside) the FW-1, are we only able to filter on IP only? Once IP filtering takes place, the packet then gets unencapsulated before it gets sent to its final destination?

The proper port needs to be open in FW-1 to accommodate NetBIOS, of course. Where exactly does unencapsulation take place, at the last Router hop prior to the final destination?

Thanks in advance.

From firewalls-owner Tue Dec 3 09:26:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA05713 for firewalls-outgoing; Tue, 3 Dec 1996 09:09:25 -0800 (PST)
Received: from vm.stlawu.edu (vm.stlawu.edu [199.0.76.25]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA05704 for ; Tue, 3 Dec 1996 09:09:18 -0800 (PST)
Received: from VM.STLAWU.EDU by vm.stlawu.edu (IBM VM SMTP V2R3) with BSMTP id 6115; Tue, 03 Dec 96 12:06:13 EST
Received: from MUSIC.STLAWU.EDU (NJE origin MUSIC@STLAWU) by VM.STLAWU.EDU (LMail V1.2c/1.8c) with BSMTP id 9684; Tue, 3 Dec 1996 12:06:13 -0500
Message-Id: <03DEC96.13071906.0090.MUSIC@MUSIC.STLAWU.EDU>
Date: Tue, 03 Dec 1996 12:06:13 EST
From: Giant Tuna
To:
Subject: Re: Fwd:Caution : Internet Virus
X-Mailer: MUSIC/SP V5.1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Do not worry about the "Irina" virus; it is a hoax that was spread by Penguin Books to promote a book in September. CIAC already is aware of the possible virus. Check any AV company's virus list to review the hoax, or CIAC at http://ciac.llnl.gov/ciac/bulletins/h-05.shtml

clarke

++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+Contact: x9o2@music.stlawu.edu or pthomas@northnet.org+
+------------------------------------------------------+
+WWW: http://music.stlawu.edu/x9o2:http/clarke.html    +
+======================================================+
+"Just as the strength of the Internet is chaos, so is the strength of+
+of our liberty depends upon the chaos and cacophony of the unfettered+
+speech the First Amendment protects."   --JUDGE STEWART DALZELL      +
+ Guinness = "Pure Genius"                                            +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From firewalls-owner Tue Dec 3 09:55:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA08643 for firewalls-outgoing; Tue, 3 Dec 1996 09:37:00 -0800 (PST)
Received: from free-me.marben.be (gatekeeper.marben.be [194.78.27.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA08475 for ; Tue, 3 Dec 1996 09:34:56 -0800 (PST)
Received: (from smap@localhost) by free-me.marben.be (8.7.5/8.7.3) id SAA07419 for <@gatekeeper.marben.be:firewalls@GreatCircle.COM>; Tue, 3 Dec 1996 18:34:58 +0100 (MET)
X-Authentication-Warning: free-me.marben.be: smap set sender to using -f
Received: from tarifa.marben.be(172.20.0.254) by free-me.marben.be via smap (V1.3) id sma007416; Tue Dec 3 18:34:57 1996
Received: from tarifa.marben.be by tarifa via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO) for id SAA15089; Tue, 3 Dec 1996 18:27:52 +0100
Message-ID: <32A46318.6231@marben.be>
Date: Tue, 03 Dec 1996 18:27:52 +0100
From: Jean-Pierre Morant
Organization: Marben SA-NV
X-Mailer: Mozilla 3.0Gold (X11; I; IRIX 5.3 IP22)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: SNMP and firewalls
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all !

I would like to find an application-level gateway for SNMP, so that specific users can or cannot use specific commands. Does anybody know of such a beast (free or not so free) ?

Thanks
JPM

--
Jean-Pierre Morant c/o MARBEN S.A./N.V.
Boulevard du Souverain, 400, Vorstlaan
1160 Bruxelles
Belgium
+ 32 2 663 1130 (phone)   + 32 2 663 1199 (fax)
http://www.marben.be      jpm@marben.be

Life would be so much easier if only we had the sources....

From firewalls-owner Tue Dec 3 10:03:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA01523 for firewalls-outgoing; Tue, 3 Dec 1996 08:28:12 -0800 (PST)
Received: from smtp.connectnet.com (smtp.connectnet.com [207.110.0.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA01473 for ; Tue, 3 Dec 1996 08:27:50 -0800 (PST)
Received: from max-nc-83.connectnet.com (max-nc-83.connectnet.com [206.64.43.83]) by smtp.connectnet.com (8.8.3/Connectnet-2.2) with SMTP id IAA12809; Tue, 3 Dec 1996 08:28:14 -0800 (PST)
Received: by max-nc-83.connectnet.com with Microsoft Mail id <01BBE0F4.D896BCA0@max-nc-83.connectnet.com>; Tue, 3 Dec 1996 08:34:49 -0800
Message-ID: <01BBE0F4.D896BCA0@max-nc-83.connectnet.com>
From: Jamey Kirby
To: firewalls-digest , "'Warren Moore'"
Subject: RE: Strange Virus...
Date: Tue, 3 Dec 1996 08:30:07 -0800
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What a moron!

----------
From: Warren Moore[SMTP:warren.moore@cbis.com]
Sent: Tuesday, December 03, 1996 1:09 AM
To: firewalls-digest
Subject: Strange Virus...

Probably off-subject, but considering what's been on here for the last day or so, maybe not...funny regardless.

Free Money!!!

There is a computer virus that is being sent across the Internet. If you receive an e-mail message with the subject line "Free Money," DO NOT read the message. DELETE it immediately, UNPLUG your computer, then BURN IT to ASHES in a government-approved toxic waste disposal INCINERATOR.

Once a computer is infected, it will be TOO LATE. Your computer will begin to emit a vile ODOR. Then it will secrete a foul, milky DISCHARGE. Verily, it shall SCREECH with the tortured, monitor-shattering SCREAM of 1,000 hell-scorched souls, drawing unwanted attention to your cubicle from co-workers and supervisors alike. After violently ripping itself from the wall, your computer will punch through your office window as it STREAKS into the night, HOWLING like a BANSHEE. Once free, it will spend the rest of its days CRUSHING household PETS and MOCKING the POPE.

Some filthy, disgusting miscreant... some no-good, low-down, good-for-nothing DIRTY SNAKE, in twisted pursuit of his own sadistic dreams, is sending this virus across the Net via an e-mail entitled "Free Money."

What is so terrifying about this virus is that you do not even have to open the e-mail for it to activate. In fact, you do not even need to RECEIVE the e-mail. You do not even need to OWN a COMPUTER. "Free Money" can infect even minor HOUSEHOLD APPLIANCES. How it does this with straight ASCII code is, frankly, a matter of some debate... but BELIEVE YOU US, if this weren't a SERIOUS situation, WE WOULDN'T BE DISCUSSING IT IN 'ALL CAPS'.

So for the LOVE OF GOD, forward this e-mail to all those you claim to care about, all those you purport to love. Don't do it later! Do it NOW! Now! Now! NOW! NOW! NOW!

Attachment converted: deathlab:free_money_virus.sea (VIRUS/VRS) 0003D961
Content-Type: virus/sea; name="Free_Money_Virus" (SUCKER/SKR) (SRC:WTBR)
Auto-Infect: enabled

---
Warren S. Moore, CISSP
Information Security Specialist
Cincinnati Bell Information Systems Inc.
---also---
Mayor, City of Union, KY
Jack of All Trades, Master of Damn Few!

From firewalls-owner Tue Dec 3 10:23:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA09018 for firewalls-outgoing; Tue, 3 Dec 1996 09:43:17 -0800 (PST)
Received: from LIVEDGAR.gsionline.com (livedgar.gsionline.com [204.254.209.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA08999 for ; Tue, 3 Dec 1996 09:43:02 -0800 (PST)
Received: from LIVEDGAR.gsionline.com by LIVEDGAR.gsionline.com (NTMail 3.02.09) with ESMTP id da054057 for ; Tue, 3 Dec 1996 12:44:51 -0500
X-Sender: nick#204.254.209.2@192.168.0.22
X-Mailer: Windows Eudora Version 1.4.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: Russ
From: nkeenan@gsionline.com (Mr. Nick Keenan)
Subject: RE: restricting OUTBOUND access
Cc: firewalls@greatcircle.com
Date: Tue, 3 Dec 1996 12:44:51 -0500
Message-Id: <17445102935420@gsionline.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Come now, it's extremely tricky to set up Windows '95 to act as a
>router. You mind explaining to me how you could do that easily in your
>scenario?

OK. I thought Win 95 gave NetBEUI access by default, but I haven't worked with it enough to bet on it. So replace Windows 95 with Windows NT, and replace Dial-Up Networking with Remote Access Service. RAS does TCP-IP routing by default. Or use Windows 3.1 RAS, and check the box "Allow access to entire network" during setup.

Or even if you don't allow network access, your own computer is still vulnerable. Which means, incidentally, that the intruder can alter your configuration to allow network access -- particularly on 3.1 and 95, which don't have OS-level security on the disk or configuration files.

The point is that under Windows, outgoing modem connections are a security liability. Internet connections can be used to establish modem connections. Ergo, outgoing Internet connections are a security liability.
Nick Keenan
Global Securities Information
nkeenan@gsionline.com
http://www.gsionline.com
LIVEDGAR(TM) -- The EDGAR(TM) Experts.
From firewalls-owner Tue Dec 3 11:40:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA15884 for firewalls-outgoing; Tue, 3 Dec 1996 10:59:49 -0800 (PST)
Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA15875 for ; Tue, 3 Dec 1996 10:59:41 -0800 (PST)
Received: by relay.hq.tis.com; id NAA11381; Tue, 3 Dec 1996 13:57:52 -0500
Received: from clipper.hq.tis.com(10.33.1.2) by relay.tis.com via smap (V3.1.1) id xma011346; Tue, 3 Dec 96 13:57:29 -0500
Received: from jupiter.hq.tis.com (jupiter.hq.tis.com [10.33.112.189]) by clipper.hq.tis.com (8.7.5/8.7.3) with SMTP id NAA19787; Tue, 3 Dec 1996 13:58:07 -0500 (EST)
From: Jody C Patilla
Message-Id: <199612031858.NAA19787@clipper.hq.tis.com>
Subject: Re: Strange Virus...
To: jkirby@connectnet.com (Jamey Kirby)
Date: Tue, 3 Dec 1996 13:58:05 -0500 (EST)
Cc: firewalls-digest@greatcircle.com, warren.moore@cbis.com
In-Reply-To: <01BBE0F4.D896BCA0@max-nc-83.connectnet.com> from "Jamey Kirby" at Dec 3, 96 08:30:07 am
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> What a moron!
>
> ----------
> From: Warren Moore[SMTP:warren.moore@cbis.com]
> Sent: Tuesday, December 03, 1996 1:09 AM
> To: firewalls-digest
> Subject: Strange Virus...
>
> There is a computer virus that is being sent across the Internet.
> If you receive an e-mail message with the subject line "Free Money,"
> DO NOT read the message. DELETE it immediately, UNPLUG your computer,
> then BURN IT to ASHES in a government-approved toxic waste disposal
> INCINERATOR.

[satirical rant deleted]

Actually, I thought it was rather funny. And just think, if everyone who actually BELIEVED it followed the instructions, network security would have been improved by a huge margin in one fell stroke.

- jcp

--
=========================================================================
Jody C. Patilla                    jcp@tis.com
Trusted Information Systems        Glenwood, Md.

From firewalls-owner Tue Dec 3 11:40:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA16415 for firewalls-outgoing; Tue, 3 Dec 1996 11:05:54 -0800 (PST)
Received: from relay-7.mail.demon.net (relay-7.mail.demon.net [194.217.242.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA16396 for ; Tue, 3 Dec 1996 11:05:41 -0800 (PST)
Received: from youngman.demon.co.uk ([158.152.67.147]) by relay-7.mail.demon.net id aa701913; 3 Dec 96 18:20 GMT
Message-ID: <32A46EA8.58C3@youngman.demon.co.uk>
Date: Tue, 03 Dec 1996 18:17:12 +0000
From: Jeremy Youngman
X-Mailer: Mozilla 3.0Gold (Win16; I)
MIME-Version: 1.0
To: firewalls-digest@greatcircle.com
Subject: Unexpected inbound TCP to our port 4144
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I sometimes see inbound TCP packets to our port 4144, eg:

SUMMARY: 4 of TCP [195.232.6.60]->[xxx.xxx.xxx.xxx](1083->4144)
SUMMARY: 4 of TCP [195.232.6.60]->[xxx.xxx.xxx.xxx](1084->4144)

I believe these are people trying to connect to us as if we were running a Compuserve service (people connect to Compuserve on port 4144).

Have other people found packets like this? Any idea what's happening?

I think the packets are SYN's, but screend doesn't show because they are SUMMARY records (I'd like screend to summarise by flag type too if poss).

Thanks
Jeremy

--
jeremy@youngman.demon.co.uk       |  ("`-/")_.-'"``-.
http://www.youngman.demon.co.uk   |   . . `; -._ )-;-,_`)
Tel: +44 (0)1603 686258           |  (v_,)' _ )`-.\ ``-'
PGP: Key avail on request (JSAS)  |  _.- _..-_/ / ((.'
- All cats look grey in the dark -   ((,.-' ((,/

From firewalls-owner Tue Dec 3 11:44:32 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA16171 for firewalls-outgoing; Tue, 3 Dec 1996 11:02:26 -0800 (PST)
Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA16129 for ; Tue, 3 Dec 1996 11:02:07 -0800 (PST)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id NAA02109; Tue, 3 Dec 1996 13:03:45 -0600
Date: Tue, 3 Dec 1996 12:56:13 -0600 (CST)
From: Ron DuFresne
To: Jim Wamsley 303-673-8163
cc: firewalls@GreatCircle.COM
Subject: RE: [Fwd: Caution : Internet Virus]
In-Reply-To: <199612031429.HAA08003@coltano.stortek.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hmm, we run scanprot.dot here. Thing is, it only works when run; it does not run in the 'background' scanning every new file or attachment. You have to open scanprot.dot, run it, for it to do its thing, then close it. Scanprot is not in any way that we are aware of virus protection, but is a valuable cleanup tool once someone's been infected...

Later,

Ron DuFresne

On Tue, 3 Dec 1996, Jim Wamsley 303-673-8163 wrote:
> On Dec 3 Michael Paris wrote
> >
> > In the message he said it was a file attach.
> >
> > If the virus was sent attached in a .zip or .exe and the infected file was
> > run it would infect the computer.
> >
> > I believe he was talking here of a Word Macro Virus, attached as a .DOC
> > file, that when opened by Microsoft Word would trash the hard disk.
> >
> Hey guys, is everyone forgetting that Microsquish put out a macro protection
> script called ScanProt that scanned every document before it was opened looking
> for certain known 'macro virus' and warned you if the document contained
> anything suspicious? I believe it also compares your normal.dot against what
> the doc had. This goes a long way toward _stopping_ an infected document from
> doing any damage. Works very well. Have received a few _infected_ attachments
> that were caught.
>
> ______________________________________________________________
> [ Jim Wamsley, Network Engineering                            ]
> [ StorageTek 2270 S. 88th St, M.S. 4379, Louisville, CO 80028 ]
> [ Audible: (303) 673-8163   Logical jim_wamsley@stortek.com   ]
> [ Everything to Excess!                                       ]
> [ To enjoy life to the fullest, you must take big bites.      ]
> [ Moderation is for monks.                                    ]
> [ Lazarus Long                                                ]
> [______________________________________________________________]
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
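Jeremy Youngman's question above is what to make of screend SUMMARY records showing one outside host hitting an unserved port from successive ephemeral source ports. The following is an added example, not code from the list or from screend itself: a Python parser for records in that SUMMARY format that aggregates inbound traffic to ports the site does not publish, so repeated connection attempts to a closed port stand out from ordinary service traffic. The log lines and the OFFERED_SERVICES set are constructed for the example.

```python
import re

# Constructed screend-style SUMMARY records (not from the archive). The first
# two are modelled on the records quoted in Jeremy's message; the rest are made
# up: a legitimate HTTP hit, a NetBIOS name-service probe, and an ICMP record
# with no port pair.
SAMPLE_LOG = """\
SUMMARY: 4 of TCP [195.232.6.60]->[xxx.xxx.xxx.xxx](1083->4144)
SUMMARY: 4 of TCP [195.232.6.60]->[xxx.xxx.xxx.xxx](1084->4144)
SUMMARY: 12 of TCP [198.51.100.7]->[xxx.xxx.xxx.xxx](2001->80)
SUMMARY: 2 of UDP [203.0.113.9]->[xxx.xxx.xxx.xxx](137->137)
SUMMARY: 1 of ICMP [203.0.113.9]->[xxx.xxx.xxx.xxx]
"""

# "SUMMARY: <count> of <proto> [<src>]->[<dst>](<sport>-><dport>)"; the port
# pair is optional because ICMP records carry none.
_RECORD = re.compile(
    r"^SUMMARY:\s+(?P<count>\d+)\s+of\s+(?P<proto>\w+)\s+"
    r"\[(?P<src>[^\]]+)\]->\[(?P<dst>[^\]]+)\]"
    r"(?:\((?P<sport>\d+)->(?P<dport>\d+)\))?"
)

# Assumption for the example: the only services this site publishes.
OFFERED_SERVICES = {("TCP", 25), ("TCP", 80)}


def parse_summary(line):
    """Parse one SUMMARY record into a dict, or return None for other lines."""
    m = _RECORD.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def unexpected_inbound(log_text, offered=OFFERED_SERVICES):
    """Aggregate packets per (src, proto, dport) for ports we do not serve.

    A single source walking ephemeral source ports (1083, 1084, ...) against
    one closed destination port is the signature of repeated connection
    attempts: each new client socket is a fresh SYN the screen dropped.
    """
    agg = {}
    for line in log_text.splitlines():
        rec = parse_summary(line)
        if rec is None or rec["dport"] is None:
            continue                     # not a summary, or no port pair (ICMP)
        if (rec["proto"], rec["dport"]) in offered:
            continue                     # traffic to a service we actually run
        key = (rec["src"], rec["proto"], rec["dport"])
        entry = agg.setdefault(key, {"packets": 0, "sports": set()})
        entry["packets"] += rec["count"]
        entry["sports"].add(rec["sport"])
    return agg


def report(agg):
    """Human-readable lines, most packets first."""
    lines = []
    for (src, proto, dport), e in sorted(agg.items(),
                                         key=lambda kv: -kv[1]["packets"]):
        lines.append("%-16s %-4s dport %-5d %4d packets from %d source port(s)"
                     % (src, proto, dport, e["packets"], len(e["sports"])))
    return lines


if __name__ == "__main__":
    for line in report(unexpected_inbound(SAMPLE_LOG)):
        print(line)
```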
From firewalls-owner Tue Dec 3 11:57:26 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA17605 for firewalls-outgoing; Tue, 3 Dec 1996 11:21:55 -0800 (PST) Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA17582 for ; Tue, 3 Dec 1996 11:21:45 -0800 (PST) Received: by hidata.com; id AA23167; Tue, 3 Dec 96 11:21:45 PST Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma023162; Tue, 3 Dec 96 11:21:18 -0800 Received: from sysadmin by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id LAA01883; Tue, 3 Dec 1996 11:21:17 -0800 Message-Id: <2.2.32.19961203191650.00c5539c@osc.hidata.com> X-Sender: bstout@osc.hidata.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 03 Dec 1996 11:16:50 -0800 To: Peter Yau , FireWalls@GreatCircle.com From: Bill Stout Subject: Re: NetBios over IP Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Just say no. At 10:07 AM 12/3/96 -0500, Peter Yau wrote: >Are there security concerns for NetBIOS over IP? Is it a danger that because >it is a messaging protocol which uses names as opposed to addresses that it'd >be more easy to spoof? Yes. Weaknesses same as DNS or other non-authenticated naming systems. >With NetBIOS encapsulated in IP traversing (from outside) the FW-1, are >we only abled to filter on IP only? Once IP filtering takes place, the >packet then gets unencapsulated before it gets sent to its final destination? Don't confuse encapsulation with encryption. Encapsulating commands within TCP does not protect them or the systems you send commands to. >The proper port needs to be open in FW-1 to accomodate NetBIOS, of course. >Where exactly does unencapsulation take place, at the last Router hop >prior to the final destination? >Thanks in advance. Just a few tidbits: NetBIOS over TCP/IP is a 'cool thing'. 
If you have port 137 open, it gives you more targets to hack at than finger when probing a system for data. Nbtstat -A 'ipaddress', tells you (example): C:\> nbtstat -A xxx.xxx.xxx.xxx NetBIOS Remote Machine Name Table Name Type Status --------------------------------------------- Registered Registered Registered Registered Registered Registered Registered Registered Registered MAC Address = 08-00-2B-A3-DA-D5 WWW2 <00> UNIQUE Computer name INETSERVERS <00> GROUP Domain name WWW2 <20> UNIQUE Share service name INETSERVERS <1C> GROUP WINS Domain Group name WWW2 <03> UNIQUE WINS Messenger name INETSERVERS <1E> GROUP Browser group INet~Services <1C> GROUP IIS group name IS~WWW2........<00> UNIQUE IIS unique name WWW2 <01> UNIQUE Service Username ADMINISTRATOR <03> UNIQUE Username WWW2+++++++++++ GROUP Netmon agent A 'large software company' disabled NetBIOS on their webservers after they saw output like that above. I think from a whitepaper I wrote. Also another 'cool thing' to note is that Netbios file sharing security (LanManager 2.0 and earlier) can force your computer to send cleartext username/password/domain information to the server. If a user attempts to connect to a foreign server, file/print/other_unknown services. NetBIOS only needs a username/password/domain when first connecting to a system, and uses that data to generate a User ID (UID). All following data transfers use that plaintext UID to access files with your priviledges ("Honey, it's 'me'"). NetBIOS sesssions thereafter have a timeout value of about 45 minutes. If you stop talking to your server, the server you've been talking to keeps a session open waiting for a request with your UID to reconnect, no additional username/password information required to get to your files. The above also applies to accessing administrative shares (root directory and all files on all drives) on NT systems. 
I am not sure if NetBIOS SMB sessions are tied to an IP address, I am testing connecting to administrative shares from random IP addresses by scanning UIDs. In theory, one could connect to any NT/IIS share on the internet with administrative access to all files. Even cooler if the server is dual-homed, and they're running 'netmon'(NT sniffer). You could then remotely sniff their internal network using their own sniffer. For documented attacks, see: ftp://ietf.cnri.reston.va.us/internet-drafts/draft-heizer-cifs-v1-spec-00.txt IMNSHO, NetBIOS is not a 'good thing' across the internet. Bill Stout _______________________________________________________________________________ Senior Systems Admin NT/Backoffice/Solaris/WWW-Db/Firewalls/Cisco/VM-UNIX/VMS Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself From firewalls-owner Tue Dec 3 12:13:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA21719 for firewalls-outgoing; Tue, 3 Dec 1996 12:06:12 -0800 (PST) Received: from palrel3.hp.com (palrel3.hp.com [15.253.88.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA21696; Tue, 3 Dec 1996 12:06:02 -0800 (PST) Received: from borg.mayfield.hp.com (borg.mayfield.hp.com [15.13.216.4]) by palrel3.hp.com with ESMTP (8.7.5/8.7.3) id MAA20855; Tue, 3 Dec 1996 12:05:59 -0800 (PST) Message-Id: <199612032005.MAA20855@palrel3.hp.com> Received: by borg.mayfield.hp.com (1.39.111.2/16.2) id AA010793066; Tue, 3 Dec 1996 11:57:46 -0800 From: Frank Beall Subject: RE: [Fwd: Caution : Internet Virus] To: firewalls@GreatCircle.COM Date: Tue, 03 Dec 1996 11:57:45 PST Cc: darryl@sai.com X-Mailer: Elm [revision: 112.2] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk check out pratical Unix Security by O'Reilly & Associates. on Unix Mail. Frank > > On Tue, 3 Dec 1996, Security Mail wrote: > > > This indeed was a Hoax! No Virus can wipe the hard disk just by reading > > an e-mail message. 
BUT, this message below told of an attachment that if > > run would cause dammage! > > This is not true on Unix! Many Unix mailers and pagers will send > escape codes to the tty. The good ones will not, but many of > the old ones will. This will allow a mail message to control the > terminal. Many terminals has escape codes to send text back to > the host. QED the mail message can do anything the user has privs > to do. > > -- > Darryl Wagoner darryl@sai.com http://www.sai.com/ > Office: 603.672.0736 Fax: 603-672-4846 > Beware of self-styled experts: an ex is a has-been, and a spurt is a > drip under pressure. > > > From firewalls-owner Tue Dec 3 12:57:15 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA24912 for firewalls-outgoing; Tue, 3 Dec 1996 12:44:07 -0800 (PST) Received: from mentor.co.nz (mentor.co.nz [202.20.113.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA24750 for ; Tue, 3 Dec 1996 12:42:40 -0800 (PST) Received: from adonis.mentor.co.nz by zeus.mentor.co.nz id aa29959; 4 Dec 96 9:39 NZST From: Mark Clayton Message-Id: <961204093436.ZM7398@adonis> Date: Wed, 4 Dec 1996 09:34:31 +1245 In-Reply-To: Jamey Kirby "RE: Strange Virus..." (Dec 3, 8:30am) References: <01BBE0F4.D896BCA0@max-nc-83.connectnet.com> X-Mailer: Z-Mail 4.0.1 (4.0.1 Apr 9 1996) To: Jamey Kirby , firewalls-digest , "'Warren Moore'" Subject: Re: Strange Virus... Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Atleast it was entertaining !! Considering most people on this list are supposed to be professionals in the computer industry, you would think that mindless discussion over whether a virus was real or not would be kept to a minimum. Guess not... On Dec 3, 8:30am, Jamey Kirby wrote: > Subject: RE: Strange Virus... > What a moron! 
> > ---------- > From: Warren Moore[SMTP:warren.moore@cbis.com] > Sent: Tuesday, December 03, 1996 1:09 AM > To: firewalls-digest > Subject: Strange Virus... > > Probably off-subject, but considering what's been on here for the last day or > so, maybe not...funny regardless. > > Free Money!!! > > [SNIP HUMOR] > > There is a computer virus that is being sent across the Internet. > Jack of All Trades, Master of Damn Few! >-- End of excerpt from Jamey Kirby Marcus. From firewalls-owner Tue Dec 3 14:26:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA02184 for firewalls-outgoing; Tue, 3 Dec 1996 14:16:11 -0800 (PST) Received: from hermes.hurwitz.com (hermes.hurwitz.com [206.234.77.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA02177 for ; Tue, 3 Dec 1996 14:16:03 -0800 (PST) Received: from pheonix.hurwitz.com (desktop_25.hurwitz.com [206.234.77.45]) by hermes.hurwitz.com (8.7.4/8.7.3) with SMTP id RAA23633 for ; Tue, 3 Dec 1996 17:58:14 -0500 Message-Id: <1.5.4.32.19961203221401.006a5a38@smtp.hurwitz.com> X-Sender: abrenton@smtp.hurwitz.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 03 Dec 1996 17:14:01 -0500 To: Firewalls@GreatCircle.COM From: Andrea Brenton Subject: Re: Strange Virus... Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There is a virus newsgroup at comp.virus! At 01:58 PM 12/3/96 -0500, you wrote: * > * > What a moron! * > * > ---------- * > From: Warren Moore[SMTP:warren.moore@cbis.com] * > Sent: Tuesday, December 03, 1996 1:09 AM * > To: firewalls-digest * > Subject: Strange Virus... * > * > There is a computer virus that is being sent across the Internet. * > If you receive an e-mail message with the subject line "Free Money," * > DO NOT read the message. DELETE it immediately, UNPLUG your computer, * > then BURN IT to ASHES in a government-approved toxic waste disposal * > INCINERATOR. 
*
* [satirical rant deleted]
*
* Actually, I thought it was rather funny. And just think, if everyone who
* actually BELIEVED it, followed the instructions, network security would have
* been improved by a huge margin in one fell stroke.
*
* - jcp
*
* --
* =========================================================================
* Jody C. Patilla jcp@tis.com
* Trusted Information Systems Glenwood, Md.
* xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Disclaimer: Any errors in spelling, tact, or fact are transmission errors.

Andrea Brenton Hurwitz Group, Inc
IS Manager 29 Crafts St
abrenton@hurwitz.com Newton, MA 02158
"The time you enjoy wasting is not wasted time." - Bertrand Russell
Views expressed are my own and not that of my employer or clients.

From firewalls-owner Tue Dec 3 15:55:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA06282 for firewalls-outgoing; Tue, 3 Dec 1996 15:41:55 -0800 (PST)
Received: from osceola.gate.net (osceola.gate.net [199.227.0.18]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA06264 for ; Tue, 3 Dec 1996 15:41:43 -0800 (PST)
Received: from gate.net.gate.net (orlfl2-25.gate.net [199.227.3.152]) by osceola.gate.net (8.8.3/8.6.12) with ESMTP id SAA59242; Tue, 3 Dec 1996 18:41:19 -0500
Message-Id: <199612032341.SAA59242@osceola.gate.net>
From: "William Beem"
To: "Russ" , "Mr. Nick Keenan"
Cc:
Subject: Re: restricting OUTBOUND access
Date: Tue, 3 Dec 1996 18:39:15 -0500
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Windows 95 will warn you of this type of security breach. For example, I had Dial-up access on my machine working fine. Later, I installed the network client. Windows 95 warned me of the possible security problem and suggested that I not allow anyone to roam my drive. It's not rocket science.

--William

----------
> From: Mr. Nick Keenan
> To: Russ
> Cc: firewalls@GreatCircle.COM
> Subject: RE: restricting OUTBOUND access
> Date: Tuesday, December 03, 1996 12:44 PM
>
> >Come now, it's extremely tricky to set up Windows '95 to act as a
> >router. You mind explaining to me how you could do that easily in your
> >scenario?
>
> OK. I thought Win 95 gave NetBEUI access by default, but I haven't worked
> with it enough to bet on it.
>
> So replace Windows 95 with Windows NT, and replace Dial-Up Networking with
> Remote Access Service. RAS does TCP-IP routing by default.
>
> Or use Windows 3.1 RAS, and check the box "Allow access to entire network"
> during setup.
>
> Or even if you don't allow network access, your own computer is still
> vulnerable. Which means, incidentally, that the intruder can alter your
> configuration to allow network access -- particularly on 3.1 and 95, which
> don't have OS-level security on the disk or configuration files.
>
> The point is that under Windows, outgoing modem connections are a security
> liability. Internet connections can be used to establish modem connections.
> Ergo, outgoing Internet connections are a security liability.
>
>
> Nick Keenan
> Global Securities Information
> nkeenan@gsionline.com
> http://www.gsionline.com
>
> LIVEDGAR(TM) -- The EDGAR(TM) Experts.
From firewalls-owner Tue Dec 3 16:12:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA07713 for firewalls-outgoing; Tue, 3 Dec 1996 16:08:29 -0800 (PST)
Received: from ns1.genuity.net (ns1.genuity.net [204.74.114.93]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA07684 for ; Tue, 3 Dec 1996 16:08:19 -0800 (PST)
Received: from x-files.genuity.net (x-files.genuity.net [204.74.125.103]) by ns1.genuity.net (8.7.3/8.7.3) with SMTP id RAA09387 for ; Tue, 3 Dec 1996 17:08:19 -0700 (MST)
Received: by x-files.genuity.net with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBE13C.936ECC60@x-files.genuity.net>; Tue, 3 Dec 1996 17:08:17 -0700
Message-ID:
From: Douglas Cheline
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: Firewalls over NT vs. UNIX
Date: Tue, 3 Dec 1996 17:08:15 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I guess no-one really wants to touch this subject. Is it perhaps because NT really is "very secure" and we can trust it to do security firewalling? grin;-)

>Douglas Cheline
>Senior Consultant Business Solutions
>
>G E N U I T Y, Inc.
>a Bechtel company
>
>dcheline@genuity.net http://www.genuity.net
>----------
>From: Douglas Cheline
>Sent: Sunday, December 01, 1996 3:12 PM
>To: 'Firewalls@GreatCircle.COM'
>Subject: Firewalls over NT vs. UNIX
>
>The various Firewall vendors that I have spoken to have repeatedly stated
>that, even though their product does run over NT, running firewalls over UNIX
>is much more secure. The reasoning I get is that NT has some inherent
>vulnerabilities that cannot be plugged since the code is proprietary and
>closed. UNIX on the other hand is standards-based and open, plus it has been
>on the market much longer and more efforts have been placed in plugging the
>holes there.
>
>This sounds nice but not very convincing unless some hard facts are revealed.
>Can knowledgeable members of this forum tell me what those 'holes' in NT are?
>And is this a valid argument?
>
>disclaimer: I, myself, prefer UNIX based applications but I don't have a
>facts based argument for that preference when it comes to firewalls.
>
>Thanks in advance for your responses.
>
>Regards,
>
>Douglas Cheline
>Senior Consultant Business Solutions
>
>G E N U I T Y, Inc.
>a Bechtel company
>
>dcheline@genuity.net
>http://www.genuity.net
>

From firewalls-owner Tue Dec 3 16:40:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA08446 for firewalls-outgoing; Tue, 3 Dec 1996 16:30:06 -0800 (PST)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA08436 for ; Tue, 3 Dec 1996 16:29:57 -0800 (PST)
From: dcarlos@sunat.gob.pe
Received: from rcp.net.pe by relay3.UU.NET with SMTP (peer crosschecked as: rcp.net.pe [161.132.5.20]) id QQbsof24158; Tue, 3 Dec 1996 19:29:53 -0500 (EST)
Received: from sunat.gob.pe(really [161.132.37.1]) by rcp.net.pe via sendmail with smtp id for ; Tue, 3 Dec 1996 19:32:11 -0500 (EST) (Smail-3.2 1996-Jul-4 #3 built 1996-Oct-4)
Received: from WS06_07 by sunat.gob.pe with smtp (Smail3.1.28.1 #9) id m0vV7kZ-0002FqC; Tue, 3 Dec 96 19:11 PST
Message-Id:
Comments: Authenticated sender is
To: firewalls@GreatCircle.COM
Date: Tue, 3 Dec 1996 19:53:34 +0000
Subject: FIREWALL Evaluation
X-mailer: Pegasus Mail for Windows (v2.42a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please send me your opinions about the following firewalls:

1.- IBM Internet Connection Secured Network Gateway for AIX version 2.2
2.- SUN SOLSTICE Firewall-1 Version 2.0 (Is it the same as Checkpoint??)
3.- Borderware

Thanks

Damaso Carlos Tay

From firewalls-owner Tue Dec 3 17:40:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA12738 for firewalls-outgoing; Tue, 3 Dec 1996 17:26:43 -0800 (PST)
Received: from osceola.gate.net (osceola.gate.net [199.227.0.18]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA12731 for ; Tue, 3 Dec 1996 17:26:35 -0800 (PST)
Received: from gate.net.gate.net (orlfl2-6.gate.net [199.227.3.133]) by osceola.gate.net (8.8.3/8.6.12) with ESMTP id UAA52496; Tue, 3 Dec 1996 20:26:33 -0500
Message-Id: <199612040126.UAA52496@osceola.gate.net>
From: "William Beem"
To: "Douglas Cheline" , "'Firewalls@GreatCircle.COM'"
Subject: Re: Firewalls over NT vs. UNIX
Date: Tue, 3 Dec 1996 20:24:31 -0500
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

More likely that most folks don't know about the security holes in NT yet. UNIX holes receive a fair amount of attention, which often causes a furor and a fix. Microsoft remains rather tight-lipped about holes in Windows NT.

I rather prefer the UNIX approach of knowing what's wrong with it, so I can make a reasonably intelligent assessment regarding the security of my servers. Microsoft seems unwilling to tell me what's wrong with NT. Maybe that's why I have more UNIX boxes at work than NT servers.

--William

----------
> From: Douglas Cheline
> To: 'Firewalls@GreatCircle.COM'
> Subject: RE: Firewalls over NT vs. UNIX
> Date: Tuesday, December 03, 1996 7:08 PM
>
> I guess no-one really wants to touch this subject. Is it perhaps
> because NT really is "very secure" and we can trust it to do security
> firewalling? grin;-)
>
> >Douglas Cheline
> >Senior Consultant Business Solutions
> >
> >G E N U I T Y, Inc.
> >a Bechtel company
> >
> >dcheline@genuity.net
> http://www.genuity.net
> >----------
> >From: Douglas Cheline
> >Sent: Sunday, December 01, 1996 3:12 PM
> >To: 'Firewalls@GreatCircle.COM'
> >Subject: Firewalls over NT vs. UNIX
> >
> >The various Firewall vendors that I have spoken to have repeatedly stated
> >that, even though their product does run over NT, running firewalls over UNIX
> >is much more secure. The reasoning I get is that NT has some inherent
> >vulnerabilities that cannot be plugged since the code is proprietary and
> >closed. UNIX on the other hand is standards-based and open, plus it has been
> >on the market much longer and more efforts have been placed in plugging the
> >holes there.
> >
> >This sounds nice but not very convincing unless some hard facts are revealed.
> >Can knowledgeable members of this forum tell me what those 'holes' in NT are?
> >And is this a valid argument?
> >
> >disclaimer: I, myself, prefer UNIX based applications but I don't have a
> >facts based argument for that preference when it comes to firewalls.
> >
> >Thanks in advance for your responses.
> >
> >Regards,
> >
> >Douglas Cheline
> >Senior Consultant Business Solutions
> >
> >G E N U I T Y, Inc.
> >a Bechtel company
> >
> >dcheline@genuity.net
> >http://www.genuity.net
> >

From firewalls-owner Tue Dec 3 18:11:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA13544 for firewalls-outgoing; Tue, 3 Dec 1996 17:55:27 -0800 (PST)
Received: from ptes.com ([138.112.199.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA13537 for ; Tue, 3 Dec 1996 17:55:20 -0800 (PST)
Received: by ptes.com (4.1/JMA.3) id AA12668; Tue, 3 Dec 96 16:55:38 PST
Received: from mike.ptes.com(138.112.190.103) by newshost via smap (V1.3mjr) id sma012666; Tue Dec 3 16:55:10 1996
X-Sender: mike@pescadero.ptes.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 3 Dec 1996 17:55:48 -0900
To: firewalls@GreatCircle.COM
From: mike@ptes.com (Mike Bernhardt)
Subject: PIX and Gauntlet
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I question as a relative newcomer:

Right now the internet connection at this location is protected with packet filtering with a Cisco router. I want to put a real firewall product in place.

I'd like opinions on which y'all think is better and why (price aside): a Cisco PIX, or Gauntlet on an Ultra1 with 2 Ethernet cards.

-------------------------------------------------------------
"He who dies with the most toys, still dies."
From firewalls-owner Tue Dec 3 18:25:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA14730 for firewalls-outgoing; Tue, 3 Dec 1996 18:22:29 -0800 (PST)
Received: from shifra.info.umoncton.ca ([139.103.16.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA14723 for ; Tue, 3 Dec 1996 18:22:22 -0800 (PST)
Received: from localhost (musta@localhost) by shifra.info.umoncton.ca (8.6.11/8.6.9) with SMTP id WAA08563; Tue, 3 Dec 1996 22:26:42 -0400
Date: Tue, 3 Dec 1996 22:26:42 -0400 (AST)
From: Mustapha
Reply-To: Mustapha
To: Jamey Kirby
cc: firewalls-digest , "'Warren Moore'"
Subject: RE: Strange Virus...
In-Reply-To: <01BBE0F4.D896BCA0@max-nc-83.connectnet.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 3 Dec 1996, Jamey Kirby wrote:

> What a moron!

Not at all! :-)

In fact I found Warren's joke so funny that I have forwarded it to five other people already.

Come on Jamey! Reading a joke or two every now and then would not do any harm, or pain, or both! :)

Best wishes,

-Mustapha

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mustapha Obeid
Student
Computer Science Department, "Universite de Moncton"
Moncton, NB, Canada - E1A 3E9
Fields of Interest: Network Security & Operating Systems
*Life would be much easier if we could just look at the source code*
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From firewalls-owner Tue Dec 3 19:41:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA19025 for firewalls-outgoing; Tue, 3 Dec 1996 19:37:29 -0800 (PST)
Received: from pexpress.indcomp.com ([198.182.182.252]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA19018 for ; Tue, 3 Dec 1996 19:37:23 -0800 (PST)
Received: from hbr (user-168-121-26-74.dialup.mindspring.com [168.121.26.74]) by pexpress.indcomp.com (8.6.12/8.6.9) with SMTP id WAA14694; Tue, 3 Dec 1996 22:35:19 -0500
Message-ID: <32A4F171.7797@indcomp.com>
Date: Tue, 03 Dec 1996 22:35:13 -0500
From: Howard Richter
Organization: Richter @home Computing
X-Mailer: Mozilla 2.02 (Win95; I)
MIME-Version: 1.0
To: Darryl Wagoner
CC: Security Mail , Denis Valois , firewalls@GreatCircle.COM, webmaster@internic.uob.bh
Subject: Re: [Fwd: Caution : Internet Virus]
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Darryl Wagoner wrote:
>
> On Tue, 3 Dec 1996, Security Mail wrote:
>
> > This indeed was a Hoax! No Virus can wipe the hard disk just by reading
> > an e-mail message. BUT, this message below told of an attachment that if
> > run would cause damage!
>
> This is not true on Unix! Many Unix mailers and pagers will send
> escape codes to the tty. The good ones will not, but many of
> the old ones will. This will allow a mail message to control the
> terminal. Many terminals have escape codes to send text back to
> the host. QED the mail message can do anything the user has privs
> to do.
>
> --
> Darryl Wagoner darryl@sai.com http://www.sai.com/
> Office: 603.672.0736 Fax: 603-672-4846
> Beware of self-styled experts: an ex is a has-been, and a spurt is a
> drip under pressure.

But the editor would keep the message from the rest of the system.

From firewalls-owner Tue Dec 3 19:55:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA19042 for firewalls-outgoing; Tue, 3 Dec 1996 19:39:07 -0800 (PST)
Received: from dax.sai.com (dax.sai.com [207.95.117.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA19035 for ; Tue, 3 Dec 1996 19:38:54 -0800 (PST)
Received: from dax.sai.com by dax.sai.com with smtp (Smail3.1.29.1 #2) id m0vV8AO-003pahC; Tue, 3 Dec 96 22:38 EST
Date: Tue, 3 Dec 1996 22:38:35 -0500 (EST)
From: Darryl Wagoner
To: Howard Richter
cc: Security Mail , Denis Valois , firewalls@GreatCircle.COM, webmaster@internic.uob.bh
Subject: Re: [Fwd: Caution : Internet Virus]
In-Reply-To: <32A4F171.7797@indcomp.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 3 Dec 1996, Howard Richter wrote:

> But the editor would keep the message from the rest of the system.

No, all unix editors and pagers have shell command functions.

--
Darryl Wagoner darryl@sai.com http://www.sai.com/
Office: 603.672.0736 Fax: 603-672-4846
Beware of self-styled experts: an ex is a has-been, and a spurt is a
drip under pressure.
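Added example, not code from any message in this thread nor from any of the mailers or pagers discussed: the filter a mail user agent or pager should apply before writing an untrusted message to a tty, which is the mitigation for the escape-code problem Darryl Wagoner describes in both of his messages above. It strips the ECMA-48 7-bit escape forms (CSI, OSC, DCS and the two-byte sequences such as the terminal reset) plus every C0 control other than newline and tab, and it offers a caret-notation rendering so the recipient can see that a message carried control codes rather than silently losing them. The sample body is constructed for this example.

```python
import re

# Constructed sample body (not a message from the archive): coloured text,
# an OSC sequence that would retitle an xterm, a bare ESC c (terminal
# reset) and a BEL character.
SAMPLE_BODY = (
    "Hello,\n"
    "\x1b[31mred text\x1b[0m and a title change \x1b]0;owned\x07 "
    "plus a bare escape \x1bc and a bell \x07\n"
    "Regards\n"
)

# 7-bit escape sequence forms from ECMA-48, most specific first:
#   CSI   ESC [ parameters intermediates final-byte
#   OSC   ESC ] ... terminated by BEL or by ST (ESC \)
#   DCS / SOS / PM / APC   ESC P, ESC X, ESC ^, ESC _ ... terminated by ST
#   nF / Fp / Fs   ESC intermediates final-byte  (covers ESC c, ESC ( B, ...)
#   a stray ESC on its own
_ESCAPE_RE = re.compile(
    r"\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"
    r"|\x1b[PX^_].*?(?:\x1b\\|$)"
    r"|\x1b[\x20-\x2f]*[\x30-\x7e]"
    r"|\x1b",
    re.DOTALL,
)

# Every C0 control and DEL except newline and tab. Carriage return is
# dropped as well, since it lets a sender overwrite what is already on
# the line.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def sanitize_for_terminal(text: str) -> str:
    """Return text with escape sequences and control characters removed,
    so it can be written to a tty without the sender driving the terminal."""
    return _CONTROL_RE.sub("", _ESCAPE_RE.sub("", text))


def has_terminal_controls(text: str) -> bool:
    """True if displaying the text unfiltered would change terminal state."""
    return sanitize_for_terminal(text) != text


def make_visible(text: str) -> str:
    """Render control characters in caret notation (ESC becomes ^[) instead
    of dropping them, as cat -v does, so the reader can see what was sent."""
    def caret(match: re.Match) -> str:
        code = ord(match.group(0))
        return "^?" if code == 0x7f else "^" + chr(code + 0x40)
    return _CONTROL_RE.sub(caret, text)


if __name__ == "__main__":
    print("controls present:", has_terminal_controls(SAMPLE_BODY))
    print(make_visible(SAMPLE_BODY))
    print(sanitize_for_terminal(SAMPLE_BODY))
```

The two-step design matters: the escape regex removes whole sequences so that their printable payload (the `31m` of a colour change, the text of a window title) does not leak into the display, and the control-character pass then catches anything left over, including a lone ESC that no sequence pattern claimed. A pager that only strips ESC and leaves the rest would still show the payload, which is harmless but confusing; one that strips nothing hands the terminal to the sender, which is the point of the thread.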
From firewalls-owner Tue Dec 3 20:10:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA18719 for firewalls-outgoing; Tue, 3 Dec 1996 19:25:29 -0800 (PST)
Received: from isl.sri.com (sheffield.isl.SRI.COM [128.18.23.46]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA18702 for ; Tue, 3 Dec 1996 19:25:19 -0800 (PST)
Received: by isl.sri.com (SMI-8.6/SMI-SVR4) id TAA06224; Tue, 3 Dec 1996 19:25:16 -0800
Received: from babylon(128.18.23.47) by sheffield via smap (V2.0beta) id xma006207; Tue, 3 Dec 96 19:25:09 -0800
Received: from gollum.isl.sri.com by babylon (SMI-8.6/SMI-SVR4) id TAA29925; Tue, 3 Dec 1996 19:25:07 -0800
Message-Id: <3.0.32.19961203191637.0068adb4@sheffield.isl.sri.com>
X-Sender: terry@sheffield.isl.sri.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 03 Dec 1996 19:18:06 -0800
To: mike@ptes.com (Mike Bernhardt)
From: "Terry L. Bernstein"
Subject: Re: PIX and Gauntlet
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It depends on what you mean by better. When I evaluate firewalls, I consider a number of things, including:

* Basic security
* Flexibility. Number/type of services currently supported.
* Expandability. Ease of adding new services
* Manageability. GUI, centralized management of multiple firewalls/routers
* VPN Support.
* Authentication support. Does it support token cards

There are other items you could add, depending on your situation. The point is that one cannot say that one firewall is always better than another.

My take on the two firewalls you mentioned is as follows:

PIX: Marketed as a plug and play firewall that you can throw into a relatively simple architecture with little configuration on your part. It will provide decent security through smart packet filtering. I wouldn't use it to protect a financial institution, but I would consider it a good choice for a small/medium office with one Internet connection and few if any Internet servers (i.e. Web or FTP servers).

Gauntlet: This is marketed as a high end application proxy. It is much harder to configure and uses cryptic text files (at least in the last version I saw). It will provide better overall security, but will take more effort to install. Also, the reporting is much better.

I recommend you also take a look at firewall-1 as a product that has many of the best features of both of these.

The bottom line is that the firewall you choose depends on your situation.

-- terry --

At 05:55 PM 12/3/96 -0900, Mike Bernhardt wrote:
>I question as a relative newcomer:
>Right now the internet connection at this location is protected with packet
>filtering with a Cisco router. I want to put a real firewall product in
>place.
>
>I'd like opinions on which y'all think is better and why (price aside): a
>Cisco PIX, or Gauntlet on an Ultra1 with 2 Ethernet cards.
>

Terry Bernstein
SRI Consulting
TBernstein@sri.com
http://www.ice.sri.com/~terry

From firewalls-owner Tue Dec 3 20:31:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA21120 for firewalls-outgoing; Tue, 3 Dec 1996 20:18:41 -0800 (PST)
Received: from www.cyberbound.net (www.cyberbound.net [204.119.16.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA21113 for ; Tue, 3 Dec 1996 20:18:34 -0800 (PST)
Received: from rmalone.iquest.net (ind-0007-2.iquest.net [206.246.171.34]) by www.cyberbound.net (8.6.12/8.6.9) with ESMTP id UAA27804 for ; Tue, 3 Dec 1996 20:18:31 -0800
Message-Id: <199612040418.UAA27804@www.cyberbound.net>
From: "Ron Malone"
To:
Subject: Firewall User Group's
Date: Tue, 3 Dec 1996 23:12:42 -0600
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_01BBE16F.7C139C20"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is a multi-part message in MIME format.

------=_NextPart_000_01BBE16F.7C139C20
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Does anyone know if there is a user group for Firewall-1 or Raptor Eagle?

Are there any companies that have purchased direct support for Firewall-1 from Checkpoint Software?

My company is looking to purchase a firewall product, but find that most software companies want to shield themselves behind a reseller. They claim to want to use the reseller's distribution system to sell and support the product. The problem is that purchasing the firewall software via a middleman allows the firewall company to have less responsibility in supporting their product. If your 3rd party support is not strong, then you have a problem obtaining quality support and cannot contact the software maker to provide direct support. Any comments regarding how to get the software maker to support the product they created?

Ron

------=_NextPart_000_01BBE16F.7C139C20--

From firewalls-owner Tue Dec 3 20:40:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA22081 for firewalls-outgoing; Tue, 3 Dec 1996 20:28:21 -0800 (PST)
Received: from mesbne01.medeserv.com.au (mesbne01.medeserv.com.au [203.9.184.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA22053 for ; Tue, 3 Dec 1996 20:28:10 -0800 (PST)
Received: (from mail@localhost) by mesbne01.medeserv.com.au (8.7.4/8.7.3) id OAA12075; Wed, 4 Dec 1996 14:25:45 +1000 (EST)
Received: from tooh199.medeserv.com.au(203.9.187.199) by mesbne01 via smap (V1.3) id /mail/incoming/sma012068; Wed Dec 4 14:25:37 1996
Message-ID: <32A4FF2F.40D7@medeserv.com.au>
Date: Wed, 04 Dec 1996 14:33:51 +1000
From: Steven Herod
Reply-To: sherod@medeserv.com.au
Organization: Med-E-Serv Pty Ltd
X-Mailer: Mozilla 3.0 (WinNT; I)
MIME-Version: 1.0
To: William Beem
CC: firewalls@greatcircle.com
Subject: Re: Firewalls over NT vs. UNIX
References: <199612040126.UAA52496@osceola.gate.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

William Beem wrote:
>
> More likely that most folks don't know about the security holes in NT yet.
> UNIX holes receive a fair amount of attention, which often causes a furor
> and a fix. Microsoft remains rather tight-lipped about holes in Windows NT.

I'd have to disagree with that; a hole in NT would cause just as large a furor as one in Solaris or Netware for that matter. After all, it's Microsoft's flagship OS. "The way of the future...". I'd certainly yell loudly.

> I rather prefer the UNIX approach of knowing what's wrong with it, so
> I can make a reasonably intelligent assessment regarding the security
> of my servers. Microsoft seems unwilling to tell me what's wrong with
> NT. Maybe that's why I have more UNIX boxes at work than NT servers.

Perhaps we need to ask some questions....

To decide if NT4.0 is insecure:
What holes are in it?
What holes have been patched in past versions?
What do you have to do to a base NT system to secure it as a firewall? As an apps server? As a file Server?

To decide if Unix (brand X) is insecure:
What holes are in it?
What holes have been patched in past versions?
What do you have to do to a base Unix system to secure it as a firewall? As an apps server? As a file Server?

I dare say if Unix wasn't around, and Microsoft launched one of the early implementations of Unix as SuperNT 1.0, the general consensus would have been to avoid it like the plague because of its security problems.

Please correct me if I'm wrong (politely if possible) - I don't intend to cause offence on this prickly subject.

From firewalls-owner Tue Dec 3 22:40:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA24304 for firewalls-outgoing; Tue, 3 Dec 1996 22:34:59 -0800 (PST)
Received: from mippet.ci.com.au (mippet.ci.COM.AU [192.65.182.30]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id WAA24297 for ; Tue, 3 Dec 1996 22:34:52 -0800 (PST)
Received: from fgh.fgh.oz.au (daemon@localhost) by mippet.ci.com.au (8.8.3/8.7.3/CE) with MHSnet id RAA27452 for firewalls@greatcircle.com; Wed, 4 Dec 1996 17:34:43 +1100 (EST)
Received: by fgh.oz.au (5.0) from localhost id AA00761; Wed, 4 Dec 1996 17:33:14 --1000
Date: Wed, 4 Dec 1996 17:33:13 +1100 (EST)
From: Dave Horsfall
To: Firewalls List
Subject: Re: [Fwd: Caution : Internet Virus]
In-Reply-To:
Message-Id:
X-Witty-Saying: "Klein Bottle - open other end"
X-Disclaimer: "Me, speak for us?"
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 3 Dec 1996, Darryl Wagoner wrote:

> > But the editor would keep the message from the rest of the system.
>
> No, all unix editors and pagers have shell command functions.

Editor counter-example: PICO.
--
Dave Horsfall VK2KFU dave@fgh.oz.au Ph: +61 2 9957-4224 Fx: +61 2 9922-5286
FGH Decision Support Systems P/L, 77 Pacific Hwy, Nth. Sydney, 2060, Australia

From firewalls-owner Wed Dec 4 00:41:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA03047 for firewalls-outgoing; Wed, 4 Dec 1996 00:26:30 -0800 (PST)
Received: from snoopy.ncku.edu.tw (snoopy.ncku.edu.tw [140.116.2.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA02831 for ; Wed, 4 Dec 1996 00:18:11 -0800 (PST)
Received: (from antony@localhost) by snoopy.ncku.edu.tw (8.6.12/8.6.12) id QAA14604 for Firewalls@GreatCircle.COM; Wed, 4 Dec 1996 16:22:39 +0800
Date: Wed, 4 Dec 1996 16:22:39 +0800
From: "<>"
Message-Id: <199612040822.QAA14604@snoopy.ncku.edu.tw>
To: Firewalls@GreatCircle.COM
Subject: Q: Free NAT packages for FreeBSD ??
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I am looking for a package which would do the functionality of NAT (Network Address Translation) on FreeBSD or some other platforms. I am wondering if there is any which is freeware or shareware?

Thanks for reply.

+----------------------------|\ /|--------------------------------------+
|Antony Y.R. Lu | ``''' | 886-6-2757575-62311|
|Distributed System Lab. \(O) (O)/ antony@snoopy.ncku.edu.tw|
|E.E. Institute of NCKU __ \ / __ http://snoopy.ncku.edu.tw/~antony|
+-------------------------oooO--(_)--Oooo-----------------------------------+

From firewalls-owner Wed Dec 4 00:57:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA03972 for firewalls-outgoing; Wed, 4 Dec 1996 00:45:54 -0800 (PST)
Received: from jupiter.kleline.fr (jupiter.kleline.fr [194.250.17.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA03965 for ; Wed, 4 Dec 1996 00:45:44 -0800 (PST)
Received: by jupiter.kleline.fr; id JAA01410; Wed, 4 Dec 1996 09:47:59 +0100 (MET)
Received: from unknown(172.25.200.22) by jupiter.kleline.fr via smap (V3.1.1) id xma001406; Wed, 4 Dec 96 09:47:34 +0100
Received: from sirene. by zeus.kleline.fr (SMI-8.6/SMI-SVR4) id JAA14342; Wed, 4 Dec 1996 09:43:04 +0100
Received: from sirene by sirene. (SMI-8.6/SMI-SVR4) id JAA29120; Wed, 4 Dec 1996 09:43:45 +0100
Message-ID: <32A539C1.5CAD@kleline.fr>
Date: Wed, 04 Dec 1996 09:43:45 +0100
From: Gilbert Soueidy
Organization: KLELine
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m)
MIME-Version: 1.0
To: Great Circle Firewall Mailing List
Subject: Sockd on TIS
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Is there a Sockd package by default on the Gauntlet TIS proxy?

Thanks for help;

--
Gilbert Soueidy KLELine; 8 Rue Galilee-BP 437
System Engineer 75769 Paris Cedex 16-FRANCE
Voice: + 33 1 53 57 00 75 mailto:gsoueidy@kleline.fr
Fax : + 33 1 53 57 00 50 http://www.kleline.fr

From firewalls-owner Wed Dec 4 01:20:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA03170 for firewalls-outgoing; Wed, 4 Dec 1996 00:29:15 -0800 (PST)
Received: from redmare.com ([198.247.223.126]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA03158 for ; Wed, 4 Dec 1996 00:29:08 -0800 (PST)
Received: (from brian@localhost) by redmare.com (8.7.4/8.7.3) id CAA04412; Wed, 4 Dec 1996 02:25:10 -0600 (CST)
Date: Wed, 4 Dec 1996 02:25:09 -0600 (CST)
From: Brian Mitchell
X-Sender: brian@redmare.com
To: Security Mail
cc: firewalls@greatcircle.com
Subject: RE: [Fwd: Caution : Internet Virus]
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To me, this message sounds almost identical to the good times 'virus', with the same sort of panic-warning as the original (although no microprocessor-destroying nth complexity binary loop garbage).

On Tue, 3 Dec 1996, Security Mail wrote:

> On Mon, 2 Dec 1996, Denis Valois wrote:
>
> > This is a hoax.
> >
> > Anyway, just by saying that "reading" a mailgram wipes out
> > your hard drive is of utmost foolishness.
>
> Denis,
>
> In the message he said it was a file attach.
>
> If the virus was sent attached in a .zip or .exe and the infected file was
> run it would infect the computer.
>
> I believe he was talking here of a Word Macro Virus, attached as a .DOC
> file, that when opened by Microsoft Word would trash the hard disk.
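Added example, not code from any message in this thread: the distinction Security Mail draws above (reading a message is harmless, opening an attached .exe, .zip or macro-carrying .DOC is not) is what a mail gateway check actually enforces, so here is that check in Python using the standard `email` package. The risky-extension list beyond the three names the thread mentions, the `example.invalid` addresses and the sample message are all constructed assumptions for the example.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Extensions that run code or carry macros when opened. The thread names
# .exe, .zip and .doc; the rest of the list is an illustrative assumption,
# not a complete policy.
RISKY_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs",
    ".doc", ".dot", ".xls", ".zip",
}


def build_sample_message() -> bytes:
    """Construct a sample message (not one from the archive) with a .doc
    and a .txt attachment, the shape of message the thread is discussing."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Free Money"
    msg.set_content("Please open the attached document.")
    msg.add_attachment(b"not really a Word file",
                       maintype="application", subtype="msword",
                       filename="prize.doc")
    msg.add_attachment("plain text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


def triage_attachments(raw: bytes) -> list[tuple[str, str, bool]]:
    """Parse a raw RFC 822 message and return (filename, declared MIME
    type, risky) for each attachment. The message body is never executed
    or rendered; only the parts the recipient could open are judged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Judge by the final suffix only, so "report.txt.exe" counts as .exe.
        suffix = PurePosixPath(name.lower()).suffix
        findings.append((name, part.get_content_type(), suffix in RISKY_EXTENSIONS))
    return findings


def should_quarantine(raw: bytes) -> bool:
    """Policy hook: hold any message carrying at least one risky attachment,
    regardless of what its subject line says."""
    return any(risky for _, _, risky in triage_attachments(raw))


if __name__ == "__main__":
    sample = build_sample_message()
    for name, ctype, risky in triage_attachments(sample):
        print(f"{name:12} {ctype:20} {'RISKY' if risky else 'ok'}")
    print("quarantine:", should_quarantine(sample))
```

The decision is keyed on the attachment name and declared type, not on the subject line, which is the opposite of what the hoax warning asks its readers to do; a subject-line rule would miss every real attachment that arrives under a different subject and would hold plenty of harmless mail.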
From firewalls-owner Wed Dec 4 01:25:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA03392 for firewalls-outgoing; Wed, 4 Dec 1996 00:34:22 -0800 (PST) Received: from jupiter.kleline.fr (jupiter.kleline.fr [194.250.17.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA03385 for ; Wed, 4 Dec 1996 00:34:13 -0800 (PST) Received: by jupiter.kleline.fr; id JAA01262; Wed, 4 Dec 1996 09:36:28 +0100 (MET) Received: from unknown(172.25.200.22) by jupiter.kleline.fr via smap (V3.1.1) id xma001260; Wed, 4 Dec 96 09:35:58 +0100 Received: from sirene. by zeus.kleline.fr (SMI-8.6/SMI-SVR4) id JAA14282; Wed, 4 Dec 1996 09:31:27 +0100 Received: from sirene by sirene. (SMI-8.6/SMI-SVR4) id JAA29111; Wed, 4 Dec 1996 09:32:08 +0100 Message-ID: <32A53707.365E@kleline.fr> Date: Wed, 04 Dec 1996 09:32:07 +0100 From: Gilbert Soueidy Organization: KLELine X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m) MIME-Version: 1.0 To: Great Circle Firewall Mailing List Subject: IRINA is a Hoax Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi folks; Irina seems to be a Hoax; Look what says the issue 85 of the computer underground digest; ------------ The "Irina" virus warnings are a hoax. The former head of an electronic publishing company circulated the warning to create publicity for a new interactive book by the same name. The publishing company has apologized for the publicity stunt that backfired and panicked Internet users worldwide. The original warning claimed to be from a Professor Edward Pridedaux of the College of Slavic Studies in London; there is no such person or college. However, London's School of Slavonic and East European Studies has been inundated with calls. This poorly thought-out publicity stunt was highly irresponsible. 
For more information pertaining to this hoax, reference the UK Daily Telegraph at http://www.telegraph.co.uk.

-- 
Gilbert Soueidy              KLELine; 8 Rue Galilee-BP 437
System Engineer              75769 Paris Cedex 16-FRANCE
Voice: + 33 1 53 57 00 75    mailto:gsoueidy@kleline.fr
Fax : + 33 1 53 57 00 50     http://www.kleline.fr

From firewalls-owner Wed Dec 4 01:40:39 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA07075 for firewalls-outgoing; Wed, 4 Dec 1996 01:24:09 -0800 (PST)
Received: from svp_ci_00.svp-consult.com (svp_ci_nt1.svp-consult.com [207.78.246.98]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA07043 for ; Wed, 4 Dec 1996 01:23:56 -0800 (PST)
From: Michael.Kespohl@svp-consult.com
Received: by svp_ci_00.svp-consult.com(Lotus SMTP MTA v1.01.02 (238.7 10-8-1996)) id 852563F6.0033D0AD ; Wed, 4 Dec 1996 04:25:57 -0400
X-Lotus-FromDomain: SVP_CONSULT
To: firewalls@GreatCircle.COM
Message-ID:
Date: Wed, 4 Dec 1996 10:28:34 +0200
Subject: NT firewalls / Eagle
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello everybody,

are there any firewall systems for Windows NT (commercial or not) besides the Eagle system?
Thanks for your help

Michael.Kespohl@svp-consult.com

From firewalls-owner Wed Dec 4 01:55:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA07088 for firewalls-outgoing; Wed, 4 Dec 1996 01:24:18 -0800 (PST)
Received: from svp_ci_00.svp-consult.com (svp_ci_nt1.svp-consult.com [207.78.246.98]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA07052 for ; Wed, 4 Dec 1996 01:23:59 -0800 (PST)
From: Michael.Kespohl@svp-consult.com
Received: by svp_ci_00.svp-consult.com(Lotus SMTP MTA v1.01.02 (238.7 10-8-1996)) id 852563F6.0033D045 ; Wed, 4 Dec 1996 04:25:56 -0400
X-Lotus-FromDomain: SVP_CONSULT
To: firewalls@GreatCircle.COM
Message-ID:
Date: Wed, 4 Dec 1996 10:22:36 +0200
Subject: TIS FWTK and Linux 2.0
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello out there!

I recently read that there's a patch necessary for using the TIS FWTK with Linux systems, unfortunately there was no source given. Could anyone help me getting further information about this? And are there any negative experiences with TIS based firewalls?

...sorry if this is the 1.0e20th question on this - I just joined this list a few days ago.

Thanks for your help,
Michael

Michael.Kespohl@svp-consult.com

From firewalls-owner Wed Dec 4 02:20:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA07293 for firewalls-outgoing; Wed, 4 Dec 1996 01:26:20 -0800 (PST)
Received: from jupiter.kleline.fr (jupiter.kleline.fr [194.250.17.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id BAA07224 for ; Wed, 4 Dec 1996 01:25:46 -0800 (PST)
Received: by jupiter.kleline.fr; id KAA01808; Wed, 4 Dec 1996 10:28:00 +0100 (MET)
Received: from unknown(172.25.200.22) by jupiter.kleline.fr via smap (V3.1.1) id xma001806; Wed, 4 Dec 96 10:27:54 +0100
Received: from sirene. by zeus.kleline.fr (SMI-8.6/SMI-SVR4) id KAA14606; Wed, 4 Dec 1996 10:23:23 +0100
Received: from sirene by sirene. (SMI-8.6/SMI-SVR4) id KAA29174; Wed, 4 Dec 1996 10:24:05 +0100
Message-ID: <32A54335.4B6D@kleline.fr>
Date: Wed, 04 Dec 1996 10:24:05 +0100
From: Gilbert Soueidy
Organization: KLELine
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m)
MIME-Version: 1.0
To: firewalls@GreatCircle.com
Subject: Sockd on TIS
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Is there a sockd package on the Gauntlet TIS proxy by default ?

Thanks for help
-- 
Gilbert Soueidy              KLELine; 8 Rue Galilee-BP 437
System Engineer              75769 Paris Cedex 16-FRANCE
Voice: + 33 1 53 57 00 75    mailto:gsoueidy@kleline.fr
Fax : + 33 1 53 57 00 50     http://www.kleline.fr

From firewalls-owner Wed Dec 4 02:43:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA10196 for firewalls-outgoing; Wed, 4 Dec 1996 01:59:57 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id BAA10019 for ; Wed, 4 Dec 1996 01:59:06 -0800 (PST)
Message-Id: <199612040959.BAA10019@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA054353528; Wed, 4 Dec 1996 20:58:49 +1100
From: Darren Reed
Subject: Re: Firewalls over NT vs. UNIX
To: wrbeem@gate.net (William Beem)
Date: Wed, 4 Dec 1996 20:58:48 +1100 (EDT)
Cc: dcheline@genuity.net, Firewalls@GreatCircle.COM
In-Reply-To: <199612040126.UAA52496@osceola.gate.net> from "William Beem" at Dec 3, 96 08:24:31 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from William Beem, sie said:
>
> More likely that most folks don't know about the security holes in NT yet.
> UNIX holes receive a fair amount of attention, which often causes a furor
> and a fix.
> Microsoft remains rather tight-lipped about holes in Windows NT.
>
>
> I rather prefer the UNIX approach of knowing what's wrong with it, so I can
> make a reasonably intelligent assessment regarding the security of my
> servers. Microsoft seems unwilling to tell me what's wrong with NT. Maybe
> that's why I have more UNIX boxes at work than NT servers.

Considering the last 12 weeks, would you build a firewall using HP-UX ?

I'm working on setting up a secure system and one of the first things I did after installation was:

find / -type f \( -perm -02000 -o -perm -04000 \) -print

sorted out what I wanted to set setuid/setgid and the rest went off! Prior to this 3 months ago, HP-UX had been "quiet" compared to Solaris2 so far as security problems are concerned, but now I guess the push to make it easier to manage for non-root is showing. The number of programs and the list itself of setuid-root things is puzzling, indeed!

Maybe when some of us have replaced all the NT programs with GNU versions, rewritten their network daemons and have more options than the COTS product, it'll be taken more seriously.

To give you an example of problems that are possible, I've seen a custom screenlock written for Windows 3.11 that was vulnerable to a buffer overrun problem.

Also, who wants to run a GUI on their Firewall ? Do all those application proxies need that fancy screen stuff ? Probably not. Are they safe ? Who knows. Can you take it away ? No. Compared to Unix, where all systems by default will work quite well without any GUI so building a Firewall on a stripped-down system becomes much easier.
Darren

From firewalls-owner Wed Dec 4 03:10:58 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA14917 for firewalls-outgoing; Wed, 4 Dec 1996 02:48:44 -0800 (PST)
Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id CAA14865 for ; Wed, 4 Dec 1996 02:48:05 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id FAA27669; Wed, 4 Dec 1996 05:47:38 -0500
Date: Wed, 4 Dec 1996 05:47:38 -0500 (EST)
From: Todd Graham Lewis
To: "<>"
cc: Firewalls@GreatCircle.COM
Subject: Re: Q: Free NAT packages for FreeBSD ??
In-Reply-To: <199612040822.QAA14604@snoopy.ncku.edu.tw>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Dec 1996, <> wrote:

>
> Hi, I am looking for a package which would do the functionality
> of NAT(Network Address Translation ) on FreeBSD or some other
> platforms. I am wondering if there is any one which is freeware
> or shareware ?

Check out IP_Masquerade under Linux. It was among the first NATs available, and from my recollection, it was the first one that worked. It does a good job.

> Thanks for reply.

No problem.

__
Todd Graham Lewis                                          Linux!
Core Engineering                                 Mindspring Enterprises
tlewis@mindspring.com                            (800) 719 4664, x2804

From firewalls-owner Wed Dec 4 03:25:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA15005 for firewalls-outgoing; Wed, 4 Dec 1996 02:50:16 -0800 (PST)
Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id CAA14963 for ; Wed, 4 Dec 1996 02:49:39 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id FAA27684; Wed, 4 Dec 1996 05:49:40 -0500
Date: Wed, 4 Dec 1996 05:49:39 -0500 (EST)
From: Todd Graham Lewis
To: Michael.Kespohl@svp-consult.com
cc: firewalls@GreatCircle.COM
Subject: Re: TIS FWTK and Linux 2.0
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Dec 1996 Michael.Kespohl@svp-consult.com wrote:

> Hello out there!

Hi.

> I recently read that there's a patch necessary for using the TIS FWTK with
> Linux systems, unfortunately there was no source given. Could anyone help
> me getting further information about this? And are there any negative
> experiences with TIS based firewalls?

I'm aware of no such patch; the most recent version of the FWTK works fine for me under the latest 2.0. It might be flocking under smap, but if so it'll only produce annoying warnings.

> Thanks for your help,

No problem. If you do find a problem, please let the list (and me) know.

__
Todd Graham Lewis                                          Linux!
Core Engineering                                 Mindspring Enterprises
tlewis@mindspring.com                            (800) 719 4664, x2804

From firewalls-owner Wed Dec 4 03:57:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA16672 for firewalls-outgoing; Wed, 4 Dec 1996 03:15:13 -0800 (PST)
Received: from srv2.persocom.com.br ([200.239.60.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id DAA16654 for ; Wed, 4 Dec 1996 03:14:40 -0800 (PST)
Received: from oswaldo40 ([200.239.46.76]) by srv2.persocom.com.br (post.office MTA v2.0 0813 ID# 0-12327) with ESMTP id AAA154; Wed, 4 Dec 1996 08:48:40 +0000
From: "Oswaldo Gomes"
To: "Douglas Cheline" , "'Firewalls@GreatCircle.COM'"
Subject: Re: Firewalls over NT vs. UNIX
Date: Wed, 4 Dec 1996 08:45:23 -0300
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <19961204084840622.AAA154@oswaldo40>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't think so... If I use a Windows NT with MS Proxy Server, I'm sure that my network is secure... I can even use IPX on my private LAN... Can you hack this? ;-)

Oswaldo Gomes

----------
> From: Douglas Cheline
> To: 'Firewalls@GreatCircle.COM'
> Subject: RE: Firewalls over NT vs. UNIX
> Date: Tuesday, December 03, 1996 9:08 PM
>
> I guess no-one really wants to touch this subject. Is it perhaps
> because NT really is "very secure" and we can trust it to do security
> firewalling? grin;-)
>
> >Douglas Cheline
> >Senior Consultant Business Solutions
> >
> >G E N U I T Y, Inc.
> >a Bechtel company
> >
> >dcheline@genuity.net
> http://www.genuity.net
>
> >----------
> >From: Douglas Cheline
> >Sent: Sunday, December 01, 1996 3:12 PM
> >To: 'Firewalls@GreatCircle.COM'
> >Subject: Firewalls over NT vs. UNIX
> >
> >
> >The various Firewall vendors that I have spoken to have repeatedly stated
> >that, even though their product does run over NT, running firewalls over UNIX
> >is much more secure. The reasoning I get is that NT has some inherent
> >vulnerabilities that cannot be plugged since the code is proprietary and
> >closed. UNIX on the other hand is standard based and open, plus it has been
> >on the market much longer and more efforts have been placed in plugging the
> >holes there.
> >
> >This sounds nice but not very convincing unless some hard facts are revealed.
> > Can knowledgeable members of this forum tell me what those 'holes' in NT are?
> > and is this a valid argument?
> >
> >disclaimer: I, myself, prefer UNIX based applications but I don't have a
> >facts based argument for that preference when it comes to firewalls.
> >
> >Thanks in advance for your responses.
> >
> >Regards,
> >
> >Douglas Cheline
> >Senior Consultant Business Solutions
> >
> >G E N U I T Y, Inc.
> >a Bechtel company
> >
> >dcheline@genuity.net
> >http://www.genuity.net
>
>

From firewalls-owner Wed Dec 4 04:03:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA17834 for firewalls-outgoing; Wed, 4 Dec 1996 03:37:15 -0800 (PST)
Received: from deere-bh.dx.deere.com (deere-bh.dx.deere.com [207.122.201.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA17685 for ; Wed, 4 Dec 1996 03:36:03 -0800 (PST)
Received: (from uucp@localhost) by deere-bh.dx.deere.com (8.6.12/8.6.11) id FAA28318; Wed, 4 Dec 1996 05:36:13 -0600
Received: from deere.com by deere-bh.dx.deere.com via smap (V1.3) id sma028279; Wed Dec 4 05:36:04 1996
Received: from 90.deere.com (dts.90.deere.com) by deere.dx.deere.com (4.1/SMI-4.0) id AA00372; Wed, 4 Dec 96 05:35:52 CST
Received: from bc17684.deere.com by 90.deere.com (SMI-8.6/SMI-SVR4) id FAA25545; Wed, 4 Dec 1996 05:34:25 -0600
Message-Id: <32A4B1FC.41C0@90.deere.com>
Date: Tue, 03 Dec 1996 17:04:28 -0600
From: Bertrum Carroll
Organization: Deere & Company
X-Mailer: Mozilla 2.01Gold (Win95; I)
Mime-Version: 1.0
To: Nick Keenan
Cc: Bill Heiser , firewalls@GreatCircle.COM
Subject: Re: restricting OUTBOUND access
References: <23514668534765@gsionline.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Unrestricted outbound isn't really that bad. Are your users the only ones on your network? Else you become an internet provider to those connected to your network. Not a really big deal unless you're a lawyer.

From firewalls-owner Wed Dec 4 04:40:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA21188 for firewalls-outgoing; Wed, 4 Dec 1996 04:19:49 -0800 (PST)
Received: from sam.networx.ie (ts17-04.dublin.indigo.ie [194.125.134.120]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA21141 for ; Wed, 4 Dec 1996 04:19:09 -0800 (PST)
Received: from mip1.networx.ie (mip1.networx.ie [194.9.12.1]) by sam.networx.ie (8.6.12/8.6.12) with SMTP id LAA15501; Wed, 4 Dec 1996 11:14:49 GMT
X-Organisation: I.T. NetworX Ltd
X-Business: Network Consultancy and Training
X-Address: 67 Merrion Square, Dublin 2, Ireland
X-Voice: +353-1-676-8866
X-Fax: +353-1-676-8868
Received: from mike.networx.ie by mip1.networx.ie
Date: Wed, 4 Dec 1996 12:05:52 GMT
From: Michael Ryan
Reply-To: mike@NetworX.ie
Subject: Re: Q: Free NAT packages for FreeBSD ??
To: ""
Cc: Firewalls@GreatCircle.COM
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Dec 1996 16:22:39 +0800 wrote:
> Hi, I am looking for a package which would do the functionality
> of NAT(Network Address Translation ) on FreeBSD or some other
> platforms. I am wondering if there is any one which is freeware
> or shareware ?
http://cheops.anu.edu.au/~avalon/ip-filter.html

Bye,
Mike
---

From firewalls-owner Wed Dec 4 04:59:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA21844 for firewalls-outgoing; Wed, 4 Dec 1996 04:37:19 -0800 (PST)
Received: from wormhole.tds.de (wormhole.tds.de [193.28.100.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA21806 for ; Wed, 4 Dec 1996 04:36:57 -0800 (PST)
Received: (from uucp@localhost) by wormhole.tds.de (8.8.0/8.6.9) id NAA14748 for ; Wed, 4 Dec 1996 13:32:34 +0100
Received: from nv6000x.hn.tds.de(193.28.102.69) by wormhole.hn.tds.de via smap (V2.0beta) id xma014744; Wed, 4 Dec 96 13:32:22 +0100
Message-ID: <32A56FAE.59E2@dat.tds.de>
Date: Wed, 04 Dec 1996 13:33:50 +0100
From: Christopher Tighe
Organization: Tele-Daten Service GmbH
X-Mailer: Mozilla 3.0 (X11; I; AIX 2)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Ip Routing on a SUN
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi,

does anyone know how to turn _OFF_ ip routing (forwarding or whatever else SUN wants to call it) on Solaris 2.5.1??? Do I need to regenerate the kernel, or is there an option hidden somewhere that I can't find???

any help would be appreciated,

thanks
chris
-- 
+------------------------------------------------------------+
| Christopher Tighe BSc.(Hons)    Tel: ++49 (0)7131 6235-119 |
| Network Services                Fax: ++49 (0)7131 6235-115 |
| tele-daten service GmbH         E-Mail: ctighe@tds.de      |
| Titotstr. 7-9                                              |
| 74072 Heilbronn                      \"""/                 |
| Germany                              (o o)                 |
+------------------------------------.ooO(_)Ooo.-------------+

From firewalls-owner Wed Dec 4 05:26:22 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA24905 for firewalls-outgoing; Wed, 4 Dec 1996 05:20:17 -0800 (PST)
Received: from relay.interserv.com (relay.interserv.com [165.121.1.67]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA24886 for ; Wed, 4 Dec 1996 05:20:05 -0800 (PST)
From: x1967@iktmail.cph.ih.dk
Received: from 194.182.127.135 ([194.182.127.135]) by relay.interserv.com with SMTP id AA11037 (5.67b/IDA-1.5 for Firewalls@GreatCircle.COM); Wed, 4 Dec 1996 05:20:01 -0800
Date: Wed, 4 Dec 1996 05:20:01 -0800
Message-Id: <199612041320.AA11037@relay.interserv.com>
Subject: How do I get off the list ?
To: Firewalls@GreatCircle.COM
X-Mailer: AIR Mail 3.X (SPRY, Inc.)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Can anyone help me to get off the list ? Please help me.

From firewalls-owner Wed Dec 4 05:40:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA25051 for firewalls-outgoing; Wed, 4 Dec 1996 05:24:40 -0800 (PST)
Received: from www.valuu.net (www.valuu.net [204.252.40.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA25043 for ; Wed, 4 Dec 1996 05:24:27 -0800 (PST)
Received: from fd.valuu.net ([204.252.40.3]) by www.valuu.net (post.office MTA v1.9.1 ID# 0-11837) with SMTP id AAA492 for ; Wed, 4 Dec 1996 08:25:45 -0500
Received: by fd.valuu.net with Microsoft Mail id <01BBE1BB.EE8D6B40@fd.valuu.net>; Wed, 4 Dec 1996 08:19:56 -0500
Message-ID: <01BBE1BB.EE8D6B40@fd.valuu.net>
From: rabbi@www.valuu.net (Rabbi Haim Cassorla)
To: "'firewalls@greatcircle.com'"
Subject: RE: Firewalls over NT vs. UNIX
Date: Wed, 4 Dec 1996 08:19:54 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am, admittedly, not extremely knowledgeable in matters firewallian, however, this thread returns me to my farming days on the collective.

1. Am I correctly understanding that a firewall is designed to stand between a "protected" region and a "suspect" region?"

2. Am I correctly understanding that said firewall should/does/(is designed to) "stand alone?"

3. Did I miss some important piece of data which caused you professionals to begin slinging that farm product, (fertilizer, organic, bovine, male), at each other with regard to the vulnerabilities of the "protected" region, being the dominant determinant as to whether the firewall can hold back the "fire?"

Please enlighten me as to why the firewall should care if it is protecting unix, nt, cpm, or the farmer's underwear.

Thank you,

"Happy Hanukah to all, and to all eight good nights!!!!"

Rabbi

----------
From: Steven Herod[SMTP:sherod@medeserv.com.au]
Sent: Tuesday, December 03, 1996 11:33 PM
To: William Beem
Cc: firewalls@greatcircle.com
Subject: Re: Firewalls over NT vs. UNIX

William Beem wrote:
>
> More likely that most folks don't know about the security holes in NT yet.
> UNIX holes receive a fair amount of attention, which often causes a furor
> and a fix. Microsoft remains rather tight-lipped about holes in Windows NT.

I'd have to disagree with that, a hole in NT would cause just as large a furor as one in Solaris or Netware for that matter. After all it's Microsoft's flagship OS. "The way of the future...". I'd certainly yell loudly.

> I rather prefer the UNIX approach of knowing what's wrong with it, so
> I can make a reasonably intelligent assessment regarding the security
> of my servers. Microsoft seems unwilling to tell me what's wrong with
> NT.
> Maybe that's why I have more UNIX boxes at work than NT servers.

Perhaps we need to ask some questions....

To decide if NT4.0 is insecure:

What holes are in it?
What holes have been patched in past versions?
What do you have to do to a base NT system to secure it as a firewall?
As an apps server?
As a file Server?

To decide if Unix (brand X) is insecure:

What holes are in it?
What holes have been patched in past versions?
What do you have to do to a base Unix system to secure it as a firewall?
As an apps server?
As a file Server?

I dare say if Unix wasn't around, and Microsoft launched one of the early implementations of Unix as SuperNT 1.0 the general consensus would have been to avoid it like the plague because of its security problems.

Please correct me if I'm wrong (politely if possible) - I don't intend to cause offence on this prickly subject.

From firewalls-owner Wed Dec 4 06:11:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA28183 for firewalls-outgoing; Wed, 4 Dec 1996 06:03:39 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA28153 for ; Wed, 4 Dec 1996 06:03:23 -0800 (PST)
Message-Id: <199612041403.GAA28153@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA106258190; Thu, 5 Dec 1996 01:03:10 +1100
From: Darren Reed
Subject: Re: Firewalls over NT vs. UNIX
To: rabbi@www.valuu.net (Rabbi Haim Cassorla)
Date: Thu, 5 Dec 1996 01:03:10 +1100 (EDT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <01BBE1BB.EE8D6B40@fd.valuu.net> from "Rabbi Haim Cassorla" at Dec 4, 96 08:19:54 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Rabbi Haim Cassorla, sie said:
>
> Please enlighten me as to why the firewall should care if it is
> protecting unix, nt, cpm, or the farmer's underwear.
You've missed the point of the discussion. The Unix/NT/CPM or farmer's underwear is part of the firewall. Firewall software is one part, the hardware is another and the OS yet another. If they can compromise your HW, you've got other problems but if they can compromise your firewall because your OS can't provide the required support for the f/w, do you stick with that OS ?

Darren

From firewalls-owner Wed Dec 4 06:25:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA29620 for firewalls-outgoing; Wed, 4 Dec 1996 06:17:38 -0800 (PST)
Received: from srv2.persocom.com.br ([200.239.60.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA29553 for ; Wed, 4 Dec 1996 06:17:17 -0800 (PST)
Received: from oswaldo40 ([200.239.46.76]) by srv2.persocom.com.br (post.office MTA v2.0 0813 ID# 0-12327) with ESMTP id AAA196; Wed, 4 Dec 1996 11:47:22 +0000
From: "Oswaldo Gomes"
To: ,
Subject: Re: NT firewalls / Eagle
Date: Wed, 4 Dec 1996 11:47:03 -0300
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-ID: <19961204114721668.AAA196@oswaldo40>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yes... Microsoft Proxy Server, for example.. ;-)

Oswaldo Gomes

----------
> From: Michael.Kespohl@svp-consult.com
> To: firewalls@GreatCircle.COM
> Subject: NT firewalls / Eagle
> Date: Wednesday, December 04, 1996 5:28 AM
>
>
>
>
>
> Hello everybody,
>
> are there any firewall systems for Windows NT (commercial or not) besides
> the Eagle system?
>
> Thanks for your help
>
> Michael.Kespohl@svp-consult.com
>

From firewalls-owner Wed Dec 4 07:12:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA29461 for firewalls-outgoing; Wed, 4 Dec 1996 06:15:11 -0800 (PST)
Received: from gw.iai.com (gw.iai.com [206.64.157.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA29434 for ; Wed, 4 Dec 1996 06:14:57 -0800 (PST)
Received: by gw.iai.com; id JAA21373; Wed, 4 Dec 1996 09:14:52 -0500 (EST)
Received: from milford.iai.com(192.206.185.2) by gw.iai.com via smap (3.2) id xma021371; Wed, 4 Dec 96 09:14:34 -0500
Received: by milford.iai.com (AIX 4.1/UCB 5.64/4.03) id AA20162; Wed, 4 Dec 1996 09:14:48 -0500
From: jegan@iai.com (James Egan)
Message-Id: <9612041414.AA20162@milford.iai.com>
Subject: Re: NT firewalls / Eagle
To: Michael.Kespohl@svp-consult.com
Date: Wed, 4 Dec 1996 09:14:48 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Michael.Kespohl@svp-consult.com" at Dec 4, 96 10:28:34 am
Reply-To: Jim.Egan@iai.com
Organization: Integrated Architectures, Inc.
Pgp-Fingerprint: 64 47 DC 51 D9 11 1D FF 31 43 9C 4C E2 A1 FC 04
Pgp-Public-Key: public-key-server@martigny.ai.mit.edu (subject: GET jegan)
X-Mailer: ELM [version 2.4 PL24 ME5a]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael.Kespohl@svp-consult.com recently wrote:
>
>
>
>
>
> Hello everybody,
>
> are there any firewall systems for Windows NT (commercial or not) besides
> the Eagle system?
>
> Thanks for your help
>
> Michael.Kespohl@svp-consult.com
>
>

Trusted Information Systems (TIS) just announced Gauntlet NT.

/Jim/
-- 
James P. Egan                     | Jim.Egan@iai.com
Integrated Architectures, Inc.    | http://www.iai.com
300 East Main Street, Suite 207   | Tel: 508-634-3200 x209
Milford, MA 01757                 | Fax: 508-634-8381
Use PGP for more secure email

From firewalls-owner Wed Dec 4 07:15:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA00721 for firewalls-outgoing; Wed, 4 Dec 1996 06:31:22 -0800 (PST)
Received: from gate.ups.com (gate.ups.com [198.80.14.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA00714 for ; Wed, 4 Dec 1996 06:31:13 -0800 (PST)
Received: by gate.ups.com id AA08752 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Wed, 4 Dec 1996 09:31:10 -0500
Received: by gate.ups.com (Protected-side Proxy Mail Agent-2); Wed, 4 Dec 1996 09:31:10 -0500
Received: by gate.ups.com (Protected-side Proxy Mail Agent-1); Wed, 4 Dec 1996 09:31:10 -0500
Date: Wed, 4 Dec 1996 09:31:06 -0500 (EST)
From: Dave Wreski
X-Sender: tel1dvw@butthead
To: Christopher Tighe
Cc: firewalls@greatcircle.com
Subject: Re: Ip Routing on a SUN
In-Reply-To: <32A56FAE.59E2@dat.tds.de>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think this will do what you want:

# ndd -set /dev/ip ip_forwarding 0

You can see a list of available tunable parameters by typing:

# ndd /dev/ip \?

Dave

On Wed, 4 Dec 1996, Christopher Tighe wrote:

> hi,
>
> does anyone know how to turn _OFF_ ip routing (forwarding or
> whatever else SUN wants to call it) on Solaris 2.5.1??? Do
> I need to regenerate the kernel, or is there an option
> hidden somewhere that I can't find???

-----------------------------------------------------------------------
"The opinions expressed here are my own and do not represent the views or opinions of United Parcel Service, Inc."
-----------------------------------------------------------------------
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

From firewalls-owner Wed Dec 4 07:17:56 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA00430 for firewalls-outgoing; Wed, 4 Dec 1996 06:26:45 -0800 (PST)
Received: from Arbitrade.COM (iafsrv.arbitrade.com [204.242.156.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA00413 for ; Wed, 4 Dec 1996 06:26:31 -0800 (PST)
Received: from andrews.Arbitrade.COM (andrews.arbitrade.com [204.242.156.137]) by Arbitrade.COM (8.7.5/8.6.9) with ESMTP id IAA01632; Wed, 4 Dec 1996 08:30:20 -0600 (CST)
Received: (from andrew@localhost) by andrews.Arbitrade.COM (SMI-8.6/8.6.9) id IAA01599; Wed, 4 Dec 1996 08:23:24 -0600
From: "Andrew A. Benson"
Message-Id: <199612041423.IAA01599@andrews.Arbitrade.COM>
Subject: Re: Ip Routing on a SUN
To: ctighe@dat.tds.de (Christopher Tighe)
Date: Wed, 4 Dec 1996 08:23:24 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <32A56FAE.59E2@dat.tds.de> from "Christopher Tighe" at Dec 4, 96 01:33:50 pm
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> hi,
>
> does anyone know how to turn _OFF_ ip routing (forwarding or
> whatever else SUN wants to call it) on Solaris 2.5.1??? Do
> I need to regenerate the kernel, or is there an option
> hidden somewhere that I can't find???
>
> any help would be appreciated,
>
> thanks
> chris

Hi Chris,

Try this:

/usr/sbin/ndd -set /dev/ip ip_forwarding 0

No kernel rebuild is necessary.

Andrew

> --
> +------------------------------------------------------------+
> | Christopher Tighe BSc.(Hons)    Tel: ++49 (0)7131 6235-119 |
> | Network Services                Fax: ++49 (0)7131 6235-115 |
> | tele-daten service GmbH         E-Mail: ctighe@tds.de      |
> | Titotstr. 7-9                                              |
> | 74072 Heilbronn                      \"""/                 |
> | Germany                              (o o)                 |
> +------------------------------------.ooO(_)Ooo.-------------+
>
-- 
Andrew Benson
System & Network Administrator
andrew@arbitrade.com
Arbitrade, LLC

From firewalls-owner Wed Dec 4 07:53:05 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA04107 for firewalls-outgoing; Wed, 4 Dec 1996 07:23:07 -0800 (PST)
Received: from mail13.digital.com (mail13.digital.com [192.208.46.30]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA04076 for ; Wed, 4 Dec 1996 07:22:46 -0800 (PST)
From: chen@ibg.ljo.dec.com
Received: from vanna.ljo.dec.com by mail13.digital.com (8.7.5/UNX 1.5/1.0/WV) id KAA29424; Wed, 4 Dec 1996 10:14:37 -0500 (EST)
Received: from ibgcore1.ibg.ljo.dec.com by vanna.ljo.dec.com; (5.65v3.2/1.1.8.2/07Oct96-0216PM) id AA18102; Wed, 4 Dec 1996 10:15:38 -0500
Received: from tracy.ibg.ljo.dec.com by ibgcore1.ibg.ljo.dec.com; (5.65v3.2/1.1.8.2/18Apr96-1020AM) id AA06657; Wed, 4 Dec 1996 10:14:35 -0500
Message-Id: <9612041514.AA06657@ibgcore1.ibg.ljo.dec.com>
To: Michael.Kespohl@svp-consult.com
Cc: firewalls@GreatCircle.COM, chen@ibg.ljo.dec.com
Subject: Re: NT firewalls / Eagle
In-Reply-To: Your message of "Wed, 04 Dec 96 10:28:34 +0200."
Date: Wed, 04 Dec 96 10:23:40 -0500
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

AltaVista Firewall for NT, visit http://www.altavista.software.digital.com/firewall/index.htm

Tracy

From firewalls-owner Wed Dec 4 08:03:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01347 for firewalls-outgoing; Wed, 4 Dec 1996 06:38:44 -0800 (PST)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA01296 for ; Wed, 4 Dec 1996 06:38:11 -0800 (PST)
Received: by gauntlet-1.trusted.com; id JAA16119; Wed, 4 Dec 1996 09:47:22 -0500
Received: from dira.rv.tis.com(10.0.1.43) by gauntlet-1.trusted.com via smap (V3.1.1) id xma016073; Wed, 4 Dec 96 09:46:59 -0500
Received: from unit65.rv.tis.com (dyn173.trusted.com [10.0.1.173]) by dira.rv.tis.com (8.7.4/8.7.3) with SMTP id JAA22979; Wed, 4 Dec 1996 09:33:15 -0500 (EST)
Message-Id: <3.0.32.19961204092903.006e5088@pop.rv.tis.com>
X-Sender: avolio@pop.rv.tis.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 04 Dec 1996 09:35:44 -0500
To: "Terry L. Bernstein" , mike@ptes.com (Mike Bernhardt)
From: Frederick M Avolio
Subject: Re: PIX and Gauntlet
Cc: firewalls@greatcircle.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Gauntlet:
> ... It is much harder to
>configure and uses cryptic text files (at least in the last version I saw).
> ... will take more effort to install.

You must have looked at an old version. GUI interface, installs in a short while.
f

From firewalls-owner Wed Dec 4 08:04:27 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA03229 for firewalls-outgoing; Wed, 4 Dec 1996 07:11:30 -0800 (PST)
Received: from omsk.quadrix.com (omsk.yourtown.com [205.246.66.7]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA03215 for ; Wed, 4 Dec 1996 07:11:23 -0800 (PST)
Received: by omsk.quadrix.com (4.1/SMI-4.1) id AA02625; Wed, 4 Dec 96 10:21:53 EST
Date: Wed, 4 Dec 96 10:21:53 EST
From: bve@yourtown.com (BVE)
Message-Id: <9612041521.AA02625@omsk.quadrix.com>
To: firewalls@greatcircle.com
Subject: Re: Firewalls over NT vs. UNIX
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Date: Wed, 04 Dec 1996 14:33:51 +1000
From: Steven Herod

William Beem wrote:
> More likely that most folks don't know about the security holes in NT yet
> UNIX holes receive a fair amount of attention, which often causes a furor
> and a fix. Microsoft remains rather tight-lipped about holes in Windows
> NT.

I'd have to disagree with that, a hole in NT would cause just as large a
furor as one in Solaris or Netware for that matter. After all it's
Microsoft's flagship OS. "The way of the future...". I'd certainly yell
loudly.

The problem, IMHO, is finding the bugs, and then advertising their
existence, and their fix. MS doesn't let you see the source; Unix does.
While you or I may not care to look at it, there are many who do. If you
watch some other security lists (like Bugtraq), you will find that people
regularly scour the various Unix sources for buffer-overruns, etc. They
then report on a "weakness, which may or may not be exploitable." Often,
someone else then creates the exploit code, and a fix to prevent the
problem (if the fix wasn't already provided by the discoverer). This is
good. There is also an extensive reporting system for Unix bugs, and Unix
vendors have been trained to respond quickly.
My perception is that MS, on the other hand, does not work quite so hard
to disseminate bug fixes. They certainly don't like to tell you what
problems exist. For other reasons, they don't release their source
(except at high cost). This prevents the easy discovery of theoretical
problems, which would otherwise be corrected.

Don't be fooled by security through obscurity! The hackers find the holes
-- we might as well, too! Remember, the MS coders are human, too. Their
code contains bugs, just like Unix. It's just a matter of finding them,
so the decision is about the difficulties in finding and fixing them....

--
Bill Van Emburg                      Phone: 908-235-2335
Quadrix Solutions, Inc.              Fax:   908-235-2336
(bve@quadrix.com)                    Check out http://yourtown.com!
(http://quadrix.com)
"You do what you want, and if you didn't, you don't"

From firewalls-owner Wed Dec 4 08:16:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01346 for firewalls-outgoing; Wed, 4 Dec 1996 06:38:44 -0800 (PST)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA01295 for ; Wed, 4 Dec 1996 06:38:10 -0800 (PST)
Received: by gauntlet-1.trusted.com; id JAA16093; Wed, 4 Dec 1996 09:47:21 -0500
Received: from dira.rv.tis.com(10.0.1.43) by gauntlet-1.trusted.com via smap (V3.1.1) id xma016074; Wed, 4 Dec 96 09:46:59 -0500
Received: from unit65.rv.tis.com (dyn173.trusted.com [10.0.1.173]) by dira.rv.tis.com (8.7.4/8.7.3) with SMTP id JAA22982; Wed, 4 Dec 1996 09:33:16 -0500 (EST)
Message-Id: <3.0.32.19961204093035.006e5ffc@pop.rv.tis.com>
X-Sender: avolio@pop.rv.tis.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 04 Dec 1996 09:35:44 -0500
To: Gilbert Soueidy , Great Circle Firewall Mailing List
From: Frederick M Avolio
Subject: Re: Sockd on TIS
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:43
AM 12/4/96 +0100, Gilbert Soueidy wrote:
>Hi,
>
>Is there is a Sockd package by default on Gauntlet TIS proxy ?

No. Is there a need for one? (I am serious. Wow... my second serious note
to this mailing list today! I apologize to those who anxiously read my
postings for my wit and whimsy. There, that's better. :-))

Fred

From firewalls-owner Wed Dec 4 08:48:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA03591 for firewalls-outgoing; Wed, 4 Dec 1996 07:15:41 -0800 (PST)
Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA03486 for ; Wed, 4 Dec 1996 07:15:13 -0800 (PST)
Received: (from smap@localhost) by ereapp.erenj.com (8.8.3/8.8.3) id KAA11427 for ; Wed, 4 Dec 1996 10:15:14 -0500
Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma011408; Wed Dec 4 10:14:53 1996
Received: from clmail1.erenj.com (clmail1.erenj.com [159.70.1.22]) by eredns.erenj.com (8.7.4/8.7.3) with ESMTP id KAA27260 for ; Wed, 4 Dec 1996 10:14:52 -0500
Received: from tiger ([159.129.116.3]) by clmail1.erenj.com (post.office MTA v1.9.3 ID# 0-11437) with SMTP id AAA184; Wed, 4 Dec 1996 09:55:42 -0500
Message-ID: <32A5953E.63DECDAD@erenj.com>
Date: Wed, 04 Dec 1996 09:14:06 -0600
From: Andy Howard
Organization: Exxon Computing Services
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 4.1.4 sun4c)
MIME-Version: 1.0
To: Rabbi Haim Cassorla
CC: firewalls@greatcircle.com
Subject: Re: Firewalls over NT vs. UNIX
References: <01BBE1BB.EE8D6B40@fd.valuu.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rabbi Haim Cassorla wrote:
>
> I am, admittedly, not extremely knowledgeable in matters firewallian,
> however, this thread returns me to my farming days on the collective.
>
> 1.
> Am I correctly understanding that a firewall is designed to stand
> between a "protected" region and a "suspect" region?"

Sounds good, so far.

> 2. Am I correctly understanding that said firewall should/does/(is
> designed to) "stand alone?"

Uuhhh, okay, it stands alone, but is still subject to the weaknesses of
its operating system... from this viewpoint, it is just another device to
be attacked.

> 3. Did I miss some important piece of data which caused you
> professionals to begin slinging that farm product, (fertilizer, organic,
> bovine, male), at each other with regard to the vulnerabilities of the
> "protected" region, being the dominant determinant as to whether the
> firewall can hold back the "fire?"
>

The slinging/discussion is about the operating system of the firewall and
its vulnerabilities, I believe, not the protected or unprotected regions.
(see #2)

> Please enlighten me as to why the firewall should care if it is
> protecting unix, nt, cpm, or the farmer's underwear.
>

Correct, firewall doesn't care what it is protecting.

< rest of msg snipped>

--
Andy Howard        713-656-4396        achowar@erenj.com
"Think hard! Think Fast! Think Often! But Think!"
The contents of this note are my opinion and should be treated only as that.
From firewalls-owner Wed Dec 4 09:04:16 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA09974 for firewalls-outgoing; Wed, 4 Dec 1996 08:33:14 -0800 (PST)
Received: from mail-out2.apple.com (mail-out2.apple.com [17.254.0.51]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA09964 for ; Wed, 4 Dec 1996 08:33:05 -0800 (PST)
Received: from scv1.apple.com (A17-128-100-119.apple.com [17.128.100.119]) by mail-out2.apple.com (8.7.5/8.7.3) with ESMTP id IAA74756 for ; Wed, 4 Dec 1996 08:31:41 -0800
Received: from [17.221.23.212] (syedri.apple.com [17.221.23.212]) by scv1.apple.com (8.7.5/8.7.3) with SMTP id IAA10244 for ; Wed, 4 Dec 1996 08:33:45 -0800
X-Sender: syed1@mail.apple.com (Unverified)
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 4 Dec 1996 08:33:12 -0800
To: Firewalls@GreatCircle.COM
From: syed1@apple.com (riaz syed)
Subject: get off the list?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi:

Can anyone advise me how to get off the list. I'd appreciate a quick
response.
Thanks
-Riaz

From firewalls-owner Wed Dec 4 09:08:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01085 for firewalls-outgoing; Wed, 4 Dec 1996 06:35:47 -0800 (PST)
Received: from gate.ups.com (gate.ups.com [198.80.14.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA01057 for ; Wed, 4 Dec 1996 06:35:35 -0800 (PST)
Received: by gate.ups.com id AA08886 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Wed, 4 Dec 1996 09:35:26 -0500
Received: by gate.ups.com (Protected-side Proxy Mail Agent-2); Wed, 4 Dec 1996 09:35:26 -0500
Received: by gate.ups.com (Protected-side Proxy Mail Agent-1); Wed, 4 Dec 1996 09:35:26 -0500
Date: Wed, 4 Dec 1996 09:35:23 -0500 (EST)
From: Dave Wreski
X-Sender: tel1dvw@butthead
To: Christopher Tighe
Cc: firewalls@greatcircle.com
Subject: Re: Ip Routing on a SUN
In-Reply-To: <32A56FAE.59E2@dat.tds.de>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ah shoot. You ever wish you could take a message back? :)

Correction:

    # ndd -set /dev/ip ip_forwarding 0

will turn it off.

Dave
-----------------------------------------------------------------------
"The opinions expressed here are my own and do not represent the views
or opinions of United Parcel Service, Inc."
-----------------------------------------------------------------------
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

From firewalls-owner Wed Dec 4 09:12:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA10041 for firewalls-outgoing; Wed, 4 Dec 1996 08:34:16 -0800 (PST)
Received: from mn1.swip.net (mn1.swip.net [192.71.180.97]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA10033 for ; Wed, 4 Dec 1996 08:34:00 -0800 (PST)
Received: by mn1.swip.net (8.8.2/2.01) id QAA09674; Wed, 4 Dec 1996 16:31:44 GMT
Message-ID: <199612041631.QAA09674@mn1.swip.net>
Received: by scc.se (MG PM3-Waf 3.41); Wed, 4 Dec 96 17:01:55 +0100 (GMT)
From: KNNSCC@scc.se (Klas Nilsson)
To: firewalls@GreatCircle.COM
Date: Wed, 4 Dec 1996 10:11:49 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: AltaVista Firewall !?
Reply-to: SCCAB_STH1/KNNSCC
X-mailer: Pegasus Mail for Windows (v2.23SE)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Howdy ya all...

I have followed this group for about one week, haven't heard any of you
mention the AltaVista Firewall. I'm evaluating the AltaVista Firewall for
a major company in Sweden. And I'm kind'a new on this territory of
Firewalls. Have YOU any good or bad experience of the AltaVista Firewall
(Digital), please send me a line.

I'm also evaluating the estimated need for bandwidth, what do you think of
this. A company with 1100+ e-mail accounts, and about 50 persons need to
surf on this line. Would 256Kbit/s be enough, or does this company need
higher capacity?

YOU can help me, by telling me what you think.
klas@pseci.se

Scandiaconsult AB / IT Department
Klas "Nisse fran TeamWork" Nilsson
Tel: 08-615 60 41    Fax: 08-702 19 16
private e-mail: klas@pseci.se

From firewalls-owner Wed Dec 4 09:14:26 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA05398 for firewalls-outgoing; Wed, 4 Dec 1996 07:44:19 -0800 (PST)
Received: from INET-03-IMC.itg.microsoft.com (mail3.microsoft.com [131.107.3.23]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA05382 for ; Wed, 4 Dec 1996 07:44:12 -0800 (PST)
Received: by INET-03-IMC.itg.microsoft.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBE1B7.13848FA0@INET-03-IMC.itg.microsoft.com>; Wed, 4 Dec 1996 07:45:10 -0800
Message-ID:
From: Wendy Hedgpeth
To: "'firewalls@greatcircle.com'"
Cc: Steve Pogge
Subject: Netbios proxy
Date: Wed, 4 Dec 1996 07:42:26 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone know of a firewall package that has a netbios proxy? Please
reply directly to me. I am not on this alias.
thanks,
Wendy Hedgpeth
Microsoft Premier technical account manager
wendyhe@microsoft.com
(704)-582-8522

From firewalls-owner Wed Dec 4 09:38:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA05444 for firewalls-outgoing; Wed, 4 Dec 1996 07:44:50 -0800 (PST)
Received: from mail-e2b.gnn.com (mail-e2b.gnn.com [204.148.102.170]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA05405 for ; Wed, 4 Dec 1996 07:44:34 -0800 (PST)
Received: from 66-7.client.gnn.com (66-7.client.gnn.com [205.188.66.7]) by mail-e2b.gnn.com (8.7.6/8.7.3/GNN-1.0.7) with SMTP id KAA11800; Wed, 4 Dec 1996 10:44:30 -0500 (EST)
Date: Wed, 4 Dec 1996 10:44:30 -0500 (EST)
Message-Id: <199612041544.KAA11800@mail-e2b.gnn.com>
X-Sender: FSymington@pop.gnn.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: WarRoom2@aol.com
From: "F.S. Symington"
Subject: Re: WarRoom ISS Survey -- Gembicki's Comments
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:54 AM 12/3/96 -0500, WarRoom2@aol.com wrote:
>Anyone interested in WarRoom Research's comments on the 1996 Information
>Systems Security Survey should contact me directly at the numbers listed
>below. I would be happy to discuss the project's objectives, methodology,
>and analysis as well as some of the data/information that was NOT released.
>

I would be quite interested in reading any papers developed from the
survey results. Please let me know what is available and how I would
locate such information.
Thanks

fss
=====================================================
Fred Symington             ||  FSymington@gnn.com
WYLE Electronics           ||  Voice 203.269.1765
1062 Barnes Road #300      ||  Fax   203.269.1879
Wallingford, CT 06492      ||        or .7507
=====================================================

From firewalls-owner Wed Dec 4 09:38:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01336 for firewalls-outgoing; Wed, 4 Dec 1996 06:38:38 -0800 (PST)
Received: from gauntlet-1.trusted.com (gauntlet-1.trusted.com [204.254.155.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA01293 for ; Wed, 4 Dec 1996 06:38:10 -0800 (PST)
Received: by gauntlet-1.trusted.com; id JAA16092; Wed, 4 Dec 1996 09:47:20 -0500
Received: from dira.rv.tis.com(10.0.1.43) by gauntlet-1.trusted.com via smap (V3.1.1) id xma016069; Wed, 4 Dec 96 09:46:57 -0500
Received: from unit65.rv.tis.com (dyn173.trusted.com [10.0.1.173]) by dira.rv.tis.com (8.7.4/8.7.3) with SMTP id JAA22976; Wed, 4 Dec 1996 09:33:14 -0500 (EST)
Message-Id: <3.0.32.19961204092604.006c0720@pop.rv.tis.com>
X-Sender: avolio@pop.rv.tis.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 04 Dec 1996 09:35:43 -0500
To: mike@ptes.com (Mike Bernhardt), firewalls@greatcircle.com
From: Frederick M Avolio
Subject: Re: PIX and Gauntlet
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, you can imagine my opinion, so I won't give it. I have a question
for you though. What do you define as a "real firewall?" I'd not define a
packet filter -- dynamic, stateful, or otherwise -- as a real firewall in
some discussions. In other discussions, I'd say a router, even without
filtering is a firewall. (It depends on your definition of "fire," and I
am not being facetious here.)
Fred

At 05:55 PM 12/3/96 -0900, Mike Bernhardt wrote:
>I question as a relative newcomer:
>Right now the internet connection at this location is protected with packet
>filtering with a Cisco router. I want to put a real firewall product in
>place.
>
>I'd like opinions on which y'all think is better and why (price aside): a
>Cisco PIX, or Gauntlet on an Ultra1 with 2 Ethernet cards.
>
>
>
>-------------------------------------------------------------
>"He who dies with the most toys, still dies."
>
>
>

From firewalls-owner Wed Dec 4 09:44:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA09580 for firewalls-outgoing; Wed, 4 Dec 1996 08:27:05 -0800 (PST)
Received: from litle.net (wizard.litle.com [205.139.20.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA09563 for ; Wed, 4 Dec 1996 08:26:55 -0800 (PST)
Received: from s_khan.litle.net by litle.net (SMI-8.6/SMI-SVR4) id LAA03217; Wed, 4 Dec 1996 11:23:26 -0500
Message-Id: <2.2.32.19961204164508.009c9820@litle.net>
X-Sender: s_khan@litle.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 04 Dec 1996 11:45:08 -0500
To: Christopher Tighe , firewalls@greatcircle.com
From: "Saqib A. Khan"
Subject: Re: Ip Routing on a SUN
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Take a look @ - /etc/init.d/inetinit

it'll say something like -

    ndd -set /dev/ip ip_forwarding 1

1= on, 2=off
Change it to 0 to turn it off.

At 01:33 PM 12/4/96 +0100, Christopher Tighe wrote:
>hi,
>
> does anyone know how to turn _OFF_ ip routing (forwarding or
>whatever else SUN wants to call it) on Solaris 2.5.1??? Do
>I need to regenerate the Kernel, or is there an option
>hidden somewhere that I can't find???
>
>any help would be appreciated,
>
>thanks
>chris

PS: Pls CC all mail to me @ -
---------------------------------------------------
Saqib A.
Khan, Principal
Secure Networks Corporation
Main: 800-357-0208    Fax: 617-738-6060    Direct: 617-872-8865
Saqib_Khan@snc-net.com
---------------------------------------------------
"Sed quis custodiet ipsos custodes?"   -Juvenal, c. 100 C.E.
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/

From firewalls-owner Wed Dec 4 09:59:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01794 for firewalls-outgoing; Wed, 4 Dec 1996 06:47:05 -0800 (PST)
Received: from jupiter.kleline.fr (jupiter.kleline.fr [194.250.17.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA01787 for ; Wed, 4 Dec 1996 06:46:55 -0800 (PST)
Received: by jupiter.kleline.fr; id PAA04186; Wed, 4 Dec 1996 15:49:10 +0100 (MET)
Received: from unknown(172.25.200.22) by jupiter.kleline.fr via smap (V3.1.1) id xma004177; Wed, 4 Dec 96 15:48:46 +0100
Received: from sirene. by zeus.kleline.fr (SMI-8.6/SMI-SVR4) id PAA15786; Wed, 4 Dec 1996 15:44:14 +0100
Received: from sirene by sirene. (SMI-8.6/SMI-SVR4) id PAA09611; Wed, 4 Dec 1996 15:44:55 +0100
Message-ID: <32A58E67.55A5@kleline.fr>
Date: Wed, 04 Dec 1996 15:44:55 +0100
From: Gilbert Soueidy
Organization: KLELine
X-Mailer: Mozilla 3.0Gold (X11; I; SunOS 5.5 sun4m)
MIME-Version: 1.0
To: Great Circle Firewall Mailing List
Subject: Re: Sockd on TIS
References: <3.0.32.19961204093035.006e5ffc@pop.rv.tis.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frederick M Avolio wrote:
>
> At 09:43 AM 12/4/96 +0100, Gilbert Soueidy wrote:
> >Hi,
> >
> >Is there is a Sockd package by default on Gauntlet TIS proxy ?
>
> No. Is there a need for one? (I am serious. Wow... my second serious note
> to this mailing list today! I apologize to those who anxiously read my
> postings for my wit and whimsy. There, that's better.
> :-))
>
> Fred

Well, I don't know there is really a need for one, but some applications
that run under win95 and that remote-telnet, have only the socks
configuration in their options; they don't support proxy configuration;
what is the solution in this case ?

--
Gilbert Soueidy                KLELine; 8 Rue Galilee-BP 437
System Engineer                75769 Paris Cedex 16-FRANCE
Voice: + 33 1 53 57 00 75      mailto:gsoueidy@kleline.fr
Fax  : + 33 1 53 57 00 50      http://www.kleline.fr

From firewalls-owner Wed Dec 4 10:26:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA07642 for firewalls-outgoing; Wed, 4 Dec 1996 08:04:56 -0800 (PST)
Received: from efreeti.trigraph.on.ca (trigraph.interlog.com [199.212.152.228]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA07592 for ; Wed, 4 Dec 1996 08:04:33 -0800 (PST)
Received: from titan.trigraph.on.ca (titan [199.246.215.1]) by efreeti.trigraph.on.ca (8.7.5/8.7.3) with SMTP id LAA21395; Wed, 4 Dec 1996 11:04:17 -0500 (EST)
Received: (from les@localhost) by titan.trigraph.on.ca (8.6.12/8.6.12) id LAA04459; Wed, 4 Dec 1996 11:04:09 -0500
From: Les Gondor
Message-Id: <199612041604.LAA04459@titan.trigraph.on.ca>
Subject: Re: Ip Routing on a SUN
To: firewalls@greatcircle.com
Date: Wed, 4 Dec 1996 11:04:08 -0500 (EST)
Cc: ctighe@dat.tds.de
In-Reply-To: <199612041423.IAA01599@andrews.Arbitrade.COM> from "Andrew A. Benson" at Dec 4, 96 08:23:24 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > hi,
> > >
> > > does anyone know how to turn _OFF_ ip routing (forwarding or
> > > whatever else SUN wants to call it) on Solaris 2.5.1??? Do
> > > I need to regenerate the Kernel, or is there an option
> > > hidden somewhere that I can't find???
[ snip ]
> Hi Chris,
>
> Try this:
>
> /usr/sbin/ndd -set /dev/ip ip_forwarding 0
[snip]
> --
> Andrew Benson          System & Network Administrator
> andrew@arbitrade.com   Arbitrade, LLC
>

Besides the use of ndd (which would have to go in /etc/init.d/inetinit),
you could also touch /etc/notrouter. Minor surgery performed on inetinit
will also prevent routing from coming up. Beware upgrades that may
overwrite your changes to inetinit.

---
Les Gondor, Gandalf Graphics.   les@trigraph.on.ca
Let a smile be your umbrella and you'll wind up with a mouthful of rain.

From firewalls-owner Wed Dec 4 10:45:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA07797 for firewalls-outgoing; Wed, 4 Dec 1996 08:06:45 -0800 (PST)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA07729 for ; Wed, 4 Dec 1996 08:06:13 -0800 (PST)
Received: from cwiz.com by relay3.UU.NET with SMTP (peer crosschecked as: [208.194.52.10]) id QQbsqq24061; Wed, 4 Dec 1996 11:06:13 -0500 (EST)
Received: by cwiz.com (SMI-8.6/SMI-SVR4) id KAA21301; Wed, 4 Dec 1996 10:05:46 -0600
Date: Wed, 4 Dec 1996 10:05:46 -0600
From: mdb@dosmanos.cwiz.com (Martin D. Baldenegro)
Message-Id: <199612041605.KAA21301@cwiz.com>
To: ctighe@dat.tds.de
Subject: Re: Ip Routing on a SUN
Cc: firewalls@greatcircle.com
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chris,

From the man pages for Solaris 2.5.1:

     The following command sets the value of the parameter
     ip_forwarding in the IP driver to zero. This disables IP
     packet forwarding.

          example% ndd -set /dev/ip ip_forwarding 0

     To view the current IP forwarding table, use the following
     command:

          example% ndd /dev/ip ip_ire_status

You can do a man on ndd to get the information.
Martin
" Been there, Done it, got a T-shirt "

----- Begin Included Message -----

From ctighe@dat.tds.de Wed Dec 4 08:01:39 1996
Date: Wed, 04 Dec 1996 13:33:50 +0100
From: Christopher Tighe
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: Ip Routing on a SUN
Content-Transfer-Encoding: 7bit

hi,

 does anyone know how to turn _OFF_ ip routing (forwarding or
whatever else SUN wants to call it) on Solaris 2.5.1??? Do
I need to regenerate the Kernel, or is there an option
hidden somewhere that I can't find???

any help would be appreciated,

thanks
chris

--
+------------------------------------------------------------+
|  Christopher Tighe BSc.(Hons)   Tel: ++49 (0)7131 6235-119 |
|  Network Services               Fax: ++49 (0)7131 6235-115 |
|  tele-daten service GmbH        E-Mail: ctighe@tds.de      |
|  Titotstr. 7-9                                             |
|  74072 Heilbronn                        \"""/              |
|  Germany                                (o o)              |
+------------------------------------.ooO(_)Ooo.-------------+

----- End Included Message -----

From firewalls-owner Wed Dec 4 10:55:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA06407 for firewalls-outgoing; Wed, 4 Dec 1996 07:54:55 -0800 (PST)
Received: from landfield.com (rkive.landfield.com [208.196.145.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA06346 for ; Wed, 4 Dec 1996 07:54:34 -0800 (PST)
Received: (from kent@localhost) by landfield.com (8.7.5/8.7.3) id JAA20663; Wed, 4 Dec 1996 09:54:18 -0600 (CST)
From: Kent Landfield
Message-Id: <199612041554.JAA20663@landfield.com>
Subject: Re: Firewalls over NT vs.
UNIX
To: sherod@medeserv.com.au
Date: Wed, 4 Dec 1996 09:54:18 -0600 (CST)
Cc: wrbeem@gate.net, firewalls@GreatCircle.COM
In-Reply-To: <32A4FF2F.40D7@medeserv.com.au> from "Steven Herod" at Dec 4, 96 02:33:51 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

# > More likely that most folks don't know about the security holes in NT yet.
# > UNIX holes receive a fair amount of attention, which often causes a furor
# > and a fix. Microsoft remains rather tight-lipped about holes in Windows NT.
#
# I'd have to disagree with that, a hole in NT would cause just as large a
# furor
# as one in Solaris or Netware for that matter. After all it's Microsoft's
# flagship
# OS. "The way of the future...". I'd certainly yell loudly.

If you knew about it. The point is that the Unix sources which formed the
basis for most commercial versions are publicly available. The community
can, has, and is reviewing those sources looking for potential
vulnerabilities. Armed with a base knowledge, some then attempt to exploit
them on their favorite versions of Unix. There is no basis for this type
of "research" in NT and only after you stumble on a serious problem has
any mention been forthcoming from Microsoft.

# To decide if NT4.0 is insecure:
# What holes are in it? What holes have been patched in past versions?
# What do you have to do to a base NT system to secure it as a firewall?
# As an apps server?
# As a file Server?
#
# To decide if Unix (brand X) is insecure:
# What holes are in it? What holes have been patched in past versions?
# What do you have to do to a base Unix system to secure it as a firewall?
# As an apps server?
# As a file Server?

Please compare apples with apples. Unix has been around many years and for
the most part, developed within an open community.
There will have been many more problems in a 25 year old operating system
versus a 5 (??) year old operating system. Then there is the number of
different Unix versions versus the tightly controlled Microsoft source
baseline.

# I dare say if Unix wasn't around, and Microsoft launched one of the
# early implementations of Unix as SuperNT 1.0 the general consensus would
# have been to avoid it like the plague because of its security
# problems.

They did, remember Microsoft's Xenix.. ? ;-)

No, if Unix had not been around, the model for open OS development would
not have occurred as it did. The reality based attitude towards security
(security by obscurity versus security by evaluation) would have been
different.

--
Kent Landfield                 Phone: 1-817-545-2502
The Landfield Group            FAX:   1-817-545-7650
Email: kent@landfield.com      http://www.landfield.com/
Please send comp.sources.misc related mail to kent@uunet.uu.net.

From firewalls-owner Wed Dec 4 11:00:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01100 for firewalls-outgoing; Wed, 4 Dec 1996 06:35:58 -0800 (PST)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA01050 for ; Wed, 4 Dec 1996 06:35:34 -0800 (PST)
Received: from mjr.clark.net (mjr.clark.net [168.143.19.61]) by mail.clark.net (8.7.3/8.6.5) with SMTP id JAA26664; Wed, 4 Dec 1996 09:35:09 -0500 (EST)
Message-Id: <199612041435.JAA26664@mail.clark.net>
Comments: Authenticated sender is
From: "Marcus J. Ranum"
Organization: V-ONE Corp Baltimore office
To: firewalls@GreatCircle.COM
Date: Wed, 4 Dec 1996 09:36:02 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Firewalls over NT
CC: mjr@clark.net
X-mailer: Pegasus Mail for Win32 (v2.42a)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I guess no-one really wants to touch this subject.
> Is it perhaps
> because NT really is "very secure" and we can trust it to do security
> firewalling? grin;-)

In some firewall architectures, if reasonably implemented, the operating
system on which the firewall runs is irrelevant, from a security
perspective. Let me try and explain why I believe this - and please bear
with a kind of lengthy explanation because it is subtle. I'll use product
names as examples but this is not a product plug nor am I saying any
approach is better or worse - just different.

Firewall software running on an O/S can exist at different levels within
the O/S. For example, a FWTK firewall exists purely above and outside of
the O/S. A Checkpoint firewall exists (except for its user interface)
between the packet input/output queueing code and the routing layer in
the kernel's IP stack. A Firewall/Plus replaces the packet input/output
queuing code and talks directly to the network interface cards. Those are
3 totally different approaches, and each approach, you'll notice, is
"closer to the wire" and takes increasingly less advantage of the O/S.
Early versions of Firewall/Plus ran on DOS and used to completely replace
the "kernel" while it was running.

In the case of a FWTK firewall, the kernel is providing complete services
up to the applications. Indeed, the person setting the firewall up needs
to know enough to make sure that the hand-off between kernel services
(connect system call) and application services (inetd) is coordinated
with firewall services (proxies). It's not hard, fortunately, to get that
right, because the mechanism in question is simple, well-understood, and
reasonably "trustworthy."

In the case of a Checkpoint, the kernel is providing a virtual interface
to packet buffering and network cards. Other than that, the only thing
the kernel does for the Checkpoint is supports logging (filesystem) and
user interface (X).
What's interesting is that the firewall software, if it works correctly,
should be able to completely protect the layers above, using the same
technology and code that it uses to protect the network behind the
firewall. Unless you tell the firewall layer it's OK for outsiders to
talk to the X server on the firewall box, they can't. So, if the firewall
is configured sanely, it's a non-issue whether the firewall has an X
server running, or even an old buggy version of sendmail. There is a big
advantage in this approach because you develop a service/network
screening ability for the firewall, which protects the firewall as well.
Assuming it's implemented right and configured so nobody can talk to it,
you could be running the buggiest, holiest O/S on the planet above that
firewall layer, and still be safe.

Firewall/Plus (and probably SunScreen) takes matters a step farther down
the stack and deals with packets directly. This case is very similar to
the Checkpoint approach. From a security perspective, the only major
difference is that it doesn't even rely on the O/S having gotten the
packet queuing/dequeuing layer right. I don't think that's a big deal,
but who knows? Another nice thing it lets you do is not have an IP
address for the firewall at all -- it's more like a bridge. In that case,
you *REALLY* know an outsider's not going to mess with the applications
on that firewall -- it won't recognize packets destined for it, and even
if it did it won't propagate them up the IP stack to an application
that's listening. In this case, the O/S is really a program loader and
file system and GUI sitting above a packet queuing filter.

What does this have to do with NT or any other O/S for that matter? Well,
depending on where the firewall sits in relation to the O/S, the O/S may
be irrelevant to the security of the system. So it could be NT, DOS,
UNIX, or whatever, and make no real difference.
The one area where the choice of O/S makes a difference is that each firewall, depending on where it sits, relies on the layers below it, as they are provided by the vendor. That means, I suppose, that a clueless vendor *might* have a hole in their packet queuing/dequeuing layer. Suppose Microsoft had a hook in their packet driver that recognized certain packets as undocumented remote management packets. Then, that would be a Bad Thing. Of course the same could happen in UNIX. This is why I worry that a firewall vendor who supports every platform under the sun may not be taking the time to diligently research the peculiarities of the implementation below their firewall level. The only approach that makes the O/S completely, totally irrelevant is the firewall at the packet driver level. As you move up the stack to the purely application firewalls like FWTK then the O/S becomes increasingly relevant.

Another issue, of course, is whether the O/S is "ready for prime time." Since the firewall is relying on services below the level where it sits, kludginess and performance flaws at those levels may affect its normal function. A memory leak in the connect() system call will eventually crash a pure application layer firewall like FWTK but won't bother a Checkpoint. A buffer overrun in the mbuf routines will crash both FWTK and Checkpoint-type firewalls but will not affect a packet driver level firewall. And so it goes.

I'm not convinced that NT's IP stack is "ready for prime time" yet so I'd hesitate to try to build a pure application level firewall on it. A routing/queueing level firewall would probably be OK since the only things NT would be doing is GUI and filesystem and it doesn't have to do that particularly well. A packet driver level firewall will not give a darn about any of the implementation flaws in the O/S above it -- as long as it stays running.

I hope this helps clarify some of my thinking on this matter.
A lot of you have grabbed me at conferences and asked this same question and gotten (probably less organized) variations of this response. I know that a number of people have felt that I was somehow repudiating an earlier stated position that "application level firewalls are the best" -- I still believe that with all these things, marketing aside, the key factor is the skills of the people who build them, how well they know their platform, and how clean/generic the design is.

mjr.
-----
Marcus J. Ranum, Chief Scientist, V-ONE Corporation
Work: http://www.v-one.com
Personal: http://www.clark.net/pub/mjr

From firewalls-owner Wed Dec 4 11:06:23 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA23651 for firewalls-outgoing; Wed, 4 Dec 1996 10:31:51 -0800 (PST)
Received: from news.rc.on.ca ([207.176.151.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA23612 for ; Wed, 4 Dec 1996 10:31:34 -0800 (PST)
Received: by mail.rc.on.ca with IMAIL 2.0 id <01BBE1E7.22B65410@mail.rc.on.ca>; Wed, 4 Dec 1996 13:29:11 -0500
Message-ID:
From: Russ
To: "'firewalls@greatcircle.com'"
Subject: RE: Firewalls over NT vs. UNIX
Date: Wed, 4 Dec 1996 13:29:11 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Connector (Beta) (4.5.1280.0)
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, I don't like to get into NT vs. Unix stuff on this list, but I thought of a few comments that might add to the discussion without being religious about it.

* If you strip down NT, replace its processes with trusted ones, and build up a Firewall, I'd say you're nuts. That, IMO, is a complete waste of your obvious intelligence; go do it on a Unix box since it's been done that way for years and there's lots of instructions on how to do it.

* If you are going to use NT as a Firewall platform, there should be only one reason you would do that.
You want to integrate your Firewall into your existing NT environment (for any of a number of reasons). If that's not your reasoning, then you shouldn't be considering NT as a Firewall. I do not/will not believe any vendor's claim today that their NT version (or their NT product if they don't have a Unix version) is *more secure* than an existing Unix Firewall product. It's stupid to believe that NT is inherently more secure than brand X Unix; it isn't. It's inherently less secure because of all the bells and whistles that are included and the openness with which things have been implemented. Couple that with the legacy compatibilities it must support and you have an extremely insecure base product.

* And this is what you'd think to start with when building a Firewall??? I don't think so.

* Now with all that said, that doesn't mean that NT shouldn't/couldn't be secured and built to be a very robust and extremely secure Firewall product; it can, and many vendors are out and about staking their reputations on the fact that they can prove it. Venture Capitalists are a strange lot at the best of times, but if you had a solid Unix product and a good reputation, would you gamble all that against Microsoft's penchant for making subtle unadvertised changes to your underlying OS...without first having a solid understanding of what you're dealing with and ensuring you can protect yourself from the Borg? I don't think so.

* So I'd venture to suggest that the NT Firewalls that are available are *as secure* as their Unixen brethren, *or*, they are less secure due to NT features which the NT community want to have and have (or can) accept as additional risks. Yes, this might be construed as a bastardization of Firewalls (lowering the security threshold), but as opposed to no Firewall at all it's a significant increase in the overall level of security on the Internet.
(This isn't to say that a vendor's NT implementation might not be more secure than a Unix version *when protecting an NT environment*; I believe it's definitely possible to provide better NT security using some NT Firewalls than some Unix Firewalls).

* I'm seeing NT Firewalls deployed in sites where they want to minimize the risk, not eliminate it. They don't want to devote the resources to managing a complete Firewall; they want to re-use existing resources (network admin resources) as Firewall resources. They don't want to introduce a box that, to them, seems obscure and foreign; they'd rather use something they're more familiar with. They believe, typically falsely, that an NT Firewall will somehow protect their use of NT services and allow them to extend their NT models beyond their local nets better than if they used a Unix Firewall. They often come from a background that says "if it doesn't do it today, can it do it in the next version?" and buy into the concept that if they build it, Microsoft will come. A lot of people think that because NT is in the headlines, this translates into better NT products vs. Unix (Unix is old, NT is new, new must be better than old)...obvious delusions but beliefs none-the-less.

* But beyond this, I've met nobody who thinks that NT is more securable than Unix. I've met nobody who believes they will be more secure behind an NT Firewall rather than a Unix one. I've met nobody who believes that their desktop insecurity will go away because of an NT Firewall.

* So NT Firewalls have their place, and Unix Firewalls have theirs. Both, typically, can be configured to be as strong as the other. Both, typically, can be configured to leak like a sieve. Both, typically, can be configured to work with third-party authentication tools, but if your third-party authentication is an NT PDC, you need an NT Firewall to talk to it (today).
Now debating the value of the NT SAM as an authentication database, or NT Challenge/Response as an authentication protocol, is a different matter. If the company has already made the investment in that dB, and chooses not to change that, integration with it is very desirable to many.

* Also, smaller sites who don't have the time, intelligence, or patience to configure a Linux or FreeBSD box as a complete Internet server with *some protection* see NT Firewalls as a way to get what they want. Of course most of these people believe they can put everything on their Firewall (SMTP, HTTP, POP3, etc...) 'cause NT can run lots of things and has simple GUI installation programs to get these things up and running. Typically not a very good idea, but at least one vendor of a recently announced NT Firewall actually says that they are happy to run underneath other NT Application services, so the trend may be changing there.

* As for this buffer-overrun stuff, could someone please point me to a single example of an NT process overrunning its buffers? I don't mean CMD.EXE, but an actual NT process which is constrained by the Kernel or the Executive to stay within its memory bounds. It's so easy today for people to throw out the "buffer overrun" attack as a latent threat and never have to back it up. NT's memory leaks, to my knowledge, are limited to not recovering its own allocated memory, thereby dwindling resources. Comparisons between NT and any other Windows platform are just plain lack of knowledge. NT does memory management completely differently.

* Cheers,
Russ
R.C. Consulting, Inc.
- NT/Internet Security Consulting
mailto:Russ.Cooper@RC.on.ca <-- *note the new address*

From firewalls-owner Wed Dec 4 11:12:17 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA24373 for firewalls-outgoing; Wed, 4 Dec 1996 10:38:25 -0800 (PST)
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA24364 for ; Wed, 4 Dec 1996 10:38:17 -0800 (PST)
Received: from cwiz.com by relay3.UU.NET with SMTP (peer crosschecked as: [208.194.52.10]) id QQbsra00498; Wed, 4 Dec 1996 13:38:16 -0500 (EST)
Received: by cwiz.com (SMI-8.6/SMI-SVR4) id MAA21808; Wed, 4 Dec 1996 12:38:00 -0600
Date: Wed, 4 Dec 1996 12:38:00 -0600
From: mdb@dosmanos.cwiz.com (Martin D. Baldenegro)
Message-Id: <199612041838.MAA21808@cwiz.com>
To: syed1@apple.com
Subject: Re: get off the list?
Cc: Firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Riaz,

Please save this message for future reference. Thank you.

If you ever want to remove yourself from this mailing list, you can send mail to with the following command in the body of your email message:

    unsubscribe firewalls user@domainname

Martin
" Been there, Done it, got a T-shirt "

----- Begin Included Message -----

From syed1@apple.com Wed Dec 4 12:31:01 1996
X-Sender: syed1@mail.apple.com (Unverified)
Mime-Version: 1.0
Date: Wed, 4 Dec 1996 08:33:12 -0800
To: Firewalls@GreatCircle.COM
From: syed1@apple.com (riaz syed)
Subject: get off the list?

Hi:

Can anyone advise me how to get off the list. I'd appreciate a quick response.
Thanks
-Riaz

----- End Included Message -----

From firewalls-owner Wed Dec 4 11:43:46 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA13391 for firewalls-outgoing; Wed, 4 Dec 1996 09:06:07 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA13362 for ; Wed, 4 Dec 1996 09:05:51 -0800 (PST)
Received: (qmail 19606 invoked from smtpd); 4 Dec 1996 17:05:51 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 4 Dec 1996 17:05:51 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id LAA11516; Wed, 4 Dec 1996 11:05:50 -0600
Received: by sonic.nmti.com; id AA25301; Wed, 4 Dec 1996 11:05:42 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9612041705.AA25301@sonic.nmti.com.nmti.com>
Subject: Re: Firewalls over NT vs. UNIX
To: sherod@medeserv.com.au
Date: Wed, 4 Dec 1996 11:05:41 -0600 (CST)
Cc: wrbeem@gate.net, firewalls@greatcircle.com
In-Reply-To: <32A4FF2F.40D7@medeserv.com.au> from "Steven Herod" at Dec 4, 96 02:33:51 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I'd have to disagree with that, a hole in NT would cause just as large a
> furor as one in Solaris or Netware for that matter. After all it's Microsoft's
> flagship OS. "The way of the future...".

I'd certainly yell loudly. I've posted about several holes in NT that are the precise equivalents of holes in UNIX that NT apologists are always howling about. For example, people always poke at sendmail. But you can *easily* replace sendmail with secure equivalents... it simply happens to be the default configuration. Yet the default configuration of NT is so insecure that the C2 tool in the resource kit lists a dozen security holes that need to be closed...
and you can't close them all without breaking applications that depend on being able to, for example, write their INI files in the WINNT directory. Oh, sure, they shouldn't be doing that... but you buy computers to run apps not operating systems and if the app you need to run does things like that what alternative have you got? So you leave WINNT writable. So someone replaces a DLL or installs a CPL file with a trojan horse, you log in as Administrator, and pow... so much for NTFS security.

Hell, NT still has the "at" hole, where anyone who has the rights to schedule tasks can run any task they want with system privilege. That's a higher privilege level than administrator since it grants you read-write access to the SAM. Try running REGEDT32.EXE at 1 minute from now and have a look. I last heard of a UNIX box having that hole in 1985, and it took more than that to use it.

No doubt I'll get a bunch of flames back saying I don't understand the NT security model, or that these aren't really holes because you have to have an account on the box to use them. Gentlemen... most of the CERT announcements are about security holes you have to have an account to use!

From firewalls-owner Wed Dec 4 11:48:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA28563 for firewalls-outgoing; Wed, 4 Dec 1996 11:15:17 -0800 (PST)
Received: from pepper.PLU.edu (pepper.PLU.edu [152.117.1.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA28495 for ; Wed, 4 Dec 1996 11:14:45 -0800 (PST)
Received: from plu.edu by plu.edu (PMDF V5.1-5 #17589) id <01ICLZ59KHG0008TT4@plu.edu> for firewalls@greatcircle.com; Wed, 4 Dec 1996 11:14:32 PST
Date: Wed, 04 Dec 1996 11:14:31 -0800 (PST)
From: JEFF BAUMAN
Subject: need firewall?
To: firewalls@greatcircle.com
Message-id: <01ICLZ59OJFM008TT4@plu.edu>
X-VMS-To: IN%"firewalls@greatcircle.com"
X-VMS-Cc: BAUMANJA
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

WHAT WE ARE: a public radio station licensed to and housed at a university.

WHAT WE HAVE: a small (about 50-node) "free standing" LAN with 2 file servers, running Netware 4.1. (Not a UNIX or NT box in sight.)

WHAT WE WANT TO DO: Connect our LAN to the university's fiber backbone to provide Internet access from each workstation on the KPLU LAN.

SECURITY REQUIREMENT: something placed between our LAN and the connection to fiber that blocks external (from on-campus or elsewhere on the Internet) access to our LAN, to help protect confidential information on our file servers.

QUESTIONS: Can a router, alone, provide reasonable (?!) protection? Is a PIX (or similar) firewall more appropriate/necessary? What kind of up-front cost range am I looking at for this barrier?

I like the basic idea of a firewall, and joined this list to learn more about them. After reading posts here for some time, I'm not sure which way KPLU should go. My education continues... Any assistance would be greatly appreciated.
+========================================================================+
| Jeff Bauman                          Internet: baumanja@PLU.edu        |
| Director of Computing        _/\_    Voice: (206) 536-5009             |
| KPLU                          jb            (800) NPR-KPLU             |
| Tacoma WA 98447                      Fax: (206) 535-8332               |
+========================================================================+

From firewalls-owner Wed Dec 4 12:41:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA26962 for firewalls-outgoing; Wed, 4 Dec 1996 11:01:11 -0800 (PST)
Received: from emout01.mail.aol.com (emout01.mx.aol.com [198.81.11.92]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA26911 for ; Wed, 4 Dec 1996 11:00:54 -0800 (PST)
From: B0GDAN@aol.com
Received: by emout01.mail.aol.com (8.6.12/8.6.12) id OAA26088 for firewalls@greatcircle.com; Wed, 4 Dec 1996 14:00:53 -0500
Date: Wed, 4 Dec 1996 14:00:53 -0500
Message-ID: <961204140052_939854543@emout01.mail.aol.com>
To: firewalls@greatcircle.com
Subject: Proxy & illegal IP numbers
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I need help!

I need to allow hosts from the internet to connect to our internal hosts. We use a firewall that does proxying and filtering. The problem is that we use illegal IP addresses inside the company so we can not be addressed from the internet. Does anyone know about a program that will listen to a port on the firewall, and forward that traffic to a specified host (by changing the IP header maybe)?

Thanks for your help!
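As an added example for the question above, and for the inetd-to-proxy hand-off mjr describes in his post earlier in the thread (this is not code from any product named here, and not part of DAn's post): a minimal TCP port forwarder in Python. It listens on one port of the firewall host and relays every accepted connection to a single configured internal host:port, which is exactly "listen to a port on the firewall and forward that traffic to a specified host" without touching IP headers; rewriting headers instead (NAT) is the other route and is not shown. The loopback echo server stands in for the internal host and is constructed for the demo; all addresses and ports are assumptions.

```python
import socket
import threading

# Added example, not code from the original thread: a TCP port forwarder for the
# firewall host. Every accepted connection is relayed to one configured internal
# host:port. All addresses and ports used here are assumptions.

BUFSIZE = 4096


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while data := src.recv(BUFSIZE):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # propagate end-of-stream to the far end
        except OSError:
            pass


def handle_client(client: socket.socket, target) -> None:
    """Relay one accepted outside connection to the internal target. The outsider
    only ever talks to the firewall; the internal host only ever sees the firewall."""
    try:
        inside = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()          # internal host unreachable: drop the caller
        return
    inside.settimeout(None)
    up = threading.Thread(target=_pump, args=(client, inside), daemon=True)
    up.start()
    _pump(inside, client)       # replies from the inside flow back in this thread
    up.join()
    client.close()
    inside.close()


class _Listener:
    """Accept loop on listen_addr; subclasses implement handle(conn)."""

    def __init__(self, listen_addr):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(listen_addr)
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:     # listener closed
                return
            threading.Thread(target=self.handle, args=(conn,), daemon=True).start()

    def close(self):
        self.sock.close()


class Forwarder(_Listener):
    """The firewall-side listener: every connection goes to one internal target."""

    def __init__(self, listen_addr, target):
        self.target = target
        super().__init__(listen_addr)

    def handle(self, conn):
        handle_client(conn, self.target)


class EchoServer(_Listener):
    """Stand-in for the internal host (constructed for the demo): echoes input."""

    def handle(self, conn):
        with conn:
            while data := conn.recv(BUFSIZE):
                conn.sendall(data)


def forward_and_echo(payload: bytes) -> bytes:
    """Push payload through the forwarder to the echo server and return the reply."""
    inside = EchoServer(("127.0.0.1", 0))
    fw = Forwarder(("127.0.0.1", 0), ("127.0.0.1", inside.port))
    chunks = []
    try:
        with socket.create_connection(("127.0.0.1", fw.port), timeout=5) as outsider:
            outsider.sendall(payload)
            outsider.shutdown(socket.SHUT_WR)   # done sending; now read the echo
            while data := outsider.recv(BUFSIZE):
                chunks.append(data)
    finally:
        fw.close()
        inside.close()
    return b"".join(chunks)


if __name__ == "__main__":
    print(forward_and_echo(b"hello from outside"))
```

Run it and the outside client's bytes come back through the internal echo server. Two things a real deployment would add before exposing this: the forwarder accepts from anyone, so the firewall's own filter rules must restrict who may reach the listening port, and it records nothing, whereas a proxy of the FWTK kind would log each connection and could demand authentication before ever calling connect() toward the inside.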
DAn

From firewalls-owner Wed Dec 4 13:16:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA20409 for firewalls-outgoing; Wed, 4 Dec 1996 10:04:15 -0800 (PST)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA20190 for ; Wed, 4 Dec 1996 10:02:52 -0800 (PST)
Received: by hidata.com; id AA27938; Wed, 4 Dec 96 10:02:53 PST
Received: from osc.hidata.com(205.158.62.10) by hds-gw.hidata.com via smap (V3.1.1) id xma027936; Wed, 4 Dec 96 10:02:23 -0800
Received: from sysadmin by osc.osc.hidata.com (SMI-8.6/SMI-SVR4) id KAA05751; Wed, 4 Dec 1996 10:02:22 -0800
Message-Id: <2.2.32.19961204175800.012cac44@osc.hidata.com>
X-Sender: bstout@osc.hidata.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 04 Dec 1996 09:58:00 -0800
To: Firewalls@GreatCircle.COM
From: Bill Stout
Subject: Re: NT firewalls / Eagle
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:47 AM 12/4/96 -0300, you wrote:
>Yes... Microsoft Proxy Server, for example.. ;-)
>> are there any firewall systems for Windows NT (commercial or not) besides
>> the Eagle system?

That's not a firewall. That's a proxy that needs IIS and NT 4.0 to run. Early marketing efforts by MS tried to give the impression that Catapult was a firewall. Firewalls are built, not added to a computer.

Next we'll have to deal with 'Steel Head', where MS tries to make NT PCs into Cisco-level Routers (12/2 Computer World) by adding software over existing exposed and secret security holes.
Bill Stout

From firewalls-owner Wed Dec 4 13:21:51 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA21578 for firewalls-outgoing; Wed, 4 Dec 1996 10:15:49 -0800 (PST)
Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA21559 for ; Wed, 4 Dec 1996 10:15:30 -0800 (PST)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id MAA05067; Wed, 4 Dec 1996 12:17:34 -0600
Date: Wed, 4 Dec 1996 12:10:03 -0600 (CST)
From: Ron DuFresne
To: riaz syed
cc: Firewalls@GreatCircle.COM
Subject: Re: get off the list?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm reposting this to the list as there have been such a number of folks requesting this info once again:

>From vbaca@Coded.COM Sat Nov 23 17:25:55 1996
Date: Mon, 25 Mar 1996 09:08:49 -0800
From: "Virginia L. Baca"
To: firewalls@GreatCircle.COM
Subject: How To get off <--- god I love that subject

I know there are lots of you out there who want off this list and are afraid to ask how. Well here it is. Please save this message for future reference. Thank you.

Send mail to: Majordomo@GreatCircle.COM

To subscribe:
    subscribe firewalls
    subscribe firewalls-digest
    subscribe firewalls-performance-digest

To unsubscribe:
    unsubscribe firewalls
    unsubscribe firewalls-digest
    unsubscribe firewalls-performance-digest

If you want to subscribe or unsubscribe something other than the account the mail is coming from, such as a local redistribution list, then append that address to the command; for example, to subscribe "local-firewalls":

    subscribe firewalls-performance-digest local-firewalls@your.domain.net

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.
It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Wed Dec 4 13:24:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA20191 for firewalls-outgoing; Wed, 4 Dec 1996 10:02:56 -0800 (PST)
Received: from gw.garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA20151 for ; Wed, 4 Dec 1996 10:02:22 -0800 (PST)
Received: by gw.garrison.com; id FAA02156; Wed, 4 Dec 1996 05:54:46 -0600 (CST)
Received: from ukn0.garrison.com(10.0.0.2) by gw.garrison.com via smap (3.2) id xma002151; Wed, 4 Dec 96 05:54:34 -0600
Received: by garrison.com. (4.1/Surrogate Sendmail hack) id AA01646; Wed, 4 Dec 96 11:55:22 CST
Date: Wed, 4 Dec 96 11:55:22 CST
From: jeromie@garrison.com (Jeromie Jackson)
Message-Id: <9612041755.AA01646@garrison.com.>
To: firewalls@GreatCircle.COM, dochin@cisco.com
Subject: Re: Cisco's PIX Firewall
Cc: lazar@netevolve.com, mhoward@cisco.com, froys@cisco.com, jlw@cisco.com, afoss@cisco.com, amittal@cisco.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> To clarify the PIX Firewall, it is not a packet filter. It is a dedicated
> security device, built with one purpose in mind -- securing the private LAN
> to the Internet.

Hmm, from what I've seen, it certainly does qualify as an IP filtering device. It bases its ACLs on header information, namely src, port, dst, port, flags. It obviously is not an application level gateway, therefore you may be competing with TIS/Raptor for market share, although it is quite different technology. It appears to be a packet filtering device that has NAT capabilities...

> We are in fact directly in competition with Checkpoint, Raptor, TIS, etc.
> The "cut-through proxy" feature provides a significant performance
> enhancement to the security function since users are authenticated at the
> application layer. Once authenticated, the process flow shifts back to the
> network layer which provides the high performance.

I would have to agree that most likely there is a performance enhancement by using PIX instead of an application level gateway. My question would be, if the PIX product is a firewall, how is it securing the sendmail/mail transport agent for the customers? When mail comes inbound, it has to speak to something.. Since PIX does not have an MTA itself, obviously another box is required. If this is so, the level of security of the MTA is crucial... This seems to be a bad thing.

Also, using something like PIX, are there features that allow filtering of data such as email content, or Java/JavaScript? What about time based access control? Or what about data reduction utilities to utilize the syslog information that I would assume the PIX can provide...?
Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Wed Dec 4 13:27:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA26203 for firewalls-outgoing; Wed, 4 Dec 1996 10:54:48 -0800 (PST)
Received: from NTWRK1.NETWORK-1.COM (Network-1.com [192.246.254.133]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA26151 for ; Wed, 4 Dec 1996 10:54:31 -0800 (PST)
Message-Id: <199612041854.KAA26151@miles.greatcircle.com>
Received: from scarlett ([192.246.254.180]) by NTWRK1.NETWORK-1.COM with SMTP; Wed, 4 Dec 1996 12:12:50 -0600 (CST)
From: "Kimber Cooper"
To:
Subject: Re: Support of Firewalls
Date: Wed, 4 Dec 1996 11:58:59 -0600
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ron:

What do you mean by "support," exactly? When it comes to implementing firewalls, "support" has many, many forms.

First, there's basic education; you would be surprised (or not, maybe) to hear how many people are looking to implement a firewall just because they keep reading about them--they actually don't know the definition and don't understand the implications of implementation. Should tech support have that role? Or would you rather have the opportunity to query technically knowledgeable sales reps about this? Or do you, the consumer, have the responsibility to educate yourself, thereby giving the company the right to assume that education?

What about implementation of the firewall? I'm talking topology here, not configuration. Not all firewalls are routers; not all firewalls are compatible w/ every piece of hardware. Firewalls won't do diddly to protect the LAN if there are backdoors. Do you expect tech support to look at a topology map and tell you where your holes are and where to place the firewall?
Now--after hours of consideration and topological tinkering--now we're ready to talk about the configuration of the software: is _that_ the role you expect out of tech support?

I pose these questions to the world at large because I manage a tech support department and would really like to hear what the answers are. When I think about relying on resellers, etc. I have to consider the possibility of a huge margin of error for all of these categories, which, quite frankly, makes my stomach clench. Is there a real issue out there with software companies outsourcing first-level support?

Looking forward to hearing from you,
--Kimber Cooper

"Silliness is the last resort of the doomed." --Opus
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Kimberly Hebert Cooper
Manager, Technical Services
Network-1 Software & Technology
khcooper@network-1.com

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>original follows:

> Date: Tue, 3 Dec 1996 23:12:42 -0600
> From: "Ron Malone"
> Subject: Firewall User Group's
*snip*
> My company is looking to purchase a firewall product, but find that most
> software companies want to shield themselves behind a reseller. They claim
> to want to use reseller's distribution system to sell and support the
> product. The problem is that purchasing the firewall software via a
> middleman allows the firewall company to have less responsibility in
> supporting their product. If your 3rd party support is not strong, then you
> have a problem obtaining quality support and cannot contact the software
> maker to provide direct support. Any comments regarding how to get the
> software maker to support the product that they created.
> *snip*

From firewalls-owner Wed Dec 4 13:29:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA04324 for firewalls-outgoing; Wed, 4 Dec 1996 12:03:27 -0800 (PST)
Received: from gw.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA04099 for ; Wed, 4 Dec 1996 12:01:46 -0800 (PST)
Received: (from uucp@localhost) by gw.research.megasoft.com (8.7.5/8.7.3-cmcurtin) id PAA25126; Wed, 4 Dec 1996 15:01:38 -0500 (EST)
Received: from goffette.research.megasoft.com(192.168.1.2) by gw.research.megasoft.com via smap (V1.3) id sma025122; Wed Dec 4 15:01:26 1996
Received: by goffette.research.megasoft.com (940816.SGI.8.6.9/940406.SGI) id OAA03818; Wed, 4 Dec 1996 14:54:37 -0500
Date: Wed, 4 Dec 1996 14:54:37 -0500
Message-Id: <199612041954.OAA03818@goffette.research.megasoft.com>
From: C Matthew Curtin
To: Douglas Cheline
Cc: "'Firewalls@GreatCircle.COM'"
Subject: Re: Firewalls over NT vs. UNIX
In-Reply-To:
References:
X-Face: "&>g(&eGr?u^F:nFihL%BsyS1[tCqG7}I2rGk4{aKJ5I_5A\*6RYn4"N.`1pPF9LO!Fa<(gj:12)?=uP2l01e10Gij"7j&-)torL^iBrNf\s7PDLm=rf[PjxtSbZ{J(@@j"q2/iV9^Mx>>>>

>>>>> "Douglas" == Douglas Cheline writes:

Douglas> The various Firewall vendors that I have spoken to have
Douglas> repeatedly stated that, even though their product does run
Douglas> over NT, running firewalls over UNIX is much more secure.
Douglas> The reasoning I get is that NT has some inherent
Douglas> vulnerabilities that cannot be plugged since the code is
Douglas> proprietary and closed. UNIX on the other hand is standard
Douglas> based and open, plus it has been on the market much longer
Douglas> and more efforts have been placed in plugging the holes
Douglas> there.

Running anything on Windows NT isn't necessarily insecure. It certainly can be, if it's configured poorly. However, security cannot be proven.
It is only by time and standing up to test after test that anything in security reaches a level of probable security. The biggest problem with NT is that it is closed, and its code isn't available to the world to be examined and have bugs eradicated. As a result, the level of security that NT will provide is, at best, unknown.

Along these lines, mjr posted a while back that he sent some folks off to Microsoft for NT developer training or something like that. His post noted that the Microsoft trainer asserted that there are 'administrative hooks' in NT that only Microsoft knows about. What are these hooks? Are they really there? What do they do? What happens if someone with a black hat finds one of 'em out? Is that enough to compromise the security of the OS? We can't possibly know without having the source or reverse engineering the whole thing to hell and back. (Which is forbidden by Microsoft by their wonderfully restrictive totalitarian licenses.) That's strike one.

Consider something else: Windows NT isn't the subject of advisories like that from CERT simply because Microsoft refuses to participate with the security organizations like CERT. CERT, in its desire to be a white-hat organization that doesn't aid any people wearing black hats, will not release an advisory on a problem to which there is no solution. (Generally, they seem to not stick so closely by this policy anymore, as they published a vulnerability in SATAN before a fix was available. Very strange, that.) Refusing to participate with the security folks is strike two in my book.

Furthermore, why would you want to run a firewall on NT? So you can pay $1000 for an operating system that allows you to have more than 10 simultaneous IP connections? Microsoft used to claim that there was a difference between NT workstation and NT server. They were caught in that lie by InfoWorld.
A company that is so marketing-driven (as opposed to technology-driven) as Microsoft, has a proven track record of lies and deceit, and makes claims like their proxy server is analogous to the level of security provided by many firewalls, is NOT the kind of vendor that I want to give my company's front door keys to.

Also consider the great speed with which NT is developed. They're so hot to get the next version out that things like security can't possibly be scrutinized very carefully, even within their own organization.

Back to my question as to why someone would want to run a firewall on NT. It doesn't scale as high as Unix (compare its scalability to Solaris, for example.) It doesn't perform as well as Unix (for 0% of the price, FreeBSD will outperform NT in socket performance), and it doesn't have even a fraction of the security tools available in the Unix world. Things that ARE available for NT typically don't include the source, so you're back to having things that you can't trust running on your firewall again.

The only thing that I've ever heard is that they want to run it on NT so that "anyone" can run it. Sorry, but when you're talking about a firewall, it isn't JimBob's home network. You need someone with a clue guarding the front door.

Strike three, it's less functional, less scalable, and locks you into a vendor that wants to take over the world.

I'm not just bashing, but why in the world would anyone want to make themselves dependent upon an EXTERNAL VENDOR to guard the entry point to the Internet? Firewalls are necessarily technical, folks. Anyone looking for a black box to plug into the wall "and just work" is asking for trouble.

--
Matt Curtin cmcurtin@research.megasoft.com Megasoft, Inc Chief Scientist
http://www.research.megasoft.com/people/cmcurtin/
I speak only for myself.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet From firewalls-owner Wed Dec 4 13:31:45 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA19570 for firewalls-outgoing; Wed, 4 Dec 1996 09:57:39 -0800 (PST) Received: from grab (grab.coslabs.com [199.233.92.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA19530 for ; Wed, 4 Dec 1996 09:57:18 -0800 (PST) Received: from future.mulligan.com by grab (SMI-8.6/SMI-SVR4) id KAA24127; Wed, 4 Dec 1996 10:57:15 -0700 Received: from future by future.mulligan.com (SMI-8.6/SMI-SVR4) id KAA12417; Wed, 4 Dec 1996 10:57:12 -0700 Message-Id: <199612041757.KAA12417@future.mulligan.com> X-Mailer: exmh version 1.6.9 8/22/96 To: Christopher Tighe cc: firewalls@greatcircle.com Subject: Re: Ip Routing on a SUN In-reply-to: Your message of "Wed, 04 Dec 1996 09:35:23 EST." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 04 Dec 1996 10:57:11 -0700 From: Geoff Mulligan Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Don't forget # ndd -set /dev/ip ip_forward_src_routed 0 to turn off source routing. geoff From firewalls-owner Wed Dec 4 13:34:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA03683 for firewalls-outgoing; Wed, 4 Dec 1996 11:56:40 -0800 (PST) Received: from manukau.govt.nz ([202.14.82.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA03563 for ; Wed, 4 Dec 1996 11:56:04 -0800 (PST) Received: by kotuku.manukau.govt.nz id <35726>; Thu, 5 Dec 1996 09:06:12 +1300 Message-Id: <96Dec5.090612nzdt.35726@kotuku.manukau.govt.nz> From: Matthew Thompson To: "'BVE'" , "'firewalls@greatcircle.com'" Subject: RE: Firewalls over NT vs. UNIX Date: Fri, 6 Dec 1996 10:51:33 +1300 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >and their fix. MS doesn't let you see the source; Unix does. 
While you or I Can someone tell me where I get the source for HP-UX, AIX and Solaris 2, and Borderware's modified BSDI Unix then? Bearing in mind I don't want to sign any agreements of the type I'd have to sign to see the source for NT, or pay any significant money, or do anything illegal? And no, I don't want source for Linux, I want source for the currently shipping vendor versions of these OS's. --------------------------------------------------------------------- Kiwitech Marine Solutions Ltd. RaceTech, SailTech, PowerTech, Marine Software & Hardware Web: http://www.kiwitech.co.nz, Email: mthomps1@kiwitech.co.nz Phone: +64-9-307-0819 Fax: +64-9-307-6685 Mobile: +64-21-998-600 PO Box 5909, Wellesley Street, Auckland, New Zealand From firewalls-owner Wed Dec 4 13:37:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA19472 for firewalls-outgoing; Wed, 4 Dec 1996 09:56:48 -0800 (PST) Received: from smtp1.interramp.com (smtp1.interramp.com [38.8.45.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA19335 for ; Wed, 4 Dec 1996 09:56:13 -0800 (PST) Received: from davidh.interramp.com by smtp1.interramp.com (8.8.1/SMI-4.1.3-PSI-irsmtp) id MAA00759; Wed, 4 Dec 1996 12:56:06 -0500 (EST) Message-ID: <32A5AB1C.1AA4@checkpoint.com> Date: Wed, 04 Dec 1996 10:47:24 -0600 From: David Helms Reply-To: david.helms@checkpoint.com Organization: CheckPoint Software Technologies X-Mailer: Mozilla 3.0 (Win95; I) MIME-Version: 1.0 To: Michael.Kespohl@svp-consult.com CC: firewalls@GreatCircle.COM Subject: Re: NT firewalls / Eagle References: <9612041514.AA06657@ibgcore1.ibg.ljo.dec.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Michael, The December issue of LAN magazine just did a big firewall evaluation that you may want to look at. I obviously point this out because Check Point's FireWall-1 for NT was rated very highly. 
David chen@ibg.ljo.dec.com wrote: > > AltaVista Firewall for NT, visit > > http://www.altavista.software.digital.com/firewall/index.htm > > Tracy -- __________________________________ David Helms Senior Technical Consultant CheckPoint Software Technologies ph 703.684.4824 fx 703.684.4847 davidh@checkpoint.com __________________________________ From firewalls-owner Wed Dec 4 13:39:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA16285 for firewalls-outgoing; Wed, 4 Dec 1996 09:34:36 -0800 (PST) Received: from ptes.com ([138.112.199.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA16251 for ; Wed, 4 Dec 1996 09:34:14 -0800 (PST) Received: by ptes.com (4.1/JMFrom firewalls-owner Wed Dec 4 22:52:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA12213 for firewalls-outgoing; Wed, 4 Dec 1996 21:58:22 -0800 (PST) Received: from translation.com (paoglobal.translation.com [204.30.204.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA12199 for ; Wed, 4 Dec 1996 21:58:13 -0800 (PST) Received: (from audit@localhost) by translation.com (8.6.12/8.6.12) id VAA03069; Wed, 4 Dec 1996 21:58:30 -0800 Received: from bureaucrat.translation.com(10.8.8.2) by pao via smap (V1.3mjr) id sma003065; Wed Dec 4 21:57:41 1996 Message-Id: <2.2.32.19961205055157.00cd6860@politician.translation.com> X-Sender: johnson@politician.translation.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 04 Dec 1996 21:51:57 -0800 To: jeromie@garrison.com (Jeromie Jackson), ahuger@secnet.com From: Johnson Wu Subject: Re: Cisco's PIX Firewall Cc: firewalls@GreatCircle.COM, dochin@cisco.com, mhoward@cisco.com, lazar@netevolve.com, froys@cisco.com, afoss@cisco.com, amittal@cisco.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To all: Please use caution when reading the following to avoid confusion. 
I posted the original statement of "opens up UDP ports 7648 and 7649 BLINDLY to all traffic including attacks" criticizing packet filtering routers. I also contrasted it with the PIX's adaptive security. I hope readers do not mistake this stateless opening of UDP ports for what the PIX does. As of today, the current official release of PIX still does not have Java filtering or any SMAPd type of mail wrappers. But that does not prevent it from being a stateful firewall capable of thwarting spoofing and hijacking. Going against IP spoofing, the PIX has cut-through proxies authenticating inbound sessions from trusted hosts to selected internal hosts. This is user-based authentication. It also randomizes TCP sequence numbers to further minimize the chance of a successful spoofing. A packet filtering router exposes internal hosts and is not protocol aware. To allow ftp clients inside going out you basically have to open up TCP SRC=20 and DST gt 1023 for everyone in the whole world. The PIX makes an inside network totally invisible to the outside and only reveals certain IP addresses to the destination host when connections go outbound and only allows the requested data coming in. With due respect, I challenge Mr. Jackson's point saying: >> > As far as being >> > 'spoof proof', that is just not correct. If you are talking to '1.2.3.4', I >> > can send you a packet appearing as though it is originating from '1.2.3.4' In the case where the client starts a connection from SRC port 2345 to 1.2.3.4's port 80 to get a webpage and then ends the connection, the PIX immediately closes the connection object after that, and even if the hacker succeeds in impersonating 1.2.3.4 ( the dest. host ) and tries to come in via SRC=80 dest=2345 with the ACK bit set, the PIX will not let the packets come through. 
( Interested PIX owners can try it themselves) -Johnson At 10:35 PM 12/4/96 CST, Jeromie Jackson wrote: >> On Wed, 4 Dec 1996, Jeromie Jackson wrote: >> >> > > >> > > This opens up UDP ports 7648 and 7649 BLINDLY to all traffic including >> > > attacks. Also there's that infamous estab statement where someone who >> > > knows how to doctor the ACK bit can inject TCP packets into the customers' >> > > net. >> > >> > Hmm, That certainly looks like packet filtering to me. Yes you are right. It was my example of a packet filter, not the PIX. >> > Based on header >> > information, you are making decisions about packet flow. As far as being >> > 'spoof proof', that is just not correct. If you are talking to '1.2.3.4', I >> > can send you a packet appearing as though it is originating from '1.2.3.4', >> > you would believe me, because there is no authentication built into IPV4. I would >> > agree, that the filtering mentioned above is better than that done w/ a standard >> > IP filtering device, although because decisions are being made on objects that >> > are not authenticated (header information), ACL's can, and will be vulnerable to >> > spoofing/hijacking. >> > >> >Ahuger@secnet.com wrote: > >> ACL's being vulnerable to spoofing/hijacking..... I am not sure if I am >> reading you clear on this, but what I think I see you saying is that you >> can still spoof Source IP addresses to a Cisco PIX firewall. Also you >> state, trusted connections to the firewall can be hijacked. If this is >> what you are saying, my reply would be such. >> >> You're correct in saying IP4 has no built in authentication, the only thing >> in IPV4, related to security is the Security Field (which denotes how >> classified a datagram is). This being said, anyone, anywhere can slap >> any Source Address on a packet and fire it off their wire. *No* Firewall >> can protect you from this. Cisco PIX or otherwise. 
If you need to speak >> to the outside world (which if you have a Firewall I assume you do) then you >> are subject to packets with questionable Source Addresses. I don't see >> this as a real weakness of any given Firewall, just shortcomings of IPV4. >> > > Agreed. I brought this up, to show the inherent weakness in ACLs. >Obviously both mechanisms, ip filtering devices, and application level gateways, are vulnerable to such data. An IP filtering device uses this as its primary >access control mechanism though, whereas an application level gateway would >also implement things to force RFC conformance of the protocols, most likely >have data reduction tools, and be able to address issues such as the Mail >Transport Agent problems. App. gateways also have the capability to do things >such as Java/Javascript filtering, Mail filtering, whereas strictly IP filtering >mechanisms do not have such capabilities. > >> As to streams of data (TCP presumably) being open to hijacking. That again >> is another problem which cannot really be addressed by a Firewall itself. >> If an attacker has breached a host whom your firewall allows *unencrypted* >> or even *encrypted* connections from, you're had. And it's not your >> Firewall's fault. >> >> Both of these issues are policy issues, Both require a Firewall Admin to >> ask himself how much of the outside world he/she trusts. In the case of >> spoofable addresses, Admins must realize that not all packets coming in >> off the net, are really coming from where they say they are. In respect >> to TCP hijacking, an Admin has to ask his/herself if they want to allow >> TCP connections through their firewall. >> > > Agreed. > > >Jeromie Jackson >Garrison Technologies >jeromie@garrison.com > > Johnson L. 
Wu Cisco Systems 2464 Embarcadero Way 415/842-2114 voice 415/843-1111 fax jlw@cisco.com so long: johnson@translation.com private: johnson@snoopy.ORG From firewalls-owner Wed Dec 4 23:12:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA15463 for firewalls-outgoing; Wed, 4 Dec 1996 22:25:43 -0800 (PST) Received: from shoukui.pku.edu.cn (shoukui.pku.edu.cn [162.105.127.171]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA15402 for ; Wed, 4 Dec 1996 22:25:19 -0800 (PST) Received: (from ccdzh@localhost) by shoukui.pku.edu.cn (8.6.12/8.6.9) id OAA02144; Thu, 5 Dec 1996 14:27:00 +0900 Date: Thu, 5 Dec 1996 14:27:00 +0900 (JST) From: Duan Zhenhai To: firewalls@greatcircle.com Subject: Firewall on FTP Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can anybody tell me some information (documents or source code) about the packet filter implementing some specific service, like FTP, X11, etc., or where can I find them? I know that there are some considerations about FTP packet filters. 1. Let the inbound packets through if their destination port>1023, but it is not safe for X11, etc. 2. Let the ftp-client issue PASV, that is, let both connections open from the internal host. But we have to change the client code. I do think it is useful if we write down some information about the outbound packet if it is an ftp control connection request. 
Any comment is appreciated Duan Zhenhai From firewalls-owner Wed Dec 4 23:41:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA21647 for firewalls-outgoing; Wed, 4 Dec 1996 23:18:13 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA20933 for ; Wed, 4 Dec 1996 23:16:04 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id WAA25101; Wed, 4 Dec 1996 22:46:51 -0800 Received: from stargate.compuware.com(199.186.21.253) by mycroft via smap (V1.3mjr) id sma024990; Wed Dec 4 22:45:08 1996 Received: by stargate.compuware.com id AA06152 (InterLock SMTP Gateway 3.0 for Firewalls@GreatCircle.COM); Thu, 5 Dec 1996 01:44:57 -0500 Message-Id: <199612050644.AA06152@stargate.compuware.com> Received: by stargate.compuware.com (Protected-side Proxy Mail Agent-1); Thu, 5 Dec 1996 01:44:57 -0500 Date: Thu, 05 Dec 96 09:38:17 EDT From: "JOHN CHIN" To: Firewalls@GreatCircle.COM Subject: I-WAYONE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi firewall folks, I am looking for any information about a software called I-WAYONE. If anybody has used it or knows anything about this software, please let me know.. Thanks in Advance .... Regards .. 
JC From firewalls-owner Wed Dec 4 23:55:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA25585 for firewalls-outgoing; Wed, 4 Dec 1996 23:38:29 -0800 (PST) Received: from omsk.quadrix.com (omsk.yourtown.com [205.246.66.7]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA25528 for ; Wed, 4 Dec 1996 23:38:11 -0800 (PST) Received: by omsk.quadrix.com (4.1/SMI-4.1) id AA05695; Thu, 5 Dec 96 02:48:44 EST Date: Thu, 5 Dec 96 02:48:44 EST From: bve@yourtown.com (BVE) Message-Id: <9612050748.AA05695@omsk.quadrix.com> To: firewalls@greatcircle.com In-Reply-To: <96Dec5.090612nzdt.35726@kotuku.manukau.govt.nz> (message from Matthew Thompson on Fri, 6 Dec 1996 10:51:33 +1300) Subject: Re: RE: Firewalls over NT vs. UNIX Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From: Matthew Thompson Can someone tell me where I get the source for HP-UX, AIX and Solaris 2, and Borderware's modified BSDI Unix then? Bearing in mind I don't want to sign any agreements of the type I'd have to sign to see the source for NT, or pay any significant money, or do anything illegal? While you may not have the source to a specific vendor version, they're all derived from a relatively small number of places (to which the source *is* available), and they all operate in a similar fashion. Thus, a bug found in the free sources can be tried on the non-free sources. The advantages aren't as good as the real source, but they're better than MS.... -- Bill Van Emburg Phone: 908-235-2335 Quadrix Solutions, Inc. Fax: 908-235-2336 (bve@quadrix.com) Check out http://yourtown.com! 
(http://quadrix.com) "You do what you want, and if you didn't, you don't" From firewalls-owner Thu Dec 5 00:26:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA29408 for firewalls-outgoing; Thu, 5 Dec 1996 00:14:10 -0800 (PST) Received: from sunrise (sunrise.solmelia.es [194.179.70.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA29401 for ; Thu, 5 Dec 1996 00:14:02 -0800 (PST) Received: from (firewall) by sunrise (5.x/SMI-SVR4) id AA13146; Thu, 5 Dec 1996 09:15:45 +0100 Message-Id: <9612050815.AA13146@sunrise> From: israel.serrano@solmelia.es Date: Thu, 05 Dec 96 08:58:23 To: Firewalls@GreatCircle.COM Subject: VPNs X-Mailer: Mime-Version: 1.0 Content-Type: multipart/mixed Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello. Hi everyone out there! I just joined the list a couple of weeks ago and maybe you've already discussed the following subject. I apologize, just in case. My concern, right now, consists basically in the possibility to set up Virtual Private Networks in order to reduce the high costs of maintaining a leased line with some of our international offices (US and Singapore, basically). The problem we face is the chance to expose confidential information to the Internet. I've read a bunch of stuff about the VPNs and also some 'press release' about SunScreen device (I don't remember right now the name, something like s..-100) and Checkpoint's FW-1 VPN. Is anyone able to tell me some experiences with this kind of Nets? Which device suits best the VPN deployment, FW-1 or SunScreen? (I guess the latter) Are they really (REALLY) secure? (Technicians! Help!) 
From my point of view, I guess that when you expose your Network to the Internet (even through a Firewall device) you can assume the risks of deploying a VPN. Am I wrong?!?!? Please (again) experiences on VPN (real ones) Thanks a lot. Thank you very much. Luis Israel Serrano Barge Departamento de Sistemas de Información / Information Technology Department Sol Meliá (http://www.solmelia.es) email: israel.serrano@solmelia.es Tlf: +34 (9)71 43 70 57 Fax: +34 (9)71 43 70 52 From firewalls-owner Thu Dec 5 01:28:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA05916 for firewalls-outgoing; Thu, 5 Dec 1996 01:18:06 -0800 (PST) Received: from iq.pvv.ntnu.no (iq.pvv.ntnu.no [129.241.210.223]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id BAA05909 for ; Thu, 5 Dec 1996 01:17:49 -0800 (PST) Received: from ra.pvv.ntnu.no (ra.pvv.ntnu.no [129.241.210.205]) by iq.pvv.ntnu.no (8.7.5/8.7.3) with ESMTP id KAA25600; Thu, 5 Dec 1996 10:17:30 +0100 (MET) Received: from localhost (pladsen@localhost) by ra.pvv.ntnu.no (8.7.5/8.7.3) with SMTP id KAA16808; Thu, 5 Dec 1996 10:17:29 +0100 (MET) X-Authentication-Warning: ra.pvv.ntnu.no: pladsen owned process doing -bs Date: Thu, 5 Dec 1996 10:17:28 +0100 (MET) From: Jan Ivar Pladsen To: Firewalls@GreatCircle.COM cc: pladsen@pvv.ntnu.no Subject: rcp _out_ through firewall, how? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk We use rcp to transfer files _from_ our machine _to_ a distant host. Now we are going to install a firewall. *Can we still use rcp? *How do we configure the firewall? *Is it possible using the FWTK? 
Anyone capable of explaining to me what packets and ports rcp uses? References to literature are also very much appreciated. TIA Jan Ivar Pladsen From firewalls-owner Thu Dec 5 02:10:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA08116 for firewalls-outgoing; Thu, 5 Dec 1996 01:56:39 -0800 (PST) From: firewalls-owner Received: from mobile.bam.com (mobile.banm.com [199.74.157.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA08109 for ; Thu, 5 Dec 1996 01:56:33 -0800 (PST) Received: FROM BAMX400.mobile.bam.com BY mobile.bam.com ; 5 DEC 96 04:56:55 EST Date: 5 DEC 96 04:55:43 EST Subject: Undeliverable Message To: Firewalls@GreatCircle.COM MIME-Version: 1.0 Message-ID: <0005cuamaagg.0005amuoigey@mobile.bam.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To: Dean E Vaccher@IS_WBRHQ@BAMSWB BAMX400@MGate@BAM [C=US/A=INTERNET/DDA=ID/firewalls-digest(a)GreatCircle.COM] Cc: Subject: Firewalls-Digest V5 #648 Message not delivered to recipients below. VNM3043: Dean E Vaccher@IS_WBRHQ@BAMSWB **** Attachment message(s) will follow in 1 separate transmissions. 
From firewalls-owner Thu Dec 5 03:10:58 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA12788 for firewalls-outgoing; Thu, 5 Dec 1996 03:05:03 -0800 (PST) Received: from dns0.ccn.ac.uk (dns0.ccn.ac.uk [194.66.185.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA12768 for ; Thu, 5 Dec 1996 03:04:55 -0800 (PST) Received: from [194.66.185.35] by dns0.ccn.ac.uk (NTMail 3.01.03) id la106325; Thu, 5 Dec 1996 11:05:12 +0100 Received: by mailgate.ccn.ac.uk with Microsoft Mail id <32A71C9D@mailgate.ccn.ac.uk>; Thu, 05 Dec 96 11:03:57 PST From: "Marriage, Michael" To: "'firewalls@greatcircle.com'" Cc: "Bock-Brown, Jeff" Subject: Telnet and AGS + socks/cisco Win95 + MS Netmeeting Date: Thu, 05 Dec 96 11:06:00 PST Message-ID: <32A71C9D@mailgate.ccn.ac.uk> X-Mailer: Microsoft Mail V3.0 X-Info: City College Norwich - SMTP server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have a number of questions I have bundled together: How to program AGS+ for telnet only Socks and non socks Telnet access Microsoft Netmeeting and security I have a requirement to let Telnet access out of our network in the short term I may have to reprogram our AGS+ router to let telnet access out for specific PC's but last time I tried this although I could specify an individual machine I couldn't specify Telnet only despite using eq 23. It's possible I need to specify something for inbound and outbound telnet but I would be grateful for any example configs. In the long term I am looking for something a bit better and I have been interested in socks and use with Windows 95. The problem I can foresee is some users may wish to access internal unix systems without using the socks server can this be configured ? One of the reasons for looking at socks as a generic way of permitting and monitoring network traffic is because of Microsoft's Net meeting and ULS ( now Internet Location Server ). 
I have seen little information on how to filter these and any newer products and perhaps socks will allow a more general way of dealing with this. Any pointers to information on Netmeeting and use of transports appreciated. I'm not a purist in the firewalls debate I am attempting to implement a flexible security system with good security and a reasonable cost. ( they still think I'm paranoid ). Mike Marriage Systems Engineering Team Leader City College Norwich ( England ) From firewalls-owner Thu Dec 5 04:29:53 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA18521 for firewalls-outgoing; Thu, 5 Dec 1996 04:18:51 -0800 (PST) Received: from gdut.edu.cn (ggdn.gdut.edu.cn [202.116.128.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA17778 for ; Thu, 5 Dec 1996 04:15:01 -0800 (PST) Received: from pentium.ggdn.gdut.edu.cn ([202.116.130.6]) by gdut.edu.cn (5.x/SMI-SVR4) id AA07857; Thu, 5 Dec 1996 20:11:28 +0800 Date: Thu, 5 Dec 1996 20:11:28 +0800 Message-Id: <9612051211.AA07857@ gdut.edu.cn> X-Sender: weijz@gdut.edu.cn (Unverified) X-Mailer: Windows Eudora Version 2.0.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: weijz@gdut.edu.cn (Wei Jizhou) Subject: Question? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I have some questions to ask for your help. I want to attend a video conferencing News Group, but I do not know its IP. Can you tell me that? And would you please tell me some good News Groups about computer science and their IPs? And I also have a question, the question is that how can I realize to transmit audio between two computers? With best regards! Wei Jizhou Dec.5 __ Wei Jizhou Computer Science Department email: weijz@gdut.edu.cn Guangdong University of Technology URL: http://202.116.128.26/wjz/ GuangZhou,China (510090) phone:(86)+(20)+87766069-6553(Lab.) 
From firewalls-owner Thu Dec 5 04:40:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA18453 for firewalls-outgoing; Thu, 5 Dec 1996 04:18:20 -0800 (PST) Received: from gdut.edu.cn (ggdn.gdut.edu.cn [202.116.128.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA17850 for ; Thu, 5 Dec 1996 04:15:32 -0800 (PST) Received: from pentium.ggdn.gdut.edu.cn ([202.116.130.6]) by gdut.edu.cn (5.x/SMI-SVR4) id AA07861; Thu, 5 Dec 1996 20:13:48 +0800 Date: Thu, 5 Dec 1996 20:13:48 +0800 Message-Id: <9612051213.AA07861@ gdut.edu.cn> X-Sender: weijz@gdut.edu.cn (Unverified) X-Mailer: Windows Eudora Version 2.0.3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@greatcircle.com From: weijz@gdut.edu.cn (Wei Jizhou) Subject: Question? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I have some questions to ask for your help. I want to attend a video conferencing News Group, but I do not know its IP. Can you tell me that? And would you please tell me some good News Groups about computer science and their IPs? And I also have a question, the question is that how can I realize to transmit audio between two computers? With best regards! Wei Jizhou Dec.5 __ Wei Jizhou Computer Science Department email: weijz@gdut.edu.cn Guangdong University of Technology URL: http://202.116.128.26/wjz/ GuangZhou,China (510090) phone:(86)+(20)+87766069-6553(Lab.) 
From firewalls-owner Thu Dec 5 04:55:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA18717 for firewalls-outgoing; Thu, 5 Dec 1996 04:23:15 -0800 (PST) Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA18692 for ; Thu, 5 Dec 1996 04:22:57 -0800 (PST) Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id HAA02726; Thu, 5 Dec 1996 07:22:50 -0500 Date: Thu, 5 Dec 1996 07:22:50 -0500 (EST) From: Todd Graham Lewis To: Matthew Thompson cc: "'BVE'" , "'firewalls@greatcircle.com'" Subject: RE: Firewalls over NT vs. UNIX In-Reply-To: <96Dec5.090612nzdt.35726@kotuku.manukau.govt.nz> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 6 Dec 1996, Matthew Thompson wrote: > Can someone tell me where I get the source for HP-UX, AIX and Solaris 2, > and Borderware's modified BSDI Unix then? Bearing in mind I don't want to > sign any agreements of the type I'd have to sign to see the source for NT, > or pay any significant money, or do anything illegal? > > And no, I don't want source for Linux, I want source for the currently > shipping vendor versions of these OS's. I'd like to stay out of this, given that I've made my views on the topic clear in the past. However, I'll just note that, IMO, Linux and FreeBSD both make very acceptable firewalls. The IPFW packet filtering mechanism is simple and clean, and proxies are a breeze to set up as chroot'ed and as non-root. Plus, there's always IP Masquerading (and equivs) for NAT. Of course, you have to (gasp!) understand your needs exactly and build them yourself from well-known and -tested tools out there. You have to be able to solve your own problems when they arise. You have to understand enough about security to be able to pull it off. 
But isn't that the way it should be for all firewall administrators? $0.02 __ Todd Graham Lewis Linux! Core Engineering Mindspring Enterprises tlewis@mindspring.com (800) 719 4664, x2804 From firewalls-owner Thu Dec 5 06:00:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA25207 for firewalls-outgoing; Thu, 5 Dec 1996 05:55:09 -0800 (PST) Received: from scruz.net (nic.scruz.net [165.227.1.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA25188 for ; Thu, 5 Dec 1996 05:54:58 -0800 (PST) From: raf@ezunx.com Received: from histar2.csxt.csx.com by scruz.net (8.7.3/1.34) id FAA15595; Thu, 5 Dec 1996 05:54:59 -0800 (PST) Date: Thu, 5 Dec 96 08:52:54 PST Subject: network access through wall w/tokens To: firewalls@greatcircle.com X-PRIORITY: 3 (Normal) X-Mailer: Chameleon 4.6.3, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ok, I know someone will know this --- I remember some time ago, in a trade show, far far away, I came across an access-token vendor that had a product that was a little different than most. It uses light patterns on a screen and a special device to read them. Question -- Does anyone know of this product, and can it be used in conjunction with a fw to provide something like vpn access?? -rich o' |,=./ `o (o o) -----ooO--(_)--Ooo------- ** Remember -- If you can keep your head when all others around you are losing theirs... You're probably not paying attention! 
From firewalls-owner Thu Dec 5 06:33:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA26183 for firewalls-outgoing; Thu, 5 Dec 1996 06:09:14 -0800 (PST) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA26115 for ; Thu, 5 Dec 1996 06:08:43 -0800 (PST) Received: (qmail 24081 invoked from smtpd); 5 Dec 1996 14:08:42 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 5 Dec 1996 14:08:42 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA11447; Thu, 5 Dec 1996 08:08:42 -0600 Received: by sonic.nmti.com; id AA24426; Thu, 5 Dec 1996 08:08:33 -0600 From: peter@baileynm.com (Peter da Silva) Message-Id: <9612051408.AA24426@sonic.nmti.com.nmti.com> Subject: Re: Firewalls over NT vs. UNIX To: Russ.Cooper@RC.on.ca (Russ) Date: Thu, 5 Dec 1996 08:08:33 -0600 (CST) Cc: peter@baileynm.com, firewalls@GreatCircle.COM In-Reply-To: from "Russ" at Dec 4, 96 05:51:57 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >If you can feed a program enough data that it starts executing opcodes > >that you've fed it in a carefully constructed command line the > security > >game is lost unless the operating system can prevent that program > >from further compromising the system or opening further holes. > Assuming the process you've done your buffer overrun attack on is > running as SYSTEM (NT's equivalent to root). Not on a firewall. On a firewall it can run as any user and perform a SATAN style attack on hosts beyond the firewall. Whether it can subvert internal security on the firewall is less critical. 
But even there, the gaps Microsoft has created in NT security (bypassing traverse checking, for example, and the lax permissions you need on system directories) make a trojan horse attack (via the file system or the registry rather than the secured portions of the proxy, for example) quite credible. A similar attack in UNIX, from a chrooted environment, is orders of magnitude more difficult. > I hate to think all the other answers I gave you about this were > fake...;-]...but this isn't actually correct. It's not NT that isn't > built that way, it's the application it's running that might not be built > that way. NT is not just the kernel and subsystems, it's got to include the applications as well. Just as people consider sendmail holes to be a UNIX security problem, the configuration problems and problems in Microsoft applications and utilities are NT security problems. NT, as a system, has not been given the same overall attention to security as UNIX. And that's truly scary, because UNIX was not originally designed with high levels of security as a goal! > It should be remembered that NT is re-written by each of the different > processor groups from the HAL through the Kernel on up. Much of it > isn't, but it's all scrutinized by the programming teams for the Alpha, > PowerPC, and soon to be defunct MIPs vendors. These are not small teams > of programmers sitting waiting to be told what to do by Microsoft, nor > are they Microsoft employees. These people have a vested interest in > examining the code and do so with diligence. To say it doesn't get > scrutiny outside of Microsoft is a fallacy. I didn't say that. What I said is that *I* can not scrutinize the source. Whether some programmer subject to a nondisclosure agreement has seen it is utterly irrelevant to me: his study doesn't benefit me any more than a similar study by a Microsoft programmer... unless I'm already a criminal and am willing to coerce him into violating his NDA. 
That is, Microsoft's secrecy regarding their source, while completely understandable, does benefit the black hats by keeping most of the white hats away. Most especially, it keeps away the people who will perform the same sort of hostile reviews that have publicised AND CLOSED so many UNIX holes.

From firewalls-owner Thu Dec 5 06:42:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA27455 for firewalls-outgoing; Thu, 5 Dec 1996 06:26:44 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA27448 for ; Thu, 5 Dec 1996 06:26:33 -0800 (PST)
Received: (qmail 24151 invoked from smtpd); 5 Dec 1996 14:26:30 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 5 Dec 1996 14:26:30 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id IAA14787; Thu, 5 Dec 1996 08:26:29 -0600
Received: by sonic.nmti.com; id AA25253; Thu, 5 Dec 1996 08:26:20 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9612051426.AA25253@sonic.nmti.com.nmti.com>
Subject: Re: PIX and Gauntlet
To: jeromie@garrison.com (Jeromie Jackson)
Date: Thu, 5 Dec 1996 08:26:20 -0600 (CST)
Cc: tbernstein@sri.com, mike@ptes.com, avolio@tis.com, firewalls@greatcircle.com
In-Reply-To: <9612042227.AA01909@garrison.com.> from "Jeromie Jackson" at Dec 4, 96 04:27:53 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> The GUI is useful, however, many administrative type processes still
> require manual hacking. For example, if adding a generic proxy the users now
> have to go in and modify /usr/local/etc/mgmt/rc/* files.

If there is a good editor available, why is this a problem?

Novell administration requires manual editing of files now and then, but it seems to be quite within the grasp of PC network admin types.
Just because there's not a specific GUI editor that doesn't make it "too hard" for naive users.

(IMHO the biggest advantage of GUIs for administrative work is it lets your sales reps give impressive demonstrations. For systems bigger than a single workstation the fact that you're unable to do editing tasks that weren't explicitly programmed into the GUI is a big hindrance. For example, in NT's User Mangler... what if I want to just list the users with disabled accounts?)

((I gave up and added a (disabled) entry to the comment field))

From firewalls-owner Thu Dec 5 06:55:57 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA28913 for firewalls-outgoing; Thu, 5 Dec 1996 06:51:56 -0800 (PST)
Received: from www.cz (www.cz [193.165.192.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA28888 for ; Thu, 5 Dec 1996 06:51:40 -0800 (PST)
Received: by www.cz (940816.SGI.8.6.9/940406.SGI.AUTO) id PAA11224; Thu, 5 Dec 1996 15:51:52 -0100
From: pepa@www.cz (Josef Pojsl)
Message-Id: <199612051651.PAA11224@www.cz>
Subject: Re: rcp _out_ through firewall, how?
To: pladsen@pvv.ntnu.no (Jan Ivar Pladsen)
Date: Thu, 5 Dec 1996 15:51:48 -0100 (CET)
Cc: Firewalls@GreatCircle.COM, pladsen@pvv.ntnu.no
In-Reply-To: from "Jan Ivar Pladsen" at Dec 5, 96 10:17:28 am
X-Mailer: ELM [version 2.4 PL23-hack]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hello,

> We use rcp to transfer files _from_ our machine _to_ a distant host.
> Now we are going to install a firewall.
>
> *Can we still use rcp?
>
> *How do we configure the firewall?
>
> *Is it possible using the FWTK?
>
> Anyone capable of explaining to me what packets and ports rcp uses?
> References to literature are also very much appreciated.
>
> TIA
>
> Jan Ivar Pladsen

rcp uses BSD rsh (Remote SHell) for executing. It runs on the "shell" port, 514, and you can conveniently use it in Gauntlet (it comes with "rsh-gw").
However, I am not sure if this could be managed in FWTK.

Hope this helps.

Josef Pojsl
--
--------------------------------------------------------------------------
Josef Pojsl          e-mail: Josef.Pojsl@www.cz   http://www.cz
SkyNet, s.r.o.       Internet services provider
Kabatnikova 5        tel: +42 5 74 97 75, (749778, 749781, 749786, 748611)
602 00 Brno          fax: +42 5 74 97 52
Czech Republic

From firewalls-owner Thu Dec 5 07:45:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA28033 for firewalls-outgoing; Thu, 5 Dec 1996 06:38:58 -0800 (PST)
Received: from fiji.dna.com (fiji.dna.com [198.135.17.204]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA28015 for ; Thu, 5 Dec 1996 06:38:47 -0800 (PST)
From: jsluzewski@dna.com
Received: (uucp@localhost) by fiji.dna.com (8.6.9/8.6.5) id JAA20826 for ; Thu, 5 Dec 1996 09:38:14 -0500
Received: from dnanycsmtp.dna.com(198.135.16.205) by fiji.dna.com via smap (V1.3) id sma020823; Thu Dec 5 09:38:07 1996
Received: by dnanycsmtp.dna.com with Network-Courier id <32A6DE8A@dnanycsmtp.dna.com>; Thu, 05 Dec 96 09:39:06 EST
Subject: Secondary IP address
To:
Date: Thu, 05 Dec 96 09:39:00 EST
Message-ID: <32A6DE8A@dnanycsmtp.dna.com>
X-Mailer: Network Courier V2.1b
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have heard that it is possible to configure a secondary IP address on Solaris 2.5.1? If that's true, how can it be done? Thanks for any help.
jsluzewski@dna.com

From firewalls-owner Thu Dec 5 07:50:42 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA27520 for firewalls-outgoing; Thu, 5 Dec 1996 06:28:18 -0800 (PST)
Received: from calamari.Progressive-Systems.Com (calamari.Progressive-Systems.Com [206.236.37.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA27500 for ; Thu, 5 Dec 1996 06:27:57 -0800 (PST)
Received: from chumley (chumley.MorningStar.Com [137.175.48.100]) by calamari.Progressive-Systems.Com (8.7.5/8.7.3) with SMTP id JAA09443 for ; Thu, 5 Dec 1996 09:27:58 -0500 (EST)
Message-Id: <3.0.32.19961205092752.0090c4e0@calamari.morningstar.com>
X-Sender: ge@calamari.morningstar.com
X-Mailer: Windows Eudora Pro Version 3.0 Demo (32)
Date: Thu, 05 Dec 1996 09:27:56 -0500
To: Firewalls@GreatCircle.COM
From: Gé Weijers
Subject: Re: need firewall?
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jeff,

You might get away with a relatively simple solution to protect your network if you use IPX instead of IP to access files on the Netware systems. Just make sure your router does not pass IPX. This way no one can get at your servers _directly_, they have to go through a PC. A set of static filter rules in a router might be enough to prevent that from happening. You do need to understand the limitations of using a static packet filter for a firewall, though. Read Chapman and Zwicky's firewalls book before you spend money. It's called "Building Internet Firewalls", I think.

>SECURITY REQUIREMENT: something placed between our LAN and
>the connection to fiber that blocks external (from on-campus
>or elsewhere on the Internet) access to our LAN, to help
>protect confidential information on our file servers.

I don't think this security policy needs to be refined :-).
Do you need inbound access to your LAN for e-mail?

>QUESTIONS: Can a router, alone, provide reasonable (?!)
>protection? Is a PIX (or similar) firewall more
>appropriate/necessary? What kind of up-front cost range am I
>looking at for this barrier?

You won't get a straight answer to this question. It can be anything from, say, $1000 to $50,000. The $1000 solution is to buy a cheap but decent PC, a pair of network cards and a $20 Linux CD-ROM, and get somebody knowledgeable to configure it as a packet filtering router. The $50k solution is to hire a consultant and let them purchase the hardware.

Actually, if you only need outbound access to the Internet, Linux can be configured as a decent dynamic firewall using the 'masquerading' feature. The machines on your LAN won't be visible from the outside world; all the packets going out will have the Linux machine's address on them.

Ge'
_____________________________________________________________
Gé Weijers                      tel. +1(614)326 4600
Progressive Systems, Inc.
                                fax +1(614)326 4601
http://www.progressive-systems.com

From firewalls-owner Thu Dec 5 07:52:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA00175 for firewalls-outgoing; Thu, 5 Dec 1996 07:07:48 -0800 (PST)
Received: from nebula.online.ee (nebula.online.ee [194.106.96.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA00133 for ; Thu, 5 Dec 1996 07:07:12 -0800 (PST)
Received: from localhost (jk@localhost) by nebula.online.ee (8.8.3/8.8.3) with SMTP id RAA16409 for ; Thu, 5 Dec 1996 17:06:50 +0200 (EET)
Date: Thu, 5 Dec 1996 17:06:48 +0200 (EET)
From: Jyri Kaljundi
X-Sender: jk@nebula
To: Firewalls@GreatCircle.COM
Subject: Re: VPNs
In-Reply-To: <199612050900.BAA03960@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Dec 1996, Firewalls-Digest wrote:

> Date: Thu, 05 Dec 96 08:58:23
> From: israel.serrano@solmelia.es
> Subject: VPNs
>
> I've read a bunch of stuff about the VPNs and also some 'press release' about
> SunScreen device (I don't remember right now the name, something like s..-100)
> and Checkpoint's FW-1 VPN.
> IS anyone able to tell me some experiences with this kind of Nets?
> Which device suits best the VPN deployment, FW-1 or SunScreen? (I guess the
> latter)
> Are they really (REALLY) secure? (Technicians! Help!)

If you are located in Spain, you can get only the version of FW-1 with weak encryption algorithms. US export restrictions do not allow for real encryption to be exported from the US. I would suggest you have a look at F-Secure VPN software, made by Data Fellows in Finland (http://www.datafellows.fi/f-secure/), which is one of the few (if not the only) really strong VPN software products available in Europe (or Africa/Asia etc).
Juri Kaljundi
jk@stallion.ee

From firewalls-owner Thu Dec 5 07:59:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA28517 for firewalls-outgoing; Thu, 5 Dec 1996 06:44:36 -0800 (PST)
Received: from thewall.harding.edu (thewall.harding.edu [192.133.129.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA28454 for ; Thu, 5 Dec 1996 06:44:10 -0800 (PST)
Received: from piggy.harding.edu ([10.1.11.5]) by thewall.harding.edu via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 5 Dec 1996 14:47:17 UT
Received: from Harding.edu by Harding.edu (PMDF V5.0-7 #15469) id <01ICN8BMY2DCAKTJ7I@Harding.edu> for Firewalls@GreatCircle.COM; Thu, 05 Dec 1996 08:46:46 -0500 (CDT)
Date: Thu, 05 Dec 1996 08:46:46 -0500 (CDT)
From: Adrian Knight
Subject: Why would someone want an NT firewall?
To: Firewalls@GreatCircle.COM
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've read for over a year about the Unix vs NT messages. For what it's worth, here are the reasons why, after 6 months of research and training, our site specifically chose an NT firewall instead of a Unix firewall. (FYI, we're running Eagle NT by Raptor)

1) We only have 3 Unix computers on our campus. I manage one of them, and after two years still know very little about it. Yes, if I spent "enough time" on it I would probably be a Unix expert by now, but I don't want to spend that much time, nor do I have the option of spending that much time on it.

2) We don't want to hire a rocket scientist to manage our firewall. A message earlier referred to firewalls being "necessarily technical." That's bogus.
I think it's possible that a lot of people making money off of firewalls might want to keep them that way, but there are a lot of average people out there who want to AND CAN handle managing a firewall right along with the MANY other types of systems that are also included in our job responsibilities. In this age of computers, it is no longer valid to try to convince people that computers are just too complicated for the average person. I'm not a Microsoft Groupie or anything, but the reason their company is where they are today is that they realized that! Because our firewall is on an NT platform and has a good GUI, I can be gone for a couple of weeks and even my boss, a manager, can sit down and make changes to the firewall comfortably. Several other people in the computing department with the password could do the same if they had to. After two years, nobody else could sit down at my Solaris box and do anything except manage to shut things down.

3) At the time of my research a year ago, most mainstream firewalls ran on minicomputer-class machines like Sun Sparc, HPUX, AIX. For an educational site with good discounts, a platform like that ran around $15,000. We put our firewall on a well-endowed NT PC for $5,000. Hardware and software maintenance is also much cheaper.

There are many other reasons that I chose NT over Unix, but I'll leave it here.

Adrian Knight            | Network Manager
Harding University       | Internet: KNIGHT@HARDING.EDU
900 E. Center, Box 2264  | Phone: (501) 279-4440
Searcy, AR 72149-0001    |

From firewalls-owner Thu Dec 5 08:05:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA02298 for firewalls-outgoing; Thu, 5 Dec 1996 07:38:11 -0800 (PST)
Received: from dns.ottawa.net (dns.ottawa.net [205.211.4.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA02276 for ; Thu, 5 Dec 1996 07:37:55 -0800 (PST)
Received: from slip-ppp27.ottawa.net (slip-ppp27.ottawa.net [205.211.5.27]) by dns.ottawa.net (8.8.4/1.2) with SMTP id KAA03859; Thu, 5 Dec 1996 10:37:22 -0500 (EST)
Date: Thu, 5 Dec 1996 10:37:22 -0500 (EST)
Message-Id: <199612051537.KAA03859@dns.ottawa.net>
X-Sender: bjm@ottawa.net
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: raf@ezunx.com, firewalls@GreatCircle.COM
From: bjm@ottawa.com (Brian McIntosh)
Subject: Re: network access through wall w/tokens
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Rich,

The product you're thinking of is the AccessKey from Vasco Data Security Inc. It can be used in any situation where authentication is needed, including VPN access. Several commercial firewall vendors have integrated the AccessKey 'server' code in their products. Check out www.vdsi.com.

Regards,
Brian

At 08:52 AM 96/12/5 PST, raf@ezunx.com wrote:
>Ok, I know someone will know this ---
>
>I remember sometime ago, in a trade show, far far away, I came across
>an access-token vendor that had a product that was a little different
>than most. It uses light patterns on a screen and a special device to
>read them.
>
>Question -- Does anyone know of this product, and can it be used in
>conjunction with a fw to provide something like vpn access??
>
>-rich
>
>         o' |,=./ `o
>            (o o)
>    -----ooO--(_)--Ooo-------
>
>** Remember -- If you can keep your head when all others around
>   you are losing theirs...
>
>You're probably not paying attention!
>
>
========================================================
Brian J. McIntosh         UniSol Inc.
53 Courtney Road          Tel: 613 831 6373
Kanata, Ontario           Fax: 613 831 4739
Canada, K2L 1M1           Email: bjm@ottawa.net
========================================================

From firewalls-owner Thu Dec 5 08:45:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA04886 for firewalls-outgoing; Thu, 5 Dec 1996 08:14:58 -0800 (PST)
Received: from ayax.uniandes.edu.co (ayax.uniandes.edu.co [157.253.50.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA04819 for ; Thu, 5 Dec 1996 08:14:11 -0800 (PST)
Received: from odin.uniandes.edu.co by ayax.uniandes.edu.co (SMI-8.6/SMI-SVR4) id LAA15426; Thu, 5 Dec 1996 11:17:56 +0500
Received: from odin.uniandes.edu.co by odin.uniandes.edu.co; (5.65/1.1.8.2/04Feb96-0101AM) id AA23249; Thu, 5 Dec 1996 11:18:57 -0500
Message-Id: <32A6F5F0.15FB@uniandes.edu.co>
Date: Thu, 05 Dec 1996 11:18:56 -0500
From: Carlos Marlon Coral Ortiz
Organization: Universidad de los Andes
X-Mailer: Mozilla 3.0Gold (X11; I; OSF1 V3.0 alpha)
Mime-Version: 1.0
To: firewalls@GreatCircle.COM
Subject: Firewall performance???
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can anyone recommend to me good papers or readings about studies comparing firewall performance and the general impact on network performance? If possible, papers that speak about typical delay times (e.g. packet screening delays in ms)!!

--
Thank you!!
+--------------------------------------------------+
Carlos Marlon Coral Ortiz - Systems and Computing Engineer
Master's student, Systems and Computing (GI:HIDRA)
Computing Center, Systems Department (MiniMOX)
H.Page: http://odin.uniandes.edu.co/marlon.html
Tel: 2869211 ext. 2847
Uniandes (Bogota - Colombia)
+--------------------------------------------------+

From firewalls-owner Thu Dec 5 08:56:01 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA05095 for firewalls-outgoing; Thu, 5 Dec 1996 08:23:05 -0800 (PST)
Received: from cypress.cycon.com (cypress.CYCON.COM [204.5.16.32]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA05080 for ; Thu, 5 Dec 1996 08:22:51 -0800 (PST)
Received: from localhost (carlson@localhost) by cypress.cycon.com (8.7.5/8.7.3) with SMTP id LAA27583; Thu, 5 Dec 1996 11:31:19 -0500
Date: Thu, 5 Dec 1996 11:30:52 -0500 (EST)
From: Chris Carlson
To: raf@ezunx.com
cc: firewalls@GreatCircle.COM
Subject: Re: network access through wall w/tokens
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

VASCO Data Security (http://www.vasco.com) makes a product called AccessKey II that uses a Java app to receive light pulses for authentication.

Chris

P.S. I have no affiliation with VASCO.

--
---------------------------------------------------------------------
Chris Carlson                        http://www.cycon.com
CYCON Technologies                   info@cycon.com
carlson@cycon.com                    (703) 383-0247
CYCON Labyrinth Firewall - Stateful Inspection & Address Translation
---------------------------------------------------------------------

On Thu, 5 Dec 1996 raf@ezunx.com wrote:

> Ok, I know someone will know this ---
>
> I remember sometime ago, in a trade show, far far away, I came across
> an access-token vendor that had a product that was a little different
> than most. It uses light patterns on a screen and a special device to
> read them.
>
> Question -- Does anyone know of this product, and can it be used in
> conjunction with a fw to provide something like vpn access??
>
> -rich
>
>          o' |,=./ `o
>             (o o)
>     -----ooO--(_)--Ooo-------
>
> ** Remember -- If you can keep your head when all others around
>    you are losing theirs...
>
> You're probably not paying attention!
>

From firewalls-owner Thu Dec 5 08:59:11 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA04719 for firewalls-outgoing; Thu, 5 Dec 1996 08:12:14 -0800 (PST)
Received: from gw.garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA04682 for ; Thu, 5 Dec 1996 08:11:49 -0800 (PST)
Received: by gw.garrison.com; id EAA05217; Thu, 5 Dec 1996 04:05:46 -0600 (CST)
Received: from ukn0.garrison.com(10.0.0.2) by gw.garrison.com via smap (3.2) id xma005211; Thu, 5 Dec 96 04:05:20 -0600
Received: by garrison.com. (4.1/Surrogate Sendmail hack) id AA03136; Thu, 5 Dec 96 10:06:31 CST
Date: Thu, 5 Dec 96 10:06:31 CST
From: jeromie@garrison.com (Jeromie Jackson)
Message-Id: <9612051606.AA03136@garrison.com.>
To: peter@baileynm.com
Subject: Re: PIX and Gauntlet
Cc: tbernstein@sri.com, mike@ptes.com, avolio@tis.com, firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > The GUI is useful, however, many administrative type processes still
> > require manual hacking. For example, if adding a generic proxy the users now
> > have to go in and modify /usr/local/etc/mgmt/rc/* files.
>
> If there is a good editor available, why is this a problem?
>
> Novell administration requires manual editing of files now and then, but it
> seems to be quite within the grasp of PC network admin types. Just because
> there's not a specific GUI editor that doesn't make it "too hard" for naive
> users.
>

I would agree, I actually like Gauntlet quite a bit. Although I would have to say that the documentation on how to write policy for the firewall is quite limited.
The syntax information is contained in the back of the manual, although no real good discussion/documentation is written on netperm-table hacks. I would however have to say that TIS has done better work on the docs this time (3.2) than on previously released manuals.

Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

> (IMHO the biggest advantage of GUIs for administrative work is it lets your
> sales reps give impressive demonstrations. For systems bigger than a single
> workstation the fact that you're unable to do editing tasks that weren't
> explicitly programmed into the GUI is a big hindrance. For example, in NT's
> User Mangler... what if I want to just list the users with disabled accounts?)
>
> ((I gave up and added a (disabled) entry to the comment field))
>

One advantage I see in GUIs is integrity. If you have used Gauntlet much, you are probably aware of the several syntactical problems that were in the previous manuals, making modification of policy quite difficult. If a GUI were present to implement these tasks, the user community would not have had these problems, & TIS support would not have received as many calls.

From firewalls-owner Thu Dec 5 09:25:54 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA07987 for firewalls-outgoing; Thu, 5 Dec 1996 09:07:56 -0800 (PST)
Received: from Arbitrade.COM (iafsrv.arbitrade.com [204.242.156.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA07649 for ; Thu, 5 Dec 1996 09:05:43 -0800 (PST)
Received: from andrews.Arbitrade.COM (andrews.arbitrade.com [204.242.156.137]) by Arbitrade.COM (8.7.5/8.6.9) with ESMTP id LAA07906; Thu, 5 Dec 1996 11:09:35 -0600 (CST)
Received: (from andrew@localhost) by andrews.Arbitrade.COM (SMI-8.6/8.6.9) id LAA13850; Thu, 5 Dec 1996 11:02:36 -0600
From: "Andrew A. Benson"
Message-Id: <199612051702.LAA13850@andrews.Arbitrade.COM>
Subject: Re: Secondary IP address
To: jsluzewski@dna.com
Date: Thu, 5 Dec 1996 11:02:35 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <32A6DE8A@dnanycsmtp.dna.com> from "jsluzewski@dna.com" at Dec 5, 96 09:39:00 am
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I have heard that it is possible to configure a secondary IP address on Solaris
> 2.5.1?
> If that's true, how can it be done?
> Thanks for any help.

Sure.

    ifconfig le0:1 aaa.bbb.ccc.ddd netmask eee.fff.ggg.hhh up

Replace le0 with whatever your interface is called. You'll have to put the command in an rc file so it happens automatically, of course.

> jsluzewski@dna.com

Andrew

From firewalls-owner Thu Dec 5 10:34:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA08956 for firewalls-outgoing; Thu, 5 Dec 1996 09:16:36 -0800 (PST)
Received: from hunter.pomona.edu (hunter.pomona.edu [134.173.64.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA08907 for ; Thu, 5 Dec 1996 09:16:15 -0800 (PST)
Received: from POMADM.POMONA.EDU by HUNTER.POMONA.EDU (PMDF V5.0-7 #18014) id <01ICN9A3MNY80005V7@HUNTER.POMONA.EDU>; Thu, 05 Dec 1996 09:15:18 -0700 (PDT)
Received: from POMADM.POMONA.EDU by POMADM.POMONA.EDU (PMDF V5.0-6 #18021) id <01ICN94VD40O000125@POMADM.POMONA.EDU>; Thu, 05 Dec 1996 09:10:20 -0700 (PDT)
Date: Thu, 05 Dec 1996 09:10:20 -0700 (PDT)
From: "Dr. Stephan L. Moss"
Subject: Re: .edu w/ firewalls
In-reply-to:
To: Sameer R Manek
Cc: Paonia Ezrine , firewalls@GreatCircle.COM
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Content-transfer-encoding: 7BIT
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think Sameer is right, the greatest threat is already on campus.
In addition to our own clever students, the science and engineering school up the street is full of bright, talented kids quite capable of hacking a system. Our network places all of the administrative machines (servers, main computer, PCs) on one side of the firewall and the rest of the campus and the other schools on the other side.

!
! Dr. Stephan L. Moss           stevem@pomadm.pomona.edu
!
! Administrative Computing      Pomona College
! Claremont, CA 91711
! (909) 607-1734

From firewalls-owner Thu Dec 5 11:04:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA05334 for firewalls-outgoing; Thu, 5 Dec 1996 08:28:37 -0800 (PST)
Received: from gw.garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA05320 for ; Thu, 5 Dec 1996 08:28:21 -0800 (PST)
Received: by gw.garrison.com; id EAA05255; Thu, 5 Dec 1996 04:22:15 -0600 (CST)
Received: from ukn0.garrison.com(10.0.0.2) by gw.garrison.com via smap (3.2) id xma005250; Thu, 5 Dec 96 04:21:48 -0600
Received: by garrison.com. (4.1/Surrogate Sendmail hack) id AA03141; Thu, 5 Dec 96 10:23:02 CST
Date: Thu, 5 Dec 96 10:23:02 CST
From: jeromie@garrison.com (Jeromie Jackson)
Message-Id: <9612051623.AA03141@garrison.com.>
To: firewalls@GreatCircle.COM, Ryan.Russell@sybase.com
Subject: Re: Cisco's PIX Firewall
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Fair warning: Probably most readers of this
> list know by now that I favor the PIX/Firewall-1/SPF/NAT
> type solutions..though I am just a user. I have no
> stake in Cisco or Checkpoint.
>
> The case you mentioned below about the mail server..
> Yes, out of the box, you are reliant totally on the built-in
> security of the mail server, so keep up on your sendmail
> hole-of-the-week. In most cases, for FW-1 or PIX, for servers,
> you need to rely on the host security of the server for the
> ports you are "publishing."
> PIX and FW-1 will block all
> the other ports, same as router ACLs.
>

Food for thought for people like Cisco/FW1... If you were to just make a Mail Transport Agent for the hub, and provide it along with the product, people like me could not bitch, and you could say you covered the bases. I did note in one of the earlier posts from Cisco that they are indeed working on it.

> However, I did say out of the box... Apparently PIX and FW-1
> can go "deeper" into the connection if need be.. they can
> deal with protocols that embed the addresses in the data field,
> like FTP. FW-1 has add-ons that will do things like virus
> scanning, stripping out java and active-x code, content
> censoring etc.. So they *can* do the equivalent of an
> application proxy..if you ask them to. But, basically by default
> it will do the lowest level filtering that it has to for speed reasons.
> Also, you don't get things like a log of URLs (by default) like
> you can easily do with a traditional proxy.

Hmm, I would be interested in comparing audit data to see where, if anywhere, data is lacking between the 2 technologies.

> So, back to the mail question, it doesn't check for evil
> things in the connection stream, but it could. I think this
> is the complaint that most of the people who prefer
> proxy-like things have... that PIX and FW-1 don't
> assume they have to do a full-blown proxy for
> most connection types. A full proxy that
> assumes the worst should be more secure than
> a PIX or FW-1 that assumes the least, if you consider
> one connection only.
>
> In my case, I prefer FW-1, because I allow a whole
> lot of protocols out..and one cohesive solution
> makes better security sense than the equivalent
> number of proxies. If I was doing just HTTP, a proxy
> would make better sense..but it would be hard to convince
> me that a whole bank of different proxies in parallel would
> have fewer security holes than the FW-1.
>
> Sorry to babble on...this SPF vs. Proxy issue comes up a lot.
> Should we write a FAQ, perhaps debate style, that deals
> with the issue?
>

Hmm, that is a great idea.. We should put one together, and toss it around the list until it is made clear.

Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

> Ryan
> ---------- Previous Message ----------
> To: firewalls, dochin
> cc: lazar, mhoward, froys, jlw, afoss, amittal
> From: jeromie @ garrison.com (Jeromie Jackson) @ smtp
> Date: 12/04/96 11:55:22 AM
> Subject: Re: Cisco's PIX Firewall
>
> > To clarify the PIX Firewall, it is not a packet filter. It is a dedicated
> > security device, built with one purpose in mind -- securing the private LAN
> > to the Internet.
> >
>
> Hmm, from what I've seen, it certainly does qualify as an IP filtering
> device. It bases its ACLs on header information, namely src,port,dst,port,flags.
> It obviously is not an application level gateway, therefore you may be competing
> with TIS/Raptor for market share, although it is quite different technology.
> It appears to be a packet filtering device that has NAT capabilities...
>
> > We are in fact directly in competition with Checkpoint, Raptor, TIS, etc.
> > The "cut-through proxy" feature provides a significant performance
> > enhancement to the security function since users are authenticated at the
> > application layer. Once authenticated, the process flow shifts back to the
> > network layer which provides the high performance.
>
> I would have to agree that most likely there is a performance
> enhancement by using PIX instead of an application level gateway. My question
> would be, if the PIX product is a firewall, how is it securing the
> sendmail/mail transport agent for the customers? When mail comes inbound,
> it has to speak to something.. Since PIX does not have an MTA itself, obviously
> another box is required. If this is so, the level of security of the MTA is
> crucial... This seems to be a bad thing.
>
> Also, using something like PIX, are there features that allow filtering
> of data such as email-content, or java/javascript? What about time based
> access control? Or what about data reduction utilities to utilize the syslog
> information that I would assume the PIX can provide...?
>
> Jeromie Jackson
> Garrison Technologies
> jeromie@garrison.com
>
>
>

From firewalls-owner Thu Dec 5 11:34:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA15524 for firewalls-outgoing; Thu, 5 Dec 1996 10:31:38 -0800 (PST)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA15508 for ; Thu, 5 Dec 1996 10:31:19 -0800 (PST)
Received: from sapa.inka.de(really [193.197.84.6]) by mail.ka.inka.de via smail with smtp (ident root using rfc1413) id for ; Thu, 5 Dec 1996 19:30:31 +0100 (MET) (Smail-3.2 1996-Jul-4 #3 built 1996-Oct-28)
Received: from uu.inka.de ([193.197.84.8]) by sapa.inka.de with smtp (S3.1.29.1) id ; Thu, 5 Dec 96 19:31 MET
Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Thu, 5 Dec 96 19:31 MET
Received: by lina id m0vViGT-0004inC (Debian Smail-3.2 1996-Jul-4 #2); Thu, 5 Dec 1996 19:11:17 +0100 (MET)
Message-Id:
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: VPNs
To: israel.serrano@solmelia.es
Date: Thu, 5 Dec 1996 19:11:15 +0100 (MET)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <9612050815.AA13146@sunrise> from "israel.serrano@solmelia.es" at Dec 5, 96 08:58:23 am
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

> My concern, right now, consists basically in the possibility to set up Virtual
> Private Networks in order to reduce the high costs of maintaining a leased
> line
> with some of our international offices (US and Singapore, basically) The
> problem
>
> we face is the chance to expose confidential information to the Internet

And expose yourself to attacks from the Internet, yes.

> Which device suits best the VPN deployment, FW-1 or SunScreen? (I guess the
> latter)
> Are they really (REALLY) secure? (Technicians! Help!)

There are quite a few more VPN solutions. The main question is: which data are you going to transfer how often, and which firewall solution do u have? Which know-how do u have to maintain one, and how much money do you want to spend?

You might consider using alternative transports like: PGP encrypted mail attachments or ssh's scp, an SSLed WWW server or ssl-ftp. Those are much cheaper and their security is IMHO often better than the usual on-the-fly IP packet encryption.

If other people are interested: there is a small kernel and userspace solution for Linux for encrypted IP tunnels (IDEA based). It's a design study but works well for small bandwidth. It's called CIPE and can be obtained from Olaf Titz at . I know the author would like to receive some discussion of his basic design. For now you have to grab the tar archive; an info page will follow.

Greetings
Bernd

-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )     ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o      *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)    If privacy is outlawed only Outlaws have privacy

From firewalls-owner Thu Dec 5 11:34:48 1996
From: Bevan Thomson
To: "'firewalls@GreatCircle.COM'"
Subject: RE: Firewall performance???
Date: Fri, 6 Dec 1996 07:20:13 +1300

This is one place that doesn't seem too bad at a glance.

http://www.crpht.lu/CNS/html/PubServ/Security/Documents/Data_Comm/Firewalls.html

(Even the performance is really only just one graph)

>----------
>From: Carlos Marlon Coral Ortiz[SMTP:c-coral@uniandes.edu.co]
>Sent: Friday, 6 December 1996 05:18
>To: firewalls@GreatCircle.COM
>Subject: Firewall performance???
>
>Can anyone recommend me good papers or readings about studies comparing
>the firewall performance and the general impact on network performance.
>If it is possible that those papers speak about typical delay times
>(e.g. packet screening delays in msec)!!
>--
>Thank you!!
>+--------------------------------------------------+
>Carlos Marlon Coral Ortiz - Systems and Computing Engineer
>Master's student, Systems and Computing (GI:HIDRA)
>Computing Center, Systems Department (MiniMOX)
>H.Page: http://odin.uniandes.edu.co/marlon.html
>Tel: 2869211 ext. 2847 Uniandes (Bogota - Colombia)
>+--------------------------------------------------+
>

From firewalls-owner Thu Dec 5 11:34:44 1996
Date: Thu, 05 Dec 1996 13:44:17 -0500
From: Frederick M Avolio
To: Terry Bernstein, peter@baileynm.com (Peter da Silva)
Subject: Re: PIX and Gauntlet
Cc: jeromie@garrison.com (Jeromie Jackson), mike@ptes.com, firewalls@greatcircle.com

At 10:05 AM 12/5/96 -0800, Terry Bernstein wrote:
>Also, I believe that if you have multiple TIS firewalls, you'll need to
>move these files between machines and manually reconfigure them. If that
>is the case, then this introduces yet another place for a possible
>misconfiguration.

This is probably getting too TIS centric now (not that I mind), but we give you the ability to configure and then remotely load other Gauntlet firewalls.

f

From firewalls-owner Thu Dec 5 11:35:20 1996
Date: Thu, 5 Dec 1996 12:22:25 -0600
From: mdb@dosmanos.cwiz.com (Martin D. Baldenegro)
To: jsluzewski@dna.com
Subject: Re: Secondary IP address
Cc: firewalls@GreatCircle.com

Are you asking about configuring a secondary IP address on the same physical network card? That would be configuring for virtual networks. An example would be to have two IP addresses on, say, the same Ethernet interface, like 198.164.2.100 and 192.194.3.100. You would do the following, as described in the man pages:

    ifconfig le1 plumb

Once a physical interface has been "plumbed", additional local interfaces can be configured by simply naming them in subsequent ifconfig commands. Logical interfaces do not need to be "plumbed". Simply mentioning their name in an ifconfig command is sufficient. For example, the commands:

    ifconfig le1 198.164.2.100
    ifconfig le1:1 192.194.3.100

will allocate a logical interface associated with the physical interface le0.
A logical interface can be configured with parameters (address, netmask, etc.) different from the physical interface that it is associated with. And logical interfaces that are associated with the same physical interface can be given different parameters as well. Each logical interface must be associated with a physical interface. So, for example, the logical interface le0:1 can only be configured after the physical interface le0 has been plumbed.

Hope this helps,

Martin
" Been there, Done it, got a T-shirt "

----- Begin Included Message -----

From jsluzewski@dna.com Thu Dec 5 10:58:32 1996
From: jsluzewski@dna.com
Subject: Secondary IP address
To:
Date: Thu, 05 Dec 96 09:39:00 EST

I have heard that it is possible to configure a secondary IP address on Solaris 2.5.1? If that's true, how can it be done?

Thanks for any help.

jsluzewski@dna.com

----- End Included Message -----

From firewalls-owner Thu Dec 5 12:04:48 1996
Date: Thu, 5 Dec 96 10:01:00 CST
From: jeromie@garrison.com (Jeromie Jackson)
To: ahuger@secnet.com, jlw@cisco.com
Subject: Re: Cisco's PIX Firewall
Cc: firewalls@GreatCircle.COM, dochin@cisco.com, mhoward@cisco.com, lazar@netevolve.com, froys@cisco.com, afoss@cisco.com, amittal@cisco.com

> To all:
>
> Please use caution when reading the following to avoid confusion.
> I posted the original statement of "opens up UDP ports 7648 and 7649
> BLINDLY to all traffic including attacks" criticizing packet filtering routers.
> I also contrasted it with the PIX's adaptive security.
>
> I hope readers do not mistake this stateless opening of
> UDP ports for what the PIX does.
>
> As of today, the current official release of PIX still does not have
> Java filtering or any SMAPd type of mail wrappers. But that does not
> prevent it from being a stateful firewall capable of thwarting
> spoofing and hijacking.
>
> Going against IP spoofing, the PIX has cut-through proxies authenticating
> inbound sessions from trusted hosts to selected internal hosts.
> This is user-based authentication. It also randomizes TCP sequence numbers
> to further minimize the chance of a successful spoofing.
>
> A packet filtering router exposes internal hosts and is not protocol aware.
> To allow ftp clients inside going out you basically have to open up
> TCP SRC=20 and DST gt 1023 for everyone in the whole world.

Agreed

> The PIX makes an inside network totally invisible to the outside and
> only reveals certain IP addresses to the destination host when connections
> go outbound and only allows the requested data coming in.
>
> With due respect, I challenge Mr. Jackson's point saying:
>
> >> > As far as being
> >> > 'spoof proof', that is just not correct.
> >> > If you are talking to '1.2.3.4', I
> >> > can send you a packet appearing as though it is originating from '1.2.3.4'
>
> In the case where the client starts a connection from SRC port 2345
> to 1.2.3.4's port 80 to get a webpage and then ends the connection,
> the PIX immediately closes the connection object after that, and even if the
> hacker succeeds in impersonating 1.2.3.4 (the dest. host) and tries to come in via
> SRC=80 dest=2345 with the ACK bit set, the PIX will not let the packets come
> through.
> (Interested PIX owners can try it themselves)
>

Ok.. Here's the scenario where you cannot stop the spoof. It is not because of a flaw in the firewall, but a flaw in IPv4...

1) External user requests an inbound telnet connection.
2) User gets authenticated.
3) User reaches the destination & logs in.
4) Hacker finds out what sequence number is being used.
5) Hacker sends RSTs to the real user, thus causing his session to close.
6) Hacker continues sending packets to the internal machine, incrementing the sequence number as necessary.

This is obviously a scenario of hijacking. Your box cannot stop it. Thus, saying it is 'spoof proof' is just _NOT_ correct.

Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

> -Johnson
>
> At 10:35 PM 12/4/96 CST, Jeromie Jackson wrote:
> >> On Wed, 4 Dec 1996, Jeromie Jackson wrote:
> >>
> >> > >
> >> > > This opens up UDP ports 7648 and 7649 BLINDLY to all traffic including
> >> > > attacks. Also there's that infamous estab statement where someone who
> >> > > knows how to doctor the ACK bit can inject TCP packets into the customers'
> >> > > net.
> >> >
> >> > Hmm, That certainly looks like packet filtering to me.
>
> Yes you are right. It was my example of a packet filter, not the PIX.
>
> >> > Based on header
> >> > information, you are making decisions about packet flow. As far as being
> >> > 'spoof proof', that is just not correct.
> >> > If you are talking to '1.2.3.4', I
> >> > can send you a packet appearing as though it is originating from '1.2.3.4',
> >> > you would believe me, because there is no authentication built into IPv4.
> >> > I would agree that the filtering mentioned above is better than that done w/ a
> >> > standard IP filtering device, although because decisions are being made on
> >> > objects that are not authenticated (header information), ACL's can, and will be
> >> > vulnerable to spoofing/hijacking.
> >> >
> >>
> >Ahuger@secnet.com wrote:
> >
> >> ACL's being vulnerable to spoofing/hijacking..... I am not sure if I am
> >> reading you clear on this, but what I think I see you saying is that you
> >> can still spoof Source IP addresses to a Cisco PIX firewall. Also you
> >> state, trusted connections to the firewall can be hijacked. If this is
> >> what you are saying, my reply would be such.
> >>
> >> You're correct in saying IPv4 has no built in authentication; the only thing
> >> in IPv4 related to security is the Security Field (which denotes how
> >> classified a datagram is). This being said, anyone, anywhere can slap
> >> any Source Address on a packet and fire it off their wire. *No* Firewall
> >> can protect you from this. Cisco PIX or otherwise. If you need to speak to
> >> the outside world (which if you have a Firewall I assume you do) then you
> >> are subject to packets with questionable Source Addresses. I don't see
> >> this as a real weakness of any given Firewall, just shortcomings of IPv4.
> >>
> >
> > Agreed. I brought this up to show the inherent weakness in ACLs.
> >Obviously both mechanisms, IP filtering devices and application level
> >gateways, are vulnerable to such data.
> >An IP filtering device uses this as its primary
> >access control mechanism though, whereas an application level gateway would
> >also implement things to force RFC conformance of the protocols, most likely
> >have data reduction tools, and be able to address issues such as the Mail
> >Transport Agent problems. App. gateways also have the capability to do things
> >such as Java/JavaScript filtering, Mail filtering, whereas strictly IP filtering
> >mechanisms do not have such capabilities.
> >
> >> As to streams of data (TCP presumably) being open to hijacking. That again
> >> is another problem which cannot really be addressed by a Firewall itself.
> >> If an attacker has breached a host whom your firewall allows *unencrypted*
> >> or even *encrypted* connections from, you're had. And it's not your
> >> Firewall's fault.
> >>
> >> Both of these issues are policy issues. Both require a Firewall Admin to
> >> ask himself how much of the outside world he/she trusts. In the case of
> >> spoofable addresses, Admins must realize that not all packets coming in
> >> off the net are really coming from where they say they are. In respect
> >> to TCP hijacking, an Admin has to ask him/herself if they want to allow
> >> TCP connections through their firewall.
> >>
> >
> > Agreed.
> >
> >
> >Jeromie Jackson
> >Garrison Technologies
> >jeromie@garrison.com
>
> Johnson L. Wu
> Cisco Systems
> 2464 Embarcadero Way
> 415/842-2114 voice
> 415/843-1111 fax
> jlw@cisco.com
> so long: johnson@translation.com
> private: johnson@snoopy.ORG
>

From firewalls-owner Thu Dec 5 12:15:41 1996
Date: Thu, 5 Dec 1996 11:50:24 -0800
From: "John L. Hamilton"
To: "firewalls@GreatCircle.COM"
Subject: Get me off of this list!!!!!!!

I sent the message to majordomo and got verification that I was removed but I'm still receiving posts.
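Returning to the PIX thread above: the packet-filter mistakes Johnson Wu lists (UDP ports 7648/7649 opened blindly, the "established" statement that a doctored ACK bit gets past, the TCP source-port-20 to "gt 1023" hole needed for FTP), together with Terry Bernstein's remark later in this archive that most of the Cisco ACLs she has reviewed contained at least one error, are the kind of thing a review script can catch before the list goes on a router. The following linter is an added example, not code from any post here; it handles only the numbered extended access-list syntax the thread uses, and the sample ACL and its 10.1.0.0/16 inside network are constructed.

```python
"""Lint classic Cisco IOS numbered extended access-list lines for the stateless
packet-filter weaknesses raised in the PIX thread.  Added example, not code from
any post in this archive.  Syntax handled (the subset the thread uses):
  access-list N permit|deny PROTO SRC [OP PORT] DST [OP PORT] [established] [log]
where SRC/DST is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
import ipaddress
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> arg count


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # Cisco wildcard masks are inverted netmasks: 0 bits must match.
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    try:
        return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)
    except ValueError:
        return ANY  # non-contiguous wildcard: treat as matching everything


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec starting at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return _wildcard_to_network(t[i], t[i + 1]), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[str], int]:
    # Consume an optional port operator such as 'eq 80' or 'range 1 1023'.
    if i < len(t) and t[i] in PORT_OPS:
        n = PORT_OPS[t[i]]
        return " ".join(t[i:i + 1 + n]), i + 1 + n
    return None, i


def parse_entry(line: str) -> Optional[Dict]:
    """Return the fields of one access-list line, or None if it is not one."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    try:
        e: Dict = {"action": t[2], "proto": t[3].lower(), "raw": line}
        i = 4
        e["src"], i = _parse_addr(t, i)
        e["src_port"], i = _parse_port(t, i)
        e["dst"], i = _parse_addr(t, i)
        e["dst_port"], i = _parse_port(t, i)
        e["established"] = "established" in t[i:]
    except (IndexError, ValueError):
        return None
    return e


def lint_entry(e: Dict) -> List[str]:
    """Findings for one permit entry; each mirrors a point made in the thread."""
    f: List[str] = []
    if e["action"] != "permit":
        return f
    if e["established"]:
        f.append("stateless 'established' match: any segment with ACK or RST set passes, so a doctored ACK bit injects packets")
    if e["proto"] == "udp" and e["dst_port"] and e["src"] == ANY:
        f.append(f"UDP {e['dst_port']} opened blindly to every source; no state is kept")
    if e["proto"] == "tcp" and e["src_port"] == "eq 20" and e["dst_port"] and e["dst_port"].startswith("gt"):
        f.append("FTP-data hole: anyone claiming source port 20 reaches inside high ports")
    if e["src"] == ANY and e["dst"] == ANY and not e["dst_port"]:
        f.append("permit from any to any with no port restriction")
    return f


def lint(acl_text: str) -> List[Tuple[str, List[str]]]:
    """Lint every line; entries after a 'permit ip any any' are flagged unreachable."""
    results: List[Tuple[str, List[str]]] = []
    shadowed_by = None
    for line in acl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        e = parse_entry(line)
        if e is None:
            results.append((line, ["could not parse entry"]))
            continue
        findings = lint_entry(e)
        if shadowed_by is not None:
            findings.append(f"unreachable: shadowed by earlier '{shadowed_by}'")
        elif e["action"] == "permit" and e["proto"] == "ip" and e["src"] == ANY and e["dst"] == ANY:
            shadowed_by = line
        results.append((line, findings))
    return results


# Constructed sample ACL (not any real router's configuration); 10.1.0.0/16 is the
# assumed inside network, and each line mirrors a mistake the thread talks about.
SAMPLE_ACL = """\
access-list 101 permit tcp any 10.1.0.0 0.0.255.255 established
access-list 101 permit udp any host 10.1.1.5 eq 7648
access-list 101 permit udp any host 10.1.1.5 eq 7649
access-list 101 permit tcp any eq 20 10.1.0.0 0.0.255.255 gt 1023
access-list 101 permit tcp any host 10.1.1.25 eq 25
access-list 101 permit ip any any
access-list 101 deny ip any any log
"""

if __name__ == "__main__":
    for raw, findings in lint(SAMPLE_ACL):
        print(raw, *("\n   ! " + m for m in findings))
```

Only the SMTP line (tcp from any to one host, port 25) passes clean; the final deny is reported as unreachable because the preceding permit ip any any already matches everything.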
From firewalls-owner Thu Dec 5 12:34:45 1996
Date: Thu, 5 Dec 1996 15:10:49 -0500
To: firewalls@greatcircle.com
Subject: Test ! please delete
From: shishir@ftp.com

From firewalls-owner Thu Dec 5 12:40:15 1996
Date: Thu, 5 Dec 1996 13:30:30 -0500 (EST)
From: Rabid Wombat
To: Michael Dillon
cc: Great Circle Firewall Mailing List
Subject: Re: IRINA is a Hoax

Yup - sites I'm at get "infected" with "good times" about once a month. It only infects carbon-based systems - end-lusers. They ignore all security procedures and forward copies of the warning to everyone except the designated point of contact for computer security incidents. This behavior is best stopped by killing a few end-lusers, which forces the virus into remission for about 30 days.

-r.w.

On Wed, 4 Dec 1996, Michael Dillon wrote:

> On Wed, 4 Dec 1996, Gilbert Soueidy wrote:
>
> > Hi folks;
> > Irina seems to be a Hoax; look at what issue 85 of
> > the computer underground digest says;
>
> > The "Irina" virus warnings are a hoax.
>
> Leave it to the techno-wizards to come up with an idiotic statement like
> this. The most effective viruses ever created are the Good Times virus and
> its variations such as Deeyenda and Irina. These viruses have propagated
> to more systems and people than any other, bypassing just about every
> existing virus safeguard.
>
> Obviously these viruses are not the same sort of organism as the
> Pakistani Brain virus or Michaelangelo but they are certainly not
> hoaxes.
>
> It is widely understood that social engineering is the most effective way
> to penetrate secure computer networks. We should not be surprised that
> viruses based on these techniques are so effective.
>
>
> Michael Dillon - Internet & ISP Consulting
> Memra Software Inc.
> - Fax: +1-604-546-3049
> http://www.memra.com - E-mail: michael@memra.com
>

From firewalls-owner Thu Dec 5 12:45:00 1996
Date: Thu, 5 Dec 1996 15:00:04 -0500
From: gary flynn
To: Firewalls@GreatCircle.COM, firewalls-owner@GreatCircle.COM
Subject: Re: Why would someone want an NT firewall?
Cc: gary@habanero.jmu.edu

> From: Adrian Knight
> Subject: Why would someone want an NT firewall?
>
> 2) We don't want to hire a rocket scientist to manage our firewall. A
> message earlier referred to firewalls being "necessarily technical."
> That's bogus. I think it's possible that a lot of people making money off
> of firewalls might want to keep them that way, but there are a lot of
> average people out there who want to AND CAN handle managing a firewall
> right along with the MANY other types of systems that are also included in
> our job responsibilities. In this age of computers, it is no longer valid
> to try to convince people that computers are just too complicated for the
> average person. I'm not a Microsoft Groupie or anything, but the reason
> their company is where they are today is that they realized that!

I believe that the industry's efforts to make computers appear that anyone can operate them have resulted in our present support and security nightmare. Computers are not toasters no matter how many GUIs you lay on top of them. I don't believe it possible to put enough artificial intelligence on a mass-produced, end user administered machine to make it either secure or easily supported in today's environment, where the latest applications are downloaded from the Internet at the user's discretion, multivendor hardware and software components are constantly mixed, matched, and updated, and ten or more layers of drivers, protocols, clients, and applications "coexist", each with their own idiosyncrasies, bugs, and versions.

Windows and particularly Macintosh machines are absolutely wonderful at making a user friendly DESKTOP environment. But today's PC is no longer a "personal computer". It is a portal into a much larger networked information system. That larger system is getting more complex, layered, and interactive day by day. The security ramifications of that architecture are not easily reduced to a point and click paradigm, nor is that type of interface easily kept current with new applications and problems.

> Because our firewall is on an NT platform and has a good GUI, I can be
> gone for a couple of weeks and even my boss, a manager, can sit down and
> make changes to the firewall comfortably. Several other people in the
> computing department with the password could do the same if they had to.
> After two years, nobody else could sit down to my Solaris box and do
> anything except manage to shut things down.

Windows promised point and click computing. Yet people are still dealing with INI files, registry editors, and multiple driver and DLL updates. It may be that the product was designed to be point and click, but in actual practice it rarely happens that way. Also, the GUI can often cover up an oversimplification of a complex technical issue. When this happens on a device protecting an entire network...

My $0.02 worth.
Gary Flynn
Network Analyst
James Madison University

From firewalls-owner Thu Dec 5 12:52:53 1996
Date: Thu, 5 Dec 1996 10:05:41 -0800
To: peter@baileynm.com (Peter da Silva)
From: Terry Bernstein
Subject: Re: PIX and Gauntlet
Cc: jeromie@garrison.com (Jeromie Jackson), mike@ptes.com, avolio@tis.com, firewalls@greatcircle.com

The problem is not with the manual editing per se, but with the possibility that you could make a mistake and open services on your firewall that you really don't want opened. I just had the impression that the file was a bit complicated and that it would be relatively easy for someone to screw up. This is similar to the problem with Cisco access lists. Yes, you CAN configure them correctly, but in 75% of the security reviews I've done, there was at least 1 mistake in the Cisco ACL.

Also, I believe that if you have multiple TIS firewalls, you'll need to move these files between machines and manually reconfigure them. If that is the case, then this introduces yet another place for a possible misconfiguration.

-- terry --

At 6:26 AM -0800 12/5/96, Peter da Silva wrote:
>> The GUI is useful, however, many administrative type processes still
>> require manual hacking. For example, if adding a generic proxy the
>> users now
>> have to go in and modify /usr/local/etc/mgmt/rc/* files.
>
>If there is a good editor available, why is this a problem?
>
>Novell administration requires manual editing of files now and then, but it
>seems to be quite within the grasp of PC network admin types. Just because
>there's not a specific GUI editor that doesn't make it "too hard" for naive
>users.
>
>(IMHO the biggest advantage of GUIs for administrative work is it lets your
>sales reps give impressive demonstrations. For systems bigger than a single
>workstation the fact that you're unable to do editing tasks that weren't
>explicitly programmed into the GUI is a big hindrance. For example, in NT's
>User Mangler... what if I want to just list the users with disabled accounts?)
>
>((I gave up and added a (disabled) entry to the comment field))

----------
Terry Bernstein
SRI Consulting
terry_bernstein@sri.com
http://www.ice.sri.com/~terry

From firewalls-owner Thu Dec 5 13:15:50 1996
From: peter@baileynm.com (Peter da Silva)
Subject: Re: Firewalls over NT vs. UNIX
To: mthomps1@kiwitech.co.nz (Matthew Thompson)
Date: Thu, 5 Dec 1996 11:53:15 -0600 (CST)
Cc: bve@yourtown.com, firewalls@greatcircle.com

> Can someone tell me where I get the source for HP-UX, AIX and Solaris 2,
> and Borderware's modified BSDI Unix then? Bearing in mind I don't want to
> sign any agreements of the type I'd have to sign to see the source for NT,
> or pay any significant money, or do anything illegal?

Why, are you planning on running a "crystal box" firewall on them? If so, I'd recommend that you run it on FreeBSD or NetBSD instead, for that very reason.

From firewalls-owner Thu Dec 5 14:37:38 1996
Date: Thu, 5 Dec 1996 10:00:44 -0800 (PST)
From: Leonard Miyata
To: raf@ezunx.com
cc: firewalls@GreatCircle.COM
Subject: Re: network access through wall w/tokens

This sounds like the French ActivCard, a challenge and response token. There is custom software available that will draw and flash three squares on the screen. Holding the token directly against the screen can receive the challenge, but I've only seen this available for Windows platforms. For more conventional (and secure) platforms you can always enter the challenge on the keypad. The ActivCard also supports multiple personalities (keys). Commercial software support is limited. BSDI does support it as one of its authentication mechanisms. My documentation states their web page is at http://www.francenet.fr/activcard

Personal Opinions provided by Leonard Miyata aka leonard@geminisecure.com
GEMINI COMPUTERS INC.

On Thu, 5 Dec 1996 raf@ezunx.com wrote:

> Ok, I know someone will know this ---
>
> I remember sometime ago, in a trade show, far far away, I came across
> an access-token vendor that had a product that was a little different
> than most. It uses light patterns on a screen and a special device to
> read them.
>
> Question -- Does anyone know of this product, and can it be used in
> conjunction with a fw to provide something like vpn access??
>
> -rich
>
>     o'  |,=./  `o
>        (o o)
> -----ooO--(_)--Ooo-------
>
> ** Remember -- If you can keep your head when all others around
>    you are losing theirs...
>
>    You're probably not paying attention!
>

From firewalls-owner Thu Dec 5 14:44:19 1996
From: "Mix, S.R."
To: "'firewalls'"
Subject: Serially connected firewalls and FTP
Date: Thu, 05 Dec 96 15:54:00 EST

Hi:

We are attempting to determine how to get FTP sessions established end-to-end between multiple networks, each protected by a firewall:

             +-----+                +------------+                +--------+
             |     |                |            |                |        |
    +--+     |     |  +----------+  |            |  +----------+  |        |  +------------+
    |PC|-----+     +--|FireWall a|--+            +--|FireWall b|--+        +--| FTP server |
    +--+     +-----+  +----------+  +------------+  +----------+  +--------+  +------------+

FireWall b is a TIS Firewall Toolkit Version 2.0
FireWall a so far has been an Eagle Raptor or another TIS FWTK.

The question is: how does a user on the "PC" (which might include a UNIX command line) connect through the two firewalls to the FTP server?

Thanks,

Scott R. Mix
PJM Interconnection Association

From firewalls-owner Thu Dec 5 14:46:23 1996
Date: Thu, 5 Dec 1996 15:18:17 -0600 (CST)
From: elroy
To: firewalls@greatcircle.com
Subject: Netscape gold ?!

Hi everybody -

I'm trying to make Netscape Gold publish to a webserver outside of our firewall, but having problems. I know that Netscape Gold can publish either via PASV ftp, or http put. My question is WHAT PORT(S)?
This is driving me crazy - I've searched through firewalls-archive, and on the Web, but no joy. Has anyone allowed Netscape Gold to publish outbound through their firewall? Can it be done safely?

Thanks to all, in advance -

-elroy (elroy@kcstar.com)

From firewalls-owner Thu Dec 5 14:49:55 1996
From: Christian Kuhtz
To: firewalls@greatcircle.com
Subject: Q: BorderWare
Date: Thu, 05 Dec 1996 02:57:52 -0700
Message-ID: <32A69C9F.2FDC@ix.netcom.com>

Hello:

I am implementing a slew of services which are to be offered in the SSN portion of a BorderWare SSN firewall setup and would like to pick someone's brain about it. Please drop me a note via replying to this eMail if you think you have cycles to do that. I am currently not subscribed to the list.

Thanks in advance!

Best regards,
Chris

--
Christian Kuhtz
Network/UNIX Specialist
Paranet, Inc.
From firewalls-owner Thu Dec 5 15:19:52 1996
From: oolid@acqic.org (Joseph L. Moll)
To: firewalls@greatcircle.com
Subject: Vulnerabilities in Microsoft's IIS 2.0
Date: Thu, 05 Dec 1996 16:22:37 -0500
Message-Id: <2.2.32.19961205212237.008ff974@mail.acqic.org>

Hello all:

We have noticed a little problem with IIS 2.0 and were wondering if the problem also exists in IIS 3.0.

It seems that anyone can browse any files in the cgi-bin directory on the server. For example, browse this on your IIS web host:

    http://your.domain.here/cgi-bin/my_cgi.ini

The only catch is that you have to know the name of the file. Good ole security by obscurity?

IIS 2.0 in conjunction with M$ Internet Exploder passes the end user's domain and username to the IIS for access. Gets logged in the log file as DOMAIN\USERNAME.

Anyone else observed this slight problem?

Regards,
---
Joseph L. (Joe) Moll -- Network and Communications Engineering
mailto:jmoll@acquion.com   http://www.acquion.com
ACQUION, Inc.
Greenville, SC USA -- Specialists in Electronic Commerce
PGP Fingerprint = 8D E7 F0 E8 8D 67 A8 19 02 CB 83 0F 19 41 D3 A9

From firewalls-owner Thu Dec 5 15:54:48 1996
From: Ken Wilcox
To: jsluzewski@dna.com
cc: firewalls@GreatCircle.COM
Subject: Re: Secondary IP address
In-reply-to: Message <32A6DE8A@dnanycsmtp.dna.com> from "Thu, 05 Dec 1996 09:39:00 EST."
Date: Thu, 05 Dec 1996 12:12:31 -0500
Message-Id: <199612051712.MAA10887@sunfire>

jsluzewski@dna.com writes:
>
> I have heard that it is possible to configure secondary IP address on Solaris
> 2.5.1?
> If that's true, how it can be done?
> Thanks for any help.
>
> jsluzewski@dna.com
>

I think this is what you are referring to. Use ifconfig to bring up a pseudo interface with a different IP address.
For example: if you have le0 and want another IP address, do this

    example% ifconfig le0:1 some-ip netmask some-netmask broadcast + up

The :1 is the pseudo interface and if you do an ifconfig -a it will show up like this:

    example% ifconfig -a
    lo0: flags=849 mtu 8232
            inet 127.0.0.1 netmask ff000000
    le0: flags=863 mtu 1500
            inet 123.70.146.6 netmask ffffffc0 broadcast 123.70.146.63
    le0:1: flags=863 mtu 1500
            inet 123.70.146.14 netmask ffffffc0 broadcast 123.70.146.63
    le0:2: flags=863 mtu 1500
            inet 123.70.146.16 netmask ffffffc0 broadcast 123.70.146.63
    le0:3: flags=843 mtu 1500
            inet 123.70.146.1 netmask ffffffc0 broadcast 123.70.146.63

I don't know what the limit is but you should have as many as you need.

Ken Wilcox
Perfect Order Inc.
Account Representative
Authorized Sun Reseller
2212 Eagles Nest Lane
Monroeville PA 15146
Phone: +1 412 373 1528
Email: wilcox@poss.com
Fax: +1 412 373 1722

From firewalls-owner Thu Dec 5 16:09:15 1996
To: Adrian Knight
Cc: Firewalls@GreatCircle.COM
Subject: Re: Why would someone want an NT firewall?
In-Reply-To: Your message of "Thu, 05 Dec 1996 08:46:46 EST."
From: cwg@DeepEddy.Com
Cc: cwg@DeepEddy.Com
Date: Thu, 05 Dec 1996 16:01:13 -0600
Message-ID: <14343.849823273@deepeddy.DeepEddy.Com>

> Because our firewall is on an NT platform and has a good GUI, I can be
> gone for a couple of weeks and even my boss, a manager, can sit down and
> make changes to the firewall comfortably. Several other people in the
> computing department with the password could do the same if they had to.
> After two years, nobody else could sit down to my Solaris box and do
> anything except manage to shut things down.

While you're at it, do you care to announce to the list when your next vacation is?

Personally, I don't *want* just anybody to be able to modify the firewall. I also don't want "several other people" to have the password to the firewall.

That said, I do understand why a MS based environment would want to run an NT firewall. However, you should note that your policies aren't the tightest I've seen.
Chris

--
Chris Garrigues                    O-          cwg@DeepEddy.Com
Deep Eddy Internet Consulting                  +1 512 432 4046
609 Deep Eddy Avenue
Austin, TX 78703-4513              http://www.DeepEddy.Com/~cwg/

From firewalls-owner Thu Dec 5 16:11:37 1996
From: Adrian Knight
To: FIREWALLS@GREATCIRCLE.COM
Subject: Re: Why would someone want an NT firewall?
In-reply-to: <14343.849823273@deepeddy.DeepEddy.Com>
Date: Thu, 05 Dec 1996 16:14:56 -0500 (CDT)

On Thu, 5 Dec 1996 cwg@DeepEddy.Com wrote:

> > Because our firewall is on an NT platform and has a good GUI, I can be
> > gone for a couple of weeks and even my boss, a manager, can sit down and
> > make changes to the firewall comfortably. Several other people in the
> > computing department with the password could do the same if they had to.
> > After two years, nobody else could sit down to my Solaris box and do
> > anything except manage to shut things down.
>
> While you're at it, do you care to announce to the list when your next
> vacation is?
>
> Personally, I don't *want* just anybody to be able to modify the firewall. I
> also don't want "several other people" to have the password to the firewall.
>

I wholeheartedly agree! But my company does like to have the option of not being dead-in-the-water if something happens and I, their Great Security Guru, am unavailable or in Alaska.

For clarification, I didn't say that several people DO make changes to our firewall. I said several other people COULD make changes if they had to. For example, if we had a hardware failure (which has happened) they could fix the hardware and have the operating system knowledge to be able to get the firewall system up and running again. If the same thing happened on our Solaris box they would be hard-pressed to do any of the above.

> Chris
>
> --
> Chris Garrigues                    O-          cwg@DeepEddy.Com
> Deep Eddy Internet Consulting                  +1 512 432 4046
> 609 Deep Eddy Avenue
> Austin, TX 78703-4513              http://www.DeepEddy.Com/~cwg/
>

From firewalls-owner Thu Dec 5 16:21:16 1996
From: "David J. Meltzer"
To: Adrian Knight
cc: Firewalls@GreatCircle.COM
Date: Thu, 5 Dec 1996 16:51:10 -0500 (EST)
Subject: Re: Why would someone want an NT firewall?
> 2) We don't want to hire a rocket scientist to manage our firewall. A
> message earlier referred to firewalls being "necessarily technical."
> That's bogus. I think it's possible that a lot of people making money off
> of firewalls might want to keep them that way, but there are a lot of
> average people out there who want to AND CAN handle managing a firewall
> right along with the MANY other types of systems that are also included in
> our job responsibilities. In this age of computers, it is no longer valid
> to try to convince people that computers are just too complicated for the
> average person. I'm not a Microsoft Groupie or anything, but the reason
> their company is where they are today is that they realized that!
>
> Because our firewall is on an NT platform and has a good GUI, I can be
> gone for a couple of weeks and even my boss, a manager, can sit down and
> make changes to the firewall comfortably. Several other people in the
> computing department with the password could do the same if they had to.
> After two years, nobody else could sit down to my Solaris box and do
> anything except manage to shut things down.

I am all in favor of having an intuitive and easy to use GUI for a firewall. What I am not in favor of is letting anyone sit down at your firewall and make changes. Your boss may be able to sit down in 2 minutes on a firewall and figure out how to open up all incoming connections to port 23 on NT and not Solaris (although the similarities between NT and Unix GUIs for many firewalls are very small), but that doesn't mean that he knows enough about your network and network security to determine if what he is changing is potentially opening up security holes in your network. The job of designing a firewall and then actually implementing it are two separate tasks.
An intuitive GUI, based on NT or Unix, may aid you in your implementation, but it generally does nothing to help the design process. It is vitally important that a competent person design your firewall, and that whenever changes are made to the implementation, you check and double check that your currently configured firewall is still protecting you in the manner that you have designed it to. I would strongly recommend against letting anyone that does not have a good base of computer security knowledge make changes to a firewall configuration. That doesn't mean you need to be a security expert to be able to run a firewall, but it does mean that you need to have read a few books on computer security and firewalls, and that you keep current with known services and programs that may open up vulnerabilities on your network.

--------------------------------+---------------------
David J. Meltzer                | Email: davem@iss.net
Systems Engineer                | Web:   www.iss.net
Internet Security Systems, Inc. | Fax:   (770)395-1972

From firewalls-owner Thu Dec 5 16:32:06 1996
From: dharris@kcp.com
Date: Thu, 5 Dec 1996 16:59:46 -0600
Message-Id: <199612052307.AA12386@kcpgw2.kcp.com>
Subject: Re: Why would someone want an NT firewall?
To: Firewalls@GreatCircle.COM, Adrian Knight

Why do you consider it a "Good Thing" (TM) that your manager can sit down and modify your firewall? Is he fully aware of the impact his changes will have and how they might affect the ability of your firewall to implement your security policy?

I know it reeks of "security by obscurity", but a firewall that is easy to modify is also a firewall that is easy to modify incorrectly. If you have to stop and think about what you are doing before you can do anything you are less apt to just do something to see what happens. My little experience with NT shows that even an experienced person who is just messing around with the GUI can jigger the wrong button and deny a whole LAN segment access to its server.

Please notice I specifically did not say that the NT box can't be used as a firewall. It may very well be just what you need to implement your security policy.

Delmer D. Harris

______________________________ Reply Separator _________________________________
Subject: Why would someone want an NT firewall?
Author:  Adrian Knight at INTERNET-MAIL
Date:    12/5/96 8:46 AM

I've read for over a year about the Unix vs NT messages. For what it's worth, here are the reasons why, after 6 months of research and training, our site specifically chose an NT firewall instead of a Unix firewall. (FYI, we're running Eagle NT by Raptor)

1) We only have 3 Unix computers on our campus. I manage one of them, and after two years still know very little about it. Yes, if I spent "enough time" on it I would probably be a Unix expert by now, but I don't want to spend that much time, nor do I have the option of spending that much time on it.

2) We don't want to hire a rocket scientist to manage our firewall. A message earlier referred to firewalls being "necessarily technical."
That's bogus. I think it's possible that a lot of people making money off of firewalls might want to keep them that way, but there are a lot of average people out there who want to AND CAN handle managing a firewall right along with the MANY other types of systems that are also included in our job responsibilities. In this age of computers, it is no longer valid to try to convince people that computers are just too complicated for the average person. I'm not a Microsoft Groupie or anything, but the reason their company is where they are today is that they realized that!

Because our firewall is on an NT platform and has a good GUI, I can be gone for a couple of weeks and even my boss, a manager, can sit down and make changes to the firewall comfortably. Several other people in the computing department with the password could do the same if they had to. After two years, nobody else could sit down to my Solaris box and do anything except manage to shut things down.

3) At the time of my research a year ago, most mainstream firewalls ran on minicomputer-class machines like Sun Sparc, HPUX, AIX. For an educational site with good discounts, a platform like that ran around $15,000. We put our firewall on a well-endowed NT PC for $5,000. Hardware and software maintenance is also much cheaper.

There are many other reasons that I chose NT over Unix, but I'll leave it here.

Adrian Knight                  | Network Manager
Harding University             | Internet: KNIGHT@HARDING.EDU
900 E.
Center, Box 2264               | Phone: (501) 279-4440
Searcy, AR 72149-0001          |

From firewalls-owner Thu Dec 5 16:58:42 1996
From: "Feeney, Tim"
To: Firewall Mailing List
Subject: RE: Firewalls over NT
Date: Thu, 05 Dec 1996 12:32 -0500 (EST)
Message-Id: <199612051744.MAA07574@gate3.fmr.com>

Well I just could not hold back from jumping into the fray. I will not address the NT vs. Unix fray, or try to comment on Marcus' detailed message. I just would like to make an observation as a "far from expert" systems/firewall administrator.

What platform you use comes down to how comfortable you are with the OS. I would not install a firewall on NT/AIX/BSD/Linux/DOS/etc....., not because I feel they are insecure, or not any good, but because I do not know them well enough to be comfortable with using them. The vast majority of break-ins are due to a hacker exploiting an old well known bug, or a configuration mistake. No matter what OS or firewall you use the default configuration will not (99.9%) work for your environment, and will therefore be insecure.
As can be seen in the number of "what firewall do I use" posts to this mailing list, there are more and more people being thrown into the firewall administrator position due to lack of resources (bodies or money) or knowledge of scope of the task. I have only seen one post recently (past 6+months) requesting information on firewall/security training. This just bears out some of the numbers out there that show a lack of knowledge, or regard, for system/site security.

These opinions are not original and have been voiced by many other more notable people (. disclaimer) in the security arena.

Thanks for bearing with me while I satisfied my need.

Tim Feeney
{As always my opinions are mine and I have no idea at times where they emanate from}

From firewalls-owner Thu Dec 5 17:02:59 1996
From: firewalls-owner
To: Firewalls@GreatCircle.COM
Subject: Undeliverable Message
Date: 5 DEC 96 19:33:27 EST
Message-ID: <0005bdxnvttl.0005amuomwsu@mobile.bam.com>

To: Dean E Vaccher@IS_WBRHQ@BAMSWB
    BAMX400@MGate@BAM [C=US/A=INTERNET/DDA=ID/firewalls-digest(a)GreatCircle.COM]
Cc:
Subject: Firewalls-Digest V5 #649

Message not delivered to recipients below.

VNM3043: Dean E Vaccher@IS_WBRHQ@BAMSWB

**** Attachment message(s) will follow in 1 separate transmissions.
From firewalls-owner Thu Dec 5 17:50:45 1996
From: gary flynn
To: firewalls-owner@GreatCircle.COM, paonia@exon.massart.mass.edu
Cc: firewalls@GreatCircle.COM, gary@habanero.jmu.edu
Subject: Re: .edu w/ firewalls
Date: Thu, 5 Dec 1996 12:46:19 -0500
Message-Id: <199612051751.JAA11771@miles.greatcircle.com>

> From: Sameer R Manek
> To: Paonia Ezrine
> Cc: firewalls@GreatCircle.COM
>
> A firewall on campus would do almost no good as
> the biggest threat to the network are already in campus.

There are also threats off campus. On-campus ones *may* be easier to identify and track.

> Using our school as an example we have 3 networks
> here, administrative, instructional and student. Admin
> net is the actual machines that run admin, plus the machines
> in the admin building, and the machines of all the deans.

Are you saying you have a firewall between the various networks? How are they three separate networks? I'd be interested in discussing the policies you used to set these up. We're wrestling with that right now.

Frankly, I worry more about the risk of denial of service attacks than I do anything else. The auditors and systems administrators worry about the data confidentiality and integrity more. I help them along when I can with encryption, firewalls, etc.

Given the uniqueness of the educational environment, I'd love to see a gathering of some sort between the network managers and policy folks of the various institutions. Anyone hear of such a beast?
The academic-firewalls list is almost dead.

> The instructional net is the machines in the instructor offices,
> machines used in computer labs for instructional purposes. Which
> students do have access to. And finally the student network
> is where student-body owned/operated machines reside.
>
> Firewalling admin off sounds good but keep in mind instructors
> may want to access email (pop) or telnet to admin from their
> office/the lab. So firewalling off is not always possible.
>
> Naturally a packet filtering router is A Good Thing (TM)
>
> Good luck

From firewalls-owner Thu Dec 5 18:12:19 1996
From: Alfred Huger
To: Jeromie Jackson
cc: firewalls@GreatCircle.COM, Ryan.Russell@sybase.com
Subject: Re: Cisco's PIX Firewall
In-Reply-To: <9612051623.AA03141@garrison.com.>
Date: Thu, 5 Dec 1996 18:37:53 -0700 (MST)

On Thu, 5 Dec 1996, Jeromie Jackson wrote:

> Food for thought for people like Cisco/FW1... If you were to just make
> a Mail Transport Agent for the hub, and provide it along with the product,
> people like me could not bitch, and you could say you covered the bases. I did
> note in one of the earlier posts from Cisco that they are indeed working on it.
>

Creating an MTA does not solve the issue. Who is to say that a vendor authored MTA is any more secure than Berkeley Sendmail?
At least with Berkeley Sendmail you have the source to review if you so choose. I submit that this is a luxury you would not have with a vendor supplied MTA. People tend to attack Sendmail because it's high profile as far as security errors go. However, DNS and HTTP are just as, if not more serious areas of concern. I think the real solution is to have these services made available with full source code. This being said, I think there are plenty of free software packages available to meet these needs. This software simply needs to be reviewed on a regular basis.

------------------------------------------------------------------------------
Alfred Huger                                                ahuger@secnet.com
Secure Networks Inc.
------------------------------------------------------------------------------

From firewalls-owner Thu Dec 5 19:10:59 1996
From: lists@lina.inka.de (Bernd Eckenfels)
To: jk@stallion.ee (Jyri Kaljundi)
Cc: Firewalls@GreatCircle.COM
Subject: Re: VPNs
Date: Fri, 6 Dec 1996 03:58:01 +0100 (MET)
In-Reply-To: from "Jyri Kaljundi" at Dec 5, 96 05:06:48 pm
Hi,

> I would suggest you have a look at F-Secure VPN software, made by Data
> Fellows in Finland (http://www.datafellows.fi/f-secure/), which is one of
> the few (if not the only) really strong VPN software products available in
> Europe (or Africa/Asia etc).

AFAIK TIS UK is selling reimplemented Gauntlet with Crypto Stuff, but VPNs are pending (last time I heard from them).

Greetings
Bernd

From firewalls-owner Thu Dec 5 19:15:16 1996
From: MSITMI02.XZ46G8@eds.com
To: "firewalls(a)GreatCircle.COM":;
Subject: Firewalls and RAS
Date: Thu, 5 Dec 1996 21:38:50 -0500
Message-ID: <0095000008012031000002*@MHS>

Anyone have any recommendations on how to make RAS available to remote clients when the internet gateway is a firewall? Would you have PPP on the Firewall itself, a RAS server outside the Firewall, a modem bank outside the firewall? What protocols have to pass the firewall?
distinti saluti/best regards

Philip Kerrigan
EDS Italia SpA
Viale Monza, 257
Milano, Italy
tel. + (0)2 2524272
fax + (0)2 27002588
msitmi02.xz46g8@eds.com

From firewalls-owner Thu Dec 5 19:26:02 1996
From: "Leon O'Brien"
To: , "Joseph L. Moll"
Subject: Re: Vulnerabilities in Microsoft's IIS 2.0
Date: Fri, 6 Dec 1996 13:04:05 +1100

I think you'll find that if the server turned off directory browsing, surely that's available, it shouldn't be a problem. Were you using IE or NetScape as your browser? IE allows the user to open and browse directories locally and on other servers, who knows if it's a feature or what ;-). IE 3.0 can be used to be the front end to an Intranet, used to open applications and the like.

Leon

----------
> From: Joseph L. Moll
> To: firewalls@greatcircle.com
> Subject: Vulnerabilities in Microsoft's IIS 2.0
> Date: Friday, December 06, 1996 8:22 AM
>
> Hello all:
>
> We have noticed a little problem with IIS 2.0 and were wondering if the
> problem also exists in IIS 3.0.
>
> It seems that anyone can browse any files in the cgi-bin directory on
> the server. For example, browse this on your IIS web host:
>
> http://your.domain.here/cgi-bin/my_cgi.ini
>
> The only catch is that you have to know the name of the file.
Good ole > security by obscurity? > > IIS 2.0 in conjunction with M$ Internet Exploder passes the end users domain > and username to the IIS for access. Gets logged in the log file as > DOMAIN\USERNAME. > > Anyone else observed this slight problem? > > > Regards, > --- > Joseph L. (Joe) Moll -- Network and Communications Engineering > mailto:jmoll@acquion.com http://www.acquion.com > ACQUION, Inc. Greenville, SC USA -- Specialists in Electronic Commerce > PGP Fingerprint = 8D E7 F0 E8 8D 67 A8 19 02 CB 83 0F 19 41 D3 A9 From firewalls-owner Thu Dec 5 19:28:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA15280 for firewalls-outgoing; Thu, 5 Dec 1996 16:34:01 -0800 (PST) Received: from deepeddy.com (DeepEddy.Com [192.12.3.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA15262 for ; Thu, 5 Dec 1996 16:33:40 -0800 (PST) Received: (qmail 15394 invoked from network); 6 Dec 1996 00:33:40 -0000 Received: from localhost (HELO deepeddy.DeepEddy.Com) (@127.0.0.1) by localhost with SMTP; 6 Dec 1996 00:33:40 -0000 X-Mailer: exmh version 2.0alpha 12/3/96 To: Rabid Wombat Cc: Michael Dillon , Great Circle Firewall Mailing List Subject: Re: IRINA is a Hoax In-Reply-To: Your message of "Thu, 05 Dec 1996 13:30:30 EST." X-Url: http://www.DeepEddy.Com/~cwg From: cwg@DeepEddy.Com Cc: cwg@DeepEddy.Com Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_1881580802P"; micalg=pgp-md5; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Thu, 05 Dec 1996 18:33:36 -0600 Message-ID: <15391.849832416@deepeddy.DeepEddy.Com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --==_Exmh_1881580802P Content-Type: text/plain; charset=us-ascii > > > Yup - sites I'm at get "infected" with "good times" about once a month. > It only infects carbon-based systems - end-lusers.
They ignore all > security procedures and forward copies of the warning to everyone except > the designated point of contact for computer security incidents. This > behavior is best stopped by killing a few end-lusers, which forces the > virus into remission for about 30 days. Didn't you know? "XXXX is a hoax" is an anti-virus program for carbon-based systems. It's a shame it isn't more effective. Its biggest problem is that it keeps getting run on systems which are already inoculated against "Good Times" to the point where it's actually more annoying than "Good Times" itself. Chris -- Chris Garrigues O- cwg@DeepEddy.Com Deep Eddy Internet Consulting +1 512 432 4046 609 Deep Eddy Avenue Austin, TX 78703-4513 http://www.DeepEddy.Com/~cwg/ --==_Exmh_1881580802P Content-Type: application/pgp-signature -----BEGIN PGP MESSAGE----- Version: 2.6.2 iQB1AwUBMqdp2paQnaaFII2dAQGlHwMAqFduIGWUgpdvdWAYPHFcgOsocEXzD90u ftONrsYPeD9OKzC4QZPW8L8wyOfx5RxOnJcRdgXNM27G+eIYiK5WrNIkIrl0NySH yNbL8WzPMiB4cRmZ9Qk8U06w6x0vje0g =m8w9 -----END PGP MESSAGE----- --==_Exmh_1881580802P-- From firewalls-owner Thu Dec 5 19:41:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA06587 for firewalls-outgoing; Thu, 5 Dec 1996 19:30:05 -0800 (PST) Received: from silence.secnet.com (silence.secnet.com [204.191.222.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA06563 for ; Thu, 5 Dec 1996 19:29:43 -0800 (PST) Received: from localhost (ahuger@localhost) by silence.secnet.com (8.8.2/secnet) with SMTP id VAA03084; Thu, 5 Dec 1996 21:32:27 -0700 (MST) Date: Thu, 5 Dec 1996 21:32:26 -0700 (MST) From: Alfred Huger To: Jeromie Jackson cc: firewalls@GreatCircle.COM, Ryan.Russell@sybase.com Subject: Re: Cisco's PIX Firewall In-Reply-To: <9612060221.AA03683@garrison.com.> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 5 Dec 1996, Jeromie Jackson wrote: > In
regards to your opinion of the code being more secure because of the > widely publicized source code, I would definitely have to DISAGREE with you. I said no such thing, I stated that it was better to have access to source than not to have access to source. And that there was no guarantee the vendor is writing secure code. > Just because the code is made public does not make it more secure whatsoever. > Now if you would have said that the code be made public so that a formal > testing methodology be implemented upon it. I believe the last line of my message read: "This software simply needs to be reviewed on a regular basis" And I was not referring to performance tuning........ > code to the public may give random people a chance of finding a security > problem I would agree. However, providing code to the public does not > provide assurance It provides *more* assurance than letting the vendors offer up binaries with no outside body to review the source. Ask yourself how many bugs come to light from end users flipping through source code, as compared to how many bugs the vendors release information on and patch. You will find that bugs are most commonly found by the end user, who in *many* cases is reading the code and posting the bug to a forum where the vendor cannot ignore it (i.e. bugtraq etc.). ******************************************************************************* Alfred Huger ahuger@secnet.com Secure Networks Inc.
403.262.9211 ******************************************************************************* From firewalls-owner Fri Dec 6 00:27:50 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA05516 for firewalls-outgoing; Thu, 5 Dec 1996 19:14:51 -0800 (PST) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA05498 for ; Thu, 5 Dec 1996 19:14:34 -0800 (PST) Received: from mhoward-pc.cisco.com (dhcp-vm1-2-186.cisco.com [171.68.164.186]) by diablo.cisco.com (8.6.12/CISCO.SERVER.1.1) with SMTP id TAA25301; Thu, 5 Dec 1996 19:13:37 -0800 Message-Id: <2.2.32.19961206030011.009863b4@diablo.cisco.com> X-Sender: mhoward@diablo.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 05 Dec 1996 19:00:11 -0800 To: Alfred Huger , Jeromie Jackson From: Matthew Howard Subject: Re: Cisco's PIX Firewall Cc: firewalls@GreatCircle.COM, dochin@cisco.com, jlw@cisco.com, lazar@netevolve.com, froys@cisco.com, afoss@cisco.com, amittal@cisco.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 10:20 PM 12/4/96 -0700, Alfred Huger wrote: > > >On Wed, 4 Dec 1996, Jeromie Jackson wrote: > >> > >> > This opens up UDP ports 7648 and 7649 BLINDLY to all traffic including >> > attacks. Also there's that infamous estab statement where someone who >> > knows how to doctor the ACK bit can inject TCP packets into the customers' >> > net. >> >> Hmm, That certainly looks like packet filtering to me. Based on header >> information, you are making decisions about packet flow. As far as being >> 'spoof proof', that is just not correct. If you are talking to '1.2.3.4', I >> can send you a packet appearing as though it is originating from '1.2.3.4', >> you would believe me, because there is no authentication built into IPV4.
I would >> agree, that the filtering mentioned above is better than that done w/ a standard >> IP filtering device, although because decisions are being made on objects that >> are not authenticated (header information), ACL's can, and will be vulnerable to >> spoofing/hijacking. >> > >ACL's being vulnerable to spoofing/hijacking..... I am not sure if I am >reading you clear on this, but what I think I see you saying is that you >can still spoof Source IP addresses to a Cisco PIX firewall. Also you >state, trusted connections to the firewall can be hijacked. If this is >what you are saying, my reply would be such. We also track all tcp flags including tcp seq numbers. We also randomize each new session through our adaptive security algorithm (stateful). Plus we support ah/esp. Matt > >You're correct in saying IP4 has no built in authentication, the only thing >in IPV4, related to security is the Security Field (which denotes how >classified a datagram is). This being said, anyone, anywhere can slap >any Source Address on a packet and fire it off their wire. *No* Firewall >can protect you from this. Cisco PIX or otherwise. If you need to speak to >the outside world (which if you have a Firewall I assume you do) then you >are subject to packets with questionable Source Addresses. I don't see >this as a real weakness of any given Firewall, just shortcomings of IPV4. > >As to streams of data (TCP presumably) being open to hijacking. That again >is another problem which cannot really be addressed by a Firewall itself. >If an attacker has breached a host whom your firewall allows *unencrypted* >or even *encrypted* connections from, you're had. And it's not your >Firewall's fault. > >Both of these issues are policy issues, both require a Firewall Admin to >ask himself how much of the outside world he/she trusts. In the case of >spoofable addresses, Admins must realize that not all packets coming in >off the net, are really coming from where they say they are.
In respects >to TCP hijacking, an Admin has to ask his/herself if they want to allow >TCP connections through their firewall. > > >-------------------------------------------------------------------------- >Alfred Huger ahuger@secnet.com >Secure Networks Inc. >--------------------------------------------------------------------------- > > > From firewalls-owner Fri Dec 6 00:52:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA00151 for firewalls-outgoing; Fri, 6 Dec 1996 00:22:24 -0800 (PST) Received: from gw.garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA08375 for ; Thu, 5 Dec 1996 19:53:26 -0800 (PST) Received: by gw.garrison.com; id PAA06622; Thu, 5 Dec 1996 15:47:16 -0600 (CST) Received: from ukn0.garrison.com(10.0.0.2) by gw.garrison.com via smap (3.2) id xma006616; Thu, 5 Dec 96 15:47:07 -0600 Received: by garrison.com. (4.1/Surrogate Sendmail hack) id AA03816; Thu, 5 Dec 96 21:48:25 CST Date: Thu, 5 Dec 96 21:48:25 CST From: jeromie@garrison.com (Jeromie Jackson) Message-Id: <9612060348.AA03816@garrison.com.> To: ahuger@secnet.com Subject: Re: Cisco's PIX Firewall Cc: firewalls@GreatCircle.COM, Ryan.Russell@sybase.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > On Thu, 5 Dec 1996, Jeromie Jackson wrote: > > > In regards to your opinion of the code being more secure because of the > > widely publicized source code, I would definitely have to DISAGREE with you. Alfred Huger Wrote: > I said no such thing, I stated that it was better to have access to source > than not to have access to source. And that there was no guarantee the > vendor is writing secure code. > > Just because the code is made public does not make it more secure whatsoever > > Now if you would have said that the code be made public so that a formal > > testing methodology be implemented upon it.
> > I believe the last line of my message read: > > "This software simply needs to be reviewed on a regular basis" > > And I was not referring to performance tuning........ > > I was not referring to performance tuning. If you look @ my statements they are made in relation to ASSURANCE, not performance. Also, you mentioned "This software simply needs to be reviewed on a regular basis." Simple review of the code doesn't provide much whatsoever. I believe it was apparent from my remarks that it is important to have METHODOLOGY within the testing, not just 'simply...reviewing..' > > code to the public may give random people a chance of finding a security > > problem I would agree. However, providing code to the public does not > > provide assurance > > It provides *more* assurance than letting the vendors offer up binaries > with no outside body to review the source. Ask yourself how many bugs > come to light from end users flipping through source code, as compared to > how many bugs the vendors release information on and patch. You will find > that bugs are most commonly found by the end user, who in *many* cases is > reading the code and posting the bug to a forum where the vendor cannot > ignore it (ie: bugtraq etc). > > I would have to agree with you, that providing the code to the public gives a better chance of finding problems, since we know vendors don't have adequate time to prove assurance. I would also submit that if the vendors WERE to implement formal testing methodologies, that their testing would most likely provide better security than that which is found from the public @ large, who is merely glancing @ the code. I would also like to comment that I agree with you in the fact that releasing code to the public is generally going to provide better code. The reason for this is not because of the large amount of people reviewing the code, but because of the lack of adequate testing methods within the vendor community.
To summarize my comments on the usefulness of the MTA for Cisco and the other security vendors. 1. It would be a good thing for organizations such as Cisco/FW-1 to provide an MTA.. The reason I said to 'create' one was merely so they could 'sell' it as part of their security solution w/o breaking any licensing agreements (i.e. using SMAP from the FWTK as part of their commercial solution) 2. Providing code to the community as a whole is not what creates a secure MTA agent, it is formal testing methodologies. Jeromie Jackson Garrison Technologies jeromie@garrison.com From firewalls-owner Fri Dec 6 01:37:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA02188 for firewalls-outgoing; Thu, 5 Dec 1996 18:39:17 -0800 (PST) Received: from gw.iai.com (gw.iai.com [206.64.157.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA02169 for ; Thu, 5 Dec 1996 18:38:57 -0800 (PST) Received: by gw.iai.com; id VAA28934; Thu, 5 Dec 1996 21:38:57 -0500 (EST) Received: from milford.iai.com(192.206.185.2) by gw.iai.com via smap (3.2) id xma028932; Thu, 5 Dec 96 21:38:48 -0500 Received: by milford.iai.com (AIX 4.1/UCB 5.64/4.03) id AA23338; Thu, 5 Dec 1996 21:39:04 -0500 From: jegan@iai.com (James Egan) Message-Id: <9612060239.AA23338@milford.iai.com> Subject: Re: Serially connected firewalls and FTP To: MIXSR@pjm.com (Mix, S.R.) Date: Thu, 5 Dec 1996 21:39:04 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <32A73630@mailman.pjm.com> from "Mix, S.R." at Dec 5, 96 03:54:00 pm Reply-To: Jim.Egan@iai.com Organization: Integrated Architectures, Inc. Pgp-Fingerprint: 64 47 DC 51 D9 11 1D FF 31 43 9C 4C E2 A1 FC 04 Pgp-Public-Key: public-key-server@martigny.ai.mit.edu (subject: GET jegan) X-Mailer: ELM [version 2.4 PL24 ME5a] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mix, S.R.
recently wrote: > > > Hi: > > We are attempting to determine how to get FTP sessions established > end-to-end between multiple networks, each protected by a firewall: > > +-----+ +------------+ +--------+ > | | | | | | > +--+ | +----------+ | | +----------+ | +------------+ > |PC| +---|FireWall a|---+ +---|FireWall b|---+ | FTP server | > +--+ +----------+ +----------+ +------------+ > > FireWall b is a TIS Firewall Toolkit Version 2.0 > > FireWall a so far has been an Eagle Raptor or another TIS FWTK. > > The question is: > > how does a user on the "PC" (which might include a UNIX command line) > connect through the two firewalls to the FTP server? > > Thanks, > Scott R. Mix > PJM Interconnection Association > I do this all the time. The procedure below assumes you are using weak authentication and anonymous FTP is OK at Server. From PC do "ftp FW-a". At the FW-a proxy prompt logon as "ftp@FW-b". At the FW-b proxy prompt logon as "ftp@server". At Server password use "user@PC". /Jim/ -- James P. Egan | Jim.Egan@iai.com Integrated Architectures, Inc. | http://www.iai.com 300 East Main Street, Suite 207 | Tel: 508-634-3200 x209 Milford, MA 01757 | Fax: 508-634-8381 Use PGP for more secure email From firewalls-owner Fri Dec 6 01:51:14 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA00846 for firewalls-outgoing; Thu, 5 Dec 1996 18:27:22 -0800 (PST) Received: from gw.garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA00768 for ; Thu, 5 Dec 1996 18:26:53 -0800 (PST) Received: by gw.garrison.com; id OAA06418; Thu, 5 Dec 1996 14:20:45 -0600 (CST) Received: from ukn0.garrison.com(10.0.0.2) by gw.garrison.com via smap (3.2) id xma006414; Thu, 5 Dec 96 14:20:27 -0600 Received: by garrison.com.
(4.1/Surrogate Sendmail hack) id AA03683; Thu, 5 Dec 96 20:21:45 CST Date: Thu, 5 Dec 96 20:21:45 CST From: jeromie@garrison.com (Jeromie Jackson) Message-Id: <9612060221.AA03683@garrison.com.> To: ahuger@secnet.com Subject: Re: Cisco's PIX Firewall Cc: firewalls@GreatCircle.COM, Ryan.Russell@sybase.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > On Thu, 5 Dec 1996, Jeromie Jackson wrote: > > > > > > Food for thought for people like Cisco/FW1... If you were to just make > > a Mail Transport Agent for the hub, and provide it along with the product, > > people like me could not bitch, and you could say you covered the bases. I did > > note in one of the earlier posts from Cisco that they are indeed working on it. > > > > Creating an MTA does not solve the issue. Who is to say that a > vendor authored MTA is any more secure than Berkeley Sendmail? At least > with Berkeley Sendmail you have the source to review if you so choose. I > submit that this is a luxury you would not have with a vendor supplied > MTA. People tend to attack Sendmail because it's high profile as far as > security errors go. However, DNS and HTTP are just as, if not more serious > areas of concern. I think the real solution is to have these services made > available with full source code. This being said, I think there are plenty > of free software packages available to meet these needs. This software > simply needs to be reviewed on a regular basis. > Yes, you are right, I should not assume that the vendor of a security product would do any type of assurance testing that would supersede that of the current MTA products. In a decent security world, one might be able to assume something of the sort, but..... I would have to agree with you. In regards to your opinion of the code being more secure because of the widely publicized source code, I would definitely have to DISAGREE with you. Just because the code is made public does not make it more secure whatsoever.
Now if you would have said that the code be made public so that a formal testing methodology be implemented upon it, I would have agreed. Releasing the code to the public may give random people a chance of finding a security problem I would agree. However, providing code to the public does not provide assurance Jeromie Jackson Garrison Technologies jeromie@garrison.com From firewalls-owner Fri Dec 6 02:44:23 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA29936 for firewalls-outgoing; Thu, 5 Dec 1996 18:21:38 -0800 (PST) Received: from jkt01-omi.jakarta.omnes.net (jkt01-omi.jakarta.omnes.net [163.184.50.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA29835 for ; Thu, 5 Dec 1996 18:20:58 -0800 (PST) Received: from [163.184.7.252] ([163.184.50.5]) by jkt01-omi.jakarta.omnes.net (post.office MTA v1.9.3b ID# 0-16271) with ESMTP id AAA312 for ; Fri, 6 Dec 1996 09:19:07 +0000 X-Sender: pollock@jakarta.omnes.net Message-Id: In-Reply-To: <199612052012.MAA23281@miles.greatcircle.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Fri, 6 Dec 1996 09:13:51 +0700 To: Firewalls@GreatCircle.COM From: Don Pollock - Omnes - Engineering Subject: Re: Why would someone want an NT firewall? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk RE: >2) We don't want to hire a rocket scientist to manage our firewall. A >message earlier referred to firewalls being "necessarily technical." >That's bogus. I think it's possible that a lot of people making money off >of firewalls might want to keep them that way, but there are a lot of >average people out there who want to AND CAN handle managing a firewall >right along with the MANY other types of systems that are also included in >our job responsibilities. In this age of computers, it is no longer valid >to try to convince people that computers are just too complicated for the >average person.
I'm not a Microsoft Groupie or anything, but the reason >their company is where they are today is that they realized that! > >Because our firewall is on an NT platform and has a good GUI, I can be >gone for a couple of weeks and even my boss, a manager, can sit down and >make changes to the firewall comfortably. Several other people in the >computing department with the password could do the same if they had to. >After two years, nobody else could sit down to my Solaris box and do >anything except manage to shut things down. This is not an NT vs UNIX issue, but there's a big difference between *managing a firewall* and *managing security*. While it's easy to learn the mechanics of how to allow file sharing from security enclave A to security enclave B, it's harder to learn why you should or shouldn't do it. IMNSHO The proper purpose of the GUI interfaces is so that a security expert doesn't need to be an NT expert or a UNIX expert also. Anybody who doesn't understand the overall security implications of his actions should *never* be allowed to modify a firewall. Manager or not! Rocket Scientist or not! And the organization's security policy should *clearly* state that! Regards, Don Pollock pollock@houston.omnes.net Network Systems Engineer +1 713 513 3017 Omnes - A Schlumberger/Cable & Wireless Company http://www.omnes.net/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The true mark of intelligence is to learn from the experiences of others.
------------------------------------------------------------------------- From firewalls-owner Fri Dec 6 03:29:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA17361 for firewalls-outgoing; Thu, 5 Dec 1996 16:54:11 -0800 (PST) Received: from neon.ingenia.ca (neon.ingenia.com [205.207.220.57]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA17319 for ; Thu, 5 Dec 1996 16:53:52 -0800 (PST) Received: (from shaver@localhost) by neon.ingenia.ca (8.8.4/8.7.3) id TAA20235; Thu, 5 Dec 1996 19:53:42 -0500 From: Mike Shaver Message-Id: <199612060053.TAA20235@neon.ingenia.ca> Subject: Re: Netscape gold ?! In-Reply-To: from elroy at "Dec 5, 96 03:18:17 pm" To: elroy@kcsun3.kcstar.com (elroy) Date: Thu, 5 Dec 1996 19:53:42 -0500 (EST) Cc: firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thus spake elroy: > I know that Netscape Gold can publish either via PASV ftp, or http put. > My question is WHAT PORT(S)? The PASV FTP and HTTP ports. If they can do PASV FTP out to the box, and they can retrieve web pages from it, then there's no port issue. If you've got some application-layer logic in there between them, then you might have some problems; I don't know which proxies do/don't support HTTP PUT. Mike -- #> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation #> Commando Developer - Whatever It Takes #> #> "See, you not only have to be a good coder to create a system like #> Linux, you have to be a sneaky bastard too." 
- Linus Torvalds From firewalls-owner Fri Dec 6 03:58:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA26014 for firewalls-outgoing; Thu, 5 Dec 1996 17:56:32 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA25889 for ; Thu, 5 Dec 1996 17:55:50 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id RAA02246; Thu, 5 Dec 1996 17:55:22 -0800 Received: from panix.com(198.7.0.2) by mycroft via smap (V1.3mjr) id sma002237; Thu Dec 5 17:54:16 1996 Received: from localhost (patlee@localhost) by panix.com (8.8.2/8.7/PanixU1.3) with SMTP id UAA04596; Thu, 5 Dec 1996 20:53:19 -0500 (EST) Date: Thu, 5 Dec 1996 20:53:18 -0500 (EST) From: Patrick Lee To: "Joseph L. Moll" cc: firewalls@GreatCircle.COM Subject: Re: Vunerabilities in Microsoft's IIS 2.0 In-Reply-To: <2.2.32.19961205212237.008ff974@mail.acqic.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 5 Dec 1996, Joseph L. Moll wrote: > We have noticed a little problem with IIS 2.0 and were wondering if the > problem also exists in IIS 3.0. IIS 3.0 and 2.0 are essentially the same product. You can download a number of components (such as Active Server Pages, Index Server, etc.) that enhance the capability of IIS 2.0 -- thus making it 3.0. > It seems that anyone can browse any of the files in the cgi-bin directory on > the server. For example, browse this on your IIS web host: Always associate files that are meant to be executed so that they are executed. If *.cgi files are meant to be executable, then by all means make that file type association. That way, when a user requests a *.cgi file by name, the server will try to execute the script instead of sending it back. Also, _always_ turn off directory browsing. Why make it any easier for anyone to snoop around.
Accidents happen and you could leave a file in a publicly accessible directory without knowing it. > IIS 2.0 in conjunction with M$ Internet Exploder passes the end users > domain and username to the IIS for access. Gets logged in the log file > as DOMAIN\USERNAME. Read up on the security chapter in the IIS documentation, please. That's a feature. If you don't want it, turn it off. -- Patrick Lee From firewalls-owner Fri Dec 6 04:30:29 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA14909 for firewalls-outgoing; Fri, 6 Dec 1996 03:13:47 -0800 (PST) Received: from E-MAIL.COM (e-mail.com [199.171.26.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA14894 for ; Fri, 6 Dec 1996 03:13:34 -0800 (PST) Message-Id: <199612061113.DAA14894@miles.greatcircle.com> Received: from cem-bb.e-mail.com by E-MAIL.COM (IBM VM SMTP V2R3) with BSMTP id 8340; Fri, 06 Dec 96 06:13:01 EST Date: Fri, 06 Dec 1996 06:12:16 EST From: toon@cem-bb.e-mail.com To: firewalls@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi firewall-people, Some time ago I read in this list about the firewall-1 mailing list at applicom.co.il. I subscribed to the digest version. This was confirmed but I do not get any messages. At the Checkpoint site, a nice webpage tells me to try again later when I try to look at some maillist info. My question: Is there a firewall-1 mailinglist at all or not? Next topic: Someone told me that 'I have to filter out VERIFY and EXPAND when letting mail through my firewall'. Can someone explain to me what this means? Hear from you in the next digest, Toon N.B.
If I read any more messages in this list about IRINA or some other GOOD TIMES I will punish you all by trying to unsubscribe from this list and sending messages that I can not get off the list (-:
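The "VERIFY and EXPAND" Toon was told to filter are the SMTP commands VRFY and EXPN: VRFY asks the mail server whether a mailbox exists, EXPN asks it to expand a mailing list into its member addresses, and both let an outsider harvest valid account names from a server that answers them. The example below is added here for illustration; it is not code from the list, from Firewall-1, or from any other product named in the thread. It shows what "filtering out" those commands means on a mail relay: the relay answers VRFY and EXPN itself with the RFC 821 reply 502 "Command not implemented" and never forwards them, while every other command is passed through. The "internal MTA" is a constructed stand-in whose account and list data are assumed, so that the leak the filter closes is visible in the same run.

```python
"""SMTP command filter for a firewall mail relay.

Added example for the VRFY/EXPN question above; not code from the list,
from Firewall-1, or from any product named in the thread.  The internal
MTA below is a constructed stand-in that answers VRFY and EXPN the way an
unprotected mail server of the period would.
"""
import re

# Verbs the relay never forwards.  VRFY asks whether a mailbox exists,
# EXPN expands a mailing list into its members; either lets an outsider
# harvest valid local account names one query at a time.
BLOCKED_VERBS = frozenset({"VRFY", "EXPN"})

# 502 "Command not implemented" is the RFC 821 refusal for an unsupported
# command; it reveals nothing about any mailbox.
BLOCKED_REPLY = "502 Command not implemented"

# Constructed directory for the stand-in internal MTA (assumed data).
INTERNAL_ACCOUNTS = {"root": "root@internal.example",
                     "postmaster": "postmaster@internal.example"}
INTERNAL_LISTS = {"staff": ["alice@internal.example", "bob@internal.example"]}


def parse_verb(line):
    """Upper-cased SMTP verb of a command line, tolerant of leading blanks
    and of a trailing CRLF, so 'vrfy root' and ' VRFY root\\r\\n' both match."""
    m = re.match(r"\s*([A-Za-z]+)", line)
    return m.group(1).upper() if m else ""


def multiline(code, texts):
    """Build an RFC 821 multi-line reply: 'code-text' for all but the last."""
    *head, last = texts
    return "\r\n".join([f"{code}-{t}" for t in head] + [f"{code} {last}"])


def internal_mta(line):
    """Stand-in for the protected mail server (constructed behaviour)."""
    verb = parse_verb(line)
    arg = line.strip().partition(" ")[2].strip().lower()
    if verb == "VRFY":
        addr = INTERNAL_ACCOUNTS.get(arg)
        return f"250 <{addr}>" if addr else "550 User unknown"
    if verb == "EXPN":
        members = INTERNAL_LISTS.get(arg)
        if members:
            return multiline("250", [f"<{m}>" for m in members])
        return "550 List unknown"
    if verb == "QUIT":
        return "221 Closing connection"
    if verb in {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP"}:
        return "250 OK"
    return "500 Command unrecognized"


def filter_command(line, upstream=internal_mta, log=None):
    """Handle one client command as the relay would: answer blocked verbs
    locally with 502 (and log the attempt), relay everything else and hand
    back the upstream reply unchanged."""
    verb = parse_verb(line)
    if verb in BLOCKED_VERBS:
        if log is not None:
            log.append(f"refused {verb}: {line.strip()!r}")
        return BLOCKED_REPLY
    return upstream(line)


def run_session(commands, handler):
    """Replies for a list of client commands, in order."""
    return [handler(c) for c in commands]


# Constructed probe an outsider might send (not a real capture).
PROBE = ["HELO scanner.example\r\n", "VRFY root\r\n", "vrfy nobody\r\n",
         "EXPN staff\r\n", "QUIT\r\n"]

if __name__ == "__main__":
    print("without filter:")
    for c, r in zip(PROBE, run_session(PROBE, internal_mta)):
        print(f"  C: {c.strip():<22} S: {r!r}")
    audit = []
    print("with filter:")
    for c, r in zip(PROBE, run_session(PROBE, lambda l: filter_command(l, log=audit))):
        print(f"  C: {c.strip():<22} S: {r!r}")
    print("audit log:", audit)
```

Running the script side by side shows the point: without the filter the probe learns that root exists, that nobody does not, and who is on the staff list; with the filter every such query gets the same 502 and an audit line, while HELO and QUIT still reach the server. The verb match is deliberately case-insensitive and ignores leading blanks, since a filter that only matched upper-case VRFY at column one would be trivial to bypass.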
The procedure below assumes you are using weak authentication and anonymous FTP is OK at Server. >From PC do "ftp FW-a". At the FW-a proxy prompt logon as "ftp@FW-b". At the FW-b proxy prompt logon as "ftp@server". At Server password use "user@PC". /Jim/ -- -- _/_/_/ _/_/_/ _/_/_/ _/_/_/ | Tel: (0141) 337 5000 _/ _/ _/ _/ | Fax: (0141) 337 5050 _/_/_/ _/ _/_/ _/ | Net: scet@scet.org.uk _/ _/ _/ _/ | AppleLink: SCET.DEV _/_/_/ _/_/_/ _/_/_/ _/ | WWW: http://www.scet.org.uk ......learning through technology | From firewalls-owner Fri Dec 6 05:28:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA14573 for firewalls-outgoing; Fri, 6 Dec 1996 03:01:55 -0800 (PST) Received: from smtp-relay2.scet.org.uk (smtp-relay2.scet.org.uk [193.123.133.23]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id DAA14531 for ; Fri, 6 Dec 1996 03:01:12 -0800 (PST) Received: from scet.org.uk (193.123.133.20) by smtp-relay2.scet.org.uk with SMTP (Apple Internet Mail Server 1.1.1); Fri, 6 Dec 1996 11:00:34 +0000 Date: Fri, 6 Dec 96 11:00:23 -0000 From: jeromie@garrison.com@scet.org.uk (jeromie@garrison.com) Organization: SCET Subject: Re: Cisco's PIX Firewall To: firewalls@greatcircle.com Message-ID: <-607191040.ensmtp@scet.org.uk> X-Mailer: ExpressNet/SMTP v1.1.5 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > On Thu, 5 Dec 1996, Jeromie Jackson wrote: > > > > > > Food for thought for people like Cisco/FW1... If you were to just make > > a Mail Transport Agent for the hub, and provide it along with the product, > > people like me could not bitch, and you could say you covered the bases. I did > > note in one of the earlier posts from Cisco that they are indeed working on it. > > > > Creating an MTA does not solve the issue. Who is to say that a > vendor authored MTA is any more secure than Berkeley Sendmail? 
At least > with Berkeley Sendmail you have the source to review if you so choose. I > submit that this is a luxury you would not have with a vendor supplied > MTA. People tend to attack Sendmail because it's high profile as far as > security errors go. However, DNS and HTTP are just as, if not more serious > areas of concern. I think the real solution is to have these services made > available with full source code. This being said, I think there are plenty > of free software packages available to meet these needs. This software > simply needs to be reviewed on a regular basis. > Yes, you are right, I should not assume that the vendor of a security product would do any type of assurance testing that would superseed that of the current MTA products. In a decent security world, one might be able to assume something of the sort, but..... I would have to agree with you. In reguards to your opinion of the code being more secure because of the widely publicized source code, I would definitely have to DISAGREE with you. Just because the code is made public does not make it more secure whatsoever. Now if you would have said that the code be made public so that a formal testing methodology be implemented upon it, I would have agreed. Releasing the code to the public may give random people a chance of finding a security problem I would agree. 
However, providing code to the public does not provide assurance. Jeromie Jackson Garrison Technologies jeromie@garrison.com From firewalls-owner Fri Dec 6 05:29:59 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA23447 for firewalls-outgoing; Fri, 6 Dec 1996 05:01:38 -0800 (PST) Received: from smtp-relay2.scet.org.uk (smtp-relay2.scet.org.uk [193.123.133.23]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA23361 for ; Fri, 6 Dec 1996 05:00:56 -0800 (PST) Received: from scet.org.uk (193.123.133.20) by smtp-relay2.scet.org.uk with SMTP (Apple Internet Mail Server 1.1.1); Fri, 6 Dec 1996 13:00:19 +0000 Date: Fri, 6 Dec 96 13:00:10 -0000 From: patlee@panix.com@scet.org.uk (patlee@panix.com) Organization: SCET Subject: Re: Vunerabilities in Microsoft's IIS 2.0 To: firewalls@greatcircle.com Message-ID: <-2033057792.ensmtp@scet.org.uk> X-Mailer: ExpressNet/SMTP v1.1.5 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 5 Dec 1996, Joseph L. Moll wrote: > We have noticed a little problem with IIS 2.0 and were wondering if the > problem also exists in IIS 3.0. IIS 3.0 and 2.0 are essentially the same product. You can download a number of components (such as Active Server Pages, Index Server, etc.) that enhance the capability of IIS 2.0 -- thus making it 3.0. > It seems that anyone can browse any files in the cgi-bin directory on > the server. For example, browse this on your IIS web host: Always associate files that are meant to be executed with an executable file type. If *.cgi files are meant to be executable, then by all means make that file type association.
That way, when a user requests a *.cgi file by name, the server will try to execute the script instead of sending it back. Also, _always_ turn off directory browsing. Why make it any easier for anyone to snoop around? Accidents happen and you could leave a file in a publicly accessible directory without knowing it. > IIS 2.0 in conjunction with M$ Internet Exploder passes the end user's > domain and username to the IIS for access. Gets logged in the log file > as DOMAIN\USERNAME. Read up on the security chapter in the IIS documentation, please. That's a feature. If you don't want it, turn it off. From firewalls-owner Fri Dec 6 05:37:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA25542 for firewalls-outgoing; Fri, 6 Dec 1996 05:24:58 -0800 (PST) Received: from netcom.netcom.com (netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA25529 for ; Fri, 6 Dec 1996 05:24:44 -0800 (PST) Received: (from judab@localhost) by netcom.netcom.com (8.6.13/Netcom) id FAA21827; Fri, 6 Dec 1996 05:24:09 -0800 Date: Fri, 6 Dec 1996 05:24:09 -0800 (PST) From: Juda Barnes Subject: Re: Get me off of this list!!!!!!! To: "John L. Hamilton" cc: "firewalls@GreatCircle.COM" In-Reply-To: <01BBE2A2.848971C0@Cust31.Max15.San-Francisco.CA.MS.UU.NET> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 5 Dec 1996, John L. Hamilton wrote: > I sent the message to majordomo and got verification that I was removed but I'm still receiving posts.
> > me too From firewalls-owner Fri Dec 6 05:40:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA20980 for firewalls-outgoing; Fri, 6 Dec 1996 04:23:09 -0800 (PST) Received: from firewall.tns.co.za (gauntlet.tns.co.za [196.23.1.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA20906 for ; Fri, 6 Dec 1996 04:22:27 -0800 (PST) Received: by firewall.tns.co.za id AA13506; Fri, 6 Dec 96 14:21:51+020 Received: from commerce.tns.co.za(10.0.0.8) by firewall.tns.co.za via smap (V3.1.1) id xma013504; Fri, 6 Dec 96 14:21:50 +0200 Received: from quick.is.co.za (quick.tns.co.za [10.0.0.43]) by commerce (940816.SGI.8.6.9/8.6.12) with SMTP id OAA27990; Fri, 6 Dec 1996 14:20:20 +0200 Message-Id: <199612061220.OAA27990@commerce> Comments: Authenticated sender is From: "David Untiedt" To: Jim.Egan@iai.com Date: Fri, 6 Dec 1996 14:21:36 +0000 Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7BIT Subject: Re: Proxy & illegal IP numbers Cc: firewalls@GreatCircle.COM X-Mailer: Pegasus Mail for Win32 (v2.31) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > I need to allow hosts from the internet connect to our internal hosts. We use > > a firewall that does proxying and filtering. The problem is that we use > > illegal IP addresses inside the company so we can not be addressed from the > > internet. Does anyone know about a program that will listen to a port on the > > firewall, and forward that traffic to a specified host (by changing the IP > > header maybe) ? > > > > DAn > > > > How illegal? If you are using RFC 1918 compliant addresses inside, you are > doing what many, many others do. Hi DAn Using the RFC1918 addresses is not in any way illegal. These are legitimate addresses that can be used by anyone legitimately. If you are using IP addresses that are not 'legal' (ie.
not in RFC1918, and not allocated to you by your ISP) there is a good chance that they are legitimately in use by someone else on the internet. By hiding your addresses behind some sort of Network Address Translator (eg. a Gauntlet firewall) you get around this problem quite elegantly until you try to connect to a site that is legitimately using your, now hidden, 'illegal' IP addresses. In this case the gateway looks at the destination of the packet and, seeing that it is destined for a network that it knows (it knows your own networks), routes it back to your network instead of along the default route and out to the Internet. This all happens if the destination does not have the same address as a box on your local network. If it does, *that* box simply picks up the packet and looks puzzled. I hope you weren't using Microsoft's address space. > > I am most familiar with TIS FWTK and Gauntlet. With Gauntlet you can plug the > outside machines to inside machines on an IP to IP basis, or create a circuit > gateway for a particular protocol. 
> > /Jim/ Dave For more information on TNS see http://www.tns.co.za/ ================================================================== David Untiedt ,-| |-, Tel : 2711-447-7171 david@tns.co.za -=( | | )=- Fax : 2711-447-7172 Trusted Network Solutions `-| |-' P.O.Box 3234,Parklands,2121 ================================================================== From firewalls-owner Fri Dec 6 05:58:11 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA24967 for firewalls-outgoing; Fri, 6 Dec 1996 05:19:34 -0800 (PST) Received: from wormhole.tds.de (wormhole.tds.de [193.28.100.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA24916 for ; Fri, 6 Dec 1996 05:19:14 -0800 (PST) Received: (from uucp@localhost) by wormhole.tds.de (8.8.0/8.6.9) id SAA04359 for ; Wed, 13 Nov 1996 18:52:29 +0100 Received: from nv6000x.hn.tds.de(193.28.102.69) by wormhole.hn.tds.de via smap (V2.0beta) id xma004357; Wed, 13 Nov 96 18:52:16 +0100 Message-ID: <328A0ABB.59E2@dat.tds.de> Date: Wed, 13 Nov 1996 18:51:55 +0100 From: Christopher Tighe Organization: Tele-Daten Service GmbH X-Mailer: Mozilla 3.0 (X11; I; AIX 2) MIME-Version: 1.0 To: firewalls@greatcircle.com Subject: Tacacs+ Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I know there is often a discussion about Tacacs+ on this list, so I thought I would ask the following: how do you configure a tacacs server to provide authentication for a cisco router for enable (privileged) mode? For normal login it is okay and works fine, but in enable mode I receive the following error message: Wed Nov 13 18:39:44 1996 [40201]: enable query for tty2 from xxx.xxx.xxx.xxx rejected. I think I need to define some special user in my tacacs passwd file, but I can't find any reference to that, so how do I do it? Please help, I am getting desperate.....
chris -- +------------------------------------------------------------+ | Christopher Tighe BSc.(Hons) Tel: ++49 (0)7131 6235-119 | | Network Services Fax: ++49 (0)7131 6235-115 | | tele-daten service GmbH E-Mail: ctighe@tds.de | | Titotstr. 7-9 | | 74072 Heilbronn \"""/ | | Germany (o o) | +------------------------------------.ooO(_)Ooo.-------------+ From firewalls-owner Fri Dec 6 06:35:01 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA19673 for firewalls-outgoing; Fri, 6 Dec 1996 04:01:54 -0800 (PST) Received: from smtp-relay2.scet.org.uk (smtp-relay2.scet.org.uk [193.123.133.23]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA19582 for ; Fri, 6 Dec 1996 04:01:04 -0800 (PST) Received: from scet.org.uk (193.123.133.20) by smtp-relay2.scet.org.uk with SMTP (Apple Internet Mail Server 1.1.1); Fri, 6 Dec 1996 12:00:28 +0000 Date: Fri, 6 Dec 96 12:00:15 -0000 From: shaver@neon.ingenia.ca@scet.org.uk (shaver@neon.ingenia.ca) Organization: SCET Subject: Re: Netscape gold ?! To: firewalls@greatcircle.com Message-ID: <1506869248.ensmtp@scet.org.uk> X-Mailer: ExpressNet/SMTP v1.1.5 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Thus spake elroy: > I know that Netscape Gold can publish either via PASV ftp, or http put. > My question is WHAT PORT(S)? The PASV FTP and HTTP ports. If they can do PASV FTP out to the box, and they can retrieve web pages from it, then there's no port issue. If you've got some application-layer logic in there between them, then you might have some problems; I don't know which proxies do/don't support HTTP PUT. Mike -- #> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation #> Commando Developer - Whatever It Takes #> #> "See, you not only have to be a good coder to create a system like #> Linux, you have to be a sneaky bastard too." 
- Linus Torvalds From firewalls-owner Fri Dec 6 07:04:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA28648 for firewalls-outgoing; Fri, 6 Dec 1996 06:02:04 -0800 (PST) Received: from smtp-relay2.scet.org.uk (smtp-relay2.scet.org.uk [193.123.133.23]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA28545 for ; Fri, 6 Dec 1996 06:01:06 -0800 (PST) Received: from scet.org.uk (193.123.133.20) by smtp-relay2.scet.org.uk with SMTP (Apple Internet Mail Server 1.1.1); Fri, 6 Dec 1996 14:00:26 +0000 Date: Fri, 6 Dec 96 14:00:10 -0000 From: toon@cem-bb.e-mail.com@scet.org.uk (toon@cem-bb.e-mail.com) Organization: SCET Subject: None To: firewalls@greatcircle.com Message-ID: <-1949171712.ensmtp@scet.org.uk> X-Mailer: ExpressNet/SMTP v1.1.5 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi firewall-people, Some time ago I read in this list about the firewall-1 mailing list at applicom.co.il. I subscribed to the digest version. This was confirmed but I do not get any messages. At the Checkpoint site, a nice webpage tells me to try again later when I try to look at some maillist info. My question: Is there a firewall-1 mailing list at all, or not? Next topic: Someone told me that 'I have to filter out VERIFY and EXPAND when letting mail through my firewall'. Can someone explain to me what this means? Hear from you in the next digest, Toon N.B.
If I read any more messages in this list about IRINA or some other GOOD TIMES I will punish you all by trying to unsubscribe from this list and sending messages that I cannot get off the list (-: From firewalls-owner Fri Dec 6 07:14:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA24796 for firewalls-outgoing; Fri, 6 Dec 1996 05:17:09 -0800 (PST) Received: from magneto.acquion.com (magneto.acquion.com [206.154.17.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA24751 for ; Fri, 6 Dec 1996 05:16:52 -0800 (PST) Received: from wolverine (wolverine.acquion.com [206.154.17.12]) by magneto.acquion.com (post.office MTA v2.0 0813 ID# 0-11944) with SMTP id AAA229 for ; Fri, 6 Dec 1996 08:21:09 -0500 Message-Id: <2.2.32.19961206131739.00927fec@mail.acqic.org> X-Sender: oolid@mail.acqic.org X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 06 Dec 1996 08:17:39 -0500 To: firewalls@greatcircle.com From: oolid@acqic.org (Joseph L. Moll) Subject: Re: Vunerabilities in Microsoft's IIS 2.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It appears that I may have been a little premature with this post. With the help of a few of the other firewalls subscribers, hopefully we'll trudge this problem (i.e. Guess we need to RTFM :). Will keep up to date. Regards, Joe At 04:22 PM 12/5/96 -0500, oolid@acqic.org (Joseph L. Moll) wrote: >Hello all: > >We have noticed a little problem with IIS 2.0 and were wondering if the >problem also exists in IIS 3.0. > >It seems that anyone can browse any files in the cgi-bin directory on >the server.
For example, browse this on your IIS web host: > >http://your.domain.here/cgi-bin/my_cgi.ini > >The only catch is that you have to know the name of the file. Good ole >security by obscurity? > >IIS 2.0 in conjunction with M$ Internet Exploder passes the end user's domain >and username to the IIS for access. Gets logged in the log file as >DOMAIN\USERNAME. > >Anyone else observed this slight problem? > > >Regards, >--- >Joseph L. (Joe) Moll -- Network and Communications Engineering >mailto:jmoll@acquion.com http://www.acquion.com >ACQUION, Inc. Greenville, SC USA -- Specialists in Electronic Commerce >PGP Fingerprint = 8D E7 F0 E8 8D 67 A8 19 02 CB 83 0F 19 41 D3 A9 > > From firewalls-owner Fri Dec 6 07:28:41 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA05820 for firewalls-outgoing; Fri, 6 Dec 1996 07:19:45 -0800 (PST) Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA05812 for ; Fri, 6 Dec 1996 07:19:36 -0800 (PST) Received: from netevolve.com by relay3.UU.NET with SMTP (peer crosschecked as: [206.136.48.11]) id QQbsxx23033; Fri, 6 Dec 1996 10:19:00 -0500 (EST) Received: from lazar by netevolve.com (4.1/SMI-4.1) id AA23397; Fri, 6 Dec 96 10:21:54 EST Message-Id: <3.0.1.32.19961206101328.006bf64c@netevolve.com> X-Sender: lazar@netevolve.com X-Mailer: Windows Eudora Pro Version 3.0.1 beta 1 (32) Date: Fri, 06 Dec 1996 10:13:29 -0500 To: firewalls@greatcircle.com From: Irwin Lazar Subject: Here we go again Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Someone please add "the hoax virus" to the listing of virus types: I just received an e-mail warning of a new virus called DEEYENDA. Like Good Times and IRINA, it warns that if you read an e-mail with DEEYENDA in the subject line, your entire hard drive will be erased. Hey, it even has an FCC warning.
According to the FCC warning, Deeyenda: 1. Obliterates your hard drive 2. Sends all your passwords, credit card numbers and other personal info to an unknown e-mail address. 3. Stays resident and captures your passwords every time you log on anywhere and sends them to an unknown e-mail address as well. Not only that, but it infects users who view Java enhanced web pages. The end of the world is near, crawl under your desks and hide. Will it never end?? <><><><><><><><><><> Irwin Lazar Network Consultant Network Evolutions, Inc. http://www.netevolve.com lazar@netevolve.com <><><><><><><><><><> From firewalls-owner Fri Dec 6 07:34:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA28672 for firewalls-outgoing; Fri, 6 Dec 1996 06:02:16 -0800 (PST) Received: from smtp-relay2.scet.org.uk (smtp-relay2.scet.org.uk [193.123.133.23]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA28546 for ; Fri, 6 Dec 1996 06:01:06 -0800 (PST) Received: from scet.org.uk (193.123.133.20) by smtp-relay2.scet.org.uk with SMTP (Apple Internet Mail Server 1.1.1); Fri, 6 Dec 1996 14:00:29 +0000 Date: Fri, 6 Dec 96 14:00:13 -0000 From: Jim.Egan@iai.com@scet.org.uk@scet.org.uk (Jim.Egan@iai.com@scet.org.uk) Organization: SCET Subject: Re: Serially connected firewalls and FTP To: firewalls@greatcircle.com Message-ID: <-1898840064.ensmtp@scet.org.uk> X-Mailer: ExpressNet/SMTP v1.1.5 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Mix, S.R.
recently wrote: > > > Hi: > > We are attempting to determine how to get FTP sessions established > end-to-end between multiple networks, each protected by a firewall: > > +-----+ +------------+ +--------+ > | | | | | | > +--+ | +----------+ | | +----------+ | +------------+ > |PC| +---|FireWall a|---+ +---|FireWall b|---+ | FTP server | > +--+ +----------+ +----------+ +------------+ > > FireWall b is a TIS Firewall Toolkit Version 2.0 > > FireWall a so far has been an Eagle Raptor or another TIS FWTK. > > The question is: > > how does a user on the "PC" (which might include a UNIX command line) > connect through the two firewalls to the FTP server? > > Thanks, > Scott R. Mix > PJM Interconnection Association > I do this all the time. The procedure below assumes you are using weak authentication and anonymous FTP is OK at Server. From PC do "ftp FW-a". At the FW-a proxy prompt logon as "ftp@FW-b". At the FW-b proxy prompt logon as "ftp@server". At Server password use "user@PC". /Jim/ From firewalls-owner Fri Dec 6 07:36:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA28403 for firewalls-outgoing; Fri, 6 Dec 1996 06:00:08 -0800 (PST) Received: from maddie.atlantic.com (maddie.atlantic.com [198.252.200.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA28338 for ; Fri, 6 Dec 1996 05:59:40 -0800 (PST) Received: (from pokey@localhost) by maddie.atlantic.com (8.7.6/8.7.3) id JAA08067; Fri, 6 Dec 1996 09:59:11 -0500 From: Rick Romkey Message-Id: <199612061459.JAA08067@maddie.atlantic.com> Subject: Re: Why would someone want an NT firewall? To: davem@iss.net (David J.
Meltzer) Date: Fri, 6 Dec 1996 09:59:10 -0500 (EST) Cc: knight@Harding.edu, Firewalls@GreatCircle.COM In-Reply-To: from "David J. Meltzer" at Dec 5, 96 04:51:10 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > The job of designing a firewall and then actually implementing it are > two separate tasks. An intuitive GUI, based on NT or Unix, may aid you in > your implementation, but it generally does nothing to help the design > process. It is vitally important that a competent person design your > firewall, and that whenever changes are made to the implementation, you > check and double check that your currently configured firewall is still > protecting you in the manner that you have designed it to. > I would strongly recommend against letting anyone that does not have a > good base of computer security knowledge making changes to a firewall > configuration. That doesn't mean you need to be a security expert > to be able to run a firewall, but it does mean that you need to have > read a few books on computer security and firewalls, and that you keep > current with known services and programs that may open up vulnerabilities > on your network. > Well said, David! There is no reason why we can't have a firewall that is easy to use, as long as we have someone who knows what he or she is doing in the driver's seat. Gotta go...have to compile the newest version of Sendmail! 
-Rick ---------------------------------------------------------------------------- Rick E Romkey | A T L A N T I C | Internet pokey@atlantic.com | Computing Technology Corporation | Specialists (860) 667-9596 | http://www.atlantic.com/ | ----------------------------------------------------------------------------- From firewalls-owner Fri Dec 6 07:38:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA28673 for firewalls-outgoing; Fri, 6 Dec 1996 06:02:16 -0800 (PST) Received: from smtp-relay2.scet.org.uk (smtp-relay2.scet.org.uk [193.123.133.23]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA28555 for ; Fri, 6 Dec 1996 06:01:13 -0800 (PST) Received: from scet.org.uk (193.123.133.20) by smtp-relay2.scet.org.uk with SMTP (Apple Internet Mail Server 1.1.1); Fri, 6 Dec 1996 14:00:32 +0000 Date: Fri, 6 Dec 96 14:00:15 -0000 From: jeromie@garrison.com@scet.org.uk@scet.org.uk (jeromie@garrison.com@scet.org.uk) Organization: SCET Subject: Re: Cisco's PIX Firewall To: firewalls@greatcircle.com Message-ID: <248774656.ensmtp@scet.org.uk> X-Mailer: ExpressNet/SMTP v1.1.5 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > On Thu, 5 Dec 1996, Jeromie Jackson wrote: > > > > > > Food for thought for people like Cisco/FW1... If you were to just make > > a Mail Transport Agent for the hub, and provide it along with the product, > > people like me could not bitch, and you could say you covered the bases. I did > > note in one of the earlier posts from Cisco that they are indeed working on it. > > > > Creating an MTA does not solve the issue. Who is to say that a > vendor authored MTA is any more secure than Berkeley Sendmail? At least > with Berkeley Sendmail you have the source to review if you so choose. I > submit that this is a luxury you would not have with a vendor supplied > MTA. 
People tend to attack Sendmail because it's high profile as far as > security errors go. However, DNS and HTTP are just as, if not more serious > areas of concern. I think the real solution is to have these services made > available with full source code. This being said, I think there are plenty > of free software packages available to meet these needs. This software > simply needs to be reviewed on a regular basis. > Yes, you are right, I should not assume that the vendor of a security product would do any type of assurance testing that would supersede that of the current MTA products. In a decent security world, one might be able to assume something of the sort, but..... I would have to agree with you. In regards to your opinion of the code being more secure because of the widely publicized source code, I would definitely have to DISAGREE with you. Just because the code is made public does not make it more secure whatsoever. Now if you would have said that the code be made public so that a formal testing methodology be implemented upon it, I would have agreed. Releasing the code to the public may give random people a chance of finding a security problem, I would agree.
However, providing code to the public does not provide assurance. Jeromie Jackson Garrison Technologies jeromie@garrison.com From firewalls-owner Fri Dec 6 07:40:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA04502 for firewalls-outgoing; Fri, 6 Dec 1996 07:01:34 -0800 (PST) Received: from smtp-relay2.scet.org.uk (smtp-relay2.scet.org.uk [193.123.133.23]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA04475 for ; Fri, 6 Dec 1996 07:01:15 -0800 (PST) Received: from scet.org.uk (193.123.133.20) by smtp-relay2.scet.org.uk with SMTP (Apple Internet Mail Server 1.1.1); Fri, 6 Dec 1996 15:00:37 +0000 Date: Fri, 6 Dec 96 15:00:20 -0000 From: judab@netcom.com@scet.org.uk (judab@netcom.com) Organization: SCET Subject: Re: Get me off of this list!!!!!!! To: firewalls@greatcircle.com Message-ID: <382992384.ensmtp@scet.org.uk> X-Mailer: ExpressNet/SMTP v1.1.5 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 5 Dec 1996, John L. Hamilton wrote: > I sent the message to majordomo and got verification that I was removed but I'm still receiving posts.
> > me too From firewalls-owner Fri Dec 6 07:42:49 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01451 for firewalls-outgoing; Fri, 6 Dec 1996 06:28:51 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA01419 for ; Fri, 6 Dec 1996 06:28:31 -0800 (PST) Received: from big-dogs.cisco.com ([171.68.53.75]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id GAA09623; Fri, 6 Dec 1996 06:27:20 -0800 Message-Id: <2.2.32.19961206142720.00bf1fa4@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 06 Dec 1996 09:27:20 -0500 To: "David Untiedt" From: Paul Ferguson Subject: Re: Proxy & illegal IP numbers Cc: Jim.Egan@iai.com, firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 02:21 PM 12/6/96 +0000, David Untiedt wrote: > >Using the RFC1918 addresses is not in any way illegal. These are >legitimate addresses that can be used by anyone legitimately. > >If you are using IP addresses that are not 'legal' (ie. not in >RFC1918, and not allocated to you by your ISP) there is a good chance >that they are legitimately in use by someone else on the internet. By >hiding your addresses behind some sort of Network Address Translator >(eg. a Gauntlet firewall) you get around this problem quite elegantly >until you try to connect to a site that is legitimately using your, >now hidden, 'illegal' IP addresses. > Yes, but one should not expect RFC-1918 prefixes to be routable in the global Internet. If you do, you're in for a rude awakening.
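Added example, not code from Paul Ferguson, David Untiedt or anyone else on the list: a Python 3 audit of internal address space that makes both points above concrete. classify_prefix separates RFC 1918 space from space your ISP actually allocated and from "squatted" space (someone else's routable addresses), and shadowed_destinations lists the outside hosts a NAT or proxy gateway would route back inside because they fall in a prefix it believes is local. All prefixes in the demo are constructed; 203.0.113.0/24 stands in for some other site's routable space, and the allocated list is an assumed input.

```python
"""Audit internal address space against RFC 1918 and spot the NAT routing collision.

Added example; not code from any poster on this list. Standard library only
(ipaddress.subnet_of needs Python 3.7+). All prefixes in the demo are
constructed; 203.0.113.0/24 stands in for space that belongs to some other
site on the Internet.
"""
import ipaddress

# RFC 1918 private space: free to use inside, never routed on the global Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_prefix(prefix, allocated=()):
    """Return 'rfc1918', 'allocated' or 'squatted' for one internal prefix.

    allocated: the prefixes your ISP or registry actually assigned to you.
    'squatted' is the dangerous case: it is someone else's routable space,
    and hiding it behind NAT only works until you need to talk to its owner.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    if any(net.subnet_of(ipaddress.ip_network(a, strict=False)) for a in allocated):
        return "allocated"
    return "squatted"


def audit_internal_space(internal_prefixes, allocated=()):
    """Map every internal prefix to its classification."""
    return {p: classify_prefix(p, allocated) for p in internal_prefixes}


def shadowed_destinations(internal_prefixes, destinations):
    """List outside destinations the gateway would route back inside.

    A NAT or proxy gateway that knows the internal prefixes treats any packet
    for them as local, so a legitimate outside host using the same address is
    unreachable from inside. Returns (destination, colliding prefix) pairs.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in internal_prefixes]
    hits = []
    for dest in destinations:
        addr = ipaddress.ip_address(dest)
        for net in nets:
            if addr in net:
                hits.append((dest, str(net)))
                break
    return hits


if __name__ == "__main__":
    internal = ["10.0.0.0/8", "172.32.0.0/16", "203.0.113.0/24"]  # constructed
    for prefix, verdict in audit_internal_space(internal).items():
        print(f"{prefix:18} {verdict}")
    # Constructed outside destinations; the second one collides with the squatted prefix.
    for dest, net in shadowed_destinations(internal, ["192.0.2.10", "203.0.113.7"]):
        print(f"{dest} would be routed to internal {net} and never reach the Internet")
```

Note that 172.32.0.0/16 is reported as squatted: RFC 1918 ends at 172.31.255.255, a boundary that is easy to get wrong when the range is remembered as "172.x".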
;-) - paul -- Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:.. e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Fri Dec 6 07:46:48 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA04868 for firewalls-outgoing; Fri, 6 Dec 1996 07:06:13 -0800 (PST) Received: from individual-bh.individual.com (individual-bh.individual.com [206.35.15.68]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA04812 for ; Fri, 6 Dec 1996 07:05:29 -0800 (PST) Received: (from uucp@localhost) by individual-bh.individual.com (8.6.12/8.6.11) id KAA29761 for ; Fri, 6 Dec 1996 10:05:09 -0500 Received: from woolf.individual.com by individual-bh.individual.com via smap (V1.3) id sma029748; Fri Dec 6 10:05:06 1996 Received: (from bheiser@localhost) by woolf.individual.com (8.7.3/8.7.3) id KAA06917 for Firewalls@GreatCircle.COM; Fri, 6 Dec 1996 10:04:48 -0500 (EST) From: Bill Heiser Message-Id: <199612061504.KAA06917@woolf.individual.com> Subject: Re: why would anyone want an NT firewall To: Firewalls@GreatCircle.COM Date: Fri, 6 Dec 1996 10:04:47 -0500 (EST) In-Reply-To: <199612060829.AAA00387@miles.greatcircle.com> from "Firewalls-Digest" at Dec 6, 96 00:29:36 am X-Organization: Individual, Inc., Engineering Dept X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Firewalls-Digest wrote this: > > > From: Adrian Knight > > Subject: Why would someone want an NT firewall? > > > > but there are a lot of > > average people out there who want to AND CAN handle managing a firewall > > right along with the MANY other types of systems that are also included in > > our job responsibilities. In this age of computers, it is no longer valid > > to try to convince people that computers are just too complicated for the > > average person. 
The problem with this is not that "computers are too complicated". The problem is that the "average person" simply does not have an understanding of security issues. Yes, it's simple to sit at a FW-1 or other GUI-based firewall console and set it up. But without a solid understanding of the underlying problems and security issues, such firewall management can be a very dangerous thing leading to a false sense of security for the organization behind it. From firewalls-owner Fri Dec 6 07:49:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA28166 for firewalls-outgoing; Fri, 6 Dec 1996 05:56:26 -0800 (PST) Received: from maddie.atlantic.com (maddie.atlantic.com [198.252.200.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA28137 for ; Fri, 6 Dec 1996 05:56:06 -0800 (PST) Received: (from pokey@localhost) by maddie.atlantic.com (8.7.6/8.7.3) id JAA08050; Fri, 6 Dec 1996 09:55:22 -0500 From: Rick Romkey Message-Id: <199612061455.JAA08050@maddie.atlantic.com> Subject: Re: Why would someone want an NT firewall? To: dharris@kcp.com Date: Fri, 6 Dec 1996 09:55:21 -0500 (EST) Cc: Firewalls@GreatCircle.COM, knight@Harding.edu In-Reply-To: <199612052307.AA12386@kcpgw2.kcp.com> from "dharris@kcp.com" at Dec 5, 96 04:59:46 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > Why do you consider it a "Good Thing" (TM) that your manager can sit down and > modify your firewall? Is he fully aware of the impact his changes will have and > how they might affect the ability of your firewall to implement your security > policy? I know it reeks of "security by obscurity", but a firewall that is easy > to modify is also a firewall that is easy to modify incorrectly. If you have to > stop and think about what you are doing before you can do anything you are less > apt to just do something to see what happens. 
My little experience with NT > shows that even an experienced person who is just messing around with the GUI > can jigger the wrong button and deny a whole LAN segment access to its server. I think you are missing the point of the original poster. There is no reason that firewalls need to be difficult to use, under NT or any other operating system. Companies like Border, Raptor and CheckPoint are proving that. Why does a person need 3 years of Unix in order to figure out how to add a service? However, the fact that a firewall is simple to use has nothing to do with whether or not a person is qualified to actually configure the thing in the first place. -Rick ---------------------------------------------------------------------------- Rick E Romkey | A T L A N T I C | Internet pokey@atlantic.com | Computing Technology Corporation | Specialists (860) 667-9596 | http://www.atlantic.com/ | ----------------------------------------------------------------------------- From firewalls-owner Fri Dec 6 07:51:07 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA04532 for firewalls-outgoing; Fri, 6 Dec 1996 07:01:45 -0800 (PST) Received: from smtp-relay2.scet.org.uk (smtp-relay2.scet.org.uk [193.123.133.23]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA04477 for ; Fri, 6 Dec 1996 07:01:18 -0800 (PST) Received: from scet.org.uk (193.123.133.20) by smtp-relay2.scet.org.uk with SMTP (Apple Internet Mail Server 1.1.1); Fri, 6 Dec 1996 15:00:40 +0000 Date: Fri, 6 Dec 96 15:00:22 -0000 From: patlee@panix.com@scet.org.uk@scet.org.uk (patlee@panix.com@scet.org.uk) Organization: SCET Subject: Re: Vunerabilities in Microsoft's IIS 2.0 To: firewalls@greatcircle.com Message-ID: <399769600.ensmtp@scet.org.uk> X-Mailer: ExpressNet/SMTP v1.1.5 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 5 Dec 1996, Joseph L.
Moll wrote: > We have noticed a little problem with IIS 2.0 and were wondering if the > problem also exists in IIS 3.0. IIS 3.0 and 2.0 are essentially the same product. You can download a number of components (such as Active Server Pages, Index Server, etc.) that enhance the capability of IIS 2.0 -- thus making it 3.0. > It seems that anyone can browse the any files in the cgi-bin directory on > the server. For example, browse this on your IIS web host: Always associate files that are meant to be executed to be executed. If *.cgi files are meant to be executable, then by all means make that file type association. That way, when a user requests a *.cgi file by name, the server will try to execute the script instead of sending it back. Also, _always_ turn off directory browsing. Why make it any easier for anyone to snoop around. Accidents happen and you could leave a file in a publically accessible directory without knowing it. > IIS 2.0 in conjunction with M$ Internet Exploder passes the end users > domain and username to the IIS for access. Get's logged in the log file > as DOMAIN\USERNAME. Read up on the security chapter in the IIS documentation, please. That's a feature. If you don't want it, turn it off. 
--
--
SCET                               | Tel: (0141) 337 5000
                                   | Fax: (0141) 337 5050
                                   | Net: scet@scet.org.uk
                                   | AppleLink: SCET.DEV
                                   | WWW: http://www.scet.org.uk
......learning through technology  |

From firewalls-owner Fri Dec 6 07:52:42 1996
From: pollock@houston.omnes.net@scet.org.uk (pollock@houston.omnes.net)
Organization: SCET
Date: Fri, 6 Dec 96 12:00:12 -0000
To: firewalls@greatcircle.com
Subject: Re: Why would someone want an NT firewall?

RE:
>2) We don't want to hire a rocket scientist to manage our firewall. A
>message earlier referred to firewalls being "necessarily technical."
>That's bogus. I think it's possible that a lot of people making money off
>of firewalls might want to keep them that way, but there are a lot of
>average people out there who want to AND CAN handle managing a firewall
>right along with the MANY other types of systems that are also included in
>our job responsibilities. In this age of computers, it is no longer valid
>to try to convince people that computers are just too complicated for the
>average person. I'm not a Microsoft Groupie or anything, but the reason
>their company is where they are today is that they realized that!
>
>Because our firewall is on an NT platform and has a good GUI, I can be
>gone for a couple of weeks and even my boss, a manager, can sit down and
>make changes to the firewall comfortably. Several other people in the
>computing department with the password could do the same if they had to.
>After two years, nobody else could sit down to my Solaris box and do
>anything except manage to shut things down.

This is not an NT vs UNIX issue, but there's a big difference between *managing a firewall* and *managing security*. While it's easy to learn the mechanics of how to allow file sharing from security enclave A to security enclave B, it's harder to learn why you should or shouldn't do it.

IMNSHO, the proper purpose of the GUI interfaces is so that a security expert doesn't need to be an NT expert or a UNIX expert also.

Anybody who doesn't understand the overall security implications of his actions should *never* be allowed to modify a firewall. Manager or not! Rocket Scientist or not! And the organization's security policy should *clearly* state that!

Regards,
Don Pollock                              pollock@houston.omnes.net
Network Systems Engineer                 +1 713 513 3017
Omnes - A Schlumberger/Cable & Wireless Company
http://www.omnes.net/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The true mark of intelligence is to learn from the experiences of others.
-------------------------------------------------------------------------
--
SCET                               | Tel: (0141) 337 5000
                                   | Fax: (0141) 337 5050
                                   | Net: scet@scet.org.uk
                                   | AppleLink: SCET.DEV
                                   | WWW: http://www.scet.org.uk
......learning through technology  |

From firewalls-owner Fri Dec 6 07:55:01 1996
From: firewalls-owner
Date: 6 DEC 96 04:23:11 EST
To: Firewalls@GreatCircle.COM
Subject: Undeliverable Message

To: Dean E Vaccher@IS_WBRHQ@BAMSWB
    BAMX400@MGate@BAM [C=US/A=INTERNET/DDA=ID/firewalls-digest(a)GreatCircle.COM]
Cc:
Subject: Firewalls-Digest V5 #650

Message not delivered to recipients below.

VNM3043: Dean E Vaccher@IS_WBRHQ@BAMSWB

**** Attachment message(s) will follow in 1 separate transmissions.
From firewalls-owner Fri Dec 6 09:03:57 1996
From: jegan@iai.com (James Egan)
Reply-To: Jim.Egan@iai.com
Organization: Integrated Architectures, Inc.
Date: Fri, 6 Dec 1996 10:53:39 -0500 (EST)
To: firewalls@greatcircle.com
Subject: Re: your mail
In-Reply-To: <199612061113.DAA14894@miles.greatcircle.com> from "toon@cem-bb.e-mail.com" at Dec 6, 96 06:12:16 am

toon@cem-bb.e-mail.com recently wrote:
>
> Hi firewall-people,
>
> Some time ago I read in this list about the firewall-1 mailing list
> at applicom.co.il. I subscribed to the digest version. This was
> confirmed but I do not get any messages.
> At the Checkpoint site, a nice webpage tells me to try again later
> when I try to look at some maillist info.
> My question: Is there a firewall-1 mailing list at all, or not?
>
> Next topic:
>
> Someone told me that 'I have to filter out VERIFY and EXPAND when letting
> mail through my firewall'. Can someone explain to me what this means?
>
> Hear from you in the next digest,
> Toon
>
> N.B. If I read any more messages in this list about IRINIA or some
> other GOOD TIMES I will punish you all by trying to unsubscribe from
> this list and sending messages that I can not get off the list (-:
>

If you run smap on your firewall, VRFY and EXPN are NOPs.

/Jim/
--
James P. Egan                    | Jim.Egan@iai.com
Integrated Architectures, Inc.   | http://www.iai.com
300 East Main Street, Suite 207  | Tel: 508-634-3200 x209
Milford, MA 01757                | Fax: 508-634-8381
Use PGP for more secure email

From firewalls-owner Fri Dec 6 09:04:39 1996
From: Adrian Knight
Date: Fri, 06 Dec 1996 09:29:16 -0500 (CDT)
To: Firewalls@greatcircle.com
Subject: Re: Why would someone want an NT firewall?
In-reply-to: <199612061459.JAA08067@maddie.atlantic.com>

Many people made very good points about the pros and cons of Unix and NT. I agree there is not ONE good solution. The point about the push from the desktop up for NT and from the Datacenter down for Unix was very on target, IMHO. It was not my intention to bring up "The O/S Wars - part MMXXXXVVII" and I applaud most for not taking it that way and getting in the trenches.
I just thought it might be useful to other part-time security folks on the list (who have security as one of their many duties) to hear from someone who has made a very thoughtful decision to use an NT firewall. It was not a trendy thing or an "MS is great, use it"-thing, it was a well-researched and thought out decision. Your mileage may vary.

I've learned a lot from this list and I respect the people who contribute to it. But I've often felt like the commercial where the guy shyly stands up and confesses "I'm a Hyundai owner too" for having a firewall running on a non-unix platform. Again, I thought it might help some "Hyundai owners" to hear of others' well-thought-out, semi-objective (I tried) reasons.

For what it's worth, I am not an NT expert nor had I even touched NT before putting our firewall on it.

Adrian Knight               | Network Manager
Harding University          | Internet: KNIGHT@HARDING.EDU
900 E. Center, Box 2264     | Phone: (501) 279-4440
Searcy, AR 72149-0001       |

From firewalls-owner Fri Dec 6 09:59:08 1996
From: a3rdeye@earthlink.net (3rd Eye)
Date: Fri, 6 Dec 1996 11:34:53 -0500
To: "firewalls@GreatCircle.COM"
Subject: Get me off of this list!!!!!!!

I sent the message to majordomo and got verification that I was removed but I'm still receiving posts.
From firewalls-owner Fri Dec 6 10:02:50 1996
From: "Richard E. Obrecht"
Date: Fri, 6 Dec 1996 09:28:47 -0700
To: Firewalls@GreatCircle.COM, pollock@houston.omnes.net
Subject: Re: Why would someone want an NT firewall?

Don,

Hello again! How's southeast Asia? Warm? I'll bet your tan is getting better! 8^). I've not responded to you because I've been in Nashville (with no laptop). I'll send you a message this weekend, when I get home.

I'm with a guy named Tom Stewart, and he says your name is familiar. He asked if you ever worked at Manville. Did you? Lemme know.

See ya,
Rich

From firewalls-owner Fri Dec 6 10:05:17 1996
From: woods@ucar.edu (Greg Woods)
Date: Fri, 6 Dec 96 9:25:39 MST
To: ctighe@dat.tds.de (Christopher Tighe)
Cc: firewalls@GreatCircle.COM
Subject: Re: Tacacs+
In-Reply-To: <328A0ABB.59E2@dat.tds.de>; from "Christopher Tighe" at Nov 13, 96 6:51 pm

> Wed Nov 13 18:39:44 1996 [40201]: enable query for tty2 from
> xxx.xxx.xxx.xxx rejected.
>
> I think I need to define some special user in my tacacs passwd
> file, but I can't find any reference to that so how do I do
> it? Please help, I am getting desperate.....

I ended up having to look at the source code to determine this one; it is fairly obscure. The user is "$enab15$".

What I would like to know is whether there is a way to restrict which users can enable. enable is not a command in the usual sense; that is, something like

    cmd=enable { deny .* }

does not work. You can set the privilege level for a user, so that once they've enabled, they can't do any commands that actually require that privilege. But this seems kludgy; I wish there were a better way. I'd also like to be able to restrict commands based on which NAS as well as which user, which xtacacs seems to be able to do, but I have not found a way to do this in tacacs+ yet.
--Greg

From firewalls-owner Fri Dec 6 10:08:01 1996
From: Mark Krause
Organization: UUNET Technologies, Inc.
Date: Fri, 06 Dec 1996 11:16:27 -0500
To: Christopher Tighe
Cc: firewalls@greatcircle.com
Subject: Re: Tacacs+

Christopher Tighe wrote:
>
> how do you configure a tacacs server to provide authentication
> for a cisco router for enable (privileged) mode.
> for normal login it is okay and works fine, but in enable
> mode I receive the following error message:
>
> I think I need to define some special user in my tacacs passwd
> file, but I can't find any reference to that so how do I do
> it? Please help, I am getting desperate.....

Yes, you do need to define a special user. You need to create a user called "$enable$" for the default enable. For other privilege levels create users of the form "$enab<n>$" where <n> is the privilege level. For example

    user = $enable$ {
        login =
    }
    user = $enab9$ {
        login =
    }

--
Mark Krause                     UUNET Technologies, Inc.
Senior Security Engineer        http://www.uu.net/
mkrause@uu.net                  3060 Williams Drive
Tel: +1 703 208 5349            Fairfax, VA 22031-4648 USA
Fax: +1 703 206 5493
PGP Key fingerprint = CD CE 5F C2 DD 7A A6 A3 11 8C 9D 05 48 DA 4F 18

From firewalls-owner Fri Dec 6 10:10:22 1996
From: "Goodin, Bill"
Date: Fri, 6 Dec 1996 09:32:00 -0800
To: List-IEEE Cipher, List-Security firewalls, "'List-Computer security (RISKS)'"
Subject: UCLA Short Course on "Establishing an Internet/Intranet Presence"

On March 5-7, 1997, UCLA Extension will present the short course, "Establishing an Internet/Intranet Presence: Server, Content, and Connectivity", on the UCLA campus in Los Angeles.

The instructors are:
o Laurence I. Press, PhD, Professor and Chairman, Computer Information Systems Department, California State University, Dominguez Hills;
o Bruce Chapman, PhD, Member Technical Staff, Jet Propulsion Laboratory;
o Robert B. Denny, WebSite Developer;
o Victor B. Taylor, MSEE, Member Technical Staff, Jet Propulsion Laboratory.

Each participant receives a 60-day trial version of "WebSite" (O'Reilly and Associates); a discount on the purchase of the full version of "WebSite"; and extensive lecture notes.
The rapid growth of the Internet was fueled by invention of the World Wide Web (WWW) protocols. Universities, government agencies, small and large companies, and individuals quickly adapted it for a wide variety of services, including marketing. At the same time, corporations and other organizations realized that the open communication protocols developed for the Internet could be used for proprietary corporate intranets, which are now used for communication within organizations (distributing information and collaboration support), as well as with stakeholders (suppliers and customers).

This course describes how the Internet and/or an intranet can help you and your organization. It covers the hardware, software, and services needed to establish server, ISP, and connectivity options; server management and maintenance options; security issues; and application design and implementation from basic HTML to advanced applications that interact with databases and other programs running on your Web server. About half the course is spent on hands-on exercises in the lab: installing and configuring server software and building options.

The course should enable participants to:
o Become familiar with Internets/Intranets and their benefits;
o Learn the basics of HTML markup and scripting;
o Design and build a home page;
o Learn about advanced features including database access and Java;
o Install and configure a Web server;
o Evaluate connectivity choices and service providers;
o Understand the relative positions of Microsoft, Netscape, and other players;
o Glimpse the future of HTTP, HTML, VRML, and other protocols.

The course fee is $1295, which includes course materials. These materials are for participants only, and are not for sale.

For additional information and a complete course description, please contact Marcus Hennessy at:
(310) 825-1047
(310) 206-2815 fax
mhenness@unex.ucla.edu
http://www.unex.ucla.edu/shortcourses

This course may also be presented on-site at company locations.

From firewalls-owner Fri Dec 6 10:12:54 1996
From: Chris Michael
Date: Fri, 6 Dec 1996 11:07:02 -0600
To: "'firewall-list'"
Subject: Breakin through firewall.

I've never seen anything on the net about breakins through correctly configured firewalls. Is this because it doesn't happen or because people aren't talking?
Chris

From firewalls-owner Fri Dec 6 10:14:56 1996
From: Peter Yau
Date: Fri, 6 Dec 1996 12:20:36 -0500 (EST)
To: firewalls@GreatCircle.COM
Subject: ip forwarding?

I have a question here that I'd like clarification on. IP forwarding is off for firewalls that use proxy and socks, else it will be left on. Correct me if I am wrong.

I have a situation whereby from within the internal network, I am able to ping both the internal and the external adapter of the fw-1. Is that because ip forwarding is left on?
From firewalls-owner Fri Dec 6 10:17:04 1996
From: riordan@math.umn.edu
Reply-to: riordan@math.umn.edu
Date: Fri, 6 Dec 1996 10:58:47 -0600 (CST)
To: firewalls@greatcircle.com
CC: Russ.Cooper@RC.on.ca
Subject: RE: Firewalls over NT vs. UNIX

On Wed, 4 Dec 1996, Russ, making several good points, wrote:

> If you are going to use NT as a Firewall platform, there should be only
> one reason you would do that. You want to integrate your Firewall into
> your existing NT environment (for any of a number of reasons).

I would generally think of that as an argument against an NT firewall: You have two doors each of which a bad guy must pass through to get to your goods. Do you really want to use the same key for both doors?

Naturally, there are maintenance related security issues but I think that, in today's market, good Unix based firewalls do not require that one be a Unix guru in order to manage them (several will not even permit access on that level).

--
james riordan@math.umn.edu / http://www.math.umn.edu/~riordan

From firewalls-owner Fri Dec 6 10:25:22 1996
From: wyer@TeleCheck.com
Date: Fri, 06 Dec 96 08:25:30 -0600
To: firewalls@greatcircle.com
Subject: Oracle SQL/Net

Hello,

We've recently acquired a company which is accessing an Oracle database on a remote network via TCP/IP. Due to addressing conflicts, we have installed back-to-back PIX boxes to do two-way address translation between both networks. Unfortunately, we've discovered that Oracle's SQL/Net product passes IP addresses back and forth during the handshaking phase of their ODBC drivers. This makes it impossible to successfully do address translation, since the addresses which are being passed are the native addresses, rather than the translated addresses.

I spoke to Oracle about this to try to find out if it were possible to convince SQL/Net to pass hostnames rather than IP addresses and got some bonehead that said that SQL/Net has nothing to do with the data in the packet... TCP/IP is putting strings like "HOST=123.111.232.12" into the packet. Yeah, right.

In any case, is there some sort of proxy agent which will handle Oracle's SQL/Net / ODBC stuff in a graceful fashion between two conflicting IP networks somewhat like the Web proxy agent?
Brett Wyer
+----------------------------------------------------------------------------+
| Brett Wyer                      | The difference between the men and the   |
| Manager, Systems Support        | boys...                                  |
| TeleCheck International, Inc.   | '89 Corvette - Black/Grey Leather        |
| (713) 439-6474                  | '95 CBR600F3 - Black/Purple/Yellow       |
| e-mail: wyer@telecheck.com      | "I was going _how_ fast, Officer?!?"     |
+---------------------------------+------------------------------------------+
| Opinions are my own and don't reflect the opinion of TeleCheck.            |
+----------------------------------------------------------------------------+

From firewalls-owner Fri Dec 6 10:27:43 1996
From: "Oswaldo Gomes"
Date: Fri, 6 Dec 1996 15:36:47 -0300
To: , "Bill Stout"
Subject: Re: NT firewalls / Eagle

That's not true.. A Proxy is a method of Firewall... MS Proxy Server is a Proxy... So...??? Concepts are much more open... and the concept of "Firewall" brings not only the fact that the firewall is built or added to the system, but all the security policies of your network... You can even say that MS Proxy Server isn't a perfect firewall, but it IS a firewall...

Oswaldo Gomes

----------
> From: Bill Stout
> To: Firewalls@GreatCircle.COM
> Subject: Re: NT firewalls / Eagle
> Date: Wednesday, December 04, 1996 2:58 PM
>
> At 11:47 AM 12/4/96 -0300, you wrote:
> >Yes... Microsoft Proxy Server, for example.. ;-)
>
> >> are there any firewall systems for Windows NT (commercial or not) besides
> >> the Eagle system?
>
> That's not a firewall. That's a proxy that needs IIS and NT 4.0
> to run.
>
> Early marketing efforts by MS tried to give the impression that
> Catapult was a firewall.
>
> Firewalls are built, not added to a computer.
>
> Next we'll have to deal with 'Steel Head', where MS tries to make
> NT PCs into Cisco-level Routers (12/2 Computer World) by adding
> software over existing exposed and secret security holes.
>
> Bill Stout
>

From firewalls-owner Fri Dec 6 10:42:31 1996
From: "Hicks, Rick"
Date: Fri, 6 Dec 1996 10:51:00 -0600
To: "'Firewalls List'"
Subject: RE: Why would someone want an NT firewall

>1) We only have 3 Unix computers on our campus. I manage one of them,
>and after two years still know very little about it.
Yes, if I spent >"enough time" on it I would probably be a Unix expert by now, but I don't >want to spend that much time, nor do I have the option of spending that >much time on it. Wow, how did you become an NT expert so fast? Two years with UNIX and nothing; but suddenly you're an NT expert? >2) We don't want to hire a rocket scientist to manage our firewall. Sure, but you don't want an uneducated person doing it either. Ease of use should not top the list when you're shopping for a firewall, security should. What good is it to allow others to change things on the firewall easily if they do not know the implications of what their doing? BTW, UNIX firewalls are just as easy to administer as any NT firewall, so this whole issue may be moot. How come you're boss and staff can use an NT admin tool and not an X admin tool? The applications are exactly the same, they just use a different window manager. >Because our firewall is on an NT platform and has a good GUI, I can be >gone for a couple of weeks and even my boss, a manager, can sit down and >make changes to the firewall comfortably. Several other people in the >computing department with the password could do the same if they had to. >After two years, nobody else could sit down to my Solaris box and do >anything except manage to shut things down. First, I think you're confusing the term 'good GUI' with 'familiar GUI'. NTs GUI is no better than X, in fact until NT 4.0 it wasn't even close; X was and still is, in my opinion, a better GUI. I am already on my soapbox, but allow me to stand a little taller for a moment. ;-) NT is not easier than Unix to learn or administer. People see the 'familiar' interface and feel secure, but how much do they really know about NT? Do they know all the intricacies of the registry and the ini files? Do they understand the filesystem security (if using NTFS) and the shortcomings of it? What about DLL management? 
I have taught people how to use Unix in the same amount of time it took to show them NT. Don't let the interface fool you into thinking that you know the system, it's much more complicated than that.

>3) At the time of my research a year ago, most mainstream firewalls ran
>on minicomputer-class machines like Sun Sparc, HPUX, AIX. For an
>educational site with good discounts, a platform like that ran around
>$15,000. We put our firewall on a well-endowed NT PC for $5,000.
>Hardware and software maintenance is also much cheaper

A valid point, cost is always an issue. But, look at it this way: What is the cost of a security breach? If our systems are down most of our business comes to a halt, and I think this applies to all of us. When our workers cannot work and orders can't be entered or shipped that costs us hundreds of thousands of dollars every hour they are standing around. Wow, doesn't that $15,000 seem cheap now!

I'm not trying to say that your firewall is inherently insecure, but from what you have disclosed on this list it isn't what I consider a secure environment. You seem to have placed price and ease of use above security concerns, and that should not happen. If you truly know NT security better than Unix then I guess you made a valid decision, but too many people think they know NT when all they really know is that 'familiar' interface. It takes just as much time and effort to know NT security as it does Unix. I really wish more people could see this fact, but perception is reality I guess, and Microsoft has control over our perceptions.
Rick
________________________________________________
Rick Hicks
Systems Specialist
Hussmann Corporation
rhicks@hussmann.com
http://www.hussmann.com

From firewalls-owner Fri Dec 6 10:51:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA01641 for firewalls-outgoing; Fri, 6 Dec 1996 01:00:55 -0800 (PST)
Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.32.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id BAA01629; Fri, 6 Dec 1996 01:00:43 -0800 (PST)
Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id AAA01382; Fri, 6 Dec 1996 00:59:46 -0800 (PST)
Date: Fri, 6 Dec 1996 00:59:46 -0800 (PST)
From: Sameer R Manek
To: gary flynn
cc: firewalls-owner@GreatCircle.COM, paonia@exon.massart.mass.edu, firewalls@GreatCircle.COM
Subject: Re: .edu w/ firewalls
In-Reply-To: <199612051751.JAA11771@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 5 Dec 1996, gary flynn wrote:
> > From: Sameer R Manek
> > A firewall on campus would do almost no good as
> > the biggest threat to the network are already in campus.
>
> There are also threats offcampus. Oncampus ones *may* be
> easier to identify and track.

Oh, I don't doubt for a minute that there are folks off campus who have/will attempt to crack us. However since firewalls are all about risk management (how much we let through vs stop) I'm making the assertion that the biggest threat is inside.

> > Using our school as an example we have 3 networks
> > here, administrative, instructional and student. Admin
> > net is the actual machines that run admin, plus the machines
> > in the admin building, and the machines of all the deans.
>
> Are you saying you have a firewall between the various networks?
> How are they three separate networks?
> I'd be interested in discussing
> the policies you used to set these up. We're wrestling with that
> right now. Frankly, I worry more about the risk of denial of service
> attacks than I do anything else. The auditors and systems administrators
> worry about the data confidentiality and integrity more. I help them
> along when I can with encryption, firewalls, etc.

Being a student employee I'm told very little of the admin network, part of that good old security through obscurity. It's all on a need-to-know basis. But as far as I can tell only packet filtering routers exist for the administrative networks. Though I've heard rumors of a software firewall package being installed.

One feature as a student I really love about our setup is that the powers-that-be above me allow you to attempt to probe for system insecurities, provided you get permission beforehand. Their only stipulation is that we tell them what we found/didn't find. Quite possibly that is the greatest asset that the admins here have, anyone who wants to try their luck is welcome to. This way the 'hackers' get to learn and in return the school gets network security checks for free.
From firewalls-owner Fri Dec 6 11:15:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA20114 for firewalls-outgoing; Fri, 6 Dec 1996 10:53:18 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA20098 for ; Fri, 6 Dec 1996 10:53:05 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id MAA05178; Fri, 6 Dec 1996 12:42:21 -0500
Date: Fri, 6 Dec 1996 12:42:17 -0500 (EST)
From: Rabid Wombat
To: toon@cem-bb.e-mail.com
cc: firewalls@GreatCircle.COM
Subject: Re: None
In-Reply-To: <-1949171712.ensmtp@scet.org.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 6 Dec 1996 toon@cem-bb.e-mail.com wrote:
> Next topic:
>
> Some1 told me that 'I have to filter out VERIFY and EXPAND when letting
> mail through my firewall'. Can some1 explain to me what this means?
>

VERIFY and EXPAND are commands that can be issued to SENDMAIL. Their legitimate uses are:

Verify: determines if the username you've specified exists
Expand: determines which usernames will receive the mail sent to the address specified - for example, the account "root" might expand to usernames "bob" and "alice" if they are the sysadmins, and don't want to log in as "root" to check for root mail.

An intruder can telnet to port 25 and run these commands to gather information. You shouldn't allow access to port 25 on systems that AREN'T supposed to be receiving mail, anyway. You may want to block EXPAND, possibly verify as well, on the others.

-r.w.
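The VRFY/EXPN behaviour described above, and the `novrfy`, `noexpn` and `needvrfyhelo` privacy options that come up later in this thread, modelled as an added example. This is not code from sendmail or from any poster on the list: the user list and alias table are constructed sample data standing in for /etc/passwd and /etc/aliases, and the reply texts are patterned after the wording sendmail uses for these cases but are typed in here rather than taken from the program. The point it makes is the one Dan Simoes raises below: with the default policy, one EXPN of "root" or of a "private" list hands out the real mailboxes, while the hardened policy answers every probe with a non-250 reply that discloses nothing.

```python
"""Model of sendmail-style VRFY/EXPN handling under different PrivacyOptions.

Added example, not sendmail code. USERS and ALIASES are constructed sample data.
"""

# Constructed stand-ins for /etc/passwd users and /etc/aliases entries.
USERS = {"bob", "alice", "carol"}
ALIASES = {
    "root": ["bob", "alice"],          # sysadmins who read root's mail
    "postmaster": ["root"],            # chained alias
    "staff-list": ["alice", "carol"],  # a "private" list that EXPN would still reveal
}


class PrivacyOptions:
    """The subset of sendmail's PrivacyOptions that governs VRFY and EXPN."""

    def __init__(self, novrfy=False, noexpn=False,
                 needvrfyhelo=False, needexpnhelo=False):
        self.novrfy = novrfy
        self.noexpn = noexpn
        self.needvrfyhelo = needvrfyhelo
        self.needexpnhelo = needexpnhelo


def expand_alias(name, seen=None):
    """Recursively expand an alias to final mailboxes; 'seen' stops loops and duplicates."""
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    if name in ALIASES:
        out = []
        for member in ALIASES[name]:
            out.extend(expand_alias(member, seen))
        return out
    return [name] if name in USERS else []


class SmtpSession:
    """One client session: remembers whether HELO was given and answers VRFY/EXPN."""

    def __init__(self, options):
        self.options = options
        self.helo_name = None

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo_name = arg
            return "250 mail.example.test Hello %s, pleased to meet you" % arg
        if verb == "VRFY":
            return self._vrfy(arg)
        if verb == "EXPN":
            return self._expn(arg)
        return '500 5.5.1 Command unrecognized: "%s"' % verb

    def _vrfy(self, arg):
        if self.options.novrfy:
            return "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
        if self.options.needvrfyhelo and self.helo_name is None:
            return "503 5.0.0 I demand that you introduce yourself first"
        if arg in USERS or arg in ALIASES:
            return "250 2.1.5 <%s@example.test>" % arg
        return "550 5.1.1 %s... User unknown" % arg

    def _expn(self, arg):
        if self.options.noexpn:
            return "502 5.7.0 Sorry, we do not allow this operation"
        if self.options.needexpnhelo and self.helo_name is None:
            return "503 5.0.0 I demand that you introduce yourself first"
        members = expand_alias(arg)
        if not members:
            return "550 5.1.1 %s... User unknown" % arg
        # Multi-line SMTP reply: "250-" on every line but the last.
        lines = ["250-<%s@example.test>" % m for m in members[:-1]]
        lines.append("250 2.1.5 <%s@example.test>" % members[-1])
        return "\r\n".join(lines)


def disclosed_mailboxes(reply):
    """Audit helper: the mailboxes a reply reveals (empty for 252/502/503/550)."""
    if not reply.startswith("250"):
        return []
    return [l.split("<", 1)[1].rstrip(">") for l in reply.split("\r\n") if "<" in l]


if __name__ == "__main__":
    policies = [("default", PrivacyOptions()),
                ("hardened", PrivacyOptions(novrfy=True, noexpn=True))]
    for label, opts in policies:
        session = SmtpSession(opts)
        for cmd in ("VRFY bob", "EXPN root", "EXPN staff-list"):
            print(label, cmd, "->", session.handle(cmd).replace("\r\n", " | "))
```

`disclosed_mailboxes` is the check to run against a server's actual replies when auditing your own mail hosts: anything in the 250 range to a VRFY or EXPN is disclosure, everything else is the policy working. Note that with `novrfy` set the reply is a 252, which still lets legitimate clients fall back to RCPT; only EXPN is refused outright.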
From firewalls-owner Fri Dec 6 11:52:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA23194 for firewalls-outgoing; Fri, 6 Dec 1996 11:49:26 -0800 (PST)
From: firewalls-owner
Received: from mobile.bam.com (mobile.banm.com [199.74.157.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA23169 for ; Fri, 6 Dec 1996 11:49:18 -0800 (PST)
Received: FROM BAMX400.mobile.bam.com BY mobile.bam.com ; 6 DEC 96 14:49:18 EST
Date: 6 DEC 96 14:48:01 EST
Subject: Undeliverable Message
To: Firewalls@GreatCircle.COM
MIME-Version: 1.0
Message-ID: <0005bdxnzhpx.0005amuoqkog@mobile.bam.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To: Dean E Vaccher@IS_WBRHQ@BAMSWB
BAMX400@MGate@BAM [C=US/A=INTERNET/DDA=ID/firewalls-digest(a)GreatCircle.COM]
Cc:
Subject: Firewalls-Digest V5 #652

Message not delivered to recipients below.

VNM3043: Dean E Vaccher@IS_WBRHQ@BAMSWB

**** Attachment message(s) will follow in 1 separate transmissions.

From firewalls-owner Fri Dec 6 12:07:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA24268 for firewalls-outgoing; Fri, 6 Dec 1996 12:05:06 -0800 (PST)
Received: from trumpet.aix.calpoly.edu (trumpet.aix.calpoly.edu [129.65.65.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA24261 for ; Fri, 6 Dec 1996 12:04:57 -0800 (PST)
Received: by trumpet.aix.calpoly.edu (AIX 3.2/UCB 5.64/4.03) id AA25499; Fri, 6 Dec 1996 12:04:13 -0800
Date: Fri, 6 Dec 1996 12:04:10 -0800 (PST)
From: "R. E. Paret"
To: toon@cem-bb.e-mail.com
Cc: firewalls@GreatCircle.COM
Subject: Re: your mail
In-Reply-To: <199612061113.DAA14894@miles.greatcircle.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can't help you with the FW-1 digest, sorry.
But in regards to your sendmail question: It is a good idea(tm) to turn off the sendmail commands EXPN and VRFY because they can be used by potential intruders to either gain access to your system or gain more targets for a possible attack.

To turn these off you need to edit your /etc/sendmail.cf file. Add this line (sendmail 8.7 takes these flags as values of the PrivacyOptions option):

O PrivacyOptions=novrfy,noexpn

That will turn off VRFY and EXPN on sendmail 8.7.x. You might also want to add the need/helo commands (ie needmailhelo, needvrfyhelo, needexpnhelo) so that the requester will at least have to identify himself (or his proxy) before attempting to access your mail daemon.

Rich

On Fri, 6 Dec 1996 toon@cem-bb.e-mail.com wrote:
>
> Hi firewall-people,
>
> Some time ago I read in this list about the firewall-1 mailing list
> at applicom.co.il. I subscribed to the digest version. This was
> confirmed but I do not get any messages.
> At the Checkpoint site, a nice webpage tells me to try again later
> when I try to look at some maillist info.
> My question: Is there a firewall-1 mailing list at all, or not?
>
> Next topic:
>
> Some1 told me that 'I have to filter out VERIFY and EXPAND when letting
> mail through my firewall'. Can some1 explain to me what this means?
>
> Hear from you in the next digest,
> Toon
>
> N.B.
> If I read any more messages in this list about IRINIA or some
> other GOOD TIMES I will punish you all by trying to unsubscribe from
> this list and sending messages that I can not get off the list (-:
>

From firewalls-owner Fri Dec 6 12:09:12 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA05446 for firewalls-outgoing; Fri, 6 Dec 1996 01:23:34 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA04038 for ; Fri, 6 Dec 1996 01:18:59 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id WAA04523; Thu, 5 Dec 1996 22:24:56 -0800
Received: from mail.surf-line.or.jp(202.231.74.34) by mycroft via smap (V1.3mjr) id sma004511; Thu Dec 5 22:24:04 1996
Received: from geneh (mx123.surf-line.or.jp [202.231.74.123]) by mail.surf-line.or.jp (8.6.12+2.5Wb7/3.4W21) with SMTP id PAA13823; Fri, 6 Dec 1996 15:23:34 +0900
Message-ID: <32A68B35.34FC@surf-line.or.jp>
Date: Thu, 05 Dec 1996 17:43:33 +0900
From: Gene Hardesty
Reply-To: geneh@surf-line.or.jp
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: lsmith@jrctc.com
CC: firewalls@GreatCircle.COM, www-security@ns2.rutgers.edu
Subject: Re: FW: virus on the internet
References: <199612031959.LAA00596@ctcaps1.jrctc.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yeah, I'm familiar with it. It's a hoax. Since when did the Federal Communication Commission take on the role of virus-hunting!?!? Here, I'll also send you a copy of the proof I have.

lsmith@jrctc.com wrote:
>
> Is anyone familiar with this WARNING???
>
> Is it authentic?
>
> What are the remedies?
>
> ----------
> Forwarded Message:
>
> Date: Tuesday, December 03, 1996 11:08AM
>
> Just got this off the internet.
> If you "surf the net", you might be
> interested:
>
> > **********VIRUS ALERT**********
> >
> >VERY IMPORTANT INFORMATION, PLEASE READ!
> >
> >There is a computer virus that is being sent across the Internet. If
> >you receive an email message with the subject line "Deeyenda", DO NOT
> >read the message, DELETE it immediately!
> >
> >Some miscreant is sending email under the title "Deeyenda" nationwide,
> >if you get anything like this DON'T DOWNLOAD THE FILE! It has a
> >virus
> >that rewrites your hard drive, obliterates anything on it. Please be
> >careful and forward this e-mail to anyone you care about.
> >
> >Please read the message below.
> >
> >Alex
> >
> >-----------
> >
> > FCC WARNING!!!!! -----DEEYENDA PLAGUES INTERNET
> >
> >The Internet community has again been plagued by another computer
> >virus. This message is being spread throughout the Internet,
> >including
> >USENET posting, EMAIL, and other Internet activities. The reason for
> >all the attention is because of the nature of this virus and the
> >potential security risk it makes. Instead of a destructive Trojan
> >virus (like most viruses!), this virus referred to as Deeyenda
> >Maddick,
> >performs a comprehensive search on your computer, looking for valuable
> >information, such as email and login passwords, credit cards, personal
> >inf., etc.
> >
> >The Deeyenda virus also has the capability to stay memory resident
> >while running a host of applications and operation systems, such as
> >Windows 3.11 and Windows 95. What this means to Internet users is
> >that
> >when a login and password are sent to the server, this virus can copy
> >this information and SEND IT OUT TO AN UNKNOWN ADDRESS (varies).
> >
> >The reason for this warning is because the Deeyenda virus is virtually
> >undetectable. Once attacked your computer will be insecure.
> >Although
> >it can attack any O/S this virus is most likely to attack those users
> >viewing Java enhanced Web Pages (Netscape 2.0+ and Microsoft Internet
> >Explorer 3.0+ which are running under Windows 95). Researchers at
> >Princeton University have found this virus on a number of World Wide
> >Web pages and fear its spread.
> >
> >Please pass this on, for we must alert the general public to the
> >security risks.
> >
> >
> >
> > ----- End Included Message -----

From firewalls-owner Fri Dec 6 12:40:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA05077 for firewalls-outgoing; Fri, 6 Dec 1996 01:22:07 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA04103 for ; Fri, 6 Dec 1996 01:19:19 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id WAA04569; Thu, 5 Dec 1996 22:29:58 -0800
Received: from po-external.fcnbd.com(147.113.146.4) by mycroft via smap (V1.3mjr) id sma004565; Thu Dec 5 22:29:24 1996
Received: from po-internal.FCNBD.COM (internalhost.FCNBD.COM [147.113.104.10]) by po-external.FCNBD.COM (8.7.5/fcnbd/domain/1.5.1) with ESMTP id AAA27162; Fri, 6 Dec 1996 00:29:48 -0600 (CST)
Received: from abacab.cmg.FCNBD.COM (abacab.cmg.FCNBD.COM [147.113.160.227]) by po-internal.FCNBD.COM (8.7.5/fcnbd/internal-domain/1.4.1) with ESMTP id AAA10766; Fri, 6 Dec 1996 00:27:06 -0600 (CST)
Received: from abernathy.cmg.fcnbd.com (root@abernathy.cmg.FCNBD.COM [147.113.118.125]) by abacab.cmg.FCNBD.COM (8.7.5/fcnbd/server-subdomain/2.3) with ESMTP id AAA04792; Fri, 6 Dec 1996 00:25:51 -0600 (CST)
Received: (from pmarc@localhost) by abernathy (8.7.5/8.7.5) id SAA00269; Thu, 5 Dec 1996 18:37:58 -0600 (CST)
Message-Id: <199612060037.SAA00269@abernathy>
Content-Type: text/plain
MIME-Version: 1.0 (NeXT Mail 4.1mach v148)
In-Reply-To:
X-Nextstep-Mailer: Mail 4.1mach (Enhance 2.0b5)
Received: by
NeXT.Mailer (1.148)
From: "Paul M. Cardon"
Date: Thu, 5 Dec 96 18:37:57 -0600
To: Adrian Knight
Subject: Re: Why would someone want an NT firewall?
cc: Firewalls@GreatCircle.COM
Reply-To: pmarc@cmg.fcnbd.com
References:
X-Warners: Yakko, Wakko & Dot
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

A little green man told me Adrian Knight said:
> 2) We don't want to hire a rocket scientist to manage our firewall. A
> message earlier referred to firewalls being "necessarily technical."
> That's bogus. I think it's possible that a lot of people making money off
> of firewalls might want to keep them that way, but there are a lot of
> average people out there who want to AND CAN handle managing a firewall
> right along with the MANY other types of systems that are also included in
> our job responsibilities. In this age of computers, it is no longer valid
> to try to convince people that computers are just too complicated for the
> average person.
>
> Because our firewall is on an NT platform and has a good GUI, I can be
> gone for a couple of weeks and even my boss, a manager, can sit down and
> make changes to the firewall comfortably. Several other people in the
> computing department with the password could do the same if they had to.
> After two years, nobody else could sit down to my Solaris box and do
> anything except manage to shut things down.

Oh boy, where's my soapbox. Grrr...

I'll give you #1 and #3. The fact that your expertise is with Windows NT rather than Unix and the price comparison of the system hardware and software were both valid factors to be considered in your decision.

This shows a very naive view of security. Your argument about vendors realizing that computers and software are too complicated may be valid for the end-user, but important systems such as security systems are much different. They are necessarily technical because they are only tools.
Improved user interfaces or programming logic are a long way from being able to completely replace a skilled individual making decisions on technical issues. Personally, I doubt they ever will. Computers can decrease the amount of time it takes to perform a task or reduce the complexity of managing a task but will never eliminate the need for expertise in a particular field. It is quite possible to comfortably make changes to a firewall and end up with an insecure configuration and be none the wiser. The same holds for trading systems, medical systems, etc. They essentially magnify the skill of the person using them. If the operator is clueless, the system will often be perfectly willing to let them do foolish things. I know of no commercial firewall on any platform that will totally prevent an administrator from setting up an insecure configuration. If anybody who is permitted to make changes to a firewall does not have a thorough understanding of "technical" security issues then their problems will not be solved by ANY product. Even a fool can be sincere in their intentions.

Claiming that managing a firewall shouldn't require significant expertise contradicts your first reason for choosing NT. It is no more or less difficult in general to properly administer a Windows NT environment than a Solaris environment. Windows NT does not even come close to the goal of being easily managed compared to any other major OS. Look at the level of in-depth knowledge that Russ displays about NT security. Particular tasks are easier in one or the other environment but I would want equally skilled administrators in either environment (I am part of a team that manages a large mixed NT and Solaris environment with a significant investment in both operating systems. I am the principal member of the team who works heavily with both. This provides its own unique challenges. See my .sig ;-) The OS issue is much less important than a thorough understanding of security implications.
Unfortunately, a lot of people are spending far too much time debating the platform when it doesn't really matter as long as it can cover security requirements to some verifiable extent that satisfies an organization's risk management objectives.

I was much more verbose than I intended to be, but that's what happens when somebody pushes my vent button. It's really sad to think that I'm probably not biting on a troll either.

---
Paul M. Cardon - System Officer
Capital Markets Systems - First Chicago NBD Corporation
pmarc@cmg.fcnbd.com - (312) 732-7392
Sisyphus and loving it.
I never give them hell. I just tell the truth and they think it's hell. - H. Truman
MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e

From firewalls-owner Fri Dec 6 13:09:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA24446 for firewalls-outgoing; Fri, 6 Dec 1996 12:07:30 -0800 (PST)
Received: from interlock.ans.net (interlock.ans.net [147.225.5.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA24411 for ; Fri, 6 Dec 1996 12:07:18 -0800 (PST)
Received: by interlock.ans.net id AA08614 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.COM); Fri, 6 Dec 1996 15:06:24 -0500
Message-Id: <199612062006.AA08614@interlock.ans.net>
Received: by interlock.ans.net (Internal Mail Agent-2); Fri, 6 Dec 1996 15:06:24 -0500
Received: by interlock.ans.net (Internal Mail Agent-1); Fri, 6 Dec 1996 15:06:24 -0500
From: Dan Simoes
Subject: Re: None
To: wombat@mcfeely.bsfs.org (Rabid Wombat)
Date: Fri, 6 Dec 1996 15:06:22 -0500 (EST)
Cc: toon@cem-bb.e-mail.com, firewalls@GreatCircle.COM
In-Reply-To: from "Rabid Wombat" at Dec 6, 96 12:42:17 pm
X-Mailer: ELM [version 2.4 PL25 PGP6]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Verify: determines if the username you've specified exists
> Expand: determines which usernames will receive the mail
> sent to the
> address specified - for example, the account "root" might expand to
> usernames "bob" and "alice" if they are the sysadmins, and don't want to
> log in as "root" to check for root mail.

Also, the expn command can be used to expand the addresses contained in a mailing list, including a majordomo list if you know how those are typically set up, even if you have defined the list as a "private" list (meaning only list members get to see who else is on the list). EXPN also will show you where mail filters and forwarders are in place, exposing possible holes.

Leaving VRFY on allows legitimate users to verify that an address is a valid one, but EXPN gives you much, much more information. I generally turn off EXPN on all machines and leave VRFY on.

| Dan |
--
Dan Simoes dans@ans.net
ANS http://coimbra.ans.net/dans.html
100 Clearbrook Road (914) 789-5378 (voice)
Elmsford, NY 10523 (914) 789-5310 (fax)

From firewalls-owner Fri Dec 6 13:14:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA26183 for firewalls-outgoing; Fri, 6 Dec 1996 12:26:09 -0800 (PST)
Received: from gryzmak.lodz.pdi.net (gryzmak.lodz.pdi.net [194.92.208.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA26175 for ; Fri, 6 Dec 1996 12:25:57 -0800 (PST)
Received: from localhost (pisarski@localhost) by gryzmak.lodz.pdi.net (8.8.4/1.6/L) with SMTP id VAA31426 for ; Fri, 6 Dec 1996 21:25:16 +0100
Date: Fri, 6 Dec 1996 21:24:55 +0100 (MET)
From: Emes
To: firewalls@greatcircle.com
Subject: take off me from the list
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

take off me from the list

From firewalls-owner Fri Dec 6 13:34:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA05184 for firewalls-outgoing; Fri, 6 Dec 1996 01:22:26 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com
[198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA04111 for ; Fri, 6 Dec 1996 01:19:20 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id WAA04648; Thu, 5 Dec 1996 22:40:59 -0800
Received: from gw.research.megasoft.com(206.230.35.93) by mycroft via smap (V1.3mjr) id sma004644; Thu Dec 5 22:40:37 1996
Received: (from uucp@localhost) by gw.research.megasoft.com (8.7.5/8.7.3-cmcurtin) id BAA13943; Fri, 6 Dec 1996 01:39:50 -0500 (EST)
Received: from goffette.research.megasoft.com(192.168.1.2) by gw.research.megasoft.com via smap (V1.3) id sma013941; Fri Dec 6 01:39:31 1996
Received: by goffette.research.megasoft.com (940816.SGI.8.6.9/940406.SGI) id BAA06238; Fri, 6 Dec 1996 01:32:22 -0500
Date: Fri, 6 Dec 1996 01:32:22 -0500
Message-Id: <199612060632.BAA06238@goffette.research.megasoft.com>
From: C Matthew Curtin
To: Adrian Knight
Cc: Firewalls@GreatCircle.COM
Subject: Re: Why would someone want an NT firewall?
In-Reply-To:
References:
X-Face: "&>g(&eGr?u^F:nFihL%BsyS1[tCqG7}I2rGk4{aKJ5I_5A\*6RYn4"N.`1pPF9LO!Fa<(gj:12)?=uP2l01e10Gij"7j&-)torL^iBrNf\s7PDLm=rf[PjxtSbZ{J(@@j"q2/iV9^Mx

>>>> "Adrian" == Adrian Knight writes:

Adrian> 2) We don't want to hire a rocket scientist to manage our
Adrian> firewall. A message earlier referred to firewalls being
Adrian> "necessarily technical." That's bogus. I think it's
Adrian> possible that a lot of people making money off of firewalls
Adrian> might want to keep them that way, but there are a lot of
Adrian> average people out there who want to AND CAN handle managing a
Adrian> firewall right along with the MANY other types of systems that
Adrian> are also included in our job responsibilities.

Firewalls *are* necessarily technical. Security -- computer or otherwise -- is difficult business.
The white hats need to attempt to imagine every single possible avenue of attack that a black hat might use against him, and build a security system that will protect his organization against all of those attacks. A black hat only needs to find one vulnerability to be able to completely put to shame all of the hard work of the white hats.

Bruce Schneier tells the following in http://www.counterpane.com/whycrypto.html

  Attackers don't follow rules; they cheat. They can attack a system using techniques the designers never thought of. Art thieves have burgled homes by cutting through the walls with a chain saw. Home security systems, no matter how expensive and sophisticated, won't stand a chance against this attack. Computer thieves come through the walls too. They steal technical data, bribe insiders, modify software, and collude. They take advantage of technologies newer than the system, and even invent new mathematics to attack the system with.

Although he's talking about cryptography, many of the problems that cryptography addresses are the same as what we address in building any security systems, including firewalls.

Keeping a system up and running to support organizational business requirements is a completely different game from keeping a system up and running against the constant threat of attack. It requires a completely different mindset, because the rules of the game are completely different.

[I'm going to be talking to "you" as an example, but I'm not putting you, Adrian, on the spot here. I mean this generally.]

In your environment, what exactly *is* your firewall? Is it the single NT machine that says "firewall" on the side? Are there other components involved here? How do your routers work to help protect your bastion host? Very often, the answers to these questions show that there is a fundamental misunderstanding about what exactly a firewall is in the industry.
Even the very basic security principle of avoiding building systems with a single point of failure (i.e., the bastion host being the only lock) is commonly overlooked, or simply not followed.

Now, I don't mean to confuse issues of firewall design with day-to-day firewall management, but I'm making a point: seemingly small technicalities can be big deals. (For example, what exactly does it mean when you get a bunch of ICMP redirect messages hitting your bastion host? What do you do about it? How is your system configured to prevent someone from messing things up for you this way?)

Firewalls are necessarily technical, and those who are running them must have sufficient grasp of the technology with which they're dealing in order to be successful. This is a different level of understanding than designing firewalls, for example. But in any case, the firewall can't be some black box that someone plugs into the wall and all of a sudden everyone can have a warm fuzzy because now they're "secure."

Adrian> Because our firewall is on an NT platform and has a good GUI,

The operating system that the firewall is running on top of is irrelevant in this case. It isn't NT that you're going for, it's the Interface. As I mentioned earlier, a Unixless company of ~250 with one administrator for essentially all PCs, Macs, and Netware servers was able to configure the BSDI Unix version of Gauntlet without problems.

Adrian> I can be gone for a couple of weeks and even my boss, a
Adrian> manager, can sit down and make changes to the firewall
Adrian> comfortably.

Allowing perhaps inbound [insert favorite service here] connections in the process? Again, this isn't a simple matter of things just being broken, a screwup here likely won't cause you to notice any changes in functionality: it's much more likely that the level of security you have is simply dropped. And if you're gone for several weeks, how long will your front door be wide open for attack before someone notices it and fixes it?
(How long will it be open if someone makes a change when you're around?)

Adrian> 3) At the time of my research a year ago, most mainstream
Adrian> firewalls ran on minicomputer-class machines like Sun Sparc,
Adrian> HPUX, AIX. For an educational site with good discounts, a
Adrian> platform like that ran around $15,000. We put our firewall on
Adrian> a well-endowed NT PC for $5,000. Hardware and software
Adrian> maintenance is also much cheaper

And I can build a FreeBSD-based firewall for $2000 that will (1) be made of much-studied, mature components, and (2) kick the snot out of NT for performance. (And I don't have to pay $1000 for an operating system that comes with a license that allows me to use more than 10 simultaneous IP connections.)

--
Matt Curtin cmcurtin@research.megasoft.com Megasoft, Inc Chief Scientist
http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet

From firewalls-owner Fri Dec 6 14:08:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA05044 for firewalls-outgoing; Fri, 6 Dec 1996 01:22:01 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA04118 for ; Fri, 6 Dec 1996 01:19:21 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id WAA04668; Thu, 5 Dec 1996 22:46:58 -0800
Received: from sprite.acsacs.com(206.16.240.1) by mycroft via smap (V1.3mjr) id sma004662; Thu Dec 5 22:45:53 1996
Date: Thu, 5 Dec 1996 22:43:04 -0800
From: "Daniel J Blander - Sr. Systems Engineer for ACS"
X-Sender: phaedrus@ferrari
To: Adrian Knight
cc: firewalls@GreatCircle.COM
Subject: Re: Why would someone want an NT firewall?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a few disagreements here - perhaps they should be termed clarifications and I hope both parties in this debate benefit here....

I want to point out that each platform has some strengths - and the arguments can be balanced, but I find that the arguments placed on this list often tend to be tainted by a bias one way or the other, despite "humbled opinions".

Knowledge is the most important tool. Any administrator who believes they can just plug in a firewall and not know anything about TCP/IP or protocols and services is taking a big risk in thinking they are secure. As many have said - naivety is your own worst enemy.

On Thu, 5 Dec 1996, Adrian Knight wrote:
> 2) We don't want to hire a rocket scientist to manage our firewall. A
> message earlier referred to firewalls being "necessarily technical."
> That's bogus.

A good point here is that you should not have to be necessarily technical to build a firewall, but you need to be necessarily technical to configure it in a manner that is as secure as possible. That means knowing things like why you don't want to allow access to X-windows, or r* services (rlogin), or why udp has a high probability of being insecure. Or most notably why random modems with auto-answer turned on are necessarily bad things... These are not simple issues and the reasons are not simple (although breaking in via these services usually is). The technical issue is not necessarily on building it - it's on knowing why you are building it - what you are trying to protect yourself from.

> I think it's possible that a lot of people making money off
> of firewalls might want to keep them that way, but there are a lot of
> average people out there who want to AND CAN handle managing a firewall
> right along with the MANY other types of systems that are also included in
> our job responsibilities.
In this age of computers, it is no longer valid > to try to convince people that computers are just too complicated for the > average person. I'm not a Microsoft Groupie or anything, but the reason > their company is where they are today is that they realized that! And people do it, even with UNIX. The key is that the tools need to be clear enough for the user, and the user needs to be aware of them (and they need to be documented). HP did a good job of this with SAM. Solaris started doing this with AdminSuite. I have users with antiquated SCO UNIX boxes who think its the cats meow but still have a command line interface. I have other customers who have a spanking new Solaris box and are scared of it even though you can even format your disk drives from a GUI and manage users and groups as well. Its all in what you know. Most of my belief in selling systems to customers follows your comments about making a system simple. It should be easy to use and simple. It should be reliable and well tested. It should be walk-up-and-do-it-yourself simple (although I wouldn't trust anyone to do it...see above about necessary knowledge). UNIX can be and often is that. But unfortunately Microsoft has been trying to snow the public for too long. > Because our firewall is on an NT platform and has a good GUI, I can be > gone for a couple of weeks and even my boss, a manager, can sit down and > make changes to the firewall comfortably. Several other people in the > computing department with the passowrd could do the same if they had to. > After two years, nobody else could sit down to my Solaris box and do > anything except manage to shut things down. Training, training, training. You think your manager or boss understands why you don't let things like telnet incoming or file shares going out on the Internet? If he does, then he can touch it. If he doesn't then I wouldn't do it. Just because the interface is easy doesn't mean anyone can do it right. 
> 3) At the time of my research a year ago, most mainstream firewalls ran > on minicomputer-class machines like Sun Sparc, HPUX, AIX. For an > educational site with good discounts, a platform like that ran around > $15,000. Try list of $7995 (street price $$6500?? - educational for far,far less) for an UltraSPARC 1 Model 140 32mb, 2.1gb....or maybe a PC. (Not necessarily NT mind you!! Why not Linux or Solaris?) >We put our firewall on a well-endowed NT PC for $5,000. My last one cost $4,500 on a SPARC and the software was $4,995 > Hardware and software maintenance is also much cheaper Not last time I looked for service contracts that gave me free updates of the OS and all patches shipped to my door, or unlimited phone support on an instant connection.... > There are many other reasons that I chose NT over Unix, but I'll leave it > here. NT has its strengths, but listening to the NT security lists as I have, I am not happy with the security and stability. It scares me when the system will take a dump under routing loads (or can't route if its 3.51). Will NT get there? Good chance of it. Do many people feel comfortable with it? Yes. Why? They have all used the interface in one form or another in the past - and think the interface is the whole story. And NT is much cleaner and free of GPFs than Windows 3.1x But that is short of what UNIX has been doing for years. I think the two worlds are colliding, but have not overlapped. Just be careful to correctly judge your adversary (sp?) on the truth - it makes your disagreements much more truthful. You have good points - UNIX vendors and users have not focused on ease of use - thats not where they came from. UNIX came from the top and is working its way down. Windows came from the desktop and is working its way up. Each has its issues and now the users are invading each others territory..... The fireworks will be very amusing to say the least.... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Daniel Blander =8^) Sr. 
Systems Engineer Applied Computer Solutions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Phone: (714) 842.7800 Fax: (714) 842.8299 Email: Daniel.Blander@acsacs.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Official Applied Computer Solutions Home Page and Tech Tip of the Week: http://www.acsacs.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From firewalls-owner Fri Dec 6 14:08:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA00903 for firewalls-outgoing; Fri, 6 Dec 1996 13:09:19 -0800 (PST) Received: from smtp.msp.tsg-usa.com (mntsg.tsg-usa.com [206.185.177.223]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA00896 for ; Fri, 6 Dec 1996 13:09:08 -0800 (PST) From: uhaas@tsg-usa.com Received: by smtp.msp.tsg-usa.com(Lotus SMTP MTA v1.01 (214.1 9-9-1996)) id 862563F8.00746A50 ; Fri, 6 Dec 1996 15:11:33 -0500 X-Lotus-FromDomain: TSG To: firewalls@greatcircle.com Message-ID: <062563F8:0072C989.00@smtp.msp.tsg-usa.com> Date: Fri, 6 Dec 1996 14:58:34 -0500 Subject: Re: .edu w/ firewalls Mime-Version: 1.0 Content-type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk His biggest threat may be from within (I believe you are talking about students), but lets look at this like professionals. How about putting a firewall between important information (administration) and the students/professors that spend the most time hacking/cracking. For an outside threat, a second could be added to the Internet connection point. The real question is, what is a university/college/school trying to protect. Probably information in the administration nets. They need to be protected from the Internet and from the students with access to the schools nets. (Remember, firewalls aren't just for protecting you from the Internet, but also more secure Intranets from less secure ones). Please focus your discussion there. We all know that students are a pain when it comes to hacking. 
Urban
------------------------------------------------------------
Urban A. Haas                Open Systems and Network Consulting
Total Solutions Group
Phone: (800) 423-8741 Ext. 133; Fax: (612) 831-0509
Internet: uhaas@tsg-usa.com -or- mailto:uhaas@tsg-usa.com
------------------------------------------------------------

From firewalls-owner Fri Dec 6 14:54:47 1996
Message-ID: <32A88D70.21D2@inel.gov>
Date: Fri, 06 Dec 1996 14:17:36 -0700
From: Bill Gray
To: firewalls-digest@GreatCircle.COM
Subject: VERIFY and EXPAND on Mail Thru Firewall

toon@cem-bb.e-mail.com wrote:

>Some1 told me that 'I have to filter out VERIFY and EXPAND when letting
>mail through my firewall'. Can some1 explain me what this means?

From CIAC G-09 (http://ciac.llnl.gov/):

>SUMMARY: All versions of "sendmail" prior to Version 8.6.10,
>including Sendmail 5.67+IDA-1.5 and most vendor versions, contain
>a vulnerability that could allow unauthorized root access. This
>vulnerability is being actively exploited on the Internet.
>
>BACKGROUND: The vulnerability is exploited through the use of the SMTP
>"EXPN" and "VRFY" commands offered by all versions of "sendmail." A
>buffer-overrun problem is present in the implementation of these
>commands that allows the executable code of the "sendmail" process to
>be overwritten. This executable code can do anything the author
>wants, and is run with super-user permissions.

This can be fixed by patching the sendmail binary; the CIAC bulletin has
directions on how to do this. Alternatively, use an appropriate (8.6.10 or
later) version of sendmail.

-- 
Bill Gray   ID Nat'l Eng Lab | Lockheed-Martin Idaho Technologies Co
whg@inel.gov

From firewalls-owner Fri Dec 6 15:12:58 1996
Message-ID: <32A8A35F.7CC5@sitesonthe.net>
Date: Fri, 06 Dec 1996 17:51:11 -0500
From: Robert Evans
Reply-To: pedro@orca.sitesonthe.net
Organization: GETtheNET, Inc.
To: inet-access@earth.com
CC: firewalls@greatcircle.com
Subject: Can You Believe It?

Hi All,

I am working with this company that is mostly old iron and we are helping
them add tcp/ip into their 3000+ workstation environment spread across 5
buildings. We are adding Unix boxes into their network, switched atm.

Today I found out that they have 300 - 400 devices using tcp/ip and the
whole network is on one class b network. No subnets anywhere. Eventually
they are going to be adding other facilities online and they expect that
the tcp/ip services are going to catch on like wildfire in the
organization.

Any ideas on how I am going to convince these guys that this is
ridiculous? Any other good stories about such situations? I could use a
laugh after this one.

Bob

From firewalls-owner Fri Dec 6 15:16:16 1996
Message-Id: <3.0.32.19961206163656.0092b840@tech-web.anixter.com>
Date: Fri, 06 Dec 1996 16:36:57 -0600
To: pmarc@cmg.fcnbd.com, Adrian Knight
From: Rich Friedeman
Subject: Re: Why would someone want an NT firewall?
Cc: Firewalls@GreatCircle.COM

> I know of no commercial firewall on any platform that will totally
> prevent an administrator from setting up an insecure configuration.

Nor will you ever. What is acceptable security in one place is absolutely
unacceptable somewhere else. Maybe I want everyone in the world to be able
to telnet to any machine on my network. I could have a reason for it.
Firewall vendors would be doing themselves and me a disservice if they
assumed to know better than I did what results I wanted.

Of course, what goes hand in hand with this is exactly your point. It thus
behooves me to know better than the firewall vendors what results I want
to produce and how to get there. A good GUI only makes the task of
implementing that plan easier. It can't replace the planning.
Rich
rich.friedeman@anixter.com

From firewalls-owner Fri Dec 6 15:33:36 1996
From: firewalls-owner
Date: 6 DEC 96 04:56:07 EST
Subject: Undeliverable Message
To: Firewalls@GreatCircle.COM
Message-ID: <0005zvrpdvtp.0005yeoquysy@mobile.bam.com>

To: Dean E Vaccher@IS_WBRHQ@BAMSWB
    BAMX400@MGate@BAM [C=US/A=INTERNET/DDA=ID/firewalls-digest(a)GreatCircle.COM]
Cc:
Subject: Firewalls-Digest V5 #651

Message not delivered to recipients below.

VNM3043: Dean E Vaccher@IS_WBRHQ@BAMSWB

From firewalls-owner Fri Dec 6 15:43:06 1996
Message-Id: <199612062304.SAA05500@mail.clark.net>
From: "Marcus J. Ranum"
Organization: V-ONE Corp Baltimore office
To: Firewalls@GreatCircle.COM
Date: Fri, 6 Dec 1996 18:05:33 +0000
Subject: Re: firewall performance

There is a firewall performance mailing list at greatcircle.com and some
white papers and data on the topic attached to
http://www.clark.net/pub/mjr/pubs

The firewall performance mailing list was created in response to frequent
discussions of the topic in the firewalls mailing list. I proposed a
moderated list (which I moderate) in which those who had actually
performed measures and tests or who had other significant results could
present them. Of course, the list is extremely quiet, perhaps morbidly so.
For a long time there were any number of people who were prepared to
hypothesize about factors that would influence firewall performance but
still very few interested in actually studying it.

Of course, as an almost silent and moderated list, its signal-to-noise
ratio blows the firewall mailing list completely into the weeds. :)

mjr.
-----
Marcus J. Ranum, Chief Scientist, V-ONE Corporation
Work: http://www.v-one.com   Personal: http://www.clark.net/pub/mjr
"I'll have time to be laid back when I'm laid out on a slab"

From firewalls-owner Fri Dec 6 15:47:40 1996
Date: Thu, 5 Dec 1996 19:38:51 -0600
From: mdb@dosmanos.cwiz.com (Martin D. Baldenegro)
Message-Id: <199612060138.TAA27423@cwiz.com>
To: wilcox@poss.com
Subject: Re: Secondary IP address
Cc: firewalls@GreatCircle.COM

->From wilcox@poss.com Thu Dec 5 18:54:14 1996
->To: jsluzewski@dna.com
->Cc: firewalls@GreatCircle.COM
->Subject: Re: Secondary IP address
->Date: Thu, 05 Dec 1996 12:12:31 -0500
->From: Ken Wilcox
->
->jsluzewski@dna.com writes:
->>
->> I have heard that it is possible to configure secondary IP address on
->> Solaris 2.5.1? If that's true, how it can be done?
->> Thanks for any help.
->>
->> jsluzewski@dna.com
->>
->I think this is what you are referring to.
->
->Use ifconfig to bring up a pseudo interface with a different IP address.
->
->For example: if you have le0 and want another IP address, do this
->
->example% ifconfig le0:1 some-ip netmask some-netmask broadcast + up
->
->The :1 is the pseudo interface and if you do an ifconfig -a it will show
->up like this:
->
->example% ifconfig -a
->lo0: flags=849 mtu 8232
->        inet 127.0.0.1 netmask ff000000
->le0: flags=863 mtu 1500
->        inet 123.70.146.6 netmask ffffffc0 broadcast 123.70.146.63
->le0:1: flags=863 mtu 1500
->        inet 123.70.146.14 netmask ffffffc0 broadcast 123.70.146.63
->le0:2: flags=863 mtu 1500
->        inet 123.70.146.16 netmask ffffffc0 broadcast 123.70.146.63
->le0:3: flags=843 mtu 1500
->        inet 123.70.146.1 netmask ffffffc0 broadcast 123.70.146.63
->
->I don't know what the limit is but you should have as many as you need.
->

The limit is 255 IPs per physical board. le1:0 thru le1:254

Regards,
Martin

->
->Ken Wilcox                    Perfect Order Inc.
->Account Representative        Authorized Sun Reseller
->2212 Eagles Nest Lane
->Monroeville PA 15146
->Phone: +1 412 373 1528        Email: wilcox@poss.com
->Fax: +1 412 373 1722
->
->
->

From firewalls-owner Fri Dec 6 16:23:11 1996
From: firewalls-owner
Date: 6 DEC 96 19:10:41 EST
Subject: Undeliverable Message
To: Firewalls@GreatCircle.COM
Message-ID: <0005hbphbnnn.0005gkmisqmw@mobile.bam.com>

To: Dean E Vaccher@IS_WBRHQ@BAMSWB
    BAMX400@MGate@BAM [C=US/A=INTERNET/DDA=ID/firewalls-digest(a)GreatCircle.COM]
Cc:
Subject: Firewalls-Digest V5 #653

Message not delivered to recipients below.

VNM3043: Dean E Vaccher@IS_WBRHQ@BAMSWB

**** Attachment message(s) will follow in 1 separate transmissions.

From firewalls-owner Fri Dec 6 17:43:49 1996
To: inet-access@earth.com
Cc: firewalls@greatcircle.com
Subject: Re: Can You Believe It?
References: <32A8A35F.7CC5@sitesonthe.net>
From: Darrell Fuhriman
Date: 06 Dec 1996 16:49:05 -0800
In-Reply-To: Robert Evans's message of Fri, 06 Dec 1996 17:51:11 -0500

Robert Evans writes:

> Any ideas on how I am going to convince these guys that this is
> ridiculous? Any other good stories about such situations? I could use a
> laugh after this one.

Intel was the same way until just a few years ago... and they had way more
than 3 or 400 hosts. They used to distribute passwd and hosts files via
FTP. No DNS/NIS whatever..

I know at least one of the people who helped them transition away from
that mess... he has some pretty good stories about the way it (didn't)
work...

Darrell

From firewalls-owner Fri Dec 6 17:53:06 1996
From: Bob Beck
Message-Id: <199612070048.RAA05842@snouts.obtuse.com>
Subject: Re: VERIFY and EXPAND on Mail Thru Firewall
To: whg@inel.gov (Bill Gray)
Date: Fri, 6 Dec 1996 17:48:46 -0700 (MST)
Cc: firewalls-digest@GreatCircle.COM
In-Reply-To: <32A88D70.21D2@inel.gov> from "Bill Gray" at Dec 6, 96 02:17:36 pm

> toon@cem-bb.e-mail.com wrote:
> >Some1 told me that 'I have to filter out VERIFY and EXPAND when letting
> >mail through my firewall'. Can some1 explain me what this means?
> >
> >BACKGROUND: The vulnerability is exploited through the use of the SMTP
> >"EXPN" and "VRFY" commands offered by all versions of "sendmail." A
> >buffer-overrun problem is present in the implementation of these
> >commands that allows the executable code of the "sendmail" process to
> >be overwritten. This executable code can do anything the author
> >wants, and is run with super-user permissions.
> >
> This can be fixed by patching the sendmail binary; the CIAC bulletin
> has directions on how to do this. Alternatively, use an appropriate
> (8.6.10 or later) version of sendmail.

Until the next time they add some creeping featurism that is implemented
sloppily so you can overrun a buffer. Hmm.. that can't happen that often
with sendmail can it? ;-)

Seriously though the point is that VRFY and EXPAND can be used by an
attacker to get potentially useful information. Run a store-forward proxy
like smtpd/smtpfwdd or smapd/smap upstream of your "real"
sendmail/Big-Honking-MTA-of-The-Week. Then you have much less concern
about either problem.

-Bob

-- 
Bob Beck                          Obtuse Systems Corporation
beck@obtuse.com                   http://www.obtuse.com/
True Evil hides its real intentions in its street address.
Search and you shall find it, and the truth shall set you free.

From firewalls-owner Fri Dec 6 18:07:50 1996
Date: Fri, 6 Dec 1996 20:39:55 -0500 (EST)
From: Todd Graham Lewis
To: riordan@math.umn.edu
Cc: firewalls@GreatCircle.COM
Subject: RE: Firewalls over NT vs. UNIX
In-Reply-To: <199612061658.KAA07608@birch.math.umn.edu>

On Fri, 6 Dec 1996 riordan@math.umn.edu wrote:

> On Wed, 4 Dec 1996, Russ, making several good points, wrote:
>
> > If you are going to use NT as a Firewall platform, there should be only
> > one reason you would do that. You want to integrate your Firewall into
> > your existing NT environment (for any of a number of reasons).
>
> I would generally think of that as an argument against an NT firewall:
> You have two doors each of which a bad guy must pass through to get to
> your goods. Do you really want to use the same key for both doors?

I concur. E.g., in a two-level firewall (app gateway protected by a packet
filter), OS diversity is a nice touch for exactly this reason. (We use
FreeBSD and Linux for exactly that reason, but I think I've already
mentioned that. 8^)

__
Todd Graham Lewis                    Linux!  Core Engineering
Mindspring Enterprises               tlewis@mindspring.com
(800) 719 4664, x2804

From firewalls-owner Fri Dec 6 18:49:29 1996
From: Russ
To: "'peter@baileynm.com'"
Cc: firewalls@GreatCircle.COM
Subject: RE: Firewalls over NT vs. UNIX
Date: Thu, 5 Dec 1996 19:32:05 -0500

>Not on a firewall. On a firewall it can run as any user and perform
>a SATAN style attack on hosts beyond the firewall. Whether it can
>subvert internal security on the firewall is less critical.
>But even there, the gaps Microsoft has created in NT security (bypassing
>traverse checking, for example, and the lax permissions you need
>on system directories) make a trojan horse attack (via the file
>system or the registry rather than the secured portions of the
>proxy, for example) quite credible. A similar attack in UNIX,
>from a chrooted environment, is orders of magnitude more
>difficult.
*
Your "gaps" are based on your understanding of how NT works with
particular applications (some belonging to Microsoft), and in a particular
environment which NT was not designed to function within (Citrix, WinDD,
et al). This was precisely what I was referring to when I said that
applications are not built properly, but that NT is. Lax permissions on
the system directories only need to be lax if you need to run programs
which were poorly designed (Microsoft Office is a perfect example); your
Firewall is definitely not going to need this capability. I've said it
before, and I'll say it again, no properly written application needs to
have anything beyond read access to the %systemroot% directory or any of
its subdirectories, so the OS files can be completely secured from all but
the SYSTEM user and any user you permit CONSOLE access.
*
Bypassing traverse checking is only required if something plans on
scanning the directory trees, again, not something that has much to do
with the needs of a Firewall application (if the Firewall doesn't know
already what directories it needs to go to, there's something wrong with
its design). So neither of these "gaps" you put forth have anything to do
with the issue at hand and would be the simplest part of securing the OS
that a Firewall would have to deal with.
*
A simple way to kill the Trojan horse issue completely is to run something
akin to Raptor's Vulture process, which sits on the Firewall and
constantly scans for changes to critical files (including its own). No big
deal and your Trojan Horse threat disappears.
*
>NT is not just the kernel and subsystems, it's got to include the
>applications as well. Just as people consider sendmail holes to
>be a UNIX security problem, the configuration problems and problems
>in Microsoft applications and utilities are NT security problems.
*
Sorry, so you patch the Unix OS to fix Sendmail problems? I must have
missed that CERT advisory.
*
>NT, as a system, has not been given the same overall attention to
>security as UNIX. And that's truly scary, because UNIX was not
>originally designed with high levels of security as a goal!
*
Well, that's not what their stated design goals were, so your information
comes from where? I'll happily accept that this is your opinion, but you
make it sound like fact. I won't argue that Microsoft does not employ a
lot of the security techniques it could/should, but NT has the facilities
built-in designed from the beginning; what's at issue is what uses them
and what doesn't, IMO.
*
>I didn't say that. What I said is that *I* can not scrutinize the source.
>Whether some programmer subject to a nondisclosure agreement
>has seen it is utterly irrelevant to me: his study doesn't benefit me
>any more than a similar study by a Microsoft programmer... unless
>I'm already a criminal and are willing to coerce him into violating
>his NDA.
*
There are a lot of things which you cannot do personally; if you tried to
scrutinize the NT source code it would probably take you a considerable
amount of time. *You* can scrutinize NT's source code if you want, you
just have to buy a license. If this is the only issue you have in this
area, then it's one of cost, not ability. Microsoft's not hiding anything,
they're just charging for it.
*
>That is, Microsoft's secrecy regarding their source,
*
What secrecy, see above.
*
>while completely understandable, does benefit the black hats by keeping
>most of the white hats away. Most especially, it keeps away the people
>who will perform the same sort of hostile reviews that have publicised AND
>CLOSED so many UNIX
*
For one thing, I don't believe that "most of the white hats" are being
kept away. I think "most of the white hats" are very busy doing other
things. If the companies that "most of the white hats" worked for wanted
to do some really secure stuff with NT, you'd be surprised at how
accommodating Microsoft can be. But it's market driven, so if you can't
show how your work is going to provide significant revenue to Microsoft,
you're probably going to have to pay. The other option is to do what most
of the NT Firewall vendors are doing, and that's to implant yourself far
enough down to catch things before NT has a chance to be exploited, or,
do enough testing to derive functionality and capability. There are other
ways that violate Microsoft's license, but it's been known to happen.
*
Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
mailto:Russ.Cooper@RC.on.ca <-- *note the new address*

From firewalls-owner Fri Dec 6 18:52:48 1996
Date: Fri, 6 Dec 1996 20:58:00 -0500 (EST)
From: Todd Graham Lewis
To: Paul Ferguson
Cc: firewalls@GreatCircle.COM
Subject: Re: Proxy & illegal IP numbers
In-Reply-To: <2.2.32.19961206142720.00bf1fa4@lint.cisco.com>

On Fri, 6 Dec 1996, Paul Ferguson wrote:

> Yes, but one should not expect RFC-1918 prefixes to be routable in
> the global Internet. If you do, you're in for a rude awakening. ;-)

One should not expect that RFC-1918 prefixes will never be routed in the
global Internet. If you do, you're in for a rude awakening. :-(

__
Todd Graham Lewis                    Linux!  Core Engineering
Mindspring Enterprises               tlewis@mindspring.com
(800) 719 4664, x2804

From firewalls-owner Fri Dec 6 19:08:05 1996
Date: Fri, 6 Dec 1996 19:53:12 -0600 (CST)
From: David Marcoux
To: Robert Evans
Cc: inet-access@earth.com, firewalls@greatcircle.com
Subject: Re: Can You Believe It?
In-Reply-To: <32A8A35F.7CC5@sitesonthe.net>

On Fri, 6 Dec 1996, Robert Evans wrote:

> Hi All,
> I am working with this company that is mostly old iron and we are
> helping them add tcp/ip into their 3000+ workstation environment spread
> across 5 buildings. We are adding Unix boxes into their network,
> switched atm.
> Today I found out that they have 300 - 400 devices using tcp/ip and the
> whole network is on one class b network. No subnets anywhere.
> Eventually
> they are going to be adding other facilities online and they expect that
> the tcp/ip services are going to catch on like wildfire in the
> organization.
> Any ideas on how I am going to convince these guys that this is
> ridiculous? Any other good stories about such situations? I could use a
> laugh after this one.

Well, a large state school in Texas (20k students) is also on a class B
network with no subnetting. And as you would expect "wildfire" can't even
describe how popular IP has become there in recent years.

------------------------------------------------------------------
David Marcoux                   System Administrator / Web Master
dmarcoux@vertx.com              Vertex Software Corporation
http://www.vertx.com            (512) 328-3700 voice

From firewalls-owner Fri Dec 6 19:23:29 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA16113 for firewalls-outgoing; Fri, 6 Dec 1996 16:26:52 -0800 (PST)
Received: from hp427u.tus.ssi1.com (hp427u.tus.ssi1.com [146.252.25.27]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA16021 for ; Fri, 6 Dec 1996 16:26:17 -0800 (PST)
Received: from atlas.tus.ssi1.com (atlas.tus.ssi1.com [146.252.27.210]) by hp427u.tus.ssi1.com (8.6.12/8.6.12) with ESMTP id QAA08515 for ; Fri, 6 Dec 1996 16:25:45 -0800
Received: from tu228.tus.ssi1.com (tu228.tus.ssi1.com [146.252.27.228]) by atlas.tus.ssi1.com (8.6.12/8.6.12) with ESMTP id QAA27584 for ; Fri, 6 Dec 1996 16:27:27 -0800
Received: (from tcokelys@localhost) by tu228.tus.ssi1.com (8.6.12/8.6.12) id QAA26433 for firewalls@GreatCircle.COM; Fri, 6 Dec 1996 16:25:42 -0800
From: Scott Cokely
Message-Id: <199612070025.QAA26433@tu228.tus.ssi1.com>
Subject: Re: Can You Believe It?
To: firewalls@GreatCircle.COM
Date: Fri, 6 Dec 1996 16:25:42 -0800 (PST)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Responding to Robert Evans, who said:
>
> Hi All,
> I am working with this company that is mostly old iron and we are
> helping them add tcp/ip into their 3000+ workstation environment spread
> across 5 buildings. We are adding Unix boxes into their network,
> switched atm.
> Today I found out that they have 300 - 400 devices using tcp/ip and the
> whole network is on one class b network. No subnets anywhere.

Two words:  Broadcast Storm

> Any ideas on how I am going to convince these guys that this is
> ridiculous?

Tell them that their entire network could be paralyzed by a single bad PC
Ethernet card.

> Any other good stories about such situations?

We had a guy here who believed that our class B address should be treated
like a DECNet address block. Further, he thought that two separate physical
networks should be installed for the entire company -- one for DECNet, and
one for TCP/IP.

> I could use a laugh after this one.

I still laugh about that one. I tried to envision twelve ports in every
office cube -- two for TCP/IP, two for DECNet, two for IPX, two for NetBeui,
two for Appletalk, and two for some future protocol. Also, I tried to
picture what the wiring closet would look like, since you'd need six times
as many hubs....

--
Scott Cokely                |* The Internet interprets censorship as damage, *
Silicon Systems, Inc.       |* and ROUTES AROUND IT.                          *
scott.cokely@tus.ssi1.com   |***************************************************
require "disclaimer.pl";    | I'd love to help but my head is full of birdseed
----------------------------  and my pants are glued to this chair.
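The exchange between Paul Ferguson and Todd Graham Lewis above makes two complementary points: RFC-1918 prefixes must not be relied on to be routable across the Internet, and they must not be relied on never to turn up there either. The practical consequence is a border filter that refuses RFC 1918 addresses in both directions. The following is an added example, not code from the list or from any product discussed here; the interface names "outside"/"inside", the sample packets and the use of RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24) in place of public addresses are constructed for illustration.

```python
"""Ingress/egress check for RFC 1918 prefixes at an Internet border.

Added example for the firewalls-list thread above; not code from the list.
The packet model, interface names and sample traffic are constructed.
"""
import ipaddress
from dataclasses import dataclass

# The three blocks RFC 1918 reserves for private use.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # "outside": arrived from the Internet; "inside": leaving toward it, after NAT


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in any RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def border_decision(pkt: Packet) -> tuple:
    """Return (verdict, reason) for one packet crossing the border router.

    Inbound private addresses are either spoofed or leaked by another site;
    outbound private addresses would leak ours, so both directions are checked.
    """
    if pkt.iface == "outside":
        if is_rfc1918(pkt.src):
            return ("drop", "ingress: RFC 1918 source address from the Internet")
        if is_rfc1918(pkt.dst):
            return ("drop", "ingress: RFC 1918 destination is not reachable from the Internet")
    elif pkt.iface == "inside":
        if is_rfc1918(pkt.dst):
            return ("drop", "egress: RFC 1918 destination would leak via the default route")
        if is_rfc1918(pkt.src):
            return ("drop", "egress: RFC 1918 source was not translated")
    else:
        raise ValueError("unknown interface %r" % pkt.iface)
    return ("pass", "no RFC 1918 address involved")


def audit(packets) -> dict:
    """Count verdicts per reason so the filter's effect can be reviewed."""
    summary = {}
    for pkt in packets:
        verdict, reason = border_decision(pkt)
        key = verdict if verdict == "pass" else reason
        summary[key] = summary.get(key, 0) + 1
    return summary


# Constructed sample traffic (documentation ranges stand in for public addresses).
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.5", "outside"),   # ordinary Internet traffic
    Packet("10.1.2.3", "203.0.113.5", "outside"),       # private source arriving from outside
    Packet("198.51.100.7", "192.168.4.4", "outside"),   # Internet host aiming at private space
    Packet("203.0.113.5", "198.51.100.7", "inside"),    # translated outbound traffic
    Packet("203.0.113.5", "172.31.0.9", "inside"),      # outbound toward someone's private block
    Packet("192.168.1.20", "198.51.100.7", "inside"),   # outbound that escaped translation
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.iface, pkt.src, "->", pkt.dst, *border_decision(pkt))
    print(audit(SAMPLE))
```

The "inside" check assumes the filter sits after address translation; an untranslated private source reaching it is therefore a misconfiguration worth counting, not normal traffic.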
From firewalls-owner Fri Dec 6 19:21:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA28038 for firewalls-outgoing; Fri, 6 Dec 1996 17:53:42 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA27931 for ; Fri, 6 Dec 1996 17:53:09 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id RAA10281; Fri, 6 Dec 1996 17:52:06 -0800
Received: from turtle.mcc.com(128.62.1.215) by mycroft via smap (V1.3mjr) id sma010263; Fri Dec 6 17:51:50 1996
Received: from geryon.mcc.com (geryon.mcc.com [128.62.90.26]) by turtle.mcc.com (8.6.10/mcc.8.6.9) with ESMTP id TAA14720; Fri, 6 Dec 1996 19:48:21 -0600
Received: from [128.62.65.94] (chrisslip.mcc.com [128.62.65.94]) by geryon.mcc.com (8.6.12/mccsun-9509201604) with SMTP id TAA01995; Fri, 6 Dec 1996 19:48:07 -0600
Date: Fri, 6 Dec 1996 19:48:07 -0600
X-Sender: chris@geryon.mcc.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: pedro@orca.sitesonthe.net, inet-access@earth.com
From: chris@mcc.com (Chris E Creighton)
Subject: Re: Can You Believe It?
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 5:51 PM 12/6/96, Robert Evans wrote:
>Hi All,
> I am working with this company that is mostly old iron and we are
>helping them add tcp/ip into their 3000+ workstation environment spread
>across 5 buildings. We are adding Unix boxes into their network,
>switched atm.
> Today I found out that they have 300 - 400 devices using tcp/ip and the
>whole network is on one class b network. No subnets anywhere. Eventually
>they are going to be adding other facilities online and they expect that
>the tcp/ip services are going to catch on like wildfire in the
>organization.
> Any ideas on how I am going to convince these guys that this is
>ridiculous? Any other good stories about such situations? I could use a
>laugh after this one.
>Bob

Once upon a time, I'd probably have the same reaction, but not any more.
It's not as far fetched as you think. There's a well written white paper
out on Madge Networks web site called, "The Architecture of Switched LANS".
Read it and ponder the possibilities. Don't forget to discount the small
amount of ATM proselytizing.

Don't get the wrong idea, I think thousands is pushing it, but the
principles that we've grown accustomed to, i.e. designing networks based
on the mechanics of IP addressing, are becoming a bit obsolete. If we
don't reevaluate our basic principles occasionally, we may suffer the same
fate.

chris

From firewalls-owner Fri Dec 6 20:21:19 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA10682 for firewalls-outgoing; Thu, 5 Dec 1996 15:45:12 -0800 (PST)
Received: from gw.garrison.com (gw.garrison.com [205.241.58.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA10570 for ; Thu, 5 Dec 1996 15:44:24 -0800 (PST)
Received: by gw.garrison.com; id LAA06116; Thu, 5 Dec 1996 11:38:15 -0600 (CST)
Received: from ukn0.garrison.com(10.0.0.2) by gw.garrison.com via smap (3.2) id xma006108; Thu, 5 Dec 96 11:38:10 -0600
Received: by garrison.com. (4.1/Surrogate Sendmail hack) id AA03523; Thu, 5 Dec 96 17:39:29 CST
Date: Thu, 5 Dec 96 17:39:29 CST
From: jeromie@garrison.com (Jeromie Jackson)
Message-Id: <9612052339.AA03523@garrison.com.>
To: firewalls@GreatCircle.COM, dochin@cisco.com, jlw@cisco.com, mhoward@cisco.com
Subject: Re: Cisco's PIX Firewall
Cc: lazar@netevolve.com, froys@cisco.com, afoss@cisco.com, amittal@cisco.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Do you consider Checkpoint a packet filter?
>

I would say in the first release, they were pretty much JUST a packet
filter.. now they have a few actual proxies as well, so I would say it's
rather grey.
Jeromie Jackson
Garrison Technologies
jeromie@garrison.com

From firewalls-owner Fri Dec 6 20:48:36 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA20977 for firewalls-outgoing; Thu, 5 Dec 1996 17:18:52 -0800 (PST)
Received: from pdv.com (PDV.COM [200.1.171.129]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA20901 for ; Thu, 5 Dec 1996 17:18:08 -0800 (PST)
Received: by pdv.com; id AA00823; Thu, 5 Dec 96 21:18:22 WDT
Received: from ccredes.lagoven.pdv.com(170.179.129.10) by firewall.pdv.com via smap (3.2) id xma000793; Thu, 5 Dec 96 21:17:56 -0300
Received: from email.lagoven.pdv.com ([170.179.167.70]) by ccredes.lagoven.pdv.com (Netscape Mail Server v1.1) with SMTP id AAA16768 for ; Thu, 5 Dec 1996 17:17:58 -0500
Received: from cc:Mail by email.lagoven.pdv.com id AA849838313; Thu, 05 Dec 96 18:01:37 EST
Date: Thu, 05 Dec 96 18:01:37 EST
From: "IFOP52"
Message-Id: <9611058498.AA849838313@email.lagoven.pdv.com>
To: firewalls@greatcircle.com
Subject: I need help
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, I am trying to get information about the process in the TIS GAUNTLET
for sending the daily-report and the weekly-report to the firewalladmin
user. I am trying to send e-mail from the Unix station to the users in an
automatic way.

Any help . . . .

Thanks in advance . . .

William Rodriguez C.
From firewalls-owner Fri Dec 6 20:59:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA15959 for firewalls-outgoing; Fri, 6 Dec 1996 20:23:46 -0800 (PST)
Received: from ashanti.webmaster.net (ashanti.webmaster.net [205.160.174.210]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA15888 for ; Fri, 6 Dec 1996 20:23:04 -0800 (PST)
Received: (from jason@localhost) by ashanti.webmaster.net (8.8.4/8.8.4) id XAA14772; Fri, 6 Dec 1996 23:22:07 -0500 (EST)
To: Paonia Ezrine
Cc: firewalls@GreatCircle.COM
Subject: Re: .edu w/ firewalls
References: <199612042329.SAA16354@exon.massart.mass.edu>
From: jason@Mastaler.COM (Jason R. Mastaler)
Date: 06 Dec 1996 23:22:06 -0500
In-Reply-To: Paonia Ezrine's message of Wed, 4 Dec 1996 18:29:12 -0500 (EST)
Message-ID:
Lines: 41
X-Mailer: Red Gnus v0.73/XEmacs 19.14
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Paonia Ezrine writes:

> Can any .edu's with firewalls email me.

You might be interested in the Academic-Firewalls mailing list..

----------------------------------------------------------------------------
Academic Firewalls

To join, send e-mail to majordomo@net.tamu.edu and, in the text of your
message (not the subject line), write:

    SUBSCRIBE Academic-Firewalls

This is an unmoderated list maintained by Texas A&M University. Its purpose
is to promote the discussion and use of firewalls and other security tools
in an academic environment. It is complementary to the Firewalls list
maintained by Brent Chapman (send subscription requests to
Majordomo@GreatCircle.COM) which deals primarily with firewall issues in a
commercial environment.

Academic environments have different political structures, ethical issues,
expectations of privacy and expectations of access. Many documented
incidents of cracker intrusions have either originated at or passed through
academic institutions. The security at most universities is notoriously lax
or even in some cases completely absent. Most institutions don't use
firewalls because they either don't care about their institution's
security, they feel firewalls are not appropriate or practical, or they
don't know the extent to which they are under attack from the Internet.

At Texas A&M University we have been using a combination of a flexible
packet filter, intrusion detection tools, and Unix security audit utilities
for almost two years. We have found that simple firewalls combined with
other tools are feasible in an academic environment. Hopefully the
discussion on this list will begin to raise the awareness of other
institutions also.
----------------------------------------------------------------------------

--
Jason R. Mastaler
jason@Mastaler.COM

From firewalls-owner Fri Dec 6 22:10:48 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA19793 for firewalls-outgoing; Thu, 5 Dec 1996 17:10:35 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA19557 for ; Thu, 5 Dec 1996 17:09:21 -0800 (PST)
Received: (qmail 27496 invoked from smtpd); 6 Dec 1996 01:08:57 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 6 Dec 1996 01:08:57 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id TAA02078; Thu, 5 Dec 1996 19:08:56 -0600
Received: by sonic.nmti.com; id AA26928; Thu, 5 Dec 1996 19:08:47 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9612060108.AA26928@sonic.nmti.com.nmti.com>
Subject: Re: Firewalls over NT vs. UNIX
To: Russ.Cooper@RC.on.ca (Russ)
Date: Thu, 5 Dec 1996 19:08:47 -0600 (CST)
Cc: peter@baileynm.com, firewalls@GreatCircle.COM
In-Reply-To: from "Russ" at Dec 5, 96 07:32:05 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Your "gaps" are based on your understanding of how NT works with
> particular applications (some belonging to Microsoft), and in a
> particular environment which NT was not designed to function within
> (Citrix, WinDD, et al).

Yes, sir. I expected this response. You're still not being paranoid
enough. Let's look at this again.

I have found a number of security problems that if I were as well
acquainted with NT as I am with UNIX would lead to violations of the
security policy, in an NT system on which untrusted applications run. The
environment with which I am familiar is such a system... but so is a
firewall running proxies. My experience with WinDD is definitely relevant
to this situation.

Some of these holes can certainly be closed on a firewall, as can similar
holes in UNIX... but I'm not convinced that all of them can, because NT
does not have any analog to a chrooted jail, and you have to actually take
the necessary actions to close them.

> Bypassing traverse checking is only required if something plans on
> scanning the directory trees,

Actually, that's not right. You need to bypass traverse checking to let
applications access anything in the registry after you disable access to
the registry root to keep external programs from getting into the registry
through the network.

> >NT, as a system, has not been given the same overall attention to
> >security as UNIX. And that's truly scary, because UNIX was not
> >originally designed with high levels of security as a goal!
> *
> Well, that's not what their stated design goals were, so your
> information comes from where?

My experience with NT, looking at it as a potential cracker would.
There are some potentially good security facilities, but the system as a
whole does not build on them in a secure fashion.

> There are a lot of things which you cannot do personally, if you tried
> to scrutinize the NT source code it would probably take you a
> considerable amount of time.

Other people who think like me can scrutinize UNIX, but they don't have
access to NT for the same reason I don't.

> *You* can scrutinize NT's source code if
> you want, you just have to buy a license.

And sign an NDA which limits my ability to pass on the lessons learned
from this exercise. Did you miss that point?

From firewalls-owner Fri Dec 6 23:08:04 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA18675 for firewalls-outgoing; Fri, 6 Dec 1996 20:53:29 -0800 (PST)
Received: from mail.securities.com (market.securities.com [199.234.112.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA18599 for ; Fri, 6 Dec 1996 20:52:56 -0800 (PST)
Received: from leopard.securities.co.in by mail.securities.com with smtp (Smail3.1.29.0 #17) id m0vWEk0-0003soC; Fri, 6 Dec 96 23:51 EST
Message-ID: <32A9B5B1.6BF5@securities.com>
Date: Sat, 07 Dec 1996 10:21:37 -0800
From: Sameer Anja
Reply-To: sameer@securities.com
Organization: Internet Securities,Mumbai, India
X-Mailer: Mozilla 3.0Gold (Win95; I; 16bit)
MIME-Version: 1.0
To: Christopher Tighe
CC: firewalls@greatcircle.com
Subject: Re: Tacacs+
References: <328A0ABB.59E2@dat.tds.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi-

How about an entry like this in the config file??

    user=xyz {
        default service=permit
        login = des something
    }

The enable should work from this account. Email me if you have any more
problems. And if you get a better solution, do tell me also.

-Sam

Christopher Tighe wrote:
>
> Hi,
>
> I know there is often a discussion about Tacacs+ on this
> list, so I thought I would ask the following:
>
> how do you configure a tacacs server to provide authentication
> for a cisco router for enable (privileged) mode.
> for normal login it is okay and works fine, but in enable
> mode I receive the following error message:
>
> Wed Nov 13 18:39:44 1996 [40201]: enable query for tty2 from
> xxx.xxx.xxx.xxx rejected.
>
> I think I need to define some special user in my tacacs passwd
> file, but I can't find any reference to that so how do I do
> it? Please help, I am getting desperate.....
>
> chris
>
> --
> +------------------------------------------------------------+
> | Christopher Tighe BSc.(Hons)     Tel: ++49 (0)7131 6235-119 |
> | Network Services                 Fax: ++49 (0)7131 6235-115 |
> | tele-daten service GmbH          E-Mail: ctighe@tds.de      |
> | Titotstr. 7-9                                               |
> | 74072 Heilbronn                    \"""/                    |
> | Germany                            (o o)                    |
> +------------------------------------.ooO(_)Ooo.-------------+

--
***************************************************************
Sameer Anja                          |    ("`-/")_.-'"``-.
Systems and Network Administrator    |     . . `; -._  )-;-,_`)
Internet Securities Inc. Mumbai      |    (v_,)'  _  )`-.\  ``-'
309,Churchgate Chambers,             |   _.- _..-_/ / ((.'
New Marine Lines,Mumbai-400 020      | ((,.-'   ((,/
Phone : 91-22-2674126                |
Fax : 91-22-2624635                  |
Email : sameer@securities.com        |
Internet : http://www.securities.com |
***************************************************************
All Cats look grey in the dark...
You may delegate AUTHORITY, but not RESPONSIBILITY.
***************************************************************

From firewalls-owner Fri Dec 6 23:09:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA00718 for firewalls-outgoing; Fri, 6 Dec 1996 22:01:02 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id WAA00394 for firewalls@greatcircle.com; Fri, 6 Dec 1996 22:00:05 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.1.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA17731 for ; Tue, 3 Dec 1996 05:06:17 -0800 (PST)
From: harley@icrf.icnet.uk
Message-Id: <199612031306.FAA17731@miles.greatcircle.com>
Received: by europa.lif.icnet.uk; Tue, 3 Dec 1996 13:05:59 GMT
Subject: RE: [Fwd: Caution : Internet Virus] (fwd)
To: firewalls@GreatCircle.COM
Date: Tue, 3 Dec 1996 13:05:59 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I really wish discussion on this stuff could be kept to more appropriate
lists. I spend a lot of time on virus control, and I'm happy to discuss it
with my peers, but that's not why I subscribe to this particular list. So
is there any chance we could dispose of the topics below and get back to
firewalls?

Michael Paris wrote:

> If the virus was sent attached in a .zip or .exe and the infected file was
> run it would infect the computer.

This is, of course, true. But irrelevant to this particular alert.
Nevertheless, mail programs and web browsers should not be configured to
execute downloaded executables or attachments automatically.

>
> I believe he was talking here of a Word Macro Virus, attached as a .DOC
> file, that when opened by Microsoft Word would trash the hard disk.
>

This is a possible attack. But Irina/Irenia/Irinia is a hoax. Please check
the CIAC bulletin H-05: I've previously posted the URL. And you're talking
about a hypothetical trojan, not a virus. Irena was originally a publicity
stunt generated by Penguin Books. It's been seized upon by hoaxers and the
technically-challenged.

> Some users use a program CC Mail that would automagically open Microsoft
> Word and load the file sent in the e-mail. This could result in the loss
> of the hard disk if the Macro Virus was opened in Microsoft word.
>

This is a possible attack. Other mailreaders and web-browsers can be
configured similarly (and shouldn't be).

> I do have a large collection of Word Viruses, one in my collection,
> (FORMAT-C Word Macro Virus) will do just this in CC-Mail or if opened in
> Microsoft Word.
>

FormatC is a trojan, not a virus. It's too busy trying to trash your disk
to replicate. Destructive trojans and viruses are a possible threat,
though.

> There was a wide spread message that went out about 'The Good Times Virus'
> This indeed was a Hoax! No Virus can wipe the hard disk just by reading
> an e-mail message. BUT, this message below told of an attachment that if
> run would cause damage!

It could be read that way. And such threats are perfectly feasible. But
this alert is untrue and unhelpful. The Chinon CD trojan existed but is
long past its best-by date.

EOT.
--
David Harley                        \ | /   alt.comp.virus FAQ
D.Harley@icrf.icnet.uk               \ | /   & Anti-Virus Web Page
Support & Security Analyst            \ | /   Folk London On-Line gig-list
Imperial Cancer Research Fund     ____\|/____  http://webworlds.co.uk/dharley/

From firewalls-owner Fri Dec 6 23:11:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA00807 for firewalls-outgoing; Fri, 6 Dec 1996 22:01:23 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id WAA00631 for firewalls@greatcircle.com; Fri, 6 Dec 1996 22:00:41 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.1.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA22225 for ; Tue, 3 Dec 1996 06:24:47 -0800 (PST)
From: harley@icrf.icnet.uk
Message-Id: <199612031424.GAA22225@miles.greatcircle.com>
Received: by europa.lif.icnet.uk; Tue, 3 Dec 1996 14:24:53 GMT
Subject: Internet virus: can we drop it now?
To: firewalls@GreatCircle.COM
Date: Tue, 3 Dec 1996 14:24:53 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think a server glitch probably chopped my previous attempt to post this.
Apologies if it turns up twice in your mailbox.

I really wish discussion on this stuff could be kept to more appropriate
lists. I spend a lot of time on virus control, and I'm happy to discuss it
with my peers, but that's not why I subscribe to this particular list. So
is there any chance we could dispose of the topics below and get back to
firewalls?

Michael Paris wrote:
>
> > If the virus was sent attached in a .zip or .exe and the infected file was
> > run it would infect the computer.
>

This is, of course, true. But irrelevant to this particular alert.
Nevertheless, mail programs and web browsers should not be configured to
execute downloaded executables or attachments automatically.

> >
> > I believe he was talking here of a Word Macro Virus, attached as a .DOC
> > file, that when opened by Microsoft Word would trash the hard disk.
> >

This is a possible attack. But Irina/Irenia/Irinia is a hoax. Please check
the CIAC bulletin H-05: I've previously posted the URL. And you're talking
about a hypothetical trojan, not a virus. Irena was originally a publicity
stunt generated by Penguin Books. It's been seized upon by hoaxers and the
technically-challenged.

> >
> > Some users use a program CC Mail that would automagically open Microsoft
> > Word and load the file sent in the e-mail. This could result in the loss
> > of the hard disk if the Macro Virus was opened in Microsoft word.
> >

This is a possible attack. Other mailreaders and web-browsers can be
configured similarly (and shouldn't be).

> >
> > I do have a large collection of Word Viruses, one in my collection,
> > (FORMAT-C Word Macro Virus) will do just this in CC-Mail or if opened in
> > Microsoft Word.
> >

FormatC is a trojan, not a virus. It's too busy trying to trash your disk
to replicate. Destructive trojans and viruses are a possible threat,
though.

> >
> > There was a wide spread message that went out about 'The Good Times Virus'
> > This indeed was a Hoax! No Virus can wipe the hard disk just by reading
> > an e-mail message. BUT, this message below told of an attachment that if
> > run would cause damage!
>

It could be read that way. And such threats are perfectly feasible. But
this alert is untrue and unhelpful.

>

The Chinon CD trojan existed but is long past its best-by date.

EOT.
--
David Harley                        \ | /   alt.comp.virus FAQ
D.Harley@icrf.icnet.uk               \ | /   & Anti-Virus Web Page
Support & Security Analyst            \ | /   Folk London On-Line gig-list
Imperial Cancer Research Fund     ____\|/____  http://webworlds.co.uk/dharley/

From firewalls-owner Fri Dec 6 23:40:07 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA10036 for firewalls-outgoing; Thu, 5 Dec 1996 15:39:58 -0800 (PST)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA10018 for ; Thu, 5 Dec 1996 15:39:44 -0800 (PST)
Received: from mhoward-pc.cisco.com (dhcp-vm1-2-186.cisco.com [171.68.164.186]) by diablo.cisco.com (8.6.12/CISCO.SERVER.1.1) with SMTP id PAA20194; Thu, 5 Dec 1996 15:39:28 -0800
Message-Id: <2.2.32.19961205232601.00975468@diablo.cisco.com>
X-Sender: mhoward@diablo.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 05 Dec 1996 15:26:01 -0800
To: jeromie@garrison.com (Jeromie Jackson), firewalls@GreatCircle.COM, dochin@cisco.com, jlw@cisco.com
From: Matthew Howard
Subject: Re: Cisco's PIX Firewall
Cc: lazar@netevolve.com, froys@cisco.com, afoss@cisco.com, amittal@cisco.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:52 PM 12/4/96 CST, Jeromie Jackson wrote:
>> At 04:17 PM 12/4/96 CST, Jeromie Jackson wrote:
>> > The exploits of sendmail are not based on the vulnerabilities associated
>> >with the sequence number, or the state of the connection. If you are running
>> >sendmail 4.1 on both machines, looking @ such criteria is not fixing the
>> >problem. Sendmail is still VERY vulnerable.
>>
>> MailGuard is an upcoming feature to be released real soon which
>> is designed specifically to protect the inside mailhubs'
>> sendmail daemons. Stay tuned.
>>
>> > For just a bit more money, it appears the user community can get an
>> >application level gateway that would provide more functionality, as well as
>> >better security. If someone is just wanting to do IP filtering & NAT for
>> >their i-net connection, something like a linux box running ipfw would be
>> MUCH cheaper,
>> >and @ T1 speeds, or below, I believe there would be minimal degradation.
>>
>> Speed and Scalability are 2 different things.
>> Degradation on proxy servers occurs sharply when there is a large number of
>> client connections it has to "proxy for". With 3 clients pumping ftp data
>> across a proxy server firewall on ethernet you probably won't see a lot of
>> degradation.
>> Try using 100 clients going out to a remote site over a T1, you will
>> probably wonder why
>> your T1 is not saturated if you use a Linux box.
>>
>> > Here's the problem with packet-filtering in a nutshell...
>> >
>> > 1) Packet filtering cannot evaluate data-based attacks.
>> >
>> > 2) Packet filtering bases access control on header information
>> > (src,port,dst,port,flags). As we all know, this data is not
>> > authenticated whatsoever, thus spoofing can subvert the ACLs
>>
>> Not only is the PIX not a packet filter, it is spoof-proof and protocol aware.
>>
>> Take the example of CuSeeMee, on ORDINARY PACKET FILTERS you'd have to say:
>>
>> access-list 101 permit tcp 0.0.0.0 255.255.255.255 x.x.x.x 0.0.0.255 estab
>> access-list 101 permit udp 0.0.0.0 255.255.255.255 x.x.x.x 0.0.0.255 eq 7648
>> access-list 101 permit udp 0.0.0.0 255.255.255.255 x.x.x.x 0.0.0.255 eq 7649
>> or
>> set fil inet.in 11 per 0.0.0.0/0 x.x.x.0/24 tcp estab
>> set fil inet.in 12 per 0.0.0.0/0 x.x.x.0/24 udp src eq 7648 dst eq 7649
>> set fil inet.in 11 per 0.0.0.0/0 x.x.x.0/24 tcp src eq 7649 dst eq 7648
>>
>> This opens up UDP ports 7648 and 7649 BLINDLY to all traffic including
>> attacks. Also there's that infamous estab statement where someone who
>> knows how to doctor the ACK bit can inject TCP packets into the customers'
>> net.
>
> Hmm, That certainly looks like packet filtering to me. Based on header
>information, you are making decisions about packet flow. As far as being
>'spoof proof', that is just not correct. If you are talking to '1.2.3.4', I
>can send you a packet appearing as though it is originating from '1.2.3.4',
>you would believe me, because there is no authentication built into IPV4. I would
>agree, that the filtering mentioned above is better than that done w/ a standard
>IP filtering device, although because decisions are being made on objects that
>are not authenticated (header information), ACL's can, and will be vulnerable to
>spoofing/hijacking.

Do you consider Checkpoint a packet filter?

matt

>
>
>Jeromie Jackson
>Garrison Technologies
>jeromie@garrison.com
>
>

Matthew Howard                  Product Line Manager
mhoward@cisco.com               Internet Business Unit
408-526-4720 (voice)            Cisco Systems Inc.
408-527-8122 (fax)              170 West Tasman Drive
                                Building VM2 (corner of First & Vista Montana)
                                San Jose, CA 95134

From firewalls-owner Sat Dec 7 00:37:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA21690 for firewalls-outgoing; Sat, 7 Dec 1996 00:30:36 -0800 (PST)
From: firewalls-owner
Received: from mobile.bam.com (mobile.banm.com [199.74.157.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA21659 for ; Sat, 7 Dec 1996 00:30:25 -0800 (PST)
Received: FROM BAMX400.mobile.bam.com BY mobile.bam.com ; 7 DEC 96 03:30:42 EST
Date: 7 DEC 96 03:29:07 EST
Subject: Undeliverable Message
To: Firewalls@GreatCircle.COM
MIME-Version: 1.0
Message-ID: <0005phnzzzrt.0005miecyioq@mobile.bam.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To: Dean E Vaccher@IS_WBRHQ@BAMSWB
    BAMX400@MGate@BAM [C=US/A=INTERNET/DDA=ID/firewalls-digest(a)GreatCircle.COM]
Cc:
Subject: Firewalls-Digest V5 #654

Message not delivered to recipients below.

VNM3043: Dean E Vaccher@IS_WBRHQ@BAMSWB

**** Attachment message(s) will follow in 1 separate transmissions.
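The Howard/Jackson exchange above turns on one distinction: an ordinary packet filter decides per packet from header fields, so the "estab" rule (which on Cisco matches any TCP segment with the ACK or RST bit set) and the blind UDP 7648/7649 permits admit anything that carries the right bits, while a device that remembers which flows inside hosts started can refuse an inbound segment that matches no such flow. The simulation below is an added example written for this thread, not PIX code or anything from the list; it models only the connection-state part of the argument (not the "protocol aware" inspection Howard mentions), and the inside network 192.0.2.0/24, the hosts and the ports are constructed, with RFC 5737 documentation ranges standing in for public addresses.

```python
"""Stateless "established" rule versus a connection-tracking filter.

Added example for the firewalls-list thread above; not code from the list
or from any product. Network, hosts, ports and the packet trace are constructed.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.0.2.0/24")   # stands in for the thread's x.x.x.0/24
CUSEEME_PORTS = {7648, 7649}


@dataclass(frozen=True)
class Pkt:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

    @property
    def inbound(self) -> bool:
        return ipaddress.ip_address(self.dst) in INSIDE


def stateless(pkt: Pkt) -> str:
    """The ordinary-packet-filter ACL quoted in the thread: outbound is open,
    inbound TCP passes if 'established' (ACK or RST set), inbound UDP passes
    if it targets a CU-SeeMe port. Nothing here remembers earlier packets."""
    if not pkt.inbound:
        return "permit"
    if pkt.proto == "tcp" and (pkt.ack or pkt.rst):
        return "permit"
    if pkt.proto == "udp" and pkt.dport in CUSEEME_PORTS:
        return "permit"
    return "deny"


class Stateful:
    """Inbound traffic passes only as the reverse of a flow an inside host
    started. The flow set is the 'state' the thread argues about; flow
    expiry (FIN/RST, idle timeouts) is omitted to keep the model small."""

    def __init__(self):
        self.flows = set()

    def check(self, pkt: Pkt) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if not pkt.inbound:
            # Outbound: UDP or a TCP SYN opens a flow; other TCP must belong to one.
            if pkt.proto == "udp" or pkt.syn or key in self.flows:
                self.flows.add(key)
                return "permit"
            return "deny"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows and (pkt.proto == "udp" or pkt.ack or pkt.rst):
            return "permit"
        return "deny"


def run_scenario():
    """Feed the same constructed trace through both filters; returns
    (label, stateless verdict, stateful verdict) per packet, in order."""
    tracker = Stateful()
    trace = [
        ("inside host opens TCP to a web server",
         Pkt("tcp", "192.0.2.10", 3456, "198.51.100.20", 80, syn=True)),
        ("server's SYN/ACK reply",
         Pkt("tcp", "198.51.100.20", 80, "192.0.2.10", 3456, syn=True, ack=True)),
        ("unsolicited inbound segment with ACK set, no connection behind it",
         Pkt("tcp", "203.0.113.9", 80, "192.0.2.10", 139, ack=True)),
        ("unsolicited inbound UDP to the CU-SeeMe port",
         Pkt("udp", "203.0.113.9", 7649, "192.0.2.10", 7648)),
        ("inside host starts a CU-SeeMe session",
         Pkt("udp", "192.0.2.10", 7648, "198.51.100.30", 7649)),
        ("peer's UDP reply to that session",
         Pkt("udp", "198.51.100.30", 7649, "192.0.2.10", 7648)),
    ]
    return [(label, stateless(p), tracker.check(p)) for label, p in trace]


if __name__ == "__main__":
    for label, sl, sf in run_scenario():
        print("%-66s stateless=%-6s stateful=%s" % (label, sl, sf))
```

Packets 3 and 4 are the ones the thread is about: both filters agree on the legitimate traffic, but only the tracker rejects the ACK-flagged segment and the UDP datagram that no inside host asked for.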
From firewalls-owner Sat Dec 7 01:37:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA27158 for firewalls-outgoing; Sat, 7 Dec 1996 01:31:29 -0800 (PST) From: firewalls-owner Received: from mobile.bam.com (mobile.banm.com [199.74.157.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA27108 for ; Sat, 7 Dec 1996 01:31:16 -0800 (PST) Received: FROM BAMX400.mobile.bam.com BY mobile.bam.com ; 7 DEC 96 04:31:35 EST Date: 7 DEC 96 04:29:37 EST Subject: Undeliverable Message To: Firewalls@GreatCircle.COM MIME-Version: 1.0 Message-ID: <0005lrbdptpn.0005zvrplddn@mobile.bam.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To: Dean E Vaccher@IS_WBRHQ@BAMSWB BAMX400@MGate@BAM [C=US/A=INTERNET/DDA=ID/firewalls-digest(a)GreatCircle.COM] Cc: Subject: Firewalls-Digest V5 #655 Message not delivered to recipients below. VNM3043: Dean E Vaccher@IS_WBRHQ@BAMSWB **** Attachment message(s) will follow in 1 separate transmissions. From firewalls-owner Sat Dec 7 01:52:52 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA27306 for firewalls-outgoing; Sat, 7 Dec 1996 01:32:37 -0800 (PST) From: firewalls-owner Received: from mobile.bam.com (mobile.banm.com [199.74.157.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA27267 for ; Sat, 7 Dec 1996 01:32:20 -0800 (PST) Received: FROM BAMX400.mobile.bam.com BY mobile.bam.com ; 7 DEC 96 04:32:38 EST Date: 7 DEC 96 04:29:37 EST Subject: Undeliverable Message To: Firewalls@GreatCircle.COM MIME-Version: 1.0 Message-ID: <1.0005lrbdptpn.0005zvrplddn@mobile.bam.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk **** Main message start To: Dean E Vaccher@IS_WBRHQ@BAMSWB BAMX400@MGate@BAM [C=US/A=INTERNET/DDA=ID/firewalls-digest(a)GreatCircle.COM] Cc: Subject: Firewalls-Digest V5 #655 Message not delivered to recipients below. 
VNM3043: Dean E Vaccher@IS_WBRHQ@BAMSWB

**** Main message end

**** An attachment message follows ...

Firewalls-Digest         Saturday, December 7 1996         Volume 05 : Number 655

In this issue:

        Internet virus: can we drop it now?
        Re: Cisco's PIX Firewall
        Undeliverable Message

See the end of the digest for information on subscribing to the
Firewalls or Firewalls-Digest mailing lists and on how to retrieve
back issues.

----------------------------------------------------------------------

Date: Tue, 3 Dec 1996 14:24:53 +0000 (GMT)
From: harley@icrf.icnet.uk
Subject: Internet virus: can we drop it now?

I think a server glitch probably chopped my previous attempt to post
this. Apologies if it turns up twice in your mailbox.

I really wish discussion on this stuff could be kept to more appropriate
lists. I spend a lot of time on virus control, and I'm happy to discuss
it with my peers, but that's not why I subscribe to this particular
list. So is there any chance we could dispose of the topics below and
get back to firewalls?

Michael Paris wrote:

> > If the virus was sent attached in a .zip or .exe and the infected file was
> > run it would infect the computer.

This is, of course, true. But irrelevant to this particular alert.
Nevertheless, mail programs and web browsers should not be configured
to execute downloaded executables or attachments automatically.

> > I believe he was talking here of a Word Macro Virus, attached as a .DOC
> > file, that when opened by Microsoft Word would trash the hard disk.

This is a possible attack. But Irina/Irenia/Irinia is a hoax. Please
check the CIAC bulletin H-05: I've previously posted the URL. And you're
talking about a hypothetical trojan, not a virus. Irena was originally a
publicity stunt generated by Penguin Books. It's been seized upon by
hoaxers and the technically-challenged.

> > Some users use a program CC Mail that would automagically open Microsoft
> > Word and load the file sent in the e-mail.
> > This could result in the loss
> > of the hard disk if the Macro Virus was opened in Microsoft word.

This is a possible attack. Other mailreaders and web-browsers can be
configured similarly (and shouldn't be).

> > I do have a large collection of Word Viruses, one in my collection,
> > (FORMAT-C Word Macro Virus) will do just this in CC-Mail or if opened in
> > Microsoft Word.

FormatC is a trojan, not a virus. It's too busy trying to trash your
disk to replicate. Destructive trojans and viruses are a possible
threat, though.

> > There was a wide spread message that went out about 'The Good Times Virus'
> > This indeed was a Hoax! No Virus can wipe the hard disk just by reading
> > an e-mail message. BUT, this message below told of an attachment that if
> > run would cause dammage!

It could be read that way. And such threats are perfectly feasible. But
this alert is untrue and unhelpful.

The Chinon CD trojan existed but is long past its best-by date.

EOT.

- --
David Harley                          \ | /   alt.comp.virus FAQ
D.Harley@icrf.icnet.uk                 \ | /   & Anti-Virus Web Page
Support & Security Analyst              \ | /   Folk London On-Line gig-list
Imperial Cancer Research Fund       ____\|/____ http://webworlds.co.uk/dharley/

------------------------------

Date: Thu, 05 Dec 1996 15:26:01 -0800
From: Matthew Howard
Subject: Re: Cisco's PIX Firewall

At 04:52 PM 12/4/96 CST, Jeromie Jackson wrote:
>> At 04:17 PM 12/4/96 CST, Jeromie Jackson wrote:
>> > The exploits of sendmail are not based on the vulnerabilities associated
>> >with the sequence number, or the state of the connection. If you are running
>> >sendmail 4.1 on both machines, looking @ such criteria is not fixing the
>> >problem. Sendmail is still VERY vulnerable.
>>
>> MailGuard is an upcoming feature to be released real soon which
>> is designed specifically to protect the inside mailhubs'
>> sendmail daemons. Stay tuned.
>>
>> > For just a bit more money, it appears the user community can get an
>> >application level gateway that would provide more functionality, as well as
>> >better security. If someone is just wanting to do IP filtering & NAT for
>> >their i-net connection, something like a linux box running ipfw would be
>> MUCH cheaper,
>> >and @ T1 speeds, or below, I believe there would be minimal degradation.
>>
>> Speed and Scalability are 2 different things.
>> Degradation on proxy servers occur sharply when there is a large number of
>> client connections it has to "proxy for". With 3 clients pumping ftp data
>> across a proxy server firewall on ethernet you probably won't see a lot of
>> degradation.
>> Try using 100 clients going out to a remote site over a T1, you will
>> probably wonder why
>> your T1 is not saturated if you use a Linux box.
>>
>> > Here's the problem with packet-filtering in a nutshell...
>> >
>> > 1) Packet filtering cannot evaluate data-based attacks.
>> >
>> > 2) Packet filtering bases access control on header information
>> >    (src,port,dst,port,flags). As we all know, this data is not
>> >    authenticated whatsoever, thus spoofing can subvert the ACLs
>>
>> Not only is the PIX not a packet filter, it is spoof-proof and protocol aware.
>>
>> Take the example of CuSeeMee, on ORDINARY PACKET FILTERS you'd have to say:
>>
>> access-list 101 permit tcp 0.0.0.0 255.255.255.255 x.x.x.x 0.0.0.255 estab
>> access-list 101 permit udp 0.0.0.0 255.255.255.255 x.x.x.x 0.0.0.255 eq 7648
>> access-list 101 permit udp 0.0.0.0 255.255.255.255 x.x.x.x 0.0.0.255 eq 7649
>> or
>> set fil inet.in 11 per 0.0.0.0/0 x.x.x.0/24 tcp estab
>> set fil inet.in 12 per 0.0.0.0/0 x.x.x.0/24 udp src eq 7648 dst eq 7649
>> set fil inet.in 11 per 0.0.0.0/0 x.x.x.0/24 tcp src eq 7649 dst eq 7648
>>
>> This opens up UDP ports 7648 and 7649 BLINDLY to all traffic including
>> attacks.
>> Also there's that infamous estab statement where someone who
>> knows how to doctor the ACK bit can inject TCP packets into the customers'
>> net.
>
> Hmm, That certainly looks like packet filtering to me. Based on header
>information, you are making decisions about packet flow. As far as being
>'spoof proof', that is just not correct. If you are talking to '1.2.3.4', I
>can send you a packet appearing as though it is originating from '1.2.3.4',
>you would believe me, because there is no authentication built into IPV4. I would
>agree, that the filtering mentioned above is better than that done w/ a standard
>IP filtering device, although because decisions are being made on objects that
>are not authenticated (header information), ACLs can, and will be vulnerable to
>spoofing/hijacking.

Do you consider Checkpoint a packet filter?

matt

>
>Jeromie Jackson
>Garrison Technologies
>jeromie@garrison.com
>

Matthew Howard                   Product Line Manager
mhoward@cisco.com                Internet Business Unit
408-526-4720 (voice)             Cisco Systems Inc.
408-527-8122 (fax)               170 West Tasman Drive
Building VM2 (corner of First & Vista Montana)
San Jose, CA 95134

------------------------------

Date: 7 DEC 96 03:29:07 EST
From: firewalls-owner
Subject: Undeliverable Message

To: Dean E Vaccher@IS_WBRHQ@BAMSWB
    BAMX400@MGate@BAM [C=US/A=INTERNET/DDA=ID/firewalls-digest(a)GreatCircle.COM]
Cc:
Subject: Firewalls-Digest V5 #654

Message not delivered to recipients below.

VNM3043: Dean E Vaccher@IS_WBRHQ@BAMSWB

**** Attachment message(s) will follow in 1 separate transmissions.
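The "estab" point in the exchange above, as an added illustration that is not code from the thread, from Cisco or from any product: a header-only filter that permits inbound TCP on the ACK bit alone (and UDP 7648/7649 unconditionally) is compared with a minimal connection table that admits inbound traffic only for flows an inside host opened first. The 10.1.1.0/24 inside network, the packet layout and all sample packets are constructed for the example.

```python
"""Stateless 'established' ACL vs. a stateful connection table.

Added example for the packet-filter discussion; constructed addresses
and packets, not a real product's rule engine.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address

INSIDE = IPv4Network("10.1.1.0/24")   # constructed stand-in for x.x.x.0/24
CUSEEME_PORTS = {7648, 7649}          # UDP ports the quoted ACLs open blindly


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP flags; ignored for UDP
    ack: bool = False


def stateless_inbound_permit(pkt: Packet) -> bool:
    """The quoted 'ordinary packet filter' inbound rules: permit tcp any ->
    inside established (ACK set), permit udp to 7648/7649.  Only this
    packet's header is ever consulted."""
    if ip_address(pkt.dst) not in INSIDE:
        return False
    if pkt.proto == "tcp":
        return pkt.ack                # 'estab' means ACK bit set, nothing more
    if pkt.proto == "udp":
        return pkt.dport in CUSEEME_PORTS
    return False


@dataclass
class StatefulFilter:
    """Minimal connection table: inbound packets are admitted only for a
    flow the inside host started, which is what a header-only ACL lacks."""
    table: set = field(default_factory=set)

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Both directions of one flow map to the same table entry.
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def outbound(self, pkt: Packet) -> bool:
        """Inside -> outside: a TCP SYN or any UDP datagram creates state;
        other TCP segments need an existing entry."""
        if ip_address(pkt.src) not in INSIDE:
            return False
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return self._key(pkt) in self.table
        self.table.add(self._key(pkt))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Outside -> inside: unsolicited SYNs are dropped; everything else,
        including an ACK-only segment, must match table state."""
        if ip_address(pkt.dst) not in INSIDE:
            return False
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            return False
        return self._key(pkt) in self.table


def demo() -> dict:
    """Run the same packets through both filters.
    Returns {case: (stateless_permit, stateful_permit)}."""
    fw = StatefulFilter()
    # 1. An inside host opens a TCP connection out; the SYN/ACK comes back.
    syn_out = Packet("tcp", "10.1.1.5", 40000, "198.51.100.7", 80, syn=True)
    synack_in = Packet("tcp", "198.51.100.7", 80, "10.1.1.5", 40000, syn=True, ack=True)
    fw.outbound(syn_out)
    legit = (stateless_inbound_permit(synack_in), fw.inbound(synack_in))
    # 2. A segment with only the ACK bit set, aimed at a port nobody inside opened.
    forged = Packet("tcp", "203.0.113.9", 4444, "10.1.1.20", 139, ack=True)
    forged_ack = (stateless_inbound_permit(forged), fw.inbound(forged))
    # 3. Unsolicited UDP to 7648 from anywhere.
    probe_pkt = Packet("udp", "203.0.113.9", 7648, "10.1.1.20", 7648)
    udp_probe = (stateless_inbound_permit(probe_pkt), fw.inbound(probe_pkt))
    # 4. UDP to 7648 after the inside host started a session with that peer.
    udp_out = Packet("udp", "10.1.1.20", 7648, "198.51.100.7", 7648)
    udp_in = Packet("udp", "198.51.100.7", 7648, "10.1.1.20", 7648)
    fw.outbound(udp_out)
    udp_session = (stateless_inbound_permit(udp_in), fw.inbound(udp_in))
    return {"legit_reply": legit, "forged_ack": forged_ack,
            "udp_probe": udp_probe, "udp_session": udp_session}


if __name__ == "__main__":
    for case, (stateless, stateful) in demo().items():
        print(f"{case:12s} stateless={stateless} stateful={stateful}")
```

The two filters agree on legitimate replies and disagree on exactly the two cases the thread argues about: the ACK-only segment and the unsolicited UDP datagram pass the header-only rules and are dropped by the connection table.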
------------------------------

End of Firewalls-Digest V5 #655
*******************************

To unsubscribe from Firewalls-Digest, send the following command in the
body of a message to "Majordomo@GreatCircle.COM":

        unsubscribe firewalls-digest

If you want to subscribe or unsubscribe an address other than the
account the mail is coming from, such as a local redistribution list,
then append that address to the command; for example, to subscribe
"local-firewalls":

        subscribe firewalls-digest local-firewalls@your.domain.net

A non-digest (direct mail) version of this list is also available; to
subscribe to that instead, replace all instances of "firewalls-digest"
in the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from
FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is
the volume number, and "MMM" is the issue number).

From firewalls-owner Sat Dec 7 02:08:24 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA28398 for firewalls-outgoing; Sat, 7 Dec 1996 01:47:11 -0800 (PST)
Received: from relay-7.mail.demon.net (relay-7.mail.demon.net [194.217.242.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA28360 for ; Sat, 7 Dec 1996 01:46:59 -0800 (PST)
Received: from dowrmain.demon.co.uk ([158.152.123.251]) by relay-5.mail.demon.net id aa529999; 7 Dec 96 9:43 GMT
Message-ID: <7aZAABABZTqyEw2r@dowrmain.demon.co.uk>
Date: Sat, 7 Dec 1996 09:17:53 +0000
To: firewalls@greatcircle.com
From: Ian Wade
Reply-To: Ian Wade
Subject: Re: Can You Believe It?
In-Reply-To: <199612070025.QAA26433@tu228.tus.ssi1.com>
MIME-Version: 1.0
X-Mailer: Turnpike Version 3.00
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <199612070025.QAA26433@tu228.tus.ssi1.com>, Scott Cokely writes
>Responding to Robert Evans, who said:
>>
>> Hi All,
>> I am working with this company that is mostly old iron and we are
>> helping them add tcp/ip into their 3000+ workstation environment spread
>> across 5 buildings. We are adding Unix boxes into their network,
>> switched atm.
>
>Tell them that their entire network could be paralyzed by a single bad PC
>Ethernet card.
>

Tell them also that someone could cause mayhem by adding a new host to
the network with the same IP address as an existing host. This happened
several times at a customer I did work for whose Class B net used to
span several *countries*. Tracking down the offending hosts wasted a
*lot* of time.

Ian
--
\|--------\|--------\|--------\|   Ian Wade
|\--------|\--------|\--------|\   http://www.netro.co.uk/nosintro.html
|        |        |        |       for all about KA9Q NOS.
|  Netro | Press  |  (tm)  |

From firewalls-owner Sat Dec 7 02:23:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA00982 for firewalls-outgoing; Sat, 7 Dec 1996 02:14:02 -0800 (PST)
Received: from news.rc.on.ca ([207.176.151.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id CAA00939 for ; Sat, 7 Dec 1996 02:13:37 -0800 (PST)
Received: by mail.rc.on.ca with IMAIL 2.0 id <01BBE3FC.FC5BF7D0@mail.rc.on.ca>; Sat, 7 Dec 1996 05:10:38 -0500
Message-ID:
From: Russ
To: "'Richard E. Obrecht'"
Cc: "'Firewalls Mailing List'"
Subject: RE: Why would someone want an NT firewall?
Date: Sat, 7 Dec 1996 05:10:38 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Connector (Beta) (4.5.1280.0)
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi again, southeast Asia?
Not sure, I could check cnn.com's weather site if you need me to. My tan
is actually fading, what with the snow and all up here in Canada.
*
No hurry in responding, I didn't send you a message anyway. Too bad
about Nashville, but it should have been fun to be free from the laptop
for a change. Ooh, another message from you?, when you're home?, this
should be fun.
*
Tom Stewart, hey, my parents' name is Stewart, maybe Tom knows them. My
name is familiar to lots of people, it's always in the mailing lists so
lots of people have heard it. I've never worked at Manville, though, but
I did have a friend in High School named Brent Manville, maybe Tom knows
him?
*
Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
mailto:Russ.Cooper@RC.on.ca <-- *note the new address*

----------
From: firewalls-owner@GreatCircle.COM[SMTP:firewalls-owner@GreatCircle.COM] on behalf of Richard E. Obrecht[SMTP:ro03868%itsaxp6@cobe.com]
Sent: Friday, December 06, 1996 11:28 AM
To: Firewalls@GreatCircle.COM; pollock@houston.omnes.net
Subject: Re: Why would someone want an NT firewall?

Don,

Hello again! How's southeast Asia? Warm? I'll bet your tan is getting
better! 8^). I've not responded to you because I've been in Nashville
(with no laptop). I'll send you a message this weekend, when I get home.

I'm with a guy named Tom Stewart, and he says your name is familiar. He
asked if you ever worked at Manville. Did you? Lemme know.
See ya,

Rich

From firewalls-owner Sat Dec 7 03:52:45 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA07543 for firewalls-outgoing; Sat, 7 Dec 1996 03:42:00 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA07525 for ; Sat, 7 Dec 1996 03:41:41 -0800 (PST)
Received: from big-dogs.cisco.com ([171.68.53.75]) by lint.cisco.com (8.6.10/CISCO.SERVER.1.1) with SMTP id DAA08982; Sat, 7 Dec 1996 03:40:58 -0800
Message-Id: <2.2.32.19961207114102.006ca734@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 07 Dec 1996 06:41:02 -0500
To: Todd Graham Lewis
From: Paul Ferguson
Subject: Re: Proxy & illegal IP numbers
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:58 PM 12/6/96 -0500, Todd Graham Lewis wrote:
>
>> Yes, but one should net expect RFC-1918 prefixes to be routable in
>> the global Internet. If you do, you're in for a rude awakening. ;-)
>
>One should not expect that RFC-1918 prefixes will never be routed in the
>global Internet. If you do, you're in for a rude awakening. :-(
>

Well, they do occasionally leak, but that's not intentional (at least
we hope not). It is not the intent to intentionally allow RFC-1918
prefixes to be globally routed.

- paul

--
Paul Ferguson                  ||        ||
Consulting Engineering         ||        ||
Herndon, Virginia USA         ||||      ||||
tel: +1.703.397.5938      ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com   c i s c o  S y s t e m s

From firewalls-owner Sat Dec 7 04:07:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA07794 for firewalls-outgoing; Sat, 7 Dec 1996 03:55:00 -0800 (PST)
Received: from news.rc.on.ca ([207.176.151.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id DAA07774 for ; Sat, 7 Dec 1996 03:54:23 -0800 (PST)
Received: by mail.rc.on.ca with IMAIL 2.0 id <01BBE40A.F9D2D390@mail.rc.on.ca>; Sat, 7 Dec 1996 06:50:47 -0500
Message-ID:
From: Russ
To: "'Adrian Knight'"
Cc: "'Firewalls Mailing List'"
Subject: Flood Insurance (was Why would someone want an NT firewall?)
Date: Sat, 7 Dec 1996 06:50:46 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Connector (Beta) (4.5.1280.0)
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Adrian brought up some good points, and much of the response to his
message was based on very sound security knowledge. Of course the
assumption was that he had missed a few too many security classes and
wasn't addressing the issues that Gatekeepers have faced for ages. Some
of his comments flew in the face of convention, and people responded
accordingly. O.K., that's understandable, nobody wants lurkers to come
away with the impression that you don't need to think of all the woes
that might befall a Firewall that isn't adequately maintained.
*
Hence my reference to flood insurance. Most home-owners don't have
flood insurance, but yet floods are the single biggest cause of home
damage in the U.S. But just because someone doesn't have flood
insurance doesn't mean that they don't have home insurance. I'm
applying this analogy to Firewalls, where flood insurance plus home
insurance equals a Firewall and a very technically knowledgeable staff,
site security policy, etc.
Home insurance equals a Firewall, by itself, without an administratively
knowledgeable staff, no site security policy, etc.
*
There are a lot of places where security is not paramount, functionality
is. Their environment has been running without a security policy for
years, and all security centered around the password they typed into
Windows, or Netware. The number of nodes isn't important, but for the
sake of the discussion, let's say there are 100 Win95 machines and an NT
server using TCP/IP in a single subnet 10.1.1.x. They trust each other,
and thus far (to their knowledge) their biggest problems wrt security
are trying to keep people from putting too many icons in the public
shares, or making copies of games available to others on the LAN.
Payroll, the one place where they have put some security in place, is on
a separate physical network.
*
Now they want to provide outbound access to the Internet for their
users, Web and Email, that's all for now. They want to put up a web
site, run their own DNS, and do email with the 'net. They've got a few
people who dial-in now to a Shiva box to get connected to their net.
They've heard about hacking and know that they can't just connect their
network to the Internet, so they've asked you to come in and give them a
Firewall to protect them.
*
They've got 2 LAN admins (neither with more than 5 years experience,
they install software and punch down cable) and a Manager (she's got 10
years experience and does most of the trouble-shooting). All of them are
going to be Firewall Administrators.
*
---------
So here's their requirement;
*
We need to be able to give people outbound access to HTTP, FTP, NNTP,
and POP3 (some users want to read their mail from their own ISPs sites).
The web server isn't sophisticated, just some plain pages with pretty
pictures and our phone number, but we can update content using floppy
diskettes if we have to.
There's a LAN mail system, which the clients connect to, so it's the
only box that needs to talk SMTP, it's inside the LAN. The ISP is
hosting the NNTP. We want to be able to have a document that says
precisely what we're supposed to do to add a new user to the Firewall
using that standard user configuration. We want to have reports come
off the Firewall that tell us what people are doing, in a summary form.
We don't want to know we're being attacked, we just want the attack to
be thwarted. If someone is doing a denial of service attack on us, we
want to be able to call the consultant and have them tell us what to
do. We believe that if we were down for 24 hours, it wouldn't seriously
impact our business, more than that and it gets more serious. We want
to watch an installation of the Firewall, and we'll document everything
that has to be done to get to the point where our standard user
configuration is set up so we can put the users back in if the box
blows up.
*
We don't have lots of money, we don't want to learn lots about any
particular OS, we don't want to learn about hacking. Maybe over the next
year or two we'll read some books if you'd like to recommend some, but
since we just want to add or remove users with our standard user
configuration, we don't think we should have to do a whole lot. If we
run into something that looks really weird, we'll call you. We'll buy a
maintenance contract if you can explain to us why we would have to (I
mean, if a hacker finds a way to get through your Firewall, doesn't that
mean that your Firewall has a bug? And if it has a bug, shouldn't you
fix it for free?)
------------
*
Sound familiar to you consultants out there? What do you do? Do you
spend days explaining to them all the pitfalls in the lack of a security
policy? to the point of pissing them off so much that they send you
away? Do you make them aware of how insecure their site would be without
knowledge/secpolicy and get them to sign an acknowledgment?
Do you say you can't help them since you can't guarantee any level of
service?
*
It's not a matter of Linux, NT, or Solaris. It's a matter of giving them
something that will meet *their* stated requirements. It's not a matter
of them learning security, employing security, or reviewing security,
it's a matter of them being able to follow a list of instructions to be
performed on a reasonably intelligent tool.
*
This list is dedicated to selling flood insurance, and for many sites,
rightfully so. But it's a fact that the vast majority of sites getting
connected to the Internet today want home insurance only. Something
similar to what I've described above, and are as unwilling as my pretend
client to put the time/money/effort into maintaining that security. They
believe that for the money they will spend, they should get something
that can do most, if not all, the work itself. To many, the Firewall
system (router, hub, Firewall box, Firewall software, land-line to CO,
CSU/DSU, and Internet feed) represents the most expensive single system
they have in their network. It better be better than all the rest.
*
So here comes the part I expect to get flamed over...where do these
people go to get advice about what system will do that for them? If they
come here and say something like that, they'll get raked over the coals
for not being paranoid enough, or being too lax, or being too foolish.
If they suggest that their boss might need to make a change to their
Firewall in their absence, they're belittled to the point of
embarrassment because they're allowing anyone to touch their box who
hasn't had the proper training (yet all that the boss needs to do is
follow a simple set of instructions). If they wanted to ask about home
insurance, they're told they *must* buy flood insurance as well.
*
Where's the "middle-of-the-road" security policy discussions? Where's
the discussions that talk about the "realistic" chances of a particular
hack happening to someone?
Is making a connection to the Internet as fatal a decision as we all
might make it seem? It's so easy to be purists, and say "without
everything you have nothing". Without flood insurance your home
insurance is useless. To the lurkers, the wanna-bes, the people thinking
about getting connected, is the only option available to them the one
that requires them to learn the nuances of each protocol? Can't they
just turn off all but the ones their business needs, and rely on the
Firewall documentation to say that this protocol or that is a scary
thought? Couldn't there be a web site somewhere that has simple and
realistic descriptions of the potential problems that might occur for
each protocol? Couldn't they want to be reactive instead of proactive
if it means they can continue to do things the way they have been
(...customer says "I enabled NetMeeting a couple of weeks ago, and
yesterday somebody's word document started changing in front of them,
so I disabled NetMeeting").
*
Couldn't they just accept the fact that a flood is going to wipe them
out, and keep an eye on the waterline and weather reports?
*
Comments?
*
Cheers,
Russ
R.C. Consulting, Inc.
- NT/Internet Security Consulting
mailto:Russ.Cooper@RC.on.ca <-- *note the new address*

From firewalls-owner Sat Dec 7 04:37:38 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA08683 for firewalls-outgoing; Sat, 7 Dec 1996 04:29:42 -0800 (PST)
Received: from netcom.netcom.com (netcom.netcom.com [192.100.81.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA08673 for ; Sat, 7 Dec 1996 04:29:23 -0800 (PST)
Received: (from judab@localhost) by netcom.netcom.com (8.6.13/Netcom) id EAA25120; Sat, 7 Dec 1996 04:28:45 -0800
Date: Sat, 7 Dec 1996 04:28:44 -0800 (PST)
From: Juda Barnes
To: firewalls@greatcircle.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Date: Fri, 6 Dec 1996 04:02:07 -0800 (PST)
From: Majordomo@GreatCircle.COM
To: judab@netcom.com
Subject: Majordomo results

--

>>>> unsubscribe firewalls
Succeeded.
>>>> unsubscribe firewalls-digest
**** unsubscribe: 'judab@netcom.com' is not a member of list 'firewalls-digest'.
**** contact "firewalls-digest-approval" if you need help.
>>>> unsubscribe firewalls-performance-digest
**** unsubscribe: 'judab@netcom.com' is not a member of list 'firewalls-performance-digest'.
**** contact "firewalls-performance-digest-approval" if you need help.
>>>>
>>>>

For safety I sent unsubscribe to all the mailing lists in greatcircle.com
and I still get the mailing list. SOME1 HELP ME, I don't want to read the
firewall mailing list. I have about 300 messages in 2 days; that's
costing me a lot of money/space/time to delete the messages!
From firewalls-owner Sat Dec 7 07:53:31 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA16332 for firewalls-outgoing; Sat, 7 Dec 1996 07:40:17 -0800 (PST)
Received: from mail.crl.com (mail.crl.com [165.113.1.22]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA16303 for ; Sat, 7 Dec 1996 07:40:02 -0800 (PST)
Received: from crl12.crl.com by mail.crl.com with SMTP id AA10515 (5.65c/IDA-1.5 for ); Sat, 7 Dec 1996 07:40:01 -0800
Received: by crl12.crl.com id AA24872 (5.65c/IDA-1.5); Sat, 7 Dec 1996 07:31:13 -0800
Date: Sat, 7 Dec 1996 07:31:11 -0800 (PST)
From: "Joseph W. Stroup"
To: James Egan
Cc: firewalls@greatcircle.com
Subject: Re: your mail/Personal/Help
In-Reply-To: <9612061553.AA17016@milford.iai.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have a bitch about this list. It's the lame header people use. When I
see a subject header (out of 2,000 e-mail) that says "your mail" or
URGENT or HELP. People, use your brains.

"It's 88ms to Phoenix, we've got a full disk of Gif's, a full meg of
Hypertext, it's dark and we're wearing sunglasses." "Click it."

From firewalls-owner Sat Dec 7 08:09:30 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA16385 for firewalls-outgoing; Sat, 7 Dec 1996 07:40:56 -0800 (PST)
Received: from mail.crl.com (mail.crl.com [165.113.1.22]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA16352 for ; Sat, 7 Dec 1996 07:40:39 -0800 (PST)
Received: from crl12.crl.com by mail.crl.com with SMTP id AA10532 (5.65c/IDA-1.5 for ); Sat, 7 Dec 1996 07:40:03 -0800
Received: by crl12.crl.com id AA24884 (5.65c/IDA-1.5); Sat, 7 Dec 1996 07:32:38 -0800
Date: Sat, 7 Dec 1996 07:32:37 -0800 (PST)
From: "Joseph W. Stroup"
To: Rabid Wombat
Cc: toon@cem-bb.e-mail.com, firewalls@GreatCircle.COM
Subject: Re: None
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

HERE WE GO AGAIN. WHAT THE HECK KIND OF SUBJECT LINE IS NONE ?

>
> On Fri, 6 Dec 1996 toon@cem-bb.e-mail.com wrote:
>
> > Next topic:
> >
> > Some1 told me that 'I have to filter out VERIFY and EXPAND when letting
> > mail through my firewall'. Can some1 explain to me what this means?
> >
>
> VERIFY and EXPAND are commands that can be issued to SENDMAIL. Their
> legitimate uses are:
>
> Verify: determines if the username you've specified exists
> Expand: determines which usernames will receive the mail sent to the
> address specified - for example, the account "root" might expand to
> usernames "bob" and "alice" if they are the sysadmins, and don't want to
> log in as "root" to check for root mail.
>
> An intruder can telnet to port 25 and run these commands to gather
> information. You shouldn't allow access to port 25 on systems that AREN'T
> supposed to be receiving mail, anyway. You may want to block EXPAND,
> possibly verify as well, on the others.
>
> -r.w.
>

"It's 88ms to Phoenix, we've got a full disk of Gif's, a full meg of
Hypertext, it's dark and we're wearing sunglasses." "Click it."

From firewalls-owner Sat Dec 7 08:23:03 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA18908 for firewalls-outgoing; Sat, 7 Dec 1996 08:08:14 -0800 (PST)
Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA18859 for ; Sat, 7 Dec 1996 08:07:45 -0800 (PST)
Received: (from proberts@localhost) by gargoyle.clark.net (8.7.4/8.7.3) id LAA10070; Sat, 7 Dec 1996 11:08:38 -0500
Date: Sat, 7 Dec 1996 11:08:37 -0500 (EST)
From: "Paul D. Robertson"
X-Sender: proberts@localhost
To: Russ
cc: "'Adrian Knight'" , "'Firewalls Mailing List'"
Subject: Re: Flood Insurance (was Why would someone want an NT firewall?)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 7 Dec 1996, Russ wrote:

> It's not a matter of Linux, NT, or Solaris. It's a matter of giving them
> something that will meet *their* stated requirements. It's not a matter
> of them learning security, employing security, or reviewing security,
> it's a matter of them being able to follow a list of instructions to be
> performed on a reasonably intelligent tool.

You're mixing a lot of levels of knowledge in what you've come up with.
But, if the above is true, then perhaps it is *good* that they don't use
NT. "Configuration Changes" normally don't mean adding users, they mean
adding protocols, and if you do that without the requisite protocol
knowledge, and allow something silly in, you're not just not getting
flood insurance, you're invalidating your whole policy. Remember when
Progressive Networks said "Tell your firewall administrator to open
UDP."?

> *
> security. They believe that for the money they will spend, they should
> get something that can do most, if not all, the work itself. To many,
> the Firewall system (router, hub, Firewall box, Firewall software,
> land-line to CO, CSU/DSU, and Internet feed) represents the most
> expensive single system they have in their network. It better be better
> than all the rest.
> *

Which means that they expect it to be 100% effective. If they don't
understand the issues, and they don't understand the model(s) that exist
in this area, then they will not have their expectations met, and worse,
they could be opening themselves up for an attack. That doesn't _just_
impact them, it impacts almost every single one of us on this list who
run firewalls.
We have a difficult enough job trying to quantify the need for security
without massive numbers of break-ins at supposedly "protected" sites.
If someone isn't willing to spend a few hundred dollars and two days on
training their people, then they should buy their firewall from someone
with configuration and installation, and not worry about it running NT
_at_all_.

> So here comes the part I expect to get flamed over...where do these
> people go to get advice about what system will do that for them? If
> they come here and say something like that, they'll get raked over the
> coals for not being paranoid enough, or being too lax, or being too
> foolish. If they suggest that their boss might need to make a change to
> their Firewall in their absence, they're belittled to the point of
> embarrassment because they're allowing anyone to touch their box who
> hasn't had the proper training (yet all that the boss needs to do is
> follow a simple set of instructions). If they wanted to ask about home
> insurance, they're told they *must* buy flood insurance as well.

They _want_ a comprehensive insurance policy, they've been told they're
buying one. "Open all UDP ports" is a fairly simple set of instructions,
on some firewalls it's a couple of mouse clicks. Would you =really=
advocate that someone blindly change the configuration of their
firewall?

> nuances of each protocol? Can't they just turn off all but the ones
> their business needs, and rely on the Firewall documentation to say
> that this protocol or that is a scary thought? Couldn't there be a web

The problem is they don't *know enough* to turn off all but the ones
their business needs.

> site somewhere that has simple and realistic descriptions of the
> potential problems that might occur for each protocol? Couldn't they

Knowing what you know about the Internet, you'd honestly advocate
relying on a web site for novice admins?
> Couldn't they just accept the fact that a flood is going to wipe them > out, and keep an eye on the waterline and weather reports? This, unfortunately, means that you have to know what "rain", "snow", and things like that mean in conjunction with your area. "What is UDP", a question I've seen a handful of times on comp.security.firewalls, isn't the type of question I'd want someone changing filter rules to be asking. If you don't have the knowledge in-house, and aren't willing to train, or hire it, you should stick with buying it from a reputable consultant, and not even worry about specifying platforms, products, or the like. If you're gonna play weatherman, you have to know that pressure rises and falls. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280 From firewalls-owner Sat Dec 7 09:22:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA23917 for firewalls-outgoing; Sat, 7 Dec 1996 09:10:18 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA23877 for ; Sat, 7 Dec 1996 09:09:56 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id MAA05108; Sat, 7 Dec 1996 12:06:27 -0500 From: Adam Shostack Message-Id: <199612071706.MAA05108@homeport.org> Subject: Re: Breakin through firewall. 
In-Reply-To: from Chris Michael at "Dec 6, 96 11:07:02 am" To: cm@rmsbus.com (Chris Michael) Date: Sat, 7 Dec 1996 12:05:33 -0500 (EST) Cc: firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Chris Michael wrote: | I've never seen anything on the net about breakins through correctly | configured firewalls. Is this because it doesn't happen or because | people aren't talking? People don't talk about breakins, but usually, there is a way around the firewall, via dialups, leased lines, etc. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From firewalls-owner Sat Dec 7 09:37:32 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA24039 for firewalls-outgoing; Sat, 7 Dec 1996 09:12:15 -0800 (PST) Received: from scifi.squawk.com (scifi.squawk.com [208.2.80.64]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA23963 for ; Sat, 7 Dec 1996 09:10:57 -0800 (PST) Received: (from njs@localhost) by scifi.squawk.com (8.6.11/8.6.9) id NAA28725; Sat, 7 Dec 1996 13:05:46 -0500 Date: Sat, 7 Dec 1996 13:05:46 -0500 (EST) From: Nick Simicich To: Chris Michael cc: "'firewall-list'" Subject: Re: Breakin through firewall. In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Fri, 6 Dec 1996, Chris Michael wrote: > I've never seen anything on the net about breakins through correctly > configured firewalls. Is this because it doesn't happen or because > people aren't talking? There have been stories about breakins through firewalls because of bugs in firewalls posted to this list. I've also heard of cases where known bugs were not thwarted by firewalls, but there were no stories of break-ins (that I heard), and then the firewalls were fixed. 
However, 'properly configured' is sort of an odd thing. At one level, properly configured means configured so that no breakins are possible. At another level, properly configured means configured so that an internet use (I won't call it a security) policy is correctly implemented. I can say, "My Internet Use policy is to allow direct connection from the internet for mail delivery. I will therefore configure my firewall to accept connections from any internet address to port 25 on any internal box." And if someone breaks in to a site that is configured like that, they have technically broken in through the firewall. It is exactly this sort of mis-configuration that can occur if someone inexperienced tries to configure a firewall. To allow port mode FTP from inside sites, you allow connections from port 21 to any inside port higher than 1023 (1024+). Is that safe? Noooooo..... but it is a correct implementation of a security policy I've seen in a filtering router spec. There has to be someone who says, "I don't care how much you want to do this thing, it is just unsafe. You'll have to find another way to do your job." This is the job of the security officer, and this person will, perforce, be unpopular, because it is this person's job to say, "No." or maybe "you can do that, but it will cost you X more to do it securely - this is how." And when this person tells the executive management of the company, "No reading your mail from Eudora by calling MCInet directly - we are going to disallow POP3 connections from outside the firewall to inside the firewall." s/he is likely to be on the street, and there are going to be holes poked through the firewall willy-nilly. This is a correct configuration of the firewall, of course, regarding this use policy, and I think that the consensus is that it is not a 'safe' policy regarding break-ins. 
Especially at places that have been freely connected to the internet, there may be a large amount of existing, security-free use of the internet. I was called to help a place secure their connection a while back, and told, "We have quite a bit of X-window use to multiple sites and to home systems via ISPs. We want to install a firewall and we want to be secure, but we don't want to impact X-Windows. We are not willing to consider things like ssh and so forth, as they would impact our use." I withdrew from the project, because it was clear that the network management were going to tell overall management that this was secure and that the 'Security Consultants' had worked on it and blessed it. And if someone had broken in, they would have 'broken in through the firewall'. Is it "Net Surfing" or "Net Serfing"? - a slave of the net... Nick Simicich (last choice) http://scifi.squawk.com/njs.html -- Stop by and Light Up The World! From firewalls-owner Sat Dec 7 10:22:43 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA28041 for firewalls-outgoing; Sat, 7 Dec 1996 10:18:39 -0800 (PST) Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA27969 for ; Sat, 7 Dec 1996 10:18:20 -0800 (PST) Message-Id: <199612071818.KAA27969@miles.greatcircle.com> Received: by hp01.vak12ed.edu (1.37.109.20/16.2) id AA112272631; Sat, 7 Dec 1996 13:17:11 -0500 From: "W.C. Epperson" Subject: Re: Why would someone want a moron security manager? To: firewalls@greatcircle.com Date: Sat, 07 Dec 1996 13:17:11 EST Reply-To: epperson@vak12ed.edu X-Mailer: Elm [revision: 109.18] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >>>>> "Adrian" == Adrian Knight writes: Adrian> 2) We don't want to hire a rocket scientist to manage our Adrian> firewall. A message earlier referred to firewalls being Adrian> "necessarily technical." That's bogus. 
I think it's Adrian> possible that a lot of people making money off of firewalls Adrian> might want to keep them that way, but there are a lot of Adrian> average people out there who want to AND CAN handle managing a Adrian> firewall right along with the MANY other types of systems that Adrian> are also included in our job responsibilities. Nor does NASA want to hire Steve Bellovin to run Mission Control. The idea that a security policy can be established and implemented via a firewall without bothering to gain a degree of understanding of the technical threats is _way_ beyond bogus, regardless of the interface involved. Adrian> I can be gone for a couple of weeks and even my boss, a Adrian> manager, can sit down and make changes to the firewall Adrian> comfortably. Jeez. I'm glad you're not in charge of the water plant. Adrian> 3) At the time of my research a year ago, most mainstream Adrian> firewalls ran on minicomputer-class machines like Sun Sparc, Adrian> HPUX, AIX. For an educational site with good discounts, a Adrian> platform like that ran around $15,000. We put our firewall on Adrian> a well-endowed NT PC for $5,000. Hardware and software Adrian> maintenance is also much cheaper I take it this is pure flame bait. Any numbers to back up the "most" assertion? I'd conjecture that at the time a large proportion, if not the majority, of the installed base, were FWTK setups and Gauntlets. At that time I think the turn-key price for a Gauntlet, including hardware, software, and installation, was $15K. And I have year old HP9000/800s and RS6000s that cost significantly under $15K. And if you compare piecemeal component support to the fully integrated problem resolution services typical of the minicomputer class vendors, well, I reckon it _is_ cheaper, at least 'til you factor in the downtime.... -- W.C. Epperson, Senior SE "I have great faith in fools. Self-confidence, my friends call it." 
Information Security Officer --Edgar Allan Poe-- DBA Emeritus Curmudgeon-for-Life Virginia Dept. of Education epperson@pen.k12.va.us From firewalls-owner Sat Dec 7 10:43:40 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA28149 for firewalls-outgoing; Sat, 7 Dec 1996 10:20:09 -0800 (PST) Received: from klawatti.inside.sealabs.com (klawatti.sealabs.com [207.54.9.49]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA28094 for ; Sat, 7 Dec 1996 10:19:28 -0800 (PST) Received: from torment.sealabs.com (torment.inside.sealabs.com [192.168.49.53]) by klawatti.inside.sealabs.com (8.7.6/8.7.4) with ESMTP id KAA29335; Sat, 7 Dec 1996 10:18:26 -0800 Received: (from david@localhost) by torment.sealabs.com (8.7.4/8.7.4) id KAA06173; Sat, 7 Dec 1996 10:18:29 -0800 Date: Sat, 7 Dec 1996 10:18:29 -0800 Message-Id: <199612071818.KAA06173@torment.sealabs.com> From: David Bonn To: Russ Cc: "'Firewalls Mailing List'" Subject: Re: Flood Insurance (was Why would someone want an NT firewall?) In-Reply-To: References: X-Face: XqRX&d@*a1_=Sj'S2uy!1yF*A;#j3jP MlQ~tg6Wz[+$c~|cKDX; Sat, 7 Dec 1996 10:44:11 -0800 (PST) Received: (http://www.hotmail.com 8886 invoked by uid 0); 7 Dec 1996 18:43:37 -0000 Date: 7 Dec 1996 18:43:37 -0000 Message-ID: <19961207184337.8885.qmail@hotmail.com> Received: from 206.86.127.204 by www.hotmail.com with HTTP; Sat, 07 Dec 1996 10:43:37 PST From: "Adnan Shubber" To: raoof@alnadeem.com.bh Cc: krumb@proaxis.com, ssl-talk@netscape.com, firewalls@greatcircle.com Subject: Fwd: CROATION RADIO STATION (fwd) Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >From krumb@proaxis.com Thu Dec 5 07:43:21 1996 >Received: from krumb (pr04-59.proaxis.com [206.163.143.121]) by speedy.proaxis.com (8.8.3/8.6.12) with SMTP id HAA16609; Thu, 5 Dec 1996 07:41:44 -0800 (PST) >Message-ID: <32A6EC4C.7A5C@proaxis.com> >Date: Thu, 05 Dec 1996 07:37:48 -0800 >From: "Greg A. 
Leytem" >X-Mailer: Mozilla 2.01 (Win95; U) >MIME-Version: 1.0 >To: zacjaz@proaxis.com, zoe@proaxis.com, rickcaro@pty.com, > spiroux@compumedia.com, ske676@airmail.net, RShapiro@worldnet.att.net, > jesse.miner@Connects.Com, edavis@nuri.net, DHerron227@aol.com, > spboy@geocities.com, shubber@hotmail.com >Subject: CROATION RADIO STATION (fwd) >Content-Type: text/plain; charset=us-ascii >Content-Transfer-Encoding: 7bit >>Subject: CROATION RADIO STATION (fwd) >>To: Tadeusz Lesiecki >>Date: Wed, 4 Dec 1996 11:24:32 +0000 (MET) >>From: Dominik Uhlig >>Content-Length: 5386 >> >>Forwarded message: >>> From usctoux1 Mon Dec 2 11:22:35 1996 >>> Date: Mon, 2 Dec 1996 11:25:54 -0800 (PST) >>> From: "C.I. van Bochove" <157292cb@student.eur.nl> >>> To: jeroen Kulk , >>> Dominik Uhlig , martin , >>> Darlyn Rodriguez >>> Subject: CROATION RADIO STATION (fwd) >>> X-Sender: 157292cb@mstore.eur.nl >>> Message-Id: >>> Mime-Version: 1.0 >>> Content-Type: TEXT/PLAIN; charset=US-ASCII >>> Content-Transfer-Encoding: QUOTED-PRINTABLE >>> >>> >>> >>> >>> ---------- Forwarded message ---------- >>> Date: Sat, 30 Nov 1996 16:21:19 -0500 (EST) >>> From: xLanax >>> To: anschorr@vassar.edu, lesliew9@tcd.net, boris.laharnar@kiss.uni-lj.si, >>> trev@local.net, VISBRE06@pct.edu, bkantore@astro.ocis.temple.edu, >>> 157292cb@student.eur.nl, Carsten.Bogler@informatik.tu-chemnitz.de, >>> crazy@sisna.com, Daniel.Herman@oberlin.edu, XDANX@EROLS.COM, >>> naccarat@TCNJ.EDU, xabyssx@wam.umd.edu, evens@netpower.no, >>> ian@liquidsky.com, xlurkerx@grotl.com, sneek@juno.com, jinx@direct.ca, >>> Dead.end@edeneast.com, jpeterso@nimbus.ocis.temple.edu, >>> jet200@is6.nyu.edu, XsnapX@aol.com, lifetime@enter.net, >>> volvo3@ix.netcom.com, ghasemlo@total.net, jfox@csrlink.net, >>> xvincex@westcomputer.be, erik@frontier.net, seiferw1@alpha.lasalle.edu, >>> gatton@tiac.net, scotts@kenyon.edu, jlopilato@hotmail.com, >>> sjm6@cornell.edu, ehigbee@epix.net, brabon@komet.teuto.de, >>> nremonde@astro.ocis.temple.edu, 
maroman@vt.edu >>> Subject: CROATION RADIO STATION > > Dear Friends: > Please help save Radio 101 in Zagreb, Croatia from being >canceled!!! >Just add your name to the list and send the message to everyone you >know. > > This message is brought to you by the letter "H" (for HELP) and the > number "1,000,000" (for the number of names we want to sign). > > THANK YOU. > __________________________________________ > > Save RADIO 101 from being cancelled!!!!!! > > This is a petition to save Radio 101 in Zagreb, Croatia. ALL > YOU DO IS ADD YOUR NAME TO THE LIST AT THE BOTTOM, then forward it to > everyone you know. > The only time you send it to the included address is if > you are the 50th,100th, etc. Send it on to everyone you > know. > > Croatian "democracy" government believes that this radio station >is dealing >against state, while this is the ONLY station left which is dealing with >democracy information in Croatia! > > Please add your name to this list if you believe in what we stand for. > > This list will be forwarded to the Government of the Republic >Croatia! > If you happen to be the 50th, 100th, 150th, etc. signer of this >petition, please >forward to: > > > root@r101.com.hr > > and > > www-admin@vlada.hr > > > This way we can keep track of the lists and organize them. > Forward this to everyone you know, and help us to keep > this radio station ALIVE!. > > Thank you. > > ------------------------------------ > > SIGNATURES > > 1. Drago Markovic, Zagreb, Croatia > 2. Sanda Petris, Zagreb, Croatia > 3. Antun Sunjic, Zagreb, Croatia > 4. Maja Dawidowsky, Zagreb, Croatia > 5. Maja Vickovic, Zagreb, Croatia > 6. Vladimir Vuksan, Albuquerque, USA > 7. Bruno Scap, Chico, USA > 8. Bruno Ancic,Zagreb,Croatia > 9. Lovro Seder, Zagreb, Croatia > 10.Nikola Fox, Zagreb, Croatia > 11.Zvonko Tesic, Zagreb, Croatia > 12. Neven Jacmenovic, Zagreb, Croatia > 13. Daniel Kasaj, Zagreb, Croatia > 14. Koraljka Haberle, Zagreb, Croatia > 15. Darko Bunic, Koprivnica, Croatia > 16. 
Lidija Kesak, Zagreb, Croatia > 17. Robert Petracic, Zagreb, Croatia > 18. Renata Marusic, Zagreb, Croatia > 19. Mirana Koljatic, Zagreb, Croatia > 20. Rima Venturin, Skjetten, Norway > 21. Dario Filjar, Athlone, Ireland > 22. Alan Skarica, Zagreb, Croatia > 23. Dario Mavric, Sisak, Croatia > 24. Drazen Stolar, Osijek, Croatia > 25. Alan Jobst, Zagreb, Croatia > 26. Maja Cepak, Zagreb, Croatia > 27. Eta Paro Crnosija, Zagreb, Croatia > 28. Maja Veldt-Poklepovic, Amsterdam, Nederland > 29. Piet Veldt, Amsterdam, Nederland > 30. Zvonimir Bakotin, Amsterdam, Nederland > 31. Paul Garrin, NYC, USA > 32. Johnny Temple, NYC > 33. Dolf Hermannstaedter, Augsburg, Germany > 34. Berry Evers, Amsterdam, Holland > 35. Jerry Goossens, Utrecht, Holland > 36. Linda Lindmark, Goteborg, Sweden > 37. Jesper Lundqvist, Umeå, Sweden > 38. Jose Saxlund, Umeå, Sweden > 39. Marie Werngren, Karlstad, Sweden > 40. Jimmi Johansson, Karlstad, Sweden > 41. Eric Thorkelsson, Vancouver, Canada > 42. Lana Gillis, Mt. Laurel, New Jersey > 43. Chris van Bochove, Zwijndrecht, Nederland > 44. Dominik Uhlig, Siemianowice, Poland > 45. Tadeusz Lesiecki, Katowice, Poland > "failure is not an option" -lana b. gillis > 50. Alicia Leytem, Corvallis, USA > 51. S. Adnan S. Shubber How about that? 
--------------------------------------------------------- Get Your *Web-Based* Free Email at http://www.hotmail.com --------------------------------------------------------- From firewalls-owner Sat Dec 7 12:07:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA09772 for firewalls-outgoing; Sat, 7 Dec 1996 11:59:48 -0800 (PST) Received: from hal-pc.org (hal-pc.org [204.52.135.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA09764 for ; Sat, 7 Dec 1996 11:59:39 -0800 (PST) Received: from pm7-109.hal-pc.org (pm7-109.hal-pc.org [206.222.161.109]) by hal-pc.org (8.7.5/8.6.9) with SMTP id NAA14967 for ; Sat, 7 Dec 1996 13:58:56 -0600 (CST) Message-Id: <199612071958.NAA14967@hal-pc.org> Comments: Authenticated sender is From: "robertp@hal-pc.org" Organization: hal-pc.org To: firewalls@GreatCircle.com Date: Sat, 7 Dec 1996 13:53:33 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: TEMPEST X-mailer: Pegasus Mail for Windows (v2.42a) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk While not on the specific subject of firewalls, I was researching TEMPEST or electromagnetic emanations and discovered there is very little on the net (outside of some on wiretapping and some very interesting white papers from Codex.). Perhaps if you have any URLs, or other information, you could send it to me direct so as not to clutter up this forum with non-related information. Many thanks, Bob Plaumann It is difficult to say what is impossible for the dream of yesterday is the reality of tomorrow - Dr. Robert H. 
Goddard From firewalls-owner Sat Dec 7 12:29:25 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA10288 for firewalls-outgoing; Sat, 7 Dec 1996 12:09:21 -0800 (PST) Received: from bernie.compusmart.ab.ca (bernie.compusmart.ab.ca [199.185.130.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA10281 for ; Sat, 7 Dec 1996 12:09:09 -0800 (PST) Received: from jabel (remote473.compusmart.ab.ca [206.75.85.190]) by bernie.compusmart.ab.ca (8.7.4/8.6.5) with ESMTP id NAA03199 for ; Sat, 7 Dec 1996 13:36:41 -0700 (MST) Message-Id: <199612072036.NAA03199@bernie.compusmart.ab.ca> From: "Justin Abel" To: Subject: Livingstone Firewalls Date: Thu, 5 Dec 1996 10:44:04 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am looking for some comments on the security of Livingstone Firewalls (if anyone has any experience with them!). From firewalls-owner Sat Dec 7 12:38:00 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA11137 for firewalls-outgoing; Sat, 7 Dec 1996 12:27:13 -0800 (PST) From: firewalls-owner Received: from mobile.bam.com (mobile.banm.com [199.74.157.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA11128 for ; Sat, 7 Dec 1996 12:26:59 -0800 (PST) Received: FROM BAMX400.mobile.bam.com BY mobile.bam.com ; 7 DEC 96 15:26:38 EST Date: 7 DEC 96 15:25:25 EST Subject: Undeliverable Message To: Firewalls@GreatCircle.COM MIME-Version: 1.0 Message-ID: <0005vfftfpzp.0005uocuwsyy@mobile.bam.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To: Dean E Vaccher@IS_WBRHQ@BAMSWB BAMX400@MGate@BAM [C=US/A=INTERNET/DDA=ID/firewalls-digest(a)GreatCircle.COM] Cc: Subject: Firewalls-Digest V5 #656 Message not delivered to recipients below. 
VNM3043: Dean E Vaccher@IS_WBRHQ@BAMSWB **** Attachment message(s) will follow in 1 separate transmissions. From firewalls-owner Sat Dec 7 12:59:47 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA11733 for firewalls-outgoing; Sat, 7 Dec 1996 12:35:54 -0800 (PST) Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA11717 for ; Sat, 7 Dec 1996 12:35:44 -0800 (PST) Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id NAA04000; Sat, 7 Dec 1996 13:35:08 -0700 Received: from beckio.precise.ab.ca(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd03996aaa; Sat Dec 7 13:34:58 1996 Received: (from uucp@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id NAA06986; Sat, 7 Dec 1996 13:34:52 -0700 From: Bob Beck Received: from UNKNOWN(192.168.20.5), claiming to be "chocolate.obtuse.com" via SMTP by snouts.obtuse.com, id smtpd06984aaa; Sat Dec 7 13:34:45 1996 Received: (from beck@localhost) by chocolate.obtuse.com (8.7.5/8.7.3) id OAA00860; Sat, 7 Dec 1996 14:20:24 -0700 Message-Id: <199612072120.OAA00860@chocolate.obtuse.com> Subject: Obtuse smtpd 1.12 released. To: firewalls@greatcircle.com Date: Sat, 7 Dec 1996 14:20:23 -0700 (MST) Cc: info@obtuse.com X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Obtuse smtpd version 1.12 is now available at ftp://ftp.obtuse.com/pub/smtpd. Obtuse smtpd is a free store/forward smtp proxy. version 1.12 fixes a couple of bugs from 1.11: - smtpd could emit multiple "421 XXX" messages when exiting. - smtpfwdd would sometimes exit after attempting to process a sibling-processed spoolfile. 
MD5 sums for the release and patch are below ---------------------------------------------------------------- 7c816744c9767431a101c68196c44ed1 patch-smtpd_1.11-1.12.gz edd8b1474d5cb428d60e0ddd4d0feecd smtpd_1.12.tar.gz ---------------------------------------------------------------- Enjoy, -Bob -- Bob Beck Obtuse Systems Corporation beck@obtuse.com http://www.obtuse.com/ True Evil hides its real intentions in its street address. Search and you shall find it, and the truth shall set you free. From firewalls-owner Sat Dec 7 13:38:36 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA15047 for firewalls-outgoing; Sat, 7 Dec 1996 13:02:40 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id NAA14925 for firewalls@greatcircle.com; Sat, 7 Dec 1996 13:02:00 -0800 (PST) Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA05502 for ; Wed, 4 Dec 1996 21:05:22 -0800 (PST) Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id VAA29227 for ; Wed, 4 Dec 1996 21:21:40 -0800 Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id VAA28985 for ; Wed, 4 Dec 1996 21:01:43 -0800 Date: Wed, 4 Dec 1996 21:01:42 -0800 (PST) From: Michael Dillon To: firewalls@GreatCircle.COM Subject: Re: need firewall? (fwd) In-Reply-To: Message-ID: Organization: Memra Software Inc. - Internet consulting MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 4 Dec 1996, Jeff Bauman wrote: > [I got a msg back that said this original msg didn't go through; I > sure want it to, so I'm forwarding it to the list to try again.] > > (If it came through already, I'd appreciate knowing.) Your message came through. 
It's just that this list is plagued with people who subscribe from addresses behind broken mail gateways that don't return the errors to the list-owner but send it to the original writer instead. Michael Dillon - Internet & ISP Consulting Memra Software Inc. - Fax: +1-604-546-3049 http://www.memra.com - E-mail: michael@memra.com From firewalls-owner Sat Dec 7 14:22:38 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA22146 for firewalls-outgoing; Sat, 7 Dec 1996 14:10:51 -0800 (PST) Received: from sgi.sgi.com (SGI.COM [192.48.153.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA22126 for ; Sat, 7 Dec 1996 14:10:31 -0800 (PST) Received: from vengeance.csd.sgi.com ([150.166.144.150]) by sgi.sgi.com (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id OAA01270 for <@sgi.sgi.com:Firewalls@GreatCircle.COM>; Sat, 7 Dec 1996 14:10:01 -0800 Received: from localhost by vengeance.csd.sgi.com via SMTP (951211.SGI.8.6.12.PATCH1042/911001.SGI) for id OAA18874; Sat, 7 Dec 1996 14:09:56 -0800 Date: Sat, 7 Dec 1996 14:09:55 -0800 (PST) From: Darryl John Ong To: Firewalls@GreatCircle.COM Subject: Test, please ignore Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Test From firewalls-owner Sat Dec 7 15:28:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA26400 for firewalls-outgoing; Sat, 7 Dec 1996 15:00:50 -0800 (PST) Received: from [198.102.244.42] (pb520.greatcircle.com [198.102.244.42]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA26376; Sat, 7 Dec 1996 15:00:40 -0800 (PST) X-Sender: brent@miles.greatcircle.com Message-Id: In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Sat, 7 Dec 1996 15:01:32 -0800 To: Darryl John Ong , Firewalls@GreatCircle.COM From: Brent Chapman Subject: Re: Test, please ignore Cc: postmaster@csd.sgi.com Sender: 
firewalls-owner@GreatCircle.COM Precedence: bulk At 2:09 PM -0800 12/7/96, Darryl John Ong wrote: >Test The Firewalls@GreatCircle.COM mailing list is NOT for use for testing. If you believe that there is some problem with the list, please discuss your concerns with Firewalls-Owner@GreatCircle.COM or Postmaster@GreatCircle.COM, but do NOT post test messages to the list. That just annoys about 20,000 people all over the world... -Brent ----------------------+----------------------------+------------------------ Brent Chapman | Great Circle Associates | 1057 West Dana Street Brent@GreatCircle.COM | http://www.greatcircle.com | Mountain View, CA 94041 ----------------------+----------------------------+------------------------ Internet Tutorials from the Experts! From firewalls-owner Sat Dec 7 15:29:02 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA26752 for firewalls-outgoing; Sat, 7 Dec 1996 15:04:12 -0800 (PST) Received: from news.rc.on.ca ([207.176.151.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA26745 for ; Sat, 7 Dec 1996 15:04:05 -0800 (PST) Received: by mail.rc.on.ca with IMAIL 2.0 id <01BBE468.9DECBC90@mail.rc.on.ca>; Sat, 7 Dec 1996 18:01:06 -0500 Message-ID: From: Russ To: "firewalls@greatcircle.com" Subject: RE: CROATION RADIO STATION (fwd) Date: Sat, 7 Dec 1996 18:01:04 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Connector (Beta) (4.5.1280.0) Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Great, now we get spam from "The World's Only Web-Based Free Email", Hotmail, wonderful. I've sent their postmaster a note. * From their membership terms: * 12. MEMBER CONDUCT * [snip] The Service makes use of the Internet to send and receive certain messages; therefore, Member's conduct is subject to Internet regulations, policies and procedures. 
Member will not use the Service for chain letters, junk mail, spamming or any use of distribution lists to any person who has not given specific permission to be included in such a process. [snip] HoTMaiL may, at its sole discretion, immediately terminate Service should Member's conduct fail to conform with these terms and conditions of the HTS. * Cheers, Russ R.C. Consulting, Inc. - NT/Internet Security Consulting mailto:Russ.Cooper@RC.on.ca <-- *note the new address* From firewalls-owner Sat Dec 7 16:06:28 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA25044 for firewalls-outgoing; Sat, 7 Dec 1996 14:50:19 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id OAA25036 for firewalls@greatcircle.com; Sat, 7 Dec 1996 14:50:16 -0800 (PST) Received: from hq1xfwa.freddiemac.com (hq1xfwa1.freddiemac.com [204.253.137.241]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA28480 for ; Fri, 6 Dec 1996 06:00:33 -0800 (PST) Received: from mailgate.freddiemac.com ([161.107.79.103]) by hq1xfwa.freddiemac.com (Hah!/nope) with ESMTP id IAA08859 for ; Fri, 6 Dec 1996 08:58:46 -0500 (EST) Received: from msmail.freddiemac.com (msmail.freddiemac.com [161.107.79.90]) by mailgate.freddiemac.com (8.7.5/8.7.2) with ESMTP id IAA15300 for ; Fri, 6 Dec 1996 08:57:31 -0500 (EST) Received: from Microsoft Mail (PU Serial #1065) by msmail.freddiemac.com (PostalUnion/SMTP(tm) v2.1.9c for Windows NT(tm)) id AA-1996Dec06.090329.1065.40966; Fri, 06 Dec 1996 09:05:01 -0500 From: Barney_Bethke@freddiemac.com (Bethke, Barney) To: firewalls@GreatCircle.COM (Firewalls list) Message-ID: <1996Dec06.090329.1065.40966@msmail.freddiemac.com> X-Mailer: Microsoft Mail via PostalUnion/SMTP for Windows NT Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Organization: Freddie Mac Date: Fri, 06 Dec 1996 09:05:01 -0500 Subject: Procom Question Sender: firewalls-owner@GreatCircle.COM Precedence: bulk 
This isn't exactly a firewall question but closely related. Perhaps within the vast security expertise of the Firewalls list, someone could answer a PC dialup question. What could someone (a hacker) do if they established a Procom connection to a PC? Is it similar to using Carbon Copy or does it depend on some type of software being up and running on the target PC? Could a Procom hacker get at files on the target PC? If the target PC were on a LAN, could an intruder also get at the LAN files/systems? From firewalls-owner Sat Dec 7 16:06:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA25145 for firewalls-outgoing; Sat, 7 Dec 1996 14:51:15 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id OAA25135 for firewalls@greatcircle.com; Sat, 7 Dec 1996 14:51:11 -0800 (PST) Received: from CMSSOFT.STATE.IL.US (mvstcpa.state.il.us [163.191.193.129]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA05381 for ; Fri, 6 Dec 1996 07:12:19 -0800 (PST) Received: from INS084R1.STATE.IL.US by CMSSOFT.STATE.IL.US (Soft*Switch Central V4L40P1A) id 171208090096341FINS084R1; 06 Dec 1996 09:08:09 GMT Message-Id: Date: 06 Dec 1996 09:08:09 GMT From: "Duston Suits" Subject: Re[2]: Why would someone want an NT firewall? To: firewalls@greatcircle.com, knight@HARDING.EDU Comment: MEMO 12/06/96 09:08:00 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I have to agree with Chris. Saying that a product is inferior because it's easier to use is ridiculous. The computer industry has a long history of people who for their own reasons ("job security", ego, paranoia, etc.) build the system so complex and difficult that they feel their employers "couldn't afford to get rid of them" because they (the programmer) are the only one who understands the system ("Jurassic Park" is a good example). 
Then look at what happens to these people, they get fired, and their brainchildren get scrapped, although they are not frequently killed by a dinosaur. Duston Suits LAN Administrator, Web Master State of Illinois, Department of Insurance ______________________________ Reply Separator _________________________________ Subject: Re: Why would someone want an NT firewall? Author: KNIGHT (INTERNET.KNIGHT1) at INSSNAPI Date: 12/6/96 8:19 AM Received: from RELAY2.UU.NET by CMSSOFT.STATE.IL.US (Soft*Switch Central V4L40P1A); 06 Dec 1996 08:19:08 GMT Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) id QQbsvz13820; Thu, 5 Dec 1996 21:54:43 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA03351 for firewalls-outgoing; Thu, 5 Dec 1996 14:12:58 -0800 (PST) Received: from thewall.harding.edu (thewall.harding.edu [192.133.129.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA03267 for ; Thu, 5 Dec 1996 14:12:16 -0800 (PST) Received: from piggy.harding.edu ([10.1.11.5]) by thewall.harding.edu via smtpd (for miles.greatcircle.com [198.102.244.34]) with SMTP; 5 Dec 1996 22:15:02 UT Received: from Harding.edu by Harding.edu (PMDF V5.0-7 #15469) id <01ICNNYB6FCQAKTJ7I@Harding.edu> for FIREWALLS@GREATCIRCLE.COM; Thu, 05 Dec 1996 16:14:56 -0500 (CDT) Date: Thu, 05 Dec 1996 16:14:56 -0500 (CDT) From: Adrian Knight Subject: Re: Why would someone want an NT firewall? In-reply-to: <14343.849823273@deepeddy.DeepEddy.Com> To: FIREWALLS@GREATCIRCLE.COM Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 5 Dec 1996 cwg@DeepEddy.Com wrote: > > Because our firewall is on an NT platform and has a good GUI, I can be > > gone for a couple of weeks and even my boss, a manager, can sit down and > > make changes to the firewall comfortably. 
Several other people in the > > computing department with the passowrd could do the same if they had to. > > After two years, nobody else could sit down to my Solaris box and do > > anything except manage to shut things down. > > While you're at it, do you care to announce to the list when your next > vacation > is? > > Personally, I don't *want* just anybody to be able to modify the firewall. I > also don't want "several other people" to have the password to the firewall. > I wholeheartedly agree! But my company does like to have the option of not being dead-in-the-water if something happens and I, their Great Security Guru, am unavailable or in Alaska. For clarification, I didn't say that several people DO make changes to our firewall. I said several other people COULD make changes if they had to. For example, if we had a hardware failure (which has happened) they could fix the hardware and have the operating system knowledge to be able to get the firewall system up and running again. If the same thing happened on our Solaris box they would be hard-pressed to do any of the above. 
>
> Chris
>
> --
> Chris Garrigues                  O-                     cwg@DeepEddy.Com
> Deep Eddy Internet Consulting                           +1 512 432 4046
> 609 Deep Eddy Avenue
> Austin, TX 78703-4513                       http://www.DeepEddy.Com/~cwg/
>

From firewalls-owner Sat Dec 7 16:42:04 1996
Date: Sat, 7 Dec 1996 14:11:46 -0800 (PST)
From: Darryl John Ong
To: Darryl John Ong
cc: Firewalls@GreatCircle.COM
Subject: test, please ignore

Test again

From firewalls-owner Sat Dec 7 17:07:46 1996
Date: Sat, 7 Dec 1996 19:57:50 -0500 (EST)
From: "Craig I. Hagan"
Reply-To: hagan@cih.com
To: Duston Suits
cc: firewalls@GreatCircle.COM, knight@HARDING.EDU
Subject: Re: Re[2]: Why would someone want an NT firewall?

being that i am in a heretical mood, i'm going to comment that i've seen the following two threads in this debate:

* i don't like microsoft nor their way of conducting business in the OS/firewall market because of X, Y, Z reasons.

* @#%&! setting up and administering a firewall is getting easier. the impact of this is X, Y, Z.

it is my opinion that the demand in the industry requires that implementing security policy will become a task that non-techies can perform. I think that it could be directly inferred from this that, yes, there is a finite amount of time in the future after which techies will not be needed for most security tasks. obviously, one would want to invest a great deal of thought behind policy, but, the implementation of that policy need not be complex. NT appears to provide an environment which is much easier for the lay person to navigate than unix. this is unfortunate, but, it is also reality. This states that i am recognizing that doing what i do will not bring chickens in for the pot in a few years.

Lastly, people mention that the best firewall solution is one in which you can freely review the sources. i totally agree with this. However, i think that most people/companies are willing (due to lack of available expertise) to accept another party's word for it (even a consultant) and be done with the problem. Being that this is the case, what _reasonable_ arguments are there against using an NT based firewall, assuming that it is capable of reliably implementing one's policy in a secure manner.

-- craig

-------------------------------------------------------------------------------
Craig I. Hagan        "It's a small world, but I wouldn't want to back it up"
hagan@cih.com         "True hackers don't die, their ttl expires"

From firewalls-owner Sat Dec 7 17:37:39 1996
Date: Sat, 7 Dec 1996 17:19:19 -0800 (PST)
From: Michael Dillon
To: Firewalls@GreatCircle.COM
Subject: Re: Why would someone want an NT firewall?
In-Reply-To: <199612060632.BAA06238@goffette.research.megasoft.com>
Organization: Memra Software Inc. - Internet consulting

On Fri, 6 Dec 1996, C Matthew Curtin wrote:

> And I can build a FreeBSD-based firewall for $2000 that will (1) be
> made of much-studied, mature components, and (2) kick the snot out of
> NT for performance. (And I don't have to pay $1000 for an operating
> system that comes with a license that allows me to use more than 10
> simultaneous IP connections.)

Can you do this for clients as well as yourself? If so, what are these much-studied, mature components?

Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

From firewalls-owner Sat Dec 7 18:22:53 1996
From: blymn@awadi.com.au (Brett Lymn)
Message-Id: <199612080209.MAA13065@mallee.awadi>
Subject: Re: Re[2]: Why would someone want an NT firewall?
To: DSUITS@INS084R1.STATE.IL.US (Duston Suits)
Date: Sun, 8 Dec 1996 12:39:58 +1030 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Duston Suits" at Dec 6, 96 09:08:09 am

According to Duston Suits:
>
> I have to agree with Chris. Saying that a product is inferior because
> it's easier to use is ridiculous.
>

Yes this is true but, on the other hand, if something is easy to use then it may seduce some people into thinking they have this "firewall thingy" all under control when they have managed to open gaping holes. I mean, would having an easy to use interface help you decide whether or not you allow ICMP through? What's so bad about letting people in organisation A look at our files since they are the only ones with the password, then that should be ok, shouldn't it?
OK, you can have big warnings in the software that say you should not do this, but it still will get done. You can have long detailed explanations in the manual as to why you should not do this or that, but then who reads that stuff anyway since you can do it all from the GUI interface. To do the job properly the person(s) controlling the firewall need to have enough knowledge to know the impact of their decisions; putting a pretty interface on something will not help with that. I am not arguing that a firewall should be something the blessed few should be able to understand, but that the thing needs to be managed correctly for it to work properly, something the proponents of the GUI firewall seem to like to gloss over.

If you don't believe that this can happen then just take a look at how many hits you get on ports 137 & 139 for machines you have never heard of - there are people out there that have put their NT/Win95 machine on the internet and it is merrily broadcasting for name services. When you ask these people to stop, their standard response is "I didn't know it was doing that!"

> The computer industry has a long history of people who for their own
> reasons ("job security", ego, paranoia, etc) build the system so
> complex and difficult that they feel their employers "couldn't afford
> to get rid of them" because they (the programmer) is the only one who
> understands the system ("Jurassic Park" is a good example).

Uhhh get real! Jurassic Park was a movie; the actual computer stuff in that was so off beam as to be laughable (typical Hollywood). Any decent manager should kick anyone in the head that thinks they can secure their job in this manner - NOBODY is indispensable.

> Then look
> at what happens to these people, they get fired, and their brainchildren
> get scrapped, although they are not frequently killed by a dinosaur.

Which is what should happen.
--
Brett Lymn, Computer Systems Administrator, AWA Defence Industries
===============================================================================
"Upgrading your memory gives you MORE RAM!" - ad in MacWAREHOUSE catalogue.

From firewalls-owner Sat Dec 7 19:37:51 1996
Date: Sat, 7 Dec 1996 22:24:01 -0500
Message-Id: <199612080324.WAA08189@goffette.research.megasoft.com>
From: C Matthew Curtin
To: Michael Dillon
Cc: Firewalls@GreatCircle.COM
Subject: Re: Why would someone want an NT firewall?
References: <199612060632.BAA06238@goffette.research.megasoft.com>

>>>>> "Michael" == Michael Dillon writes:

Michael> Can you do this for clients as well as yourself? If so, what
Michael> are these much-studied, mature components?

No, I don't do this for clients. Components are FreeBSD, FWTK pieces (smap, plug-gw), tcp_wrappers, squid proxy cache...

The reason I don't do this for clients is primarily because of my reliance on the FWTK. (Their license for its use specifies that individuals may use it for themselves and for their own organizations.
Doing this sort of thing for clients is violating the license. The whole point behind the FWTK is for people with sufficient clue to have good tools to help them build their own system. TIS is in the business of helping everyone else enjoy the same security, too.)

I suppose I could go and write my own replacements for the FWTK pieces that I use, but what's the point? I'd basically be making Yet Another Firewall. I'd rather see an organization that doesn't have the skills to implement the darn thing themselves get a good product from (for example) TIS, and then have someone with a clue help them understand how to use that product (along with routers, and other components) to build the firewall.

The point behind my original comment about being able to build a firewall as I've described for $2000 was that Unix doesn't have to mean more expensive. And if you look at total cost of running the stuff over time, software, etc., very often Unix comes out way ahead in terms of bang for the buck. All of the software that people want to use for network applications and such is out there and available for folks to use. Essentially everything costs an arm and a leg in NT, including the OS itself.

--
Matt Curtin  cmcurtin@research.megasoft.com  Megasoft, Inc  Chief Scientist
http://www.research.megasoft.com/people/cmcurtin/  I speak only for myself.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet

From firewalls-owner Sat Dec 7 19:52:40 1996
Date: Sat, 7 Dec 1996 22:45:32 -0500 ()
From: Rudy Amid
To: Pauline van Winsen - Uniq Professional Services
cc: firewalls@GreatCircle.COM, heiser@world.std.com
Subject: Re: restricting OUTBOUND access
In-Reply-To: <199612030735.SAA07796@basil.uniq.com.au>

Usually, though perhaps only in my organization, most of these outgoing "attacks" are all if not mostly all but accidents. They're probably running demo programs that are written to request restricted ports. A good example is the variety of Web Search programs. What needs to be enforced is a written/signed agreement that employees must not attempt to do damage outside the LAN. It's far more effective to generally trust your users, have them be productive, and raise awareness of netiquette.

---
Rudy Amid (rudy@hcl.com), Systems "I'm IT!" Administrator          NB: IMHO!
Hummingbird Communications, Ltd.  1 Sparks Ave. Toronto, Ont. Canada. M2H 2W1.
416-496-2200 Fax 496-2207  [URL] http://www.hcl.com
PGP key fingerprint is on my home page at http://www.warped.com/~radix

On Tue, 3 Dec 1996, Pauline van Winsen - Uniq Professional Services wrote:

> the reason i routinely restrict all outgoing traffic to a known set of
> IP address & protocols is that you significantly reduce the chance of
> one of your own users launching attacks on other sites on the Internet.
> the risks to your organisation from this sort of activity may be quite large.
> damage to reputation being the major risk.
>
> if all sites restricted outgoing traffic to a known set of IP addresses, the
> risk of attacks such as the TCP SYN denial of service attack would be
> reduced as the perpetrators would be easier to track down. this requires
> co-operation from all internet users, but you have to start somewhere.
>
> cheers,
> pauline
>
> Pauline van Winsen                    pauline@uniq.com.au
> Uniq Professional Services Pty Ltd    www.uniq.com.au
> PO Box 70, Paddington, NSW 2021, (Sydney) Australia
> Phone: +61-2-9380-6360 Fax: +61-2-9380-6416 Pager: 016 287 000
> "Never try to flirt with your boss... he's your bread & butter and
> not your honey."
> The boss is not your honey - Book 3, Woman's World, circa 1964.
>
>

From firewalls-owner Sat Dec 7 20:37:43 1996
Message-Id: <199612080424.UAA21518@miles.greatcircle.com>
From: Darren Reed
Subject: screend
To: Firewalls@GreatCircle.COM (Firewalls Mailing List)
Date: Sun, 8 Dec 1996 15:24:10 +1100 (EDT)

Looking at screend, and its advances, are there any .o files for Ultrix 4.[345] which bring its interface up to date with the recent changes for BSD (such as passing ifp to ip_forwardscreen)? What about Digital Unix (or OSF/1)?

Also, something which I find a little concerning is the limit of 120 bytes in the ioctl, allowing only 98 bytes (or less) of IP header info to be passed back. This is less than the maximum size of a combined TCP/IP header (both of which can be 64 bytes in size). Has a solution to this problem ever been found?

Darren

From firewalls-owner Sat Dec 7 21:10:10 1996
From: Russ
To: Michael Dillon, "'cmcurtin@research.megasoft.com'"
Cc: "Firewalls@GreatCircle.COM"
Subject: RE: Why would someone want an NT firewall?
Date: Sun, 8 Dec 1996 00:02:43 -0500

>The point behind my original comment about being able to build a
>firewall as I've described for $2000 was that Unix doesn't have to
>mean more expensive. And if you look at total cost of running the
>stuff over time, software, etc., very often Unix comes out way ahead

Matt, could you send me the email addresses of the people I can hire for FREE to build your $2000 box? Or do you expect my customer's companies to expect all of their security employees to learn FreeBSD, FWTK pieces (smap, plug-gw), tcp_wrappers, squid proxy cache... in their spare time at home?

Get real man, you're not playing by the same rules the rest of the business world is. Most people have to pay their employees... and unless you hadn't noticed, that would add a considerable amount to your $2000 fee, not to mention the amount of time that the company would not be on the Internet while their people learned how to do it all, not to mention the *real* security that wouldn't be in such a box made for the first time by people who had never touched Unix before in their lives. Where would they test their box (do you think they have spare hubs and such lying around to simulate an Internet connection)? Who could tell them whether or not it's set up properly (should they post a message to alt.2600 and ask how to verify their Firewall configuration)?

And if you think you can come back with the argument that the company should just go out and hire in someone who can do this, think again. Either they have to create a new headcount for that person (which would cost more than a managed Firewall would if they expect to keep the person), or do you suggest they fire one of their capable IS people who would take on the Gatekeeper duties in addition to their other duties?
Ivory Towers and Rose Colored Glasses lead to a tainted view of reality. Maybe this stuff was possible when you're in school, or when you're the Chief Scientist, but in-between there are a ton of people without those luxuries.

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
mailto:Russ.Cooper@RC.on.ca <-- *note the new address*

From firewalls-owner Sat Dec 7 21:22:52 1996
Date: Sun, 8 Dec 1996 10:52:25 +0500 (GMT+0500)
From: RAGHAVENDRA M
To: firewalls@GreatCircle.COM

Please inform me about other mailing lists operated by Great Circle Inc.

Thank you in advance.
From firewalls-owner Sat Dec 7 21:52:44 1996
Date: Sun, 8 Dec 1996 00:39:50 -0500
Message-Id: <199612080539.AAA08245@goffette.research.megasoft.com>
From: C Matthew Curtin
To: Russ
Cc: Michael Dillon, "'cmcurtin@research.megasoft.com'", "Firewalls@GreatCircle.COM"
Subject: RE: Why would someone want an NT firewall?

>>>>> "Russ" == Russ writes:

Hi, Russ.

Russ> Matt, could you send me the email addresses of the people I
Russ> can hire for FREE to build your $2000 box? Or do you expect my
Russ> customer's companies to expect all of their security employees
Russ> to learn FreeBSD, FWTK pieces (smap, plug-gw), tcp_wrappers,
Russ> squid proxy cache... in their spare time at home?

Bastion hosts that I build cost about $2000, plus my time... Let's say about 20-40 hours for installing the OS, building the apps, etc. (If I'm building a number of them - maybe to run side-by-side or something - then that figure will drop significantly on a time-per-box basis, needing just a few more hours to do it on two machines than one.)
I build them using FreeBSD, FWTK, etc., because (a) I'm most familiar with that environment ... Unixy things, and (b) the pieces are good, freely available, and much more likely to be deserving of trust than anything to which you can't see source, or even get a straight answer from the vendor about how the darn thing *really* works under the hood.

Russ> Get real man, you're not playing by the same rules the rest of the
Russ> business world is. Most people have to pay their employees... and
Russ> unless you hadn't noticed, that would add a considerable amount
Russ> to your $2000 fee, not to mention the amount of time that the
Russ> company would not be on the Internet while their people learned
Russ> how to do it all, not to mention the *real* security that
Russ> wouldn't be in such a box made for the first time by people who
Russ> had never touched Unix before in their lives. Where would they
Russ> test their box (do you think they have spare hubs and such lying
Russ> around to simulate an Internet connection)? Who could tell them
Russ> whether or not it's set up properly (should they post a message
Russ> to alt.2600 and ask how to verify their Firewall configuration)?

You're suggesting that it's possible to buy a "firewall" from a vendor that's totally black-box, plug it in, have no idea what it does, and be safe? You're suggesting that they won't have to be paid for its configuration, its testing, etc.? You're suggesting that the black box is any more likely to be "safe" by a random MIS type?

Or perhaps I should simply redirect all of these questions back at you, replacing NT for Unix.

Let's not kid ourselves: time is needed, whether you roll your own firewall, or buy something. It needs to be configured, it needs to be tested, and it needs to be managed. How that time is spent in various activities (i.e., development, configuration, and training) will vary from organization to organization depending on their resources.
(In the case of a place with in-house expertise, all of that time might be spent in development and configuration, whereas another might spend it all in configuration and training.)

(NT isn't automatically cheaper, and I stand by my statement that it's cheaper over time: a competent NT admin and a competent Unix admin will both get the job done, but the Unix admin will often be able to do so less expensively. But this really goes way beyond firewalls, so this point can probably sufficiently be put to rest by us agreeing to disagree here. There are more appropriate places for us to argue about this :-)

I don't advocate running out and using FreeBSD if you've got an NT expert on staff. A crystal-box OS is simply a more optimal environment for building secure systems. Regardless of the OS, those who run it need to really understand the OS to be successful firewall administrators. (NT's having a familiar GUI doesn't constitute knowing NT, as you're well aware.) It's important to have an architectural understanding of the OS: its features, its limitations, and what you can do with it in order to accomplish the task at hand. Lots of people wanting to run stuff on NT seem to want to do so because of that pretty user interface that they're used to seeing and automatically assume that somehow it'll be easier to run than some other non-NT-based system.

However, an organization with good NT expertise and a complete lack of Unix expertise is certainly better off using NT, much in the same way that someone who knows how to move himself about only by riding a bicycle is better off using that method than trying to figure out how to use that alternative made by Porsche. Naturally, if he took the necessary time to figure that Porsche out, he'd find it to be much more optimal for the task at hand. But trying to drive a Porsche without knowing how it works is stupid, since it'll probably get wrapped around a tree.

Of course, lots of folks only know how to run AS/400s.
Why don't we have a mad rush for AS/400-based firewalls? Firewalls for MVS, anyone?

--
Matt Curtin  cmcurtin@research.megasoft.com  Megasoft, Inc  Chief Scientist
http://www.research.megasoft.com/people/cmcurtin/  I speak only for myself.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet

From firewalls-owner Sun Dec 8 02:26:58 1996
Message-Id: <199612081011.EAA06634@mailhost.onramp.net>
From: "Jerry McKane"
To: "RAGHAVENDRA M" ,
Subject: Re:
Date: Sun, 8 Dec 1996 04:11:19 -0600

Try this http://www.greatcircle.com/lists.html

----------
> From: RAGHAVENDRA M
> To: firewalls@GreatCircle.COM
> Subject:
> Date: Saturday, December 07, 1996 11:52 PM
>
>
>
> Please inform me about other mailing lists operated
> by Great Circle Inc.
>
> Thank you in advance.
From firewalls-owner Sun Dec 8 07:52:47 1996
From: keithstevens@acsinc.net (Keith Stevens)
Subject: NT firewall debate
Date: Sun, 8 Dec 1996 11:38:52 -0500
Message-ID: <19961208154253131.AAA84@keith.acsinc.net>

I want an NT firewall CONFIGURATION WIZARD. The purpose: to let people like myself - CNE/sys admin/webmaster/programmer/grunt who must use firewall technology but are constantly scrambling to keep up with new and improved(?) servers, operating systems, routers (and their software updates and patches), not to mention constantly expanding the hardware to accommodate the constantly expanding bandwidth, and pleading with sewn-pockets management, dealing with the phone company, writing custom scripts, creating webs, troubleshooting and repairing hardware, start early, no lunch, leave late, work weekends. And now I have to learn firewall technology in my spare time? I'm living on coffee, Bayer and Tums now! I don't give a loop if it works as good as a *ix firewall - at this stage of the game if it works at all and it's quick and dirty - gimme.
Anyway it would let us use the technology without having to develop plans and devise implementations - the stuff we don't know how to do anyway (you guys speak a different language I don't pretend to understand). The wizard would tell me something like: "there's ABCD protocol packets; you want to let these in if you must do bla bla, however a hacker could use this to bla bla; do you need to allow ABCD in? Y or N (not sure? see filtering ABCD packets)". A lot of us are too small to hire a pro security specialist (my guess would be most) but need fair to middling firewalls. If one of you who does know wants to help me create the above described tool...

From firewalls-owner Sun Dec 8 09:11:47 1996
Date: Sun, 8 Dec 1996 12:00:49 -0500 (EST)
From: CMIS 370-5161 Student 06
To: firewalls@GreatCircle.COM
Subject: BorderWare

Is VaporWare another name for BorderWare.... I hear it referred to that often?
From firewalls-owner Sun Dec 8 09:22:45 1996
From: CMIS 370-5161 Student 06
Reply-To: CMIS 370-5161 Student 06
To: firewalls@GreatCircle.COM
Date: Sun, 8 Dec 1996 11:55:00 -0500 (EST)
Subject: Re: Q: BorderWare
In-Reply-To: <32A69C9F.2FDC@ix.netcom.com>

Is BorderWare also known as VaporWare...... is this another name for it? I hear it referred to as VaporWare constantly. What does this mean, if anything?

On Thu, 5 Dec 1996, Christian Kuhtz wrote:

> Hello:
>
> I am implementing a slew of services which are to be offered in the SSN
> portion of a BorderWare SSN firewall setup and would like to pick
> someone's brain about it.
>
> Please drop me a note via replying to this eMail if you think you have
> cycles to do that. I am currently not subscribed to the list.
>
> Thanks in advance!
>
> Best regards,
> Chris
>
> --
> Christian Kuhtz
> Network/UNIX Specialist
> Paranet, Inc.
From firewalls-owner Sun Dec 8 09:56:12 1996
From: Damien Miller
To: Oswaldo Gomes
Cc: Firewalls@GreatCircle.COM, Bill Stout
Date: Mon, 9 Dec 1996 03:14:26 +1100 (EST)
Subject: Re: NT firewalls / Eagle
In-Reply-To: <19961206153637500.AAB132@oswaldo40>

On Fri, 6 Dec 1996, Oswaldo Gomes wrote:

> You can even say that MS Proxy Server isn't a perfect firewall, but it IS a
> firewall...

No. A proxy is a *component* of a firewall, one of many components with which we translate a security policy into an operable system.

Oh. I see Micro$oft's strategy now - first they will release 'MS Proxy Server', then 'MS Audit Server', then 'MS Auth Server'. Then they will bundle and offer the whole bunch as 'MS Firewall'.
;)

Regards,
Damien Miller

--
| Damien Miller
| Email: dmiller@vitnet.com.sg (PGP and MIME ok)
| WWW: http://www.vitnet.com.sg/dmiller
| PGP public key: send me an email with "send file pgp_key" as the subject

From firewalls-owner Sun Dec 8 12:12:57 1996
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9612081953.AA07299@sonic.nmti.com.nmti.com>
Subject: Re: Why would someone want an NT firewall?
To: Russ.Cooper@RC.on.ca (Russ)
Date: Sun, 8 Dec 1996 13:53:10 -0600 (CST)
Cc: michael@memra.com, cmcurtin@research.megasoft.com, firewalls@GreatCircle.COM
In-Reply-To: from "Russ" at Dec 8, 96 00:02:43 am

> Ivory Towers and Rose Colored Glasses lead to a tainted view of
> reality. Maybe this stuff was possible when you're in school, or when
> you're the Chief Scientist, but in-between there are a ton of people
> without those luxuries.

*shrug*

And do you expect that Gauntlet NT is going to cost any less than the BSDI version? After all, NT costs more than BSDI. The point that "UNIX" doesn't mean "ten thousand dollar workstation" is still valid.

From firewalls-owner Sun Dec 8 12:22:48 1996
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9612081957.AA08872@sonic.nmti.com.nmti.com>
Subject: Re: Why would someone want an NT firewall?
To: cmcurtin@research.megasoft.com
Date: Sun, 8 Dec 1996 13:57:28 -0600 (CST)
Cc: Russ.Cooper@RC.on.ca, michael@memra.com, firewalls@GreatCircle.COM
In-Reply-To: <199612080539.AAA08245@goffette.research.megasoft.com> from "C Matthew Curtin" at Dec 8, 96 00:39:50 am

> Bastion hosts that I build cost about $2000, plus my time... Let's say
> about 20-40 hours for installing the OS, building the apps, etc. (If
> I'm building a number of them - maybe to run side-by-side or something
> - then that figure will drop significantly on a time-per-box basis,
> needing just a few more hours to do it on two machines than one.) I
> build them using FreeBSD, FWTK, etc...

You're not allowed to build FWTK-based firewalls for other people. Read the license agreement.

I don't know what the restrictions on Freestone are... you might want to check them.

From firewalls-owner Sun Dec 8 12:42:01 1996
From: Bob Beck
Message-Id: <199612082053.NAA01086@chocolate.obtuse.com>
Subject: "Fair to Middling" firewalls and "Firewall Wizard"
To: keithstevens@acsinc.net (Keith Stevens)
Date: Sun, 8 Dec 1996 13:53:10 -0700 (MST)
Cc: firewalls@greatcircle.com
In-Reply-To: <19961208154253131.AAA84@keith.acsinc.net> from "Keith Stevens" at Dec 8, 96 11:38:52 am

> me something like: "there's ABCD protocol packets you want to let these in
> if you must do bla bla however a hacker could use this to bla bla, do you
> need to allow ABCD in? Y or N (not sure? see filtering ABCD packets)". A
> lot of us are too small to hire a pro security specialist

Then learn what you need yourself. Go get Chapman & Zwicky's "Building Internet Firewalls". Spend a weekend reading it so you have some background. You might want to get your management to send you on a short course.

> (my guess would
> be most) but need fair to middling firewalls. If one of you who does know
> wants help me create the above described tool...

If you don't have the time or resources to do it right, i.e. in your words you want a "fair to middling firewall", then why bother at all? I don't mean that in a nasty way. Simply put, review how likely you think your organization is to be targeted, and what it will cost if you are targeted successfully. You say "a lot of us need fair to middling firewalls"; I would contend that you might not need one at all. Believe it or not, I think that's the appropriate stance in many cases. Take those views to management. Either they give you resources to do it right, or they don't. It may be that the company has better uses for your time and its resources than worrying about an internet security threat when all factors are considered.
Some of my favorite consults have been being called in on a referral to talk to a manager of a small outfit about net security and a firewall because he's heard about it and "Byte Magazine said I needed one". After describing the risks involved in plain English and asking him straight: "What do you have to protect, and how much is it worth?", some of them realize that hey, maybe (for them) the risk isn't worth the insurance. I.e. considering all other exposures not related to the net, their profile, and the value of what they have, it's not worth the money, time, inconvenience, and complexity, no matter how quick and easy it is to do. You don't make money that way, but you can walk away from it knowing you were honest about it and not preying on fear and ignorance. (Boy, I hope Scott Adams isn't watching this list or I'll be excommunicated from Dogbert's New Ruling Class.)

I'm assuming that since you only think you need a "fair to middling" firewall then you must think that your security risks aren't that great. If your firewall won't stop a determined attacker, then chances are you might be better off just using conventional security, and maybe the odd filter on your router.

A good firewall takes time to plan, implement, and educate the rest of the organization about. The complexity of it is definitely *NOT* the choice of hardware, software, OS, or GUI; there are lots of choices available for that. Most of the "fair to middling" firewalls I've seen implemented really provided no security, because they were usually implemented "on Tums and Coffee" in a heck of a hurry with no planning and user/management involvement. The result is that the users have no respect for it because the reasons it's "fair to middling" become apparent to them, and their impression of it is that it exists solely so that "Jerk who runs on Tums and Coffee" can make their life miserable with that "Firewall Thing" getting in their way.
The result is a "fair to middling" firewall that doesn't really provide security, no policy defining what it is supposed to do, no user participation, and everybody hating the "Guy with the Jackboots on". Yes, I think this is a bad thing. IMNSHO, if you can't afford the time to do it right, you are probably (unless you are at high risk) better off not doing it at all. Why put your users and yourself to great inconvenience to ineffectively counter a threat that (at least from your indication) appears not to be a significant concern? Sure you'll be at risk of an intrusion, but what have you saved in terms of your time, resources, user convenience, users' respect for you, etc.? You may do more harm than good with a "fair to middling" solution.

Don't think you need a firewall just because it's the "thing to do". Do you have armed guards at the door and in the office to prevent random violence? Are your company deposits sent to the bank by a team of the same? If not, it may be because the risks don't justify that type of solution. Review your needs and resources and decide intelligently. Choose your battles very carefully, then fight them hard.

-Bob

--
Bob Beck                                  Obtuse Systems Corporation
beck@obtuse.com                           http://www.obtuse.com/
True Evil hides its real intentions in its street address.
Search and you shall find it, and the truth shall set you free.
From firewalls-owner Sun Dec 8 13:22:45 1996
From: Les Carleton
To: wyer@telecheck.com
Cc: firewalls@greatcircle.com
Subject: Re: Oracle SQL/Net
Date: Sun, 08 Dec 1996 20:51:53 GMT
Organization: The Doghouse
Reply-To: les@tracker.demon.co.uk
Message-ID: <32b8296a.3681785@post.demon.co.uk>
References: <9612061425.AA23089@mercury.telecheck.com>
In-Reply-To: <9612061425.AA23089@mercury.telecheck.com>

On Fri, 06 Dec 96 08:25:30 -0600, you wrote:

>In any case, is there some sort of proxy agent which will handle Oracle's
>SQL/Net / ODBC stuff in a graceful fashion between two conflicting IP networks
>somewhat like the Web proxy agent?

There are firewall vendors working with Oracle to put together a real SQL*Net proxy. I believe that Raptor, Checkpoint and TIS, at least, have some form of SQL network proxy.

...Les...
From firewalls-owner Sun Dec 8 13:42:23 1996
From: Michael Dillon
To: firewalls@GreatCircle.COM
Date: Sun, 8 Dec 1996 13:11:57 -0800 (PST)
Subject: Re: Why would someone want an NT firewall?
In-Reply-To: <9612081957.AA08872@sonic.nmti.com.nmti.com>
Organization: Memra Software Inc. - Internet consulting

On Sun, 8 Dec 1996, Peter da Silva wrote:

> > Bastion hosts that I build cost about $2000, plus my time... Let's say
> > about 20-40 hours for installing the OS, building the apps, etc. (If
> > I'm building a number of them - maybe to run side-by-side or something
> > - then that figure will drop significantly on a time-per-box basis,
> > needing just a few more hours to do it on two machines than one.) I
> > build them using FreeBSD, FWTK, etc...
>
> You're not allowed to build FWTK-based firewalls for other people. Read
> the license agreement.

Actually, TIS doesn't forbid you from building FWTK firewalls for other people, it just requires a commercial license to do this, presumably because they want to charge a fee.
I expect this also has something to do with liability since if you build your own FWTK firewall then you have already agreed to accept full liability but if you do it for someone else then they haven't specifically agreed that TIS has no liability. Anyway, I reproduce the relevant section from the current FWTK licence here:

    b. No part of the FWTK may be incorporated into any
       program or other product that is sold, or for which any
       revenue is received without written permission of
       Trusted Information Systems, Inc. A commercial license
       will be required in this case.

Maybe someone from TIS can expand on just what this means.

Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

From firewalls-owner Sun Dec 8 15:23:09 1996
From: Bob Beck
Message-Id: <199612082356.QAA01269@chocolate.obtuse.com>
Subject: FWTK/Freestone Licensing (Was Yet Another NT Flamefest)
To: michael@memra.com (Michael Dillon)
Date: Sun, 8 Dec 1996 16:56:02 -0700 (MST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Michael Dillon" at Dec 8, 96 01:11:57 pm

> > > needing just a few more hours to do it on two machines than one.) I
> > > build them using FreeBSD, FWTK, etc...
> >
> > You're not allowed to build FWTK-based firewalls for other people. Read
> > the license agreement.
>
> Actually, TIS doesn't forbid you from building FWTK firewalls for other
> people, it just requires a commercial license to do this, presumably
> because they want to charge a fee. I expect this also has something to do
> with liability since if you build your own FWTK firewall then you have
> already agreed to accept full liability but if you do it for someone else
> then they haven't specifically agreed that TIS has no liability. Anyway,
> I reproduce the relevant section from the current FWTK licence here:
>
> b. No part of the FWTK may be incorporated into any
> program or other product that is sold, or for which any
> revenue is received without written permission of
> Trusted Information Systems, Inc. A commercial license
> will be required in this case.
>
> Maybe someone from TIS can expand on just what this means.
>

Looks pretty clear to me. Consultants shouldn't use the FWTK to build firewalls for other people if they want to get paid. If you ask TIS for permission, the answer will be "Would you like to be a Gauntlet Reseller?". This has been gone over many times. The party line I've gotten from TIS is don't use FWTK to build firewalls for other people unless you're doing it for free. When I read FreeStone's license it reads almost word for word the same.
Given the amount of people I've seen selling their services to install it I'm sure it's one of the most ignored licensing provisions in history, but nevertheless them's the rules, and you gotta live with them if you're going to be honest. I think the short answer is "don't use FWTK or Freestone to make anything you want to get paid for by someone else". Anyone from TIS or Livingstone is welcome to elaborate.

If you do want something for FreeBSD that you can get paid to install check out Juniper at http://www.obtuse.com/juniper

-Bob

--
Bob Beck                                  Obtuse Systems Corporation
beck@obtuse.com                           http://www.obtuse.com/
True Evil hides its real intentions in its street address.
Search and you shall find it, and the truth shall set you free.

From firewalls-owner Sun Dec 8 16:34:54 1996
Message-ID: <32AB58D9.16FB@pacbell.net>
Date: Sun, 08 Dec 1996 16:10:01 -0800
From: Dave Sroelov
To: "Joseph W. Stroup"
CC: Rabid Wombat, toon@cem-bb.e-mail.com, firewalls@GreatCircle.COM
Subject: Re: None

Joseph W. Stroup wrote:
>
> HERE WE GO AGAIN. WHAT THE HECK KIND OF SUBJECT LINE IS NONE ?
>

it's like the floppy sitting on a desk. no label. not write protected. it's blank, no matter what's on it. if it had something on it there would be a label and it would be write protected...
From firewalls-owner Sun Dec 8 16:38:01 1996
Message-ID: <32AB5813.6EEC@pacbell.net>
Date: Sun, 08 Dec 1996 16:06:43 -0800
From: Dave Sroelov
To: "Bethke, Barney"
CC: Firewalls list
Subject: Re: Procom Question
References: <1996Dec06.090329.1065.40966@msmail.freddiemac.com>

if someone can establish a dial-in connection using procomm or carbon copy or pc anywhere, or anything like that, there is a good chance that they can do and see anything that a person sitting at the pc could do. there are some things you can do to cut down access, but in general they can do whatever a person sitting there could do, on the pc and on the lan. that's why dial-in access to anything inside a secure area creates a really big hole.

Bethke, Barney wrote:
>
> This isn't exactly a firewall question but closely related. Perhaps within
> the vast security expertise of the Firewalls list, someone could answer a PC
> dialup question. What could someone (a hacker) do if they established
> a Procom connection to a PC? Is it similar to using Carbon Copy or does it
> depend on some type of software being up and running on the target PC?
> Could a Procom hacker get at files on the target PC? If the target PC were
> on a LAN, could an intruder also get at the LAN files/systems?
From firewalls-owner Sun Dec 8 19:37:39 1996
Message-Id: <199612090326.TAA00425@miles.greatcircle.com>
From: Darren Reed
Subject: Re: NT firewall debate
To: keithstevens@acsinc.net (Keith Stevens)
Date: Mon, 9 Dec 1996 14:25:55 +1100 (EDT)
Cc: firewalls-digest@GreatCircle.COM
In-Reply-To: <19961208154253131.AAA84@keith.acsinc.net> from "Keith Stevens" at Dec 8, 96 11:38:52 am

In some mail from Keith Stevens, sie said:
[...]
> technology but are constantly scrambling to keep up with new and
> improved(?) servers, operating systems, routers (and their software updates
> and patches), not to mention constantly expanding the hardware to
> accomodate the constantly expanding bandwidth, and pleading with sewn
> pockets management, dealing with the phone company, writing custom scripts,
> creating webs, troubleshooting and repairing hardware, start early, no
> lunch, leave late, work weekends. And now I have to learn firewall

(btw, you probably realise this already, but it sounds like there is enough work there for 2 people, not 1...)

[...]
> a different language I don't pretend to understand). The wizard would tell
> me something like: "theres ABCD protocol packets you want to let these in
> if you must do bla bla however a hacker could use this to bla bla, do you
> need to allow ABCD in? Y or N (not sure? see filtering ABCD packets)".
> A
> lot of us are too small to hire a pro security specialist (my guess would
> be most) but need fair to middling firewalls. If one of you who does know
> wants help me create the above described tool...

Well, you see, there are two problems here. The first is that you'll need to update your Wizard as often as product updates become available (anyway) if you want it to be as useful as you demand.

Second, setting up a firewall isn't usually a case of "do I want this or do I not ?", but also a question of "who do I give access to if I do want this ?". You sound like you don't want that sort of question in your Wizard, so when you say "Yes, I want people to send me e-mail", is that going to be to your mail server, or all your mail servers or to every workstation because people run e-mail on their workstations ?

Some of the questions might be easy ones "do I allow source routed packets ?", but some might seem easy to answer but actually have different implications than you might expect. Another example might be setting up FTP: "Do you want to allow people to ftp to the WWW ?" Yes. "Do all you wish to only use passive FTP connections ?" Yes. And so on, then sometime later, someone can't ftp out because their client doesn't do PASV, so you go back to your wizard and disable PASV...

I could go on, but time is short so I'll summarise and quickly say that we haven't yet come far enough with firewall/computer security for it to safely be trivialised to the level of a Wizard (although we might disagree on what "safe" is), IMHO. If you can fit your Computer Security Policy into less than a page of double spaced lines, each one being a single statement, then maybe a wizard would enable you to configure a firewall appropriately.
Darren

From firewalls-owner Sun Dec 8 20:40:02 1996
From: Todd Graham Lewis
To: Firewalls Mailing List
Date: Sun, 8 Dec 1996 23:35:53 -0500 (EST)
Subject: Delete permissions on files (Was: RE: Why would someone want an NT firewall?)

Just thought that some individuals might be interested in this little tidbit. No commentary is needed, hence none is offered.

__
Todd Graham Lewis                                    Linux!
Core Engineering                     Mindspring Enterprises
tlewis@mindspring.com                 (800) 719 4664, x2804

---------- Forwarded message ----------
Date: Sat, 7 Dec 1996 00:48:44 -0600
To: Multiple recipients of list BUGTRAQ
Subject: Re: (Fwd) RE: [NTSEC] Delete permissions on files

At 12:34 12/6/96 -0500, you wrote:
>I just read this morning in the Nov. 96 issue of NT magazine
>that there _is_ a bug in NTFS permissions. "If you set a file
>to R (read-only) access for Everyone, users can still delete
>the file although Everyone lacks D (delete) access.
>Apparently, MS has no plans to fill this hole." -From
>Ctrl-Alt-Del column, pg 184.

It is worse than that. It doesn't matter _who_ it is set to read-only. The file can be read-only to administrators, and I can still delete it. Plus, even if you go into "special permissions", and remove the execute flag, it can _still_ be deleted.
    [c:\]cacls foo
    C:\foo BUILTIN\Administrators:R

    [c:\]del foo
    Deleting C:\foo
         1 file deleted      1,536 bytes freed

    [c:\]dir foo

     Volume in drive C is unlabeled      Serial number is 8494:9621
    4DOS/NT: The system cannot find the file specified.
     "C:\foo"
                  bytes in 0 files and 0 dirs
          265,867,776 bytes free

What I have not tested is if it is read-only to one set of users, and another tries to delete it.

This has _extremely_ serious implications, as this would allow _any_ user who has read access to a file to delete it, and replace it with a trojan. IMHO, Microsoft should put up a patch for this one ASAP. I've also not tested it under 3.51.

I don't know who told the columnist that MS has no plans to fix it, but they should be made aware of exactly how serious such a problem is. The fact it has shown up in a magazine means that it was discovered a minimum of 2 months ago. I'd also like to know how it was that this guy found it, and the info didn't get back to the right people at MS. From my experience with them, if they'd known about it, it would have been patched - which tells me that the columnist didn't manage to tell anyone with enough sense to let the right people know. Plus, telling a columnist that MS has no plans to fix something this serious constitutes extremely bad press and conveys the impression they don't care about security issues. I don't feel like that is a correct impression, but it is extremely dumb for someone to tell a columnist such a thing.

-----------------------------------------------------------
David LeBlanc                     | Voice: (770)395-0150
Internet Security Systems, Inc.
                                  | Fax: (404)395-1972
41 Perimeter Center East          | E-Mail: dleblanc@iss.net
Suite 660                         | www: http://www.iss.net/
Atlanta, GA 30328                 |

From firewalls-owner Sun Dec 8 20:53:06 1996
From: Todd Graham Lewis
To: Firewalls Mailing List
Date: Sun, 8 Dec 1996 23:43:11 -0500 (EST)
Subject: Re: Why would someone want a moron security manager?
In-Reply-To: <199612071818.KAA27969@miles.greatcircle.com>

On Sat, 7 Dec 1996, W.C. Epperson wrote:

> >>>>> "Adrian" == Adrian Knight writes:
>
> Adrian> 3) At the time of my research a year ago, most mainstream
> Adrian> firewalls ran on minicomputer-class machines like Sun Sparc,
> Adrian> HPUX, AIX. For an educational site with good discounts, a
> Adrian> platform like that ran around $15,000. We put our firewall on
> Adrian> a well-endowed NT PC for $5,000. Hardware and software
> Adrian> maintenance is also much cheaper
>
> I take it this is pure flame bait. Any numbers to back up the "most"
> assertion? I'd conjecture that at the time a large proportion, if not
> the majority, of the installed base, were FWTK setups and Gauntlets. At
> that time I think the turn-key price for a Gauntlet, including hardware,
> software, and installation, was $15K. And I have year old HP9000/800s and
> RS6000s that cost significantly under $15K.
> And if you compare piecemeal
> component support to the fully integrated problem resolution services
> typical of the minicomputer class vendors, well, I reckon it _is_
> cheaper, at least til you factor in the downtime....

$5000?

HARDWARE: Pentium 133, 64 MB RAM, mono VGA card, 9" b/w monitor, 2x 1GB
SCSI HD, onboard SCSI controller, 2x 3com ethernet cards  $1500, and I
don't even have to try to get that price.
OS: (Redhat Linux, Debian Linux, FreeBSD)  $0
SOFTWARE: FWTK, Socks, ipfwadm, squid, kerberos, RA proxy, etc.  $0

Just some food for thought.  Especially for smaller sites, this is a
really easy way to get your feet wet with firewalls while drastically
increasing your site security in one, cheap, fell swoop.

__
Todd Graham Lewis                                Linux!  Core Engineering
Mindspring Enterprises       tlewis@mindspring.com    (800) 719 4664, x2804

From firewalls-owner Sun Dec 8 21:08:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA03555 for firewalls-outgoing; Sun, 8 Dec 1996 20:55:19 -0800 (PST)
Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA03548 for ; Sun, 8 Dec 1996 20:55:12 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id XAA09936; Sun, 8 Dec 1996 23:52:35 -0500
Date: Sun, 8 Dec 1996 23:52:34 -0500 (EST)
From: Todd Graham Lewis
Reply-To: Todd Graham Lewis
To: "Craig I. Hagan"
cc: Firewalls Mailing List
Subject: Re: Re[2]: Why would someone want an NT firewall?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 7 Dec 1996, Craig I. Hagan wrote:

> Lastly, people mention that the best firewall solution is one in which you
> can freely review the sources. i totally agree with this.
> However, i think
> that most people/companies are willing (due to lack of available
> expertise) to accept another party's word for it (even a consultant) and
> be done with the problem. Being that this is the case, what _reasonable_
> arguments are there against using an NT based firewall, assuming that it
> is capable of reliably implementing one's policy in a secure manner.

If no one else will say it, then I will.

Because NT has had a track record from its inception of security holes,
as Peter Da Silva has pointed out time and time again.

Because NT is made and marketed by a company which will not acknowledge
security holes or any other OS shortcoming until it is already common
knowledge, until others have discovered them, until those who have
discovered them have brought them to public attention, and until that
attention has led to an uproar for a fix.

Because Microsoft refuses to cooperate with CERT in the identification
and elimination of security holes.

Because I get much better network performance out of other operating
systems.

> assuming that it
> is capable of reliably implementing one's policy in a secure manner.

Because in my judgement it isn't.

__
Todd Graham Lewis                                Linux!
Core Engineering
Mindspring Enterprises       tlewis@mindspring.com    (800) 719 4664, x2804

From firewalls-owner Sun Dec 8 21:23:13 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA03993 for firewalls-outgoing; Sun, 8 Dec 1996 21:05:32 -0800 (PST)
Received: from mothra.io.com.au (mels2-02.ocean.com.au [203.12.234.172]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA03971 for ; Sun, 8 Dec 1996 21:05:18 -0800 (PST)
Received: from localhost (localhost.0.0.127.IN-ADDR.ARPA [127.0.0.1]) by mothra.io.com.au (8.8.3/8.8.3) with SMTP id OAA00577; Mon, 9 Dec 1996 14:10:39 +1100
Date: Mon, 9 Dec 1996 14:10:38 +1100 (EST)
From: Damien Miller
X-Sender: dmiller@mothra.io.com.au
To: Bob Beck
cc: Michael Dillon , firewalls@GreatCircle.COM
Subject: Re: FWTK/Freestone Licensing (Was Yet Another NT Flamefest)
In-Reply-To: <199612082356.QAA01269@chocolate.obtuse.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 8 Dec 1996, Bob Beck wrote:

>       Looks pretty clear to me. Consultants shouldn't use the FWTK
> to build firewalls for other people if they want to get paid. If you
> ask TIS for permission, the answer will be "Would you like to be a
> Gauntlet Reseller?".

- From the FWTK LICENSE file:

]    c.  A person or organization may not provide, configure,
]        install, or build the FWTK for a client or
]        customer under any circumstances without the prior
]        written consent of TIS.  Such consent shall not be
]        unreasonably withheld for a maximum of two (2)
]        installations or configurations in a calendar year.
]        Should TIS grant such consent, the provider must
]        clearly state in documentation and bid/proposal
]        materials that the TIS Internet Firewall Toolkit
]        technologies are licensed and provided by Trusted
]        Information Systems, and a copy of this license must
]        be included with the configured system.
- From this it seems that TIS is willing to grant consent for you to
install the FWTK for clients at least twice per year.  This is hardly
the basis for a career ;)

The FWTK is a great set of tools for building firewalls from
near-scratch.  It is not always appropriate: for work we use TIS
Gauntlet, mainly because management wanted a validated system.  Gauntlet
is a great product, too.

I am very grateful for TIS for making FWTK available for use like this,
or even at all.  I fully intend to take advantage of the two client
installs per year.  Much kudos to you, TIS!

Regards,
Damien Miller

| Damien Miller -
| Email: dmiller@vitnet.com.sg (PGP and MIME ok)
| WWW: http://www.vitnet.com.sg/dmiller
| PGP public key: send me an email with "send file pgp_key" as the subject

From firewalls-owner Sun Dec 8 21:37:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA05667 for firewalls-outgoing; Sun, 8 Dec 1996 21:25:27 -0800 (PST)
Received: from rxk.India.Fluent.COM ([192.233.231.28]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA05659 for ; Sun, 8 Dec 1996 21:25:14 -0800 (PST)
Received: by rxk.India.Fluent.COM (931110.SGI/930416.SGI.AUTO) for firewalls@greatcircle.com id AA14602; Mon, 9 Dec 96 10:53:27 +0530
From: "Rajeev Kumar"
Message-Id: <9612091053.ZM14600@rxk.India.Fluent.COM>
Date: Mon, 9 Dec 1996 10:53:26 +0000
In-Reply-To: cwg@DeepEddy.Com "Re: IRINA is a Hoax" (Dec 5, 6:33pm)
References: <15391.849832416@deepeddy.DeepEddy.Com>
X-Mailer:
Z-Mail (3.1.0 22feb94 MediaMail)
To: firewalls@greatcircle.com
Subject: Re: IRINA is a Hoax
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Who says IRINA is a hoax, don't you see it has already spoiled the
firewall mailing lists and activate from here and there.

Consider this mail as a part of INFECTION.

Rajeev

From firewalls-owner Sun Dec 8 22:22:52 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA10669 for firewalls-outgoing; Sun, 8 Dec 1996 22:08:25 -0800 (PST)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA09689; Sun, 8 Dec 1996 21:59:25 -0800 (PST)
Date: Sun, 8 Dec 1996 21:59:25 -0800 (PST)
Message-Id: <199612090559.VAA09689@miles.greatcircle.com>
To: firewalls@greatcircle.com
From: Majordomo@GreatCircle.COM
Subject: Welcome to firewalls
Reply-To: Majordomo@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--

Welcome to the firewalls mailing list!

Please save this message for future reference.  Thank you.

If you ever want to remove yourself from this mailing list,
you can send mail to  with the following
command in the body of your email message:

    unsubscribe firewalls firewalls@greatcircle.com

Here's the general information for the list you've
subscribed to, in case you don't already have it:

Description
===========

This list is for discussions of Internet "firewall" security systems
and related issues.  It is an outgrowth of the Firewalls BOF session at
the Third UNIX Security Symposium in Baltimore on September 15, 1992.

This is the undigestified version of the list.  All messages sent to
this list are immediately forwarded to members of the list.  The
digestified version of the list is Firewalls-Digest@GreatCircle.COM.
To subscribe to Firewalls-Digest, send "subscribe firewalls-digest" in
the body of a message (not on the "Subject:" line) to
"Majordomo@GreatCircle.COM".
Frequently Asked Questions
==========================

A "Frequently Asked Questions" (FAQ) document (written by Marcus Ranum,
mjr@tis.com) is available via anonymous FTP from host
FTP.GreatCircle.COM, file pub/firewalls/FAQ, or from Majordomo by
sending the command "get firewalls FAQ" in the body of an email message
(not on the "Subject:" line) to address "Majordomo@GreatCircle.COM", or
via URL

    ftp://ftp.greatcircle.com/pub/firewalls/FAQ

Policies
========

Code for cracking programs (programs designed to help break into
another system) should not be posted to the Firewalls mailing list.

You can subscribe a local redistribution list or a gateway to a local
newsgroup, as long as whatever you do is local to your site.  This
restriction makes it much easier for me to track down mailer problems.

I'm very aggressive when it comes to bounced email.  If email to you
starts bouncing, I'll probably drop you from the list fairly quickly;
you'll have to resubscribe when you get the problem fixed, and retrieve
the archives to find out what you missed.

Archives
========

All messages to the list are archived.  The archives are available via
Majordomo using the "get" command (send "help" in the body of a message
to "Majordomo@GreatCircle.COM" for more info), or via anonymous FTP from
host FTP.GreatCircle.COM in directory "pub/firewalls/archive", or via
URL

    ftp://ftp.greatcircle.com/pub/firewalls/archive/

The archives are broken down by year and month, and are stored in files
named "firewalls.YYMM".  The copy of the archive available by anonymous
FTP is updated every night at 2am local time (0900 GMT in the summer,
1000 GMT in the winter).

WAIS Access
===========

The Firewalls archive is available by WAIS on host WAIS.GreatCircle.COM,
at port 210, under the database name "firewalls-digest".  The WAIS
archive is actually maintained from the Firewalls-Digest archive, which
has all the same information in it as the Firewalls archive, and is
easier to convert to WAIS format.
The WAIS archive is updated nightly.

The FAQ document is also available by WAIS on host WAIS.GreatCircle.COM,
at port 210, under the database name "firewalls-faq".

For Further Information
=======================

Michael C. Berch
Postmaster and list manager, Great Circle Associates
mcb@greatcircle.com

From firewalls-owner Sun Dec 8 22:52:55 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA13057 for firewalls-outgoing; Sun, 8 Dec 1996 22:41:53 -0800 (PST)
Received: from extol.com.my (portal.extol.com.my [202.185.238.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id WAA13050 for ; Sun, 8 Dec 1996 22:41:34 -0800 (PST)
Received: by portal.extol.com.my id <21890>; Mon, 9 Dec 1996 22:50:56 +0800
Message-Id: <96Dec9.225056gmt+0800.21890@portal.extol.com.my>
Date: Mon, 9 Dec 1996 21:53:03 +0800
From: pclow
Reply-To: pclow@pc.jaring.my
X-Mailer: Mozilla 3.0Gold (Win95; I)
MIME-Version: 1.0
To: Firewalls Mailing List
Subject: Encryptors for Frame Relay
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

First my apologies for the non-relevant posting, but I'm pretty desperate.

Does anyone out there know of any frame relay encryptors from a non-US
source?

As this post is not relevant to the list, (again my apologies), please
reply directly to me.

Thanks and appreciate your patience.
From firewalls-owner Mon Dec 9 00:53:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA22947 for firewalls-outgoing; Mon, 9 Dec 1996 00:39:46 -0800 (PST)
Received: from diablo.ppp.de (diablo.ppp.de [193.141.101.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA22933 for ; Mon, 9 Dec 1996 00:39:37 -0800 (PST)
Received: from wmdhh by diablo.ppp.de with uucp (Smail3.1.28.1 #1) id m0vX1Em-000QXtC; Mon, 9 Dec 96 09:38 MET
Received: from rs3.wmd.de by wmdhh with smtp (Smail3.1.26.7 #3) id m0vX2c1-0005UVC; Mon, 9 Dec 96 11:07 CET
Received: by rs3.wmd.de (AIX 3.2/UCB 5.64/4.03.01) id AA21838; Mon, 9 Dec 1996 09:37:14 +0100
From: pauck@rs3.wmd.de (Marco Pauck)
Message-Id: <9612090837.AA21838@rs3.wmd.de>
Subject: Re: Oracle SQL/Net
To: les@tracker.demon.co.uk
Date: Mon, 9 Dec 1996 09:37:14 +0100 (MEZ)
Cc: wyer@telecheck.com, firewalls@GreatCircle.COM
In-Reply-To: <32b8296a.3681785@post.demon.co.uk> from "Les Carleton" at Dec 8, 96 08:51:53 pm
Reply-To: pauck@wmd.de
X-Mailer: ELM [version 2.4 PL20]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence:
bulk

> On Fri, 06 Dec 96 08:25:30 -0600, you wrote:
>
> >In any case, is there some sort of proxy agent which will handle Oracle's
> >SQL/Net / ODBC stuff in a graceful fashion between two conflicting IP networks
> >somewhat like the Web proxy agent?
>
> There are firewall vendors working with Oracle to put together a real SQL*Net
> proxy. I believe that Raptor, Checkpoint and TIS, at least, have some form of
> SQL network proxy.

For a summary please check:

    http://www.wmd.de/wmd/staff/pauck/misc/oracle_and_firewalls.html

Marco

--
Marco Pauck - WMD GmbH Hamburg, Germany - http://www.wmd.de/~pauck/
e-mail: pauck@wmd.de, phone: +49-40-58958-120, fax: +49-40-58958-199
You are on your own words.

From firewalls-owner Mon Dec 9 02:37:43 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA01110 for firewalls-outgoing; Mon, 9 Dec 1996 02:32:45 -0800 (PST)
Received: from maryann.ebs.net (maryann.ebs.net [204.254.158.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id CAA01092 for ; Mon, 9 Dec 1996 02:32:35 -0800 (PST)
Received: from gilligan.ebs.net (cosmo@gilligan.ebs.net [204.254.158.13]) by maryann.ebs.net (8.8.2/8.6.9) with SMTP id EAA16593; Mon, 9 Dec 1996 04:41:02 -0600
Date: Mon, 9 Dec 1996 04:40:51 -0600 (CST)
From: Craig Brozefsky
To: Oswaldo Gomes
cc: "'Firewalls@GreatCircle.COM'"
Subject: Re: Firewalls over NT vs. UNIX
In-Reply-To: <19961204084840622.AAA154@oswaldo40>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 4 Dec 1996, Oswaldo Gomes wrote:

> I don't think so... If I use a Windows NT with MS Proxy Server, I'm sure
> that my network is secure... I can even use IPX on my private LAN... Can
> you hack this?
> ;-)
>
>       Oswaldo Gomes

When do you want me to start 8)

Craig Brozefsky                         cosmo@ebs.net
System Administrator                    vox: 312-226-1675
EBS.NET                                 http://www.ebs.net
*****available for limited time only in this dimension****

From firewalls-owner Mon Dec 9 02:52:49 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA00754 for firewalls-outgoing; Mon, 9 Dec 1996 02:23:47 -0800 (PST)
Received: from maryann.ebs.net (maryann.ebs.net [204.254.158.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id CAA00747 for ; Mon, 9 Dec 1996 02:23:36 -0800 (PST)
Received: from gilligan.ebs.net (cosmo@gilligan.ebs.net [204.254.158.13]) by maryann.ebs.net (8.8.2/8.6.9) with SMTP id EAA16558; Mon, 9 Dec 1996 04:31:57 -0600
Date: Mon, 9 Dec 1996 04:31:47 -0600 (CST)
From: Craig Brozefsky
To: Douglas Cheline
cc: "'Firewalls@GreatCircle.COM'"
Subject: Re: Firewalls over NT vs. UNIX
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 1 Dec 1996, Douglas Cheline wrote:

> The various Firewall vendors that I have spoken to have repeatedly
> stated that, even though their product does run over NT, running
> firewalls over UNIX is much more secure.  The reasoning I get is that NT
> has some inherent vulnerabilities that cannot be plugged since the code
> is proprietary and closed.  UNIX on the other hand is standard based and
> open, plus it has been on the market much longer and more efforts have
> been placed in plugging the holes there.  Which I agree with.
>
> This sounds nice but not very convincing unless some hard facts are
> revealed.  Can knowledgeable members of this forum tell me what those
> 'holes' in NT are? and is this a valid argument?
Check out the list of changes in the service packs you get, just going
thru those will tell you some of the things that were wrong with previous
versions of NT and shows you what may be wrong with the current versions.
The TCP/IP implementation on NT is reported to have some problems, I
recall one talk about UDP packets causing problems, not just malformed
ones, but RFC compliant ones but I'll have to get back to the list on
that one.  Plus, considering Microsoft's track record with security it's
really hard for me to trust them on something as complex as an OS.  If I
had source code I could get you prolly a dozen exploits in a few days 8)

Craig Brozefsky                         cosmo@ebs.net
System Administrator                    vox: 312-226-1675
EBS.NET                                 http://www.ebs.net
*****available for limited time only in this dimension****

From firewalls-owner Mon Dec 9 03:11:44 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA01667 for firewalls-outgoing; Mon, 9 Dec 1996 02:54:06 -0800 (PST)
Received: from gmap-gw.gmap.leeds.ac.uk (gmap-gw.leeds.ac.uk [129.11.84.200]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id CAA01627 for ; Mon, 9 Dec 1996 02:53:06 -0800 (PST)
Received: (from root@localhost) by gmap-gw.gmap.leeds.ac.uk (8.8.4/8.6.9) id KAA29956 for ; Mon, 9 Dec 1996 10:53:11 GMT
Received: from gmap3.gmap.leeds.ac.uk(129.11.200.3) by gmap-gw via smap (V1.3) id sma029953; Mon Dec 9 10:52:52 1996
Received: from gmap.leeds.ac.uk (gmap124 [129.11.200.124]) by gmap3 (8.6.12/8.6.9) with SMTP id KAA07988 for ; Mon, 9 Dec 1996 10:53:58 GMT
From: Danny Cox
Date: Mon, 9 Dec 1996 10:52:04 +0000
Message-Id: <1508.9612091052@gmap.leeds.ac.uk>
To: firewalls@greatcircle.com
Subject: Scanning networks for dialups
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear all,

someone not so long ago (sorry, I've forgotten who) mentioned that
they'd worked with a network somewhere and ran a scan on it to find
modems which were connected.
I'd like to be able to do something here, and identify, via a scan of some description, where/when dialups to an external ISP are happening. I can't quite get my head around how to do this though .. can anyone help?

Cheers

Danny

From firewalls-owner Mon Dec 9 03:23:21 1996
Date: Mon, 9 Dec 1996 04:48:07 -0600 (CST)
From: Craig Brozefsky
To: BVE
cc: firewalls@GreatCircle.COM
Subject: Re: Firewalls over NT vs. UNIX
In-Reply-To: <9612041521.AA02625@omsk.quadrix.com>

On Wed, 4 Dec 1996, BVE wrote:

> creates the exploit code, and a fix to prevent the problem (if the fix wasn't
> already provided by the discoverer). This is good. There is also an extensive
> reporting system for Unix bugs, and Unix vendors have been trained to respond
> quickly.

hehe, CERT? Not HP obviously if you look at what the SOD did to them.

> disseminate bug fixes. They certainly don't like to tell you what problems
> exist. For other reasons, they don't release their source (except at high
> cost). This prevents the easy discovery of theoretical problems, which would
> otherwise be corrected. Don't be fooled by security through obscurity! The
> hackers find the holes -- we might as well, too!

They don't release their sources, not normally. I believe you can get educational licenses, and once a university gets those it's out. Regardless, there are people with NT source code scouring it for exploits and not releasing them; we just don't get a chance to fix them until MS finds out or we get bit by them.

The first thing I do with any OS install is check all suid programs, turn off the ones I don't want, and then the ones I leave on I either replace with my own versions, which I put together myself and trust, or get them from a friend.

> Remember, the MS coders are human, too. Their code contains bugs, just like
> Unix. It's just a matter of finding them, so the decision is about the
> difficulties in finding and fixing them....

It depends on your threat horizon IMO. A small LAN internal to your company can be protected by NT; I would trust NT to do that. I would also trust NT to guard a publicly accessible network with no real sensitive data on it. But for the clients I've worked with who have very sensitive data, brokers, developers, etc... I usually use a commercial firewall product like Gauntlet (which I like) or MilkyWay Blackhole, which is pretty kickin', and then replace a lot of the system software with my own.

From firewalls-owner Mon Dec 9 03:36:00 1996
From: ArkanoiD
Message-Id: <199612091047.NAA24155@paranoid.convey.ru>
Subject: Re: Why would someone want an NT firewall?
To: Russ.Cooper@RC.on.ca (Russ)
Date: Mon, 9 Dec 1996 13:47:54 +0300 (MSK)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Russ" at Dec 8, 96 00:02:43 am

nuqneH,

> *
> Get real man, you're not playing by the same rules the rest of the
> business world is. Most people have to pay their employees...and unless
> you hadn't noticed, that would add a considerable amount to your $2000
> fee, not to mention the amount of time that the company would not be on
> the Internet while their people learned how to do it all, not to
> mention the *real* security that wouldn't be in such a box made for the
> first time by people who had never touched Unix before in their lives.
> Where would they test their box (do you think they have spare hubs and
> such lying around to simulate an Internet connection)? Who could tell
> them whether or not its set up properly (should they post a message to
> alt.2600 and ask how to verify their Firewall configuration)?
> *

Get real man, do you think a man with no skills can build a firewall on NT good enough? Or do you think you can pay him less for that job? Anyways, one needs only one thing: to go out and hire someone who can do that. And I doubt he'll prefer NT.

--
 _  _  _  _  _  _  _   {::} {::} {::}  CU in Hell
_| o |_ | | _|| | / _||_| |_ |_ |_   (##) (##) (##)  /Arkan#iD
|_ o _||_| _||_| / _| | o |_||_||_|   [||] [||] [||]  Do i believe in Bible? Hell, man, i've seen one!

From firewalls-owner Mon Dec 9 03:53:08 1996
From: ArkanoiD
Message-Id: <199612091118.OAA24328@paranoid.convey.ru>
Subject: Re: Why would someone want a moron security manager?
To: lists@reflections.mindspring.com (Todd Graham Lewis)
Date: Mon, 9 Dec 1996 14:18:08 +0300 (MSK)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Todd Graham Lewis" at Dec 8, 96 11:43:11 pm

nuqneH,

> SCSI HD, onboard SCSI controller, 2x 3com ethernet cards
>

No, no, not 3com!

--
 _  _  _  _  _  _  _   {::} {::} {::}  CU in Hell
_| o |_ | | _|| | / _||_| |_ |_ |_   (##) (##) (##)  /Arkan#iD
|_ o _||_| _||_| / _| | o |_||_||_|   [||] [||] [||]  Do i believe in Bible? Hell, man, i've seen one!
From firewalls-owner Mon Dec 9 04:53:11 1996
Message-Id: <199612091234.MAA02063@h01.scientia.com>
Date: Mon, 09 Dec 1996 12:34:52 +0000
To: firewalls@greatcircle.com
From: Ian Miller
Subject: Re: Re[2]: Why would someone want an NT firewall?

At 19:57 07/12/96 -0500, hagan@cih.com wrote:

>it is my opinion that the demand in the industry requires that
>implementing security policy will become a task that non-techies can
>perform. I think that it could be directly inferred from this that, yes,
>there is a finite amount of time in the future after which techies will
>not be needed for most security tasks.

I doubt it very much. I have heard any number of "in the future we won't need techies" predictions, and they have invariably proved false. What happens is that the functions that previously needed the technically competent are eventually automated, but the requirements move on and techies are still needed for the new functions.

In some areas of technology you don't _need_ the new functions, so you don't need the techies. However, Firewalls (and security in general) are driven not by the requirement for new functionality, but by new threats which cannot be safely ignored.

For example, a prediction for a future development: Virtual Network Perimeters will not merely be external (linking private LANs across an insecure public network), but will also be internal, carrying potentially hostile traffic (e.g. Java applets) on Intranets. The VNP internal traffic will be encrypted to ensure that it can only be processed by security-hardened systems inside the LAN.

You are right there will be a _demand_ for security without competence. There will almost certainly be people claiming to deliver it. However, I _very_ much doubt they will manage it.

Ian

From firewalls-owner Mon Dec 9 05:40:44 1996
From: Mark Allyn 206-860-9454
Message-Id: <199612091308.FAA13459@mark.allyn.com>
Subject: Re: Scanning networks for dialups
To: dannyc@gmap.leeds.ac.uk (Danny Cox)
Date: Mon, 9 Dec 1996 05:08:27 -0800 (PST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <1508.9612091052@gmap.leeds.ac.uk> from "Danny Cox" at Dec 9, 96 10:52:04 am

Hello:

I think it would be quite difficult to scan for outgoing calls from machines on your network. First of all, you would have to have access to each and every machine that is on your network. This includes everything from mainframes to the little desktop PC on everyone's desk. If your company has all of a very few types of machines and they are all tightly configured, you might be able to do it.
You would have to have some sort of common software inventory software running on all of your platforms that reports back to some central database what it finds on the machine. Of course, the software would have to be tamper-proof so that someone who wants to dial out cannot tamper with the inventory software to hide the fact that they installed modem software.

As I don't know much about the telephone system, I would have no idea how easy it would be to have something monitor each of your outgoing trunk lines for modem carriers and distinguish between outgoing modem calls and incoming modem calls into your central modem pool. There might be a possibility there. This would get more cumbersome as your enterprise span grows.

Good Luck!

Mark Allyn
allyn@allyn.com

From firewalls-owner Mon Dec 9 05:51:24 1996
From: Russ
To: Firewalls Mailing List, "'Todd Graham Lewis'"
Subject: RE: Delete permissions on files (Was: RE: Why would someone want an NT firewall?)
Date: Mon, 9 Dec 1996 08:11:39 -0500

The *FACT* of this delete permission issue with NTFS is that it's there because of *POSIX* compliance, and is a *FEATURE* not a *BUG*. Chances are a number of you will find the exact same *FEATURE* in your Unix OS if it supports both file permissions and directory permissions.
*

If a user (or group) is granted FULL CONTROL permissions for a directory, one of those permissions granted is DELETE_CHILD permission. This permission cannot be explicitly granted or denied, but is granted with FULL CONTROL and denied if less than FULL CONTROL permissions are configured. If files in the same directory then restrict the same user (or group) from deleting a particular file, the directory permission DELETE_CHILD overrides the file permission. This is *POSIX* compliant, not some Microsoft concept. So if you wish to prevent file deletions, you also have to restrict the directory permissions to (at least) everything but DELETE_CHILD permissions.

*

It's not documented in the NT documentation, but it is documented in the SDKs, so it's an obscure feature to say the least. It is not, however, a bug in NTFS.

*

The *BUG*, if you can call it that, is that DELETE_CHILD permissions do not show up as a changeable permission in the permissions dialog, but is instead an additional permission granted when "Full Control" is selected (which the group Everyone has by default over all directories). So anyone who has reviewed the rights of their directories, in addition to reviewing the rights of their files, and specified less than "Full Control" access to those directories (which should be done if you're trying to secure a box), has already prevented the default DELETE_CHILD right from being granted. The other possible *BUG* is that this permission, while being there for POSIX compliance, still behaves this way even if the POSIX subsystem is removed from the OS.

*

I have to say, Todd had a message from Frank Ramos (one of the most well-respected NT security experts) explaining this fact at the time he forwarded that message to the Firewalls list. Whether he bothered to read Frank's message or not is irrelevant; it was there in his mailbox as a reply to the original message thread (it was the very next message in the thread and was delivered ~30 minutes after the message Todd forwarded, 12 hours before Todd forwarded the message to Firewalls) and explained clearly the facts that I've just restated above. So, IMNSHO, he chose to give you only this "tidbit" in an effort to mislead the Firewalls Mailing List. Commentary was needed, and should have been offered, and was already available to him. He's entitled to his opinions as much as anyone else, but I don't believe the members of this list deserve being fed misleading messages from other groups, mid-thread, and then purposefully omitting to send the clarification message.

*

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
mailto:Russ.Cooper@RC.on.ca <-- *note the new address*

From firewalls-owner Mon Dec 9 07:10:58 1996
Message-Id: <199612091232.NAA27473@gw.teledigit.se>
From: Harald Schwanborg
Date: Mon, 9 Dec 96 13:40:26 +0100
To: mcb@GreatCircle.COM
Subject: Welcome to firewalls
Cc: firewalls@GreatCircle.COM
Date: Sun, 8 Dec 1996 21:59:25 -0800 (PST)
To: firewalls@GreatCircle.COM
From: Majordomo@GreatCircle.COM
Subject: Welcome to firewalls
Reply-To: Majordomo@GreatCircle.COM

--

Welcome to the firewalls mailing list!

Please save this message for future reference. Thank you.

If you ever want to remove yourself from this mailing list, you can send mail to with the following command in the body of your email message:

    unsubscribe firewalls firewalls@greatcircle.com

Here's the general information for the list you've subscribed to, in case you don't already have it:

Description
===========

This list is for discussions of Internet "firewall" security systems and related issues. It is an outgrowth of the Firewalls BOF session at the Third UNIX Security Symposium in Baltimore on September 15, 1992.

This is the undigestified version of the list. All messages sent to this list are immediately forwarded to members of the list. The digestified version of the list is Firewalls-Digest@GreatCircle.COM. To subscribe to Firewalls-Digest, send "subscribe firewalls-digest" in the body of a message (not on the "Subject:" line) to "Majordomo@GreatCircle.COM".

Frequently Asked Questions
==========================

A "Frequently Asked Questions" (FAQ) document (written by Marcus Ranum, mjr@tis.com) is available via anonymous FTP from host FTP.GreatCircle.COM, file pub/firewalls/FAQ, or from Majordomo by sending the command "get firewalls FAQ" in the body of an email message (not on the "Subject:" line) to address "Majordomo@GreatCircle.COM", or via URL ftp://ftp.greatcircle.com/pub/firewalls/FAQ

Policies
========

Code for cracking programs (programs designed to help break into another system) should not be posted to the Firewalls mailing list.

You can subscribe a local redistribution list or a gateway to a local newsgroup, as long as whatever you do is local to your site. This restriction makes it much easier for me to track down mailer problems.

I'm very aggressive when it comes to bounced email. If email to you starts bouncing, I'll probably drop you from the list fairly quickly; you'll have to resubscribe when you get the problem fixed, and retrieve the archives to find out what you missed.

Archives
========

All messages to the list are archived. The archives are available via Majordomo using the "get" command (send "help" in the body of a message to "Majordomo@GreatCircle.COM" for more info), or via anonymous FTP from host FTP.GreatCircle.COM in directory "pub/firewalls/archive", or via URL ftp://ftp.greatcircle.com/pub/firewalls/archive/

The archives are broken down by year and month, and are stored in files named "firewalls.YYMM". The copy of the archive available by anonymous FTP is updated every night at 2am local time (0900 GMT in the summer, 1000 GMT in the winter).

WAIS Access
===========

The Firewalls archive is available by WAIS on host WAIS.GreatCircle.COM, at port 210, under the database name "firewalls-digest". The WAIS archive is actually maintained from the Firewalls-Digest archive, which has all the same information in it as the Firewalls archive, and is easier to convert to WAIS format. The WAIS archive is updated nightly.

The FAQ document is also available by WAIS on host WAIS.GreatCircle.COM, at port 210, under the database name "firewalls-faq".

For Further Information
=======================

Michael C. Berch
Postmaster and list manager, Great Circle Associates
mcb@greatcircle.com

What's happening with your list processor? From where I'm sitting, it appears to request a subscription to firewalls@GreatCircle.COM from itself all by itself. Not that that's a foolish thing to do :). It looks strange though.
Best Regards,
/HS

From firewalls-owner Mon Dec 9 07:17:30 1996
From: keithstevens@acsinc.net (Keith Stevens)
Subject: Thank you
Date: Mon, 9 Dec 1996 08:58:55 -0000
Message-ID: <19961209140347088.AAA157@demo.acsinc.net>

Just wanted to quickly thank the group for the responses, and especially Bob for gracefully responding to my undeserved flame. The net effect of the responses: I will read up on this technology and write again at the end to let you know what we did and why.

Thank you all,

Keith

From firewalls-owner Mon Dec 9 07:24:38 1996
Message-Id: <199612091405.JAA17763@mail.clark.net>
From: "Marcus J. Ranum"
Organization: V-ONE Corp Baltimore office
To: firewalls@GreatCircle.COM (Firewalls-Digest)
Date: Mon, 9 Dec 1996 09:06:40 +0000
Subject: Re: toolkit license

> Actually, TIS doesn't forbid you from building FWTK firewalls for other
> people, it just requires a commercial license to do this, presumably
> because they want to charge a fee. I expect this also has something to do
> with liability since if you build your own FWTK firewall then you have
> already agreed to accept full liability but if you do it for someone else
> then they haven't specifically agreed that TIS has no liability. Anyway,

The toolkit license isn't about liability, it's to keep TIS from having the toolkit compete with Gauntlet, pure and simple. There was a while there when the Gauntlet's best competition was the toolkit. :) Later on TIS adopted a policy of strangling the toolkit by delaying updates and keeping the good new stuff out. For example, we've seen a Beta 2.0 version - no 2.0 version, and the beta's been there for ages. Why is it beta? It's an older slice of the same code that the latest greatest Gauntlet is built on -- does it need testing?

That being said, the toolkit is pretty well obsolete by now, since it hasn't been kept up and out there. Nowadays, someone could build something substantially better using Darren Reed's ip_filt code combined with a transparency-aware plug proxy, and a transparency-aware squid cache server. I'm kind of surprised (and flattered) that the toolkit is still in wide use, despite the fact that it's over 3 years old, which in this industry is forever, and despite the fact that TIS has been damning it with faint praise for 2 of those years.

mjr.
-----
Marcus J. Ranum, Chief Scientist, V-ONE Corporation
Work: http://www.v-one.com
Personal: http://www.clark.net/pub/mjr
"I'll have time to be laid back when I'm laid out on a slab"

From firewalls-owner Mon Dec 9 07:40:34 1996
Date: Mon, 9 Dec 1996 14:49:50 +0000 (GMT)
From: David Harley
To: firewalls@GreatCircle.COM
Subject: Re: IRINA is a Hoax (fwd)

>Leave it to the techno-wizards to come up with an idiotic statement like
>this. The most effective viruses ever created are the Good Times virus
>and its variations such as Deeyenda and Irina. These viruses have

Certainly no computer virus has taken up as much of my reaction time as these have.

>Obviously these viruses are not the same sort of organism as the
>Pakistani Brain virus or Michaelangelo but they are certainly not
>hoaxes.

Disagree. Yes, you could call them viruses - a number of related terms have been coined to account for them (metaviruses, meme viruses, social viruses), but they're definitely hoaxes, in that the viruses they purport to warn against do not and in several cases can not exist. Hoax and virus are not necessarily disjoint sets.

>It is widely understood that social engineering is the most effective way
>to penetrate secure computer networks. We should not be surprised that
>viruses based on these techniques are so effective.

Precisely.
From firewalls-owner Mon Dec 9 08:08:10 1996
From: wyer@TeleCheck.com
Message-Id: <9612091524.AA09209@mercury.telecheck.com>
To: Chris Carlson
Cc: wyer@TeleCheck.com, firewalls@greatcircle.com
Subject: Re: Oracle SQL/Net
In-Reply-To: carlson@cycon.com's message of Mon, 09 Dec 96 10:13:11 -0500.
Date: Mon, 09 Dec 96 09:24:05 -0600

>>> carlson@cycon.com supposedly said:
> On Fri, 6 Dec 1996 wyer@TeleCheck.com wrote:
>
> > Hello,
> >
> > We've recently acquired a company which is accessing an Oracle database on a
> > remote network via TCP/IP. Due to addressing conflicts, we have installed
> > back-to-back PIX boxes to do two-way address translation between both
> > networks.
>
> Why do you have back-to-back PIX boxes? Can't one box do all your
> translating for you?
>
> > Brett Wyer
>

Chris-

Nope. The PIX box assumes that you're running an RFC 1918 (10.x.x.x, 172.16.x.x, etc.) unconnected network internally and want internet connectivity. A PIX box only does translation on the source address on outbound (read "to the internet") packets and on the destination address on inbound (read "from the internet to the internal network") packets. If you're connecting two networks which have conflicting addresses you have to have two PIXes back-to-back to do full translation.

If you would like more details, let me know.

Brett

Brett Wyer
Manager, Systems Support
TeleCheck International, Inc.
(713) 439-6474
e-mail: wyer@telecheck.com
"The difference between the men and the boys... '89 Corvette - Black/Grey Leather; '95 CBR600F3 - Black/Purple/Yellow. 'I was going _how_ fast, Officer?!?'"
Opinions are my own and don't reflect the opinion of TeleCheck.

From firewalls-owner Mon Dec 9 08:13:02 1996
Message-Id: <3.0.32.19961209092751.006b8ac4@lexicon.ins.com>
Date: Mon, 09 Dec 1996 09:28:22 -0500
To: firewalls@greatcircle.com
From: Darwin Martinez
Subject: Load sharing

All:

At my client site, we are implementing a second firewall, preferably for load sharing of data to / from the Internet. We are currently using FW-1 on HPUX for both machines. We have a Cisco environment, and are trying to decide the best way to implement load sharing across 2 firewalls. Our goal is to have one machine completely handle all traffic should either machine fail, this way eliminating a single point of failure.
We currently have default route statements in each router pointing to our firewall. Could we have 2 default route statements in each router? Cisco supports this, but I'm concerned about what happens (if it would happen) if the routers themselves begin to load share, i.e. send one packet to fw #1, next packet to fw #2, etc. This shouldn't affect TCP-based data, but what about UDP-based data? Each fw would have a separate path to the external (Internet) router, but each fw would (could?) be fed by the same two (closest) internal routers?

Any ideas. TIA.

Darwin L. Martinez            Voice: 404-843-5954
Network Systems Engineer      Pager: 888-346-1320
International Network Services  Vmail: 770-641-4004
Atlanta Office                Email: http://www.ins.com
"Frank Zappa and the Mothers, were at the best place around."

From firewalls-owner Mon Dec 9 08:23:11 1996
Date: Mon, 9 Dec 1996 09:29:16 -0500 (EST)
From: "Paul D. Robertson"
To: Danny Cox
cc: firewalls@GreatCircle.COM
Subject: Re: Scanning networks for dialups
In-Reply-To: <1508.9612091052@gmap.leeds.ac.uk>

On Mon, 9 Dec 1996, Danny Cox wrote:

> Dear all,
>
> someone not so long ago (sorry, I've forgotten who) mentioned that they'd
> worked with a network somewhere and ran a scan on it to find modems which
> were connected.
>
> I'd like to be able to do something here, and identify, via a scan of some
> description where/when dialups to an external ISP are happening. I can't
> quite get my head around how to do this though .. can anyone help?

Any war dialer set to dial the numbers in your phone switch will do this. Depending on the number of incoming lines, you may want to run several machines against it at once. Depending on your telco, you may need to talk to them prior to proceeding, and I'd advise against running it from a different switch than the one you are scanning. At least in the US, I've heard that the telcos have been known to disconnect numbers running sequential dialers; if you run from a line inside the switch, you shouldn't hit their copper, and it shouldn't be an issue.

As far as finding ISPs, the easiest way, if you have a low number of ISPs in the area, is to grep your phone switch logs for outgoing calls to their numbers. This, of course, assumes that you have a phone switch that does reporting, and that your telecom department is sufficiently clued to be running reports.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Mon Dec 9 08:27:35 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA14072 for firewalls-outgoing; Mon, 9 Dec 1996 05:43:05 -0800 (PST)
Received: from edelweb.fr (edelweb.fr [193.51.12.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA13935 for ; Mon, 9 Dec 1996 05:42:04 -0800 (PST)
Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (8.7.5/8.6.9) with ESMTP id OAA20832; Mon, 9 Dec 1996 14:39:34 +0100 (MET)
Received: from mercier.gctech.edelweb.fr (mercier.gctech.edelweb.fr [193.51.14.7]) by champagne.edelweb.fr (8.6.10/8.6.6) with ESMTP id OAA13062; Mon, 9 Dec 1996 14:39:33 +0100
Received: from localhost (ben@localhost) by mercier.gctech.edelweb.fr (8.6.10/8.6.6) with SMTP id OAA07318; Mon, 9 Dec 1996 14:39:33 +0100
Date: Mon, 9 Dec 1996 14:39:33 +0100 (MET)
From: Ben
X-Sender: ben@mercier.gctech.edelweb.fr
Reply-To: Ben
To: Danny Cox
cc: firewalls@GreatCircle.COM
Subject: Re: Scanning networks for dialups
In-Reply-To: <1508.9612091052@gmap.leeds.ac.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> worked with a network somewhere and ran a scan on it to find modems which
> were connected.
>
> I'd like to be able to do something here, and identify, via a scan of some
> description where/when dialups to an external ISP are happening. I can't
> quite get my head around how to do this though .. can anyone help?

Ok. It seems to me that we're talking about two separate and distinct things here:

* You want to scan for dialups to an external ISP (i.e. outgoing calls)
* As far as I remember the person was talking about scanning the local PABX for modems that answered.

In the former case, you'd have to have cooperation from your local telco people, either in-house and have all outgoing calls logged.
In that case (and it's not an easy task), you'd call around to the local ISP's (don't forget AOL, CIS, demon, etc.), get their local access numbers and check if there are outgoing calls placed to those access numbers.

In the latter case (it's easier), you'd find a computer with a modem, install something like Demon Dialer or another war dialer and just sweep your company's "number space" of phone numbers. Every time you found a Connect, log the number and go have a chat with the owner of the offending equipment.

In general, I'd worry more about the latter case, since employees often hook up modems, run a PPP server so that they can get access to the Internet from home for free by piggybacking on your company's connection. This tends to be what the modems are used for.

Ben.
____
Ben Samman.................................................ben@edelweb.fr
Paris, France                             Illudium Q36 Explosive Space Modulator

From firewalls-owner Mon Dec 9 08:53:25 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA22547 for firewalls-outgoing; Mon, 9 Dec 1996 07:59:42 -0800 (PST)
Received: from news.rc.on.ca ([207.176.151.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA22530 for ; Mon, 9 Dec 1996 07:59:31 -0800 (PST)
Received: by mail.rc.on.ca with IMAIL 2.0 id <01BBE5BF.A15447B0@mail.rc.on.ca>; Mon, 9 Dec 1996 10:56:29 -0500
Message-ID:
From: Russ
To: "'Todd Graham Lewis'"
Cc: "'Firewalls Mailing List'"
Subject: RE: Delete permissions on files (Was: RE: Why would someone want an NT firewall?)
Date: Mon, 9 Dec 1996 10:56:28 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Connector (Beta) (4.5.1280.0)
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Well, I always say if you can call yourself an ass before anyone else does, you've learned something...;-]

* I made some pretty scathing remarks about a post from Todd Graham Lewis earlier this morning, and now it's time to take them all back.

* I totally failed to realize that Todd got his message from the BUGTRAQ list and not directly from the NTSecurity list where it originated. It's no wonder why he might have missed the message I referred to clarifying the issue, since it hasn't even been posted to BUGTRAQ yet. This important missed observation on my part led to a bunch of assumptions and assertions, all of which I'd like to retract.

* Todd, sorry, I think it's me that owes you a beer or two.

* Cheers,

Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
mailto:Russ.Cooper@RC.on.ca <-- *note the new address*

From firewalls-owner Mon Dec 9 09:25:33 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA26560 for firewalls-outgoing; Mon, 9 Dec 1996 08:52:59 -0800 (PST)
Received: from cih-gw.cih.com (cih-gw.cih.com [204.69.206.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA26519 for ; Mon, 9 Dec 1996 08:52:42 -0800 (PST)
Received: (from mail@localhost) by cih-gw.cih.com (8.7.6/8.6.9) id LAA00484; Mon, 9 Dec 1996 11:51:03 -0500
X-Authentication-Warning: cih-gw.cih.com: mail set sender to using -f
Received: from cih-gw(204.69.206.1) by cih-gw.cih.com via smap (V2.0alpha) id sma000480; Mon Dec 9 11:50:54 1996
Date: Mon, 9 Dec 1996 11:50:54 -0500 (EST)
From: "Craig I. Hagan"
Reply-To: hagan@cih.com
To: Todd Graham Lewis
cc: firewalls@GreatCircle.COM
Subject: Re: Re[2]: Why would someone want an NT firewall?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[true things about M$ and NT deleted, they are obvious and irritating]

I was trying to separate arguments about M$ and the NT operating system from the issues about firewalling. I know that there is some overlap, and, i think that, like unix, there will be some teething problems. I believe that the NT problems will take a _lot_ longer to solve than unix took due to the lack of sources, however, i would like to keep the discussion away from corporate/OS religion and towards other, more important issues -- such as WHY NT firewalls are becoming popular. stating that NT is the antichrist, it stinks, etc. doesn't reduce its popularity, but, it does make us look silly.

> > assuming that it
> > is capable of reliably implementing one's policy in a secure manner.
>
> Because in my judgement it isn't.

for the sake of an argument, let's work with assumptions. i don't like dealing with OS bigotry. I've seen a lot of name calling on the list but, totally dismissing an OS because it is new? when unix and all of its userspace stuff was as new as NT, it had a similar amount of holes, yet people ran it rather than multics and VMS. yes, access to sources makes it easier to fix. yes, it lets you verify for yourself easier. yes, working with well known public points of contact for security is the right thing to do.

I'm looking for a good argument for why someone shouldn't use NT 6.x for a firewall (let's assume that it is in line with one of the current unixes by then for speed and security, which isn't unreasonable). If dealing with the aforementioned assumption is too much to ask, please delete this message.

-- craig
-------------------------------------------------------------------------------
Craig I. Hagan        "It's a small world, but I wouldn't want to back it up"
hagan@cih.com         "True hackers don't die, their ttl expires"

From firewalls-owner Mon Dec 9 09:57:50 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA00777 for firewalls-outgoing; Mon, 9 Dec 1996 09:41:48 -0800 (PST)
Received: from ncar.UCAR.EDU (ncar.ucar.edu [192.52.106.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA00746 for ; Mon, 9 Dec 1996 09:41:21 -0800 (PST)
Message-Id: <199612091739.KAA22689@ncar.ucar.EDU>
Received: by ncar.ucar.EDU (NCAR 12/5/96/ NCAR Central Post Office 03/11/93) id KAA22689; Mon, 9 Dec 1996 10:39:42 -0700 (MST)
Subject: Re: Tacacs+
To: sameer@securities.com
Date: Mon, 9 Dec 96 10:39:41 MST
Cc: ctighe@dat.tds.de, firewalls@GreatCircle.COM
In-Reply-To: <32A9B5B1.6BF5@securities.com>; from "Sameer Anja" at Dec 7, 96 10:21 am
From: woods@ucar.edu (Greg Woods)
X-Mailer: ELM [version 2.3 PL11]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> user=xyz
> {
>     default service=permit
>     login = des something
> }
>
>
> The enable should work from this account. Email me if u have
> any more problems. And if u get a better solution do tell me also.

That still won't work; you have to create the $enable$ or $enab15$ user, or all "enable" attempts from the router are denied.
--Greg

From firewalls-owner Mon Dec 9 10:09:47 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA01709 for firewalls-outgoing; Mon, 9 Dec 1996 09:53:45 -0800 (PST)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA01624 for ; Mon, 9 Dec 1996 09:53:11 -0800 (PST)
Received: from smtp1.sybase.com (sybgate) by halon.sybase.com (5.x/SMI-SVR4/SybFW4.0) id AA25545; Mon, 9 Dec 1996 09:54:56 -0800
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA22165; Mon, 9 Dec 96 09:52:52 PST
Received: by notesgw2.sybase.com (5.x/SMI-4.1/SybEGW3.3) id AA09565; Mon, 9 Dec 1996 09:52:43 -0800
Message-Id: <9612091752.AA09565@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 5F3E4F87097C26F0882563FB006188AA; Mon, 9 Dec 96 09:52:40 EDT
To: Robert Evans
Cc: inet-access , firewalls
From: Ryan Russell/SYBASE
Date: 9 Dec 96 9:55:21 EDT
Subject: Re: Can You Believe It?
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We have considered doing that in our LAN environment at headquarters, but we have some real strong concerns about broadcast based protocols. Let me give you an example of some of the things that can happen:

- Someone misconfigures a Netware server (or NT doing IPX for that matter) with the wrong wire number, and all of the other servers complain until someone tracks it down and fixes it, or SYS: fills up and servers crash.
- Someone brings up an Appletalk seed router with the wrong cable range, and Macs start to lose the ability to "see" each other.
- For Microsoft Windows Browsing, someone has a bad browsemaster which answers the broadcasts from the other Windows machines, and people start losing their network neighborhood (happens ALL the time here...)
- A bad NIS server answering broadcasts
- Some machine crashes while doing a broadcast, and starts flooding broadcasts at wire speed (hope you have broadcast choke on your switch/hub)
- Someone starts broadcasting a video or audio stream
- Duplicate NETBEUI names

...And many others. Now, I'm not even necessarily against having a flat (or larger) broadcast domain.. but again, the concerns above prevent us from doing so now... we've had all of the above. It was usually just one subnet affected, but it could have been the whole campus instead, if we had one broadcast domain. However, switch vendors like Cisco and Cabletron are starting to address these problems with smarter switches that can answer the broadcasts themselves (i.e. ARP) or change it to a Unicast (NETBEUI name caching) or flood them to a more limited group (i.e. only flood IPX SAP's to machines who have sent an IPX packet.)

Ryan

---------- Previous Message ----------
To: inet-access
cc: firewalls
From: pedro @ orca.sitesonthe.net (Robert Evans) @ smtp
Date: 12/06/96 05:51:11 PM
Subject: Can You Believe It?

Hi All,

I am working with this company that is mostly old iron and we are helping them add tcp/ip into their 3000+ workstation environment spread across 5 buildings. We are adding Unix boxes into their network, switched atm. Today I found out that they have 300 - 400 devices using tcp/ip and the whole network is on one class b network. No subnets anywhere. Eventually they are going to be adding other facilities online and they expect that the tcp/ip services are going to catch on like wildfire in the organization. Any ideas on how I am going to convince these guys that this is ridiculous? Any other good stories about such situations? I could use a laugh after this one.
Bob

From firewalls-owner Mon Dec 9 10:32:59 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA13804 for firewalls-outgoing; Mon, 9 Dec 1996 05:40:18 -0800 (PST)
Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA13751 for ; Mon, 9 Dec 1996 05:39:48 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id IAA02033; Mon, 9 Dec 1996 08:38:55 -0500
Date: Mon, 9 Dec 1996 08:38:55 -0500 (EST)
From: Todd Graham Lewis
Reply-To: Todd Graham Lewis
To: Russ
cc: Firewalls Mailing List
Subject: RE: Delete permissions on files (Was: RE: Why would someone want an NT firewall?)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Dear Russ,

While I understand why you are touchy on the topic, (if I made my living by telling people that NT is more secure than Unix, I'd probably be touchy, too,) I think this kind of ad hominem is kind of silly. Calling my message "a effort (sic) to mislead the Firewalls Mailing List" makes me question the vigour with which Canada's finest are enforcing our neighbor to the north's drug laws. 8^)

Come on, Russ. If it had already been addressed, then all it takes is a personal note and I would have posted an appropriate clarification. If, with >900 unread messages in this mail box (not to mention the _real_ mail box I do work out of,) I had not read the message in question, I would hope that you might cut me just the _tiniest_ bit of slack.

Could it be that yet another catastrophic NT security hole has you on the edge of your seat, Russ? Linux and a slew of other Unices pass POSIX but NT is the first and only case like this of which I have heard. (Should we acronym-ize "Yet Another Catastrophic NT Security Hole"? YACNTSH, as in Yac-intosh?)
Then again, I may be wrong. I'll tell you after I finally read that message from Frank Ramos, respected NT security expert.

In the interim, you might want to try driving to Buffalo today and try some of our fine, American crack for a change. If your last message was any indication, you won't be any worse off.

Yours Truly,

Todd Lewis
World Renowned NT Security Non-Expert

__
Todd Graham Lewis                                                Linux!
Core Engineering                                   Mindspring Enterprises
tlewis@mindspring.com                             (800) 719 4664, x2804

On Mon, 9 Dec 1996, Russ wrote:

(...)
> I have to say, Todd had a message from Frank Ramos (one of the most
> well-respected NT security experts) explaining this fact at the time he
> forwarded that message to the Firewalls list. Whether he bothered to
> read Frank's message or not is irrelevant, it was there in his mailbox
> as a reply to the original message thread (it was the very next message
> in the thread and was delivered ~30 minutes after the message Todd
> forwarded, 12 hours before Todd forwarded the message to Firewalls) and
> explained clearly the facts that I've just restated above. So, IMNSHO,
> he chose to give you only this "tidbit" in a effort to mislead the
> Firewalls Mailing List. Commentary was needed, and should have been
> offered, and was already available to him. He's entitled to his
> opinions as much as anyone else, but I don't believe the members of
> this list deserve being fed misleading messages from other groups,
> mid-thread, and then purposefully omitting to send the clarification
> message.
(...)
From firewalls-owner Mon Dec 9 11:08:20 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08063 for firewalls-outgoing; Mon, 9 Dec 1996 10:58:48 -0800 (PST)
Received: from ns1.eds.com (ns1.eds.com [192.85.154.78]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA08042 for ; Mon, 9 Dec 1996 10:58:36 -0800 (PST)
From: MSITMI02.XZ46G8@eds.com
Received: from nnsa.eds.com (nnsa.eds.com [130.174.31.78]) by ns1.eds.com (8.8.2/8.8.2) with ESMTP id NAA24101 for ; Mon, 9 Dec 1996 13:58:10 -0500 (EST)
Received: from DNET.EDS.COM (dnet.eds.com [130.174.31.77]) by nnsa.eds.com (8.7.6/8.7.3) with SMTP id NAA07044 for ; Mon, 9 Dec 1996 13:57:38 -0500 (EST)
X400-Originator: MSITMI02.XZ46G8@eds.com
X400-Recipients: firewalls@GreatCircle.COM
X400-MTS-Identifier: [/PRMD=DMN2PILOT/ADMD=TELEMAIL/C=US/;0095000008068997000002]
X400-Content-Type: P2-1988 (22)
Message-ID: <0095000008068997000002*@MHS>
To: "firewalls(a)GreatCircle.COM":;
Subject: Re: Redundant FW-1s in Parallel!?
Date: Mon, 9 Dec 1996 14:00:56 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I didn't see this pass by so I am posting again.

----------
From: Kerrigan, Philip
Sent: Wednesday 4 December 1996 9.59
To: 'firewalls-digest-owner'
Subject: Re: Redundant FW-1s in Parallel!?

Reply to Bill Husler:

No, your picture is not true. Maybe someone who was at the Checkpoint Paris conference can give more details, but v 3.0 does not give HA. It allows the state to be shared between 2 machines, which helps high-availability and allows separate inbound and outbound routes, but it DOES NOT check the operating state of the other machine. Load balancing must also be done separately. Furthermore to have the same rulebase on both machines you need remote management, otherwise you have to remember to copy the rulebase to the other machine every time you change it, and then install it.
You could use cron to do this, of course, if the second machine was in standby, or run some form of script that starts the fwui, and then does an rcp when finished (if you want to allow rcp).

Also you can have more interfaces. A Sparcstation 5 has its basic LAN le0, the SCSI card has another, le1, and you can add a quad ethernet to get qe0 through qe3. Using a virtual interface you can share a heartbeat link with the internal network. This gives you 5 usable interfaces. I have done this and it works. The basic Qualix SecureWatch is asymmetric but there is no real reason why you can't make it symmetric and fail over the A machine interfaces to a virtual interface on the B machine. Obviously in this case you can't share disks, and you need FW-1 licences on both machines. Currently you also lose all connections on the failed machine, but ver 3.0 should take care of that.

distinti saluti/best regards
Philip Kerrigan
EDS Italia SpA
Viale Monza, 257
Milano, Italy                    tel. + (0)2 2524272
msitmi02.xz46g8@eds.com          fax + (0)2 27002588

From firewalls-owner Mon Dec 9 11:10:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA27046 for firewalls-outgoing; Mon, 9 Dec 1996 08:58:21 -0800 (PST)
Received: from cosmo.aventail.com (cosmo.aventail.com [205.184.205.36]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA26887 for ; Mon, 9 Dec 1996 08:57:32 -0800 (PST)
From: evank@aventail.com
Received: from [38.225.141.10] (root@newman.aventail.com [38.225.141.10]) by cosmo.aventail.com (8.6.12/8.6.9) with SMTP id JAA01809 for ; Mon, 9 Dec 1996 09:43:54 -0800
Message-Id: <199612091743.JAA01809@cosmo.aventail.com>
Date: Mon, 09 Dec 1996 08:57:39 -0800
Subject: Re: Firewalls-Digest V5 #659
To: Firewalls@GreatCircle.COM
In-Reply-To: <199612090900.BAA24342@miles.greatcircle.com>
X-Mailer: SPRYNET Mail 32-Bit Mail Version: 04.20.06.64
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bill, any chance you could answer the e-mail about Oracle SQLnet with a note on SOCKS

On Mon, 9 Dec 1996, firewalls-digest-owner@GreatCircle.COM (Firewalls-Digest) wrote:
>
>Firewalls-Digest          Monday, December 9 1996          Volume 05 : Number 659
>
>
>
>In this issue:
>
>      Welcome to firewalls
>      Re: Oracle SQL/Net
>
>See the end of the digest for information on subscribing to the Firewalls
>or Firewalls-Digest mailing lists and on how to retrieve back issues.
>
>----------------------------------------------------------------------
>
>Date: Sun, 8 Dec 1996 21:59:25 -0800 (PST)
>From: Majordomo@GreatCircle.COM
>Subject: Welcome to firewalls
>
>- --
>
>Welcome to the firewalls mailing list!
>
>Please save this message for future reference. Thank you.
>
>If you ever want to remove yourself from this mailing list,
>you can send mail to with the following
>command in the body of your email message:
>
>    unsubscribe firewalls firewalls@greatcircle.com
>
>  Here's the general information for the list you've subscribed to,
>  in case you don't already have it:
>
>Description
>===========
>This list is for discussions of Internet "firewall" security systems and
>related issues. It is an outgrowth of the Firewalls BOF session at the
>Third UNIX Security Symposium in Baltimore on September 15, 1992.
>
>This is the undigestified version of the list. All messages sent to this
>list are immediately forwarded to members of the list. The digestified
>version of the list is Firewalls-Digest@GreatCircle.COM. To subscribe
>to Firewalls-Digest, send "subscribe firewalls-digest" in the body of
>a message (not on the "Subject:" line) to "Majordomo@GreatCircle.COM".
>
>Frequently Asked Questions
>==========================
>A "Frequently Asked Questions" (FAQ) document (written by Marcus Ranum,
>mjr@tis.com) is available via anonymous FTP from host FTP.GreatCircle.COM,
>file pub/firewalls/FAQ, or from Majordomo by sending the command "get
>firewalls FAQ" in the body of an email message (not on the "Subject:"
>line) to address "Majordomo@GreatCircle.COM", or via URL
>    ftp://ftp.greatcircle.com/pub/firewalls/FAQ
>
>Policies
>========
>Code for cracking programs (programs designed to help break into another
>system) should not be posted to the Firewalls mailing list.
>
>You can subscribe a local redistribution list or a gateway to a local
>newsgroup, as long as whatever you do is local to your site. This
>restriction makes it much easier for me to track down mailer problems.
>
>I'm very aggressive when it comes to bounced email. If email to you
>starts bouncing, I'll probably drop you from the list fairly quickly;
>you'll have to resubscribe when you get the problem fixed, and retrieve
>the archives to find out what you missed.
>
>Archives
>========
>All messages to the list are archived. The archives are available via
>Majordomo using the "get" command (send "help" in the body of a message
>to "Majordomo@GreatCircle.COM" for more info), or via anonymous FTP from
>host FTP.GreatCircle.COM in directory "pub/firewalls/archive", or via URL
>    ftp://ftp.greatcircle.com/pub/firewalls/archive/
>
>The archives are broken down by year and month, and are stored in files
>named "firewalls.YYMM". The copy of the archive available by anonymous
>FTP is updated every night at 2am local time (0900 GMT in the summer,
>1000 GMT in the winter).
>
>WAIS Access
>===========
>The Firewalls archive is available by WAIS on host WAIS.GreatCircle.COM,
>at port 210, under the database name "firewalls-digest".
>The WAIS
>archive is actually maintained from the Firewalls-Digest archive, which
>has all the same information in it as the Firewalls archive, and is
>easier to convert to WAIS format. The WAIS archive is updated nightly.
>
>The FAQ document is also available by WAIS on host WAIS.GreatCircle.COM,
>at port 210, under the database name "firewalls-faq".
>
>For Further Information
>=======================
>Michael C. Berch
>Postmaster and list manager, Great Circle Associates
>mcb@greatcircle.com
>
>------------------------------
>
>Date: Mon, 9 Dec 1996 09:37:14 +0100 (MEZ)
>From: pauck@rs3.wmd.de (Marco Pauck)
>Subject: Re: Oracle SQL/Net
>
>> On Fri, 06 Dec 96 08:25:30 -0600, you wrote:
>> >In any case, is there some sort of proxy agent which will handle Oracle's
>> >SQL/Net / ODBC stuff in a graceful fashion between two conflicting IP networks
>> >somewhat like the Web proxy agent?
>>
>> There are firewall vendors working with Oracle to put together a real SQL*Net
>> proxy. I believe that Raptor, Checkpoint and TIS, at least, have some form of
>> SQL network proxy.
>
>For a summary please check:
>
>http://www.wmd.de/wmd/staff/pauck/misc/oracle_and_firewalls.html
>
>    Marco
>- --
>Marco Pauck - WMD GmbH Hamburg, Germany - http://www.wmd.de/~pauck/
>e-mail: pauck@wmd.de, phone: +49-40-58958-120, fax: +49-40-58958-199
> You are on your own words.
>
>------------------------------
>
>End of Firewalls-Digest V5 #659
>*******************************
>
>To unsubscribe from Firewalls-Digest, send the following command
>in the body of a message to "Majordomo@GreatCircle.COM":
>
>unsubscribe firewalls-digest
>
>If you want to subscribe or unsubscribe an address other than the
>account the mail is coming from, such as a local redistribution list,
>then append that address to the command; for example, to subscribe
>"local-firewalls":
>
>subscribe firewalls-digest local-firewalls@your.domain.net
>
>A non-digest (direct mail) version of this list is also available; to
>subscribe to that instead, replace all instances of "firewalls-digest"
>in the commands above with "firewalls".
>
>Compressed back issues are available for anonymous FTP from
>FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN"
>is the volume number, and "MMM" is the issue number).
>
>

--------------------
Evan Kaplan
Aventail Corporation
www.Aventail.com
206-777-5600

From firewalls-owner Mon Dec 9 11:13:34 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA05082 for firewalls-outgoing; Mon, 9 Dec 1996 10:28:44 -0800 (PST)
Received: from lia00.deis.unibo.it. (lia00.deis.unibo.it [137.204.56.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA05018 for ; Mon, 9 Dec 1996 10:28:25 -0800 (PST)
Received: from lia00.deis.unibo.it by lia00.deis.unibo.it.
    (SMI-8.6/SMI-SVR4) id TAA12726; Mon, 9 Dec 1996 19:27:57 +0100
Message-ID: <32AC5A2D.6E16@lia00.deis.unibo.it>
Date: Mon, 09 Dec 1996 19:27:57 +0100
From: "Carlo Baffe'"
Organization: DEIS-Universita' di Bologna-Italia
X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.5.1 sun4u)
MIME-Version: 1.0
To: Firewalls@greatcircle.com
Subject: sendmail with firewall
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

I need to configure sendmail (and all the mail service) for working with a firewall in dual homed gateway configuration. I have sendmail 8.4. The firewall is Firewall-1 2.0, running on a Sparc4 with Solaris 2.5.1.

Where can I find information about this item?

Thanks in advance and good work,

Carlo

From firewalls-owner Mon Dec 9 11:57:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA00505 for firewalls-outgoing; Mon, 9 Dec 1996 09:39:32 -0800 (PST)
Received: from dredd.oai.org (dredd.oai.org [199.218.110.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA00475 for ; Mon, 9 Dec 1996 09:39:19 -0800 (PST)
Received: (from fsgreen@localhost) by dredd.oai.org (8.8.3/8.8.3) id MAA28252; Mon, 9 Dec 1996 12:34:54 -0500 (EST)
Date: Mon, 9 Dec 1996 12:34:53 -0500 (EST)
From: Doug Greenwald
To: firewalls-digest@GreatCircle.COM
Subject: OAI - basic firewall hardware sizing question
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

howdy all,

didn't see this addressed in the FAQ... we're a smallish company (40 employees) going through a fairly complete information system redesign. one of the things that's coming out of this effort is the need for a firewall to protect the new services we're designing. i'm leaning heavily towards checkpoint's firewall-1 on the sun sparc platform.
given that we're probably always going to be a 40-50 person company and that we won't be a high profile target, could i reasonably run the firewall-1 software on a sparcstation 2 or should i go for a sparc 5 or 10? i don't plan on doing proxy service up front (but may add it later). i'm planning on a 3 network interface'd box with one interface handling the internet connection, one interface handling our perimeter net (with web, dns, ftp, and smtp services), and the third handling our interior network (and protecting internal web, mail, database, and accounting systems).

one thing that may (or may not) be a little different is that we do have occasional visiting groups in the building that i plan on plugging into the perimeter net so that they can netscape and telnet to the internet (mostly it's training groups and consultants that need access to their home systems).

any thoughts on minimum platform requirements would be appreciated.

doug.

Doug Greenwald                         DougGreenwald@oai.org
Internet and Unix Administrator        (216) 962 3145
Ohio Aerospace Institute               ICOMP - NASA Lewis Research Center
http://www.oai.org/                    http://www.lerc.nasa.gov/

From firewalls-owner Mon Dec 9 12:25:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA07644 for firewalls-outgoing; Mon, 9 Dec 1996 10:54:24 -0800 (PST)
Received: from ns2.eds.com (ns2.eds.com [199.228.142.78]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA07602 for ; Mon, 9 Dec 1996 10:54:07 -0800 (PST)
From: MSITMI02.XZ46G8@eds.com
Received: from nnsp.eds.com (nnsp.eds.com [130.174.32.78]) by ns2.eds.com (8.8.2/8.8.2) with ESMTP id NAA25821 for ; Mon, 9 Dec 1996 13:53:41 -0500 (EST)
Received: from DNET.EDS.COM (dnet.eds.com [130.174.31.77]) by nnsp.eds.com (8.7.6/8.7.3) with SMTP id NAA18293 for ; Mon, 9 Dec 1996 13:53:09 -0500 (EST)
X400-Originator: MSITMI02.XZ46G8@eds.com
X400-Recipients: firewalls@GreatCircle.COM
X400-MTS-Identifier:
    [/PRMD=DMN2PILOT/ADMD=TELEMAIL/C=US/;0095000008068849000002]
X400-Content-Type: P2-1988 (22)
Message-ID: <0095000008068849000002*@MHS>
To: "firewalls(a)GreatCircle.COM":;
Subject: Re: RAS and Firewalls
Date: Mon, 9 Dec 1996 13:56:27 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Actually, I am not trying to get a specific solution to a client's network. I wanted information on general principles and how RAS could be made to work across the Internet.

The general situation is an internal network on which someone has installed RAS. It has frequently been argued that this makes the network insecure, one mail stating that the writer had detected someone going OUT through the firewall who had come in through RAS. The next step is that the company connects to the internet and installs a firewall. Obviously there is no point in doing this if RAS creates a hole behind the wall.

As for RAS services, I don't know what they might all be. The first thing that comes to mind is collecting your mail with MS mail client. I don't see where DMZ enters the equation, but obviously a company would want only its own employees fetching mail, and wouldn't want damage being done to the server offering RAS.

To repeat: How does this fit in with a firewall? The aim of course is that to use RAS the user must cross the firewall in a controlled manner, and not bypass it.

distinti saluti/best regards
Philip Kerrigan
EDS Italia SpA
Viale Monza, 257
Milano, Italy                    tel. + (0)2 2524272
msitmi02.xz46g8@eds.com          fax + (0)2 27002588

----------
From: doshai
Sent: Saturday 7 December 1996 11.46
To: KERRIGAN, PHILIP
Subject: Re:

What is the network topography? Do you have multiple segments through the firewall? Secured servers? What do the clients using RAS need to access? What is within your DMZ? Are the RAS clients to be trusted to the servers, internet, both? You need to give a fair bit more info before that may be answered.
Regards Craig

> Anyone have any recommendations on how to make RAS available to remote > clients when the internet gateway is a firewall? > > Would you have PPP on the Firewall itself, a RAS server outside the > Firewall, a modem bank outside the firewall? What protocols have to pass > the firewall? > > distinti saluti/best regards > Philip Kerrigan > EDS Italia SpA > Viale Monza, 257 > Milano, Italy tel. + (0)2 2524272 > msitmi02.xz46g8@eds.com fax + (0)2 27002588 > >

From firewalls-owner Mon Dec 9 12:36:22 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA10980 for firewalls-outgoing; Mon, 9 Dec 1996 11:33:00 -0800 (PST) Received: from loach.cichlid.com (loach.cichlid.com [165.227.20.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA10962 for ; Mon, 9 Dec 1996 11:32:42 -0800 (PST) Received: (from news@localhost) by loach.cichlid.com (8.7.4/8.7.3) id LAA28208; Mon, 9 Dec 1996 11:29:03 -0800 To: firewalls@GreatCircle.COM Path: cichlid From: msitmi02.xz46g8@eds.com Newsgroups: mail.firewalls Subject: None Date: 9 Dec 1996 11:29:03 -0800 Lines: 78 Message-ID: <58hp9v$h3s@cichlid.cichlid.com> NNTP-Posting-Host: cichlid.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk X400-Originator: MSITMI02.XZ46G8@eds.com X400-Recipients: firewalls@GreatCircle.COM X400-MTS-Identifier: [/PRMD=DMN2PILOT/ADMD=TELEMAIL/C=US/;0095000008068997000002] X400-Content-Type: P2-1988 (22) Message-ID: <0095000008068997000002*@MHS> To: "firewalls(a)GreatCircle.COM":; Subject: Re: Redundant FW-1s in Parallel!? Date: Mon, 9 Dec 1996 14:00:56 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I didn't see this pass by so I am posting again.

---------- From: Kerrigan, Philip Sent: Wednesday, 4 December 1996 9.59 To: 'firewalls-digest-owner' Subject: Re: Redundant FW-1s in Parallel!?

Reply to Bill Husler: No, your picture is not true. Maybe someone who was at the Checkpoint Paris conference can give more details, but v 3.0 does not give HA. It allows the state to be shared between 2 machines, which helps high availability and allows separate inbound and outbound routes, but it DOES NOT check the operating state of the other machine. Load balancing must also be done separately. Furthermore, to have the same rulebase on both machines you need remote management, otherwise you have to remember to copy the rulebase to the other machine every time you change it, and then install it.
You could use cron to do this, of course, if the second machine was in standby, or run some form of script that starts the fwui, and then does a rcp when finished (if you want to allow rcp). Also you can have more interfaces. A Sparcstation 5 has its basic LAN le0, the SCSI card has another, le1, and you can add a quad ethernet to get qe0 through qe3. Using a virtual interface you can share a heartbeat link with the internal network. This gives you 5 usable interfaces. I have done this and it works. The basic Qualix SecureWatch is asymmetric but there is no real reason why you can't make it symmetric and fail over the A machine interfaces to a virtual interface on the B machine. Obviously in this case you can't share disks, and you need FW-1 licences on both machines. Currently you also lose all connections on the failed machine, but ver 3.0 should take care of that. distinti saluti/best regards Philip Kerrigan EDS Italia SpA Viale Monza, 257 Milano, Italy tel. + (0)2 2524272 msitmi02.xz46g8@eds.com fax + (0)2 27002588 From firewalls-owner Mon Dec 9 12:41:37 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA06499 for firewalls-outgoing; Mon, 9 Dec 1996 10:42:43 -0800 (PST) Received: from loke.computec.no (loke.computec.no [193.214.26.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA06450 for ; Mon, 9 Dec 1996 10:42:09 -0800 (PST) Received: from localhost (haakon@localhost) by loke.computec.no (8.8.3/8.6.10) with SMTP id TAA05242; Mon, 9 Dec 1996 19:46:28 +0100 Date: Mon, 9 Dec 1996 19:46:28 +0100 (GMT+0100) From: Haakon Innerdal To: Doc cc: firewalls@GreatCircle.COM Subject: Re: Module error. 
In-Reply-To: <96Dec5.155601gmt+0800.21890@portal.extol.com.my> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Thu, 5 Dec 1996, Doc wrote:
> Hello,
>
> 	I'm not sure if this question is right for this list, but
> 	here goes.
>

Probably not, but I dare to answer anyway. (No flames please)

> 	I'm developing a firewall on a Linux box. The thing is that
> 	when I have made the modules, like new_tunnel.o, etc and I
> 	try to load it into mem [insmod new_tunnel.o], I get the
> 	following error:
>
> 	create_module: Unknown error 1048489984
>
> 	When I did an lsmod, it shows that the module is in mem with
> 	the number of pages allocated and in the "Used by:" column,
> 	I get uninitialized.
>
> 	How can I eliminate this Unknown error problem? Thanks in advance.
>

This is most likely because you don't have the right binaries of insmod, lsmod, kerneld, and rmmod. If you have kernel 2.0.XX, use modules-2.0.0 in some sunsite mirror found in the dir GCC somewhere. If you got kernel 2.1.XX (which is NOT a good idea to use on a firewall machine, it's a development kernel!), you should use modules-2.1.13; I believe it is in the same place as the modules-2.0.0-tar.gz. Probably the best thing is to compile these binaries yourself, because it then uses your current kernel's includes.

Again, sorry for this reply in an inappropriate place, but I hope I helped somebody...
-- Håkon Innerdal http://www.computec.no/~haakon Computec AS, postboks 3, 7340 Oppdal Tlf:72400100(ISDN), Fax:72420840, Mobil:90659332

From firewalls-owner Mon Dec 9 13:04:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA25554 for firewalls-outgoing; Mon, 9 Dec 1996 08:42:40 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA25512 for ; Mon, 9 Dec 1996 08:42:10 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id LAA02939; Mon, 9 Dec 1996 11:38:35 -0500 From: Adam Shostack Message-Id: <199612091638.LAA02939@homeport.org> Subject: Re: "Fair to Middling" firewalls and "Firewall Wizard" In-Reply-To: <199612082053.NAA01086@chocolate.obtuse.com> from Bob Beck at "Dec 8, 96 01:53:10 pm" To: beck@obtuse.com (Bob Beck) Date: Mon, 9 Dec 1996 11:37:40 -0500 (EST) Cc: keithstevens@acsinc.net, firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I've deleted a good part of
Bob's excellent post, to disagree with a few of his assessments. I do (usually) agree that you should do it right, however, I think that there may be a drift to allowing the best to be the enemy of the good.

Compare a simple packet filter to no perimeter defenses. The packet filter I'll hypothesize about is one that denies all but a liberally chosen set of services. That is, everything not explicitly permitted is denied, but the permit list is on the large side. I think most would agree that this is not very good. However, it does protect the organization against a large number of easy attacks, and misconfigured machines on the inside.

If this sort of filter is in place, they're protected against many attacks. They're not protected against all attacks. However, given the ease of scanning large networks, most networks get scanned at least once in a while. This simple, low cost, relatively low impact firewall will block much of that scan, and may convince an attacker to move to easier pickings.

I'll assert that any network over 100 hosts can be broken into if I get unhampered IP access to it. (Yes, there are probably exceptions, but not many. I won't encourage you to post "My network of N hosts is safe," as there are people other than me who will try to prove you wrong.)

Given that your network is vulnerable, are there reasons to install a 'not very good' firewall? I see stopping the easy attack and stopping liability as good reasons. The easy attack is discussed above. Liability may come from negligence; it may come from maintaining an attractive nuisance, or conspiracy. IANAL, you should ask yours. But I expect that engaging in industry standard behaviors (such as installing a firewall) would be a useful part of a defense.

The other side of this coin is the overconfidence that a bad firewall instills. I need to get back to work (Hi Joe!), so I'll comment on that later.
Adam

Bob Beck wrote: | IMNSHO, if you can't afford the time to do it right, you are | probably (unless you are at high risk) better off not doing it at all. | Why put your users and yourself to great inconvenience to | ineffectively counter a threat that (at least from your indication) | appears not to be a significant concern? Sure you'll be at risk of an | intrusion, but what have you saved in terms of your time, resources, | user convenience, user's respect for you, etc.? You may do more harm | than good with a "fair to middling" solution. Don't think you need a | firewall just because it's the "thing to do". Do you have armed guards | at the door and in the office to prevent random violence? Are your | company deposits sent to the bank by a team of the same? If not it may | be because the risks don't justify that type of solution. Review your | needs and resources and decide intelligently. Choose your battles very | carefully, then fight them hard. -- "It is seldom that liberty of any kind is lost all at once."
-Hume From firewalls-owner Mon Dec 9 13:28:51 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA18757 for firewalls-outgoing; Mon, 9 Dec 1996 13:14:07 -0800 (PST) Received: from inet2.tek.com (inet2.tek.com [134.62.48.22]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA18746 for ; Mon, 9 Dec 1996 13:13:48 -0800 (PST) Received: from tektronix.tek.com by inet2.tek.com id ; Mon, 9 Dec 1996 13:13:13 -0800 Received: from master.cna.tek.com (master.cna.tek.com [192.65.32.41]) by tektronix.tek.com (8.7.5/8.7.3) with ESMTP id NAA01731 for ; Mon, 9 Dec 1996 13:13:09 -0800 (PST) Received: from solaris.cna.tek.com by master.cna.tek.com (8.7.5/8.6.9) id VAA02882; Mon, 9 Dec 1996 21:08:05 GMT Received: (from frankm@localhost) by solaris.cna.tek.com (8.6.11/8.6.10) id NAA03030; Mon, 9 Dec 1996 13:11:29 -0800 Date: Mon, 9 Dec 1996 13:11:29 -0800 From: "Frank 'Scruffy' Miller" Message-Id: <199612092111.NAA03030@solaris.cna.tek.com> X-Organization: Tektronix CNA Division Technical Computing Group 625 NE Salmon Ave Redmond, OR 97756, USA X-Fax: (541) 923-4543 X-Phone: (541) 923-4402 X-Mailer: GnuEmacs RMAIL ver 19.25 To: firewalls@greatcircle.COM Subject: RTP support with a Firewall? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Anyone have any suggestions for RTP support from a Cisco 25** utilizing an access list for firewalling on the WAN side in? 
Thanks, F From firewalls-owner Mon Dec 9 13:59:04 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA19082 for firewalls-outgoing; Mon, 9 Dec 1996 13:18:38 -0800 (PST) Received: from Aptech.com (joshua.aptech.com [199.29.185.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA19053 for ; Mon, 9 Dec 1996 13:18:21 -0800 (PST) Received: by Aptech.com (SMI-8.6/SMI-SVR4) id NAA24707; Mon, 9 Dec 1996 13:17:28 -0800 Received: from naomi(199.29.185.132) by joshua via smap (V1.3) id sma024705; Mon Dec 9 13:17:24 1996 Received: from amos.Aptech.com by naomi.Aptech.com (SMI-8.6/SMI-SVR4) id NAA09613; Mon, 9 Dec 1996 13:17:42 -0800 Received: by amos.Aptech.com (SMI-8.6/SMI-SVR4) id NAA19757; Mon, 9 Dec 1996 13:17:42 -0800 Date: Mon, 9 Dec 1996 13:17:42 -0800 From: sjones@Aptech.com (Samuel D. Jones) Message-Id: <199612092117.NAA19757@amos.Aptech.com> To: firewalls@GreatCircle.COM Subject: PGP on Solaris x86 X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Has anyone compiled PGP on Solaris x86 using the SunPro compiler? --------------------------- Here is my make target line: --------------------------- # x86 running Sunos5 (Solaris)... 
solx86gcc:
	$(MAKE) all CC=cc LD=cc OBJS_EXT=_80386.o \
	CFLAGS="-w $(RSAINCDIR) -xO4 -DSOLARIS -DUNIX -DIDEA32" \
	ASMDEF=-DSYSV

----------------
I'm getting this:
----------------

(/pgp/src)% make solx86gcc
make all CC=cc LD=cc OBJS_EXT=_80386.o \
CFLAGS="-w -I../rsaref/source -I../rsaref/test -DUSEMPILIB -xO4 -DSOLARIS -DUNIX -DIDEA32" \
ASMDEF=-DSYSV
cc -E -DSYSV 80386.S > _80386.s
cc -c -o _80386.o _80386.s
Assembler:
aline 1 : Illegal mnemonic
aline 1 : syntax error
aline 3 : Illegal mnemonic
aline 3 : syntax error
aline 5 : Illegal mnemonic
aline 5 : syntax error
aline 10 : Illegal mnemonic
aline 10 : syntax error
aline 11 : Illegal mnemonic
aline 11 : syntax error
aline 11 : Illegal mnemonic
aline 11 : Illegal mnemonic
aline 11 : syntax error
aline 11 : Illegal mnemonic
aline 11 : Illegal mnemonic
aline 58 : Illegal mnemonic
aline 58 : syntax error
aline 60 : Illegal mnemonic
aline 60 : syntax error
aline 62 : Illegal mnemonic
aline 62 : syntax error
aline 62 : Illegal mnemonic
aline 62 : Illegal mnemonic
aline 62 : syntax error
aline 62 : Illegal mnemonic
aline 62 : Illegal mnemonic
aline 80 : Illegal register
aline 80 : syntax error
aline 80 : Illegal register
aline 80 : Illegal register
aline 80 : Illegal register
Too many errors - Goodbye
cc: assembler failed for _80386.s
*** Error code 1
make: Fatal error: Command failed for target `_80386.o'
Current working directory /pgp/src
*** Error code 1
make: Fatal error: Command failed for target `solx86gcc'
(/pgp/src)%

Sam
-------------------------------
| Samuel D.
Jones | | | | Phone: (206) 432-7855 | | FAX: (206) 432-7832 | | E-mail: sjones@Aptech.com | ------------------------------- From firewalls-owner Mon Dec 9 14:03:33 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA17443 for firewalls-outgoing; Mon, 9 Dec 1996 12:57:47 -0800 (PST) Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA17435 for ; Mon, 9 Dec 1996 12:57:33 -0800 (PST) From: gblolmxb@ibmmail.com Message-Id: <199612092057.MAA17435@miles.greatcircle.com> Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 7568; Mon, 09 Dec 96 15:57:06 EST Date: Mon, 09 Dec 1996 15:56:25 EST To: firewalls@greatcircle.com MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Insurance policy covering security breach Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Does anyone know of the existence of any insurance policy covering a breach of a security system, in particular a firewall protecting a private network(s) from the Internet? I know there are obviously clauses about negligence, diligence etc, but I would still be interested. Mark. From firewalls-owner Mon Dec 9 14:10:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA20064 for firewalls-outgoing; Mon, 9 Dec 1996 13:35:06 -0800 (PST) Received: from smtp1.interramp.com (smtp1.interramp.com [38.8.45.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA20054 for ; Mon, 9 Dec 1996 13:34:46 -0800 (PST) Received: from micron by smtp1.interramp.com (8.8.1/SMI-4.1.3-PSI-irsmtp) id QAA05085; Mon, 9 Dec 1996 16:34:19 -0500 (EST) Message-ID: <32ACA432.4308@oar-wash.com> Date: Mon, 09 Dec 1996 16:43:46 -0700 From: Eric Woodall Reply-To: eric_woodall@oar-wash.com X-Mailer: Mozilla 3.0 (WinNT; I) MIME-Version: 1.0 To: firewalls-digest@GreatCircle.COM Subject: New Firewall Software?
Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Rumor has it that there's a new software security product for webservers that protects the underlying OS and stops graffiti, flooding, etc., but still lets designers working remotely get through. Anybody heard of it -- who makes it, what it costs, how to obtain? From firewalls-owner Mon Dec 9 14:15:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA19769 for firewalls-outgoing; Mon, 9 Dec 1996 13:29:12 -0800 (PST) Received: from dfw-ix1.ix.netcom.com (dfw-ix1.ix.netcom.com [206.214.98.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA19719 for ; Mon, 9 Dec 1996 13:28:49 -0800 (PST) Received: from 8ooq02lr.ix.netcom.com ([207.94.100.47]) by dfw-ix1.ix.netcom.com (8.6.13/8.6.12) with ESMTP id NAA06516 for ; Mon, 9 Dec 1996 13:28:10 -0800 Message-Id: <199612092128.NAA06516@dfw-ix1.ix.netcom.com> From: "Michael G. Mucha" To: Subject: Anyone read Stephen Cobb's NCSA Guide to PC and LAN Security????? Date: Mon, 9 Dec 1996 16:30:16 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I was thinking of picking up the NCSA Guide to PC and LAN Security (formerly Stephen Cobb's Guide to PC and LAN Security), and I was wondering if anyone had read it, before I spend $50 on it. Thanks Michael G.
Mucha mmucha@ix.netcom.com From firewalls-owner Mon Dec 9 14:19:19 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA20584 for firewalls-outgoing; Mon, 9 Dec 1996 13:43:01 -0800 (PST) Received: from cda1.cda.com (cda1.cda.com [199.97.12.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA20555 for ; Mon, 9 Dec 1996 13:42:45 -0800 (PST) Received: from cda-prod.cda.com (fogleman.cda.com [199.99.242.20]) by cda1.cda.com (8.6.9/8.6.9) with SMTP id QAA15992 for ; Mon, 9 Dec 1996 16:47:41 -0500 Message-ID: <32AC886A.FD1@cda.com> Date: Mon, 09 Dec 1996 16:45:14 -0500 From: Shaun Fogleman Organization: CDA Investment Technologies X-Mailer: Mozilla 3.0 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Unix vs. Windows NT Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am a Unix Systems Administrator and have been one for about 5 years now. I'm in a position now where I can influence the purchase of a Firewall product for our network. I've been searching the net for the past couple of days and haven't found anything definite about the "big battle" between Unix and NT. I've found a few things which don't discuss much in any detail. Could you provide me a location, or a document which gives an accurate description of the Unix vs. NT battle which is going on? 
Thank You Shaun Fogleman Unix Systems Administrator CDA Investment Technologies From firewalls-owner Mon Dec 9 14:25:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA20921 for firewalls-outgoing; Mon, 9 Dec 1996 13:47:02 -0800 (PST) Received: from gatekeeper2.mcimail.com (gatekeeper2.mcimail.com [192.147.45.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA20912 for ; Mon, 9 Dec 1996 13:46:49 -0800 (PST) Received: from mailgate2.mcimail.com (mailgate2.mcimail.com [166.40.135.23]) by gatekeeper2.mcimail.com (8.6.12/8.6.10) with SMTP id VAA04809; Mon, 9 Dec 1996 21:53:30 GMT Received: from mcimail.com by mailgate2.mcimail.com id ao21538; 9 Dec 96 21:47 WET Date: Mon, 9 Dec 96 16:46 EST From: "Kevin J. McMahon" <0003557428@mcimail.com> To: Firewalls Subject: Re: Scanning networks for dialups Message-Id: <02961209214620/0003557428DC4EM@MCIMAIL.COM> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Danny Cox wrote: > someone not so long ago (sorry, I've forgotten who) mentioned that they'd >worked with a network somewhere and ran a scan on it to find modems which >were connected. This was probably a scan with a wardialer. Many companies wardial their own facilities to identify where modems are hooked up that allow inbound access. > I'd like to be able to do something here, and identify, via a scan of some >description where/when dialups to an external ISP are happening. I can't >quite get my head around how to do this though .. can anyone help? What you're describing here is outbound access which is a bit different, but I think I understand what you are trying to do. If the available outbound analog lines run through a PBX, then you can get the PBX techs to turn on call detail reporting (which should already be on anyway, but usually isn't in my experience). Then you can scan the CDRs for ISP access lines. 
If the analog lines do not go through a PBX (i.e., they are on individual POTS - Plain Old Telephone Service - lines) then you are probably out of luck. I am not familiar with the situation in the UK, but in the US 800 (freephone) numbers won't show up on your bill. If they aren't 800 numbers then they are probably local numbers and again, they _probably_ won't show up on your bill. Check with your local carrier and see if they can give you detailed call records (i.e., include all calls that are made). In the US they would probably want a "small" ;) fee for this, but it can't hurt to try. Kevin J. McMahon MCI Technical Security From firewalls-owner Mon Dec 9 14:30:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA19928 for firewalls-outgoing; Mon, 9 Dec 1996 13:30:55 -0800 (PST) Received: from smtp1.interramp.com (smtp1.interramp.com [38.8.45.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA19840 for ; Mon, 9 Dec 1996 13:30:02 -0800 (PST) Received: from micron by smtp1.interramp.com (8.8.1/SMI-4.1.3-PSI-irsmtp) id QAA04932; Mon, 9 Dec 1996 16:29:33 -0500 (EST) Message-ID: <32ACA310.2062@oar-wash.com> Date: Mon, 09 Dec 1996 16:38:56 -0700 From: Eric Woodall Reply-To: eric_woodall@oar-wash.com X-Mailer: Mozilla 3.0 (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Firewall software????? Content-Type: multipart/mixed; boundary="------------449C2CA329B1" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This is a multi-part message in MIME format. --------------449C2CA329B1 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit "Rumor has it that there's a new software security product for webservers that protects the underlying OS and stops graffiti, flooding, etc., but still lets designers working remotely get through. Anybody heard of it -- who makes it, what it costs, how to obtain? 
--------------449C2CA329B1 Content-Type: application/octet-stream; name="forcerel.doc" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="forcerel.doc"

[Attached Word document forcerel.doc, decoded from base64; text content follows, document formatting dropped:]

FOLLOWING IS NEW VERSION WITH CORRECTED CONTACT PHONE

FOR IMMEDIATE RELEASE			CONTACT: 	Stacey Fairbairn
December 9, 1996					(301) 527-9500
							sef@tis.com

GAUNTLET FORCEFIELD™ FROM TIS REPELS ATTACKS ON WEB SERVERS
First Software Product to Comprehensively Address the Security of Web Servers

GLENWOOD, MD -- Trusted Information Systems (Nasdaq: TISX) today announced a first-of-its-kind product designed to end unwanted penetration of web servers. Based on Gauntlet® Internet Firewall technology, the Gauntlet ForceField helps prevent most common web server attacks, including graffiti and flooding. Gauntlet ForceField hardens the web server's operating system, repels attempts to penetrate the server system, and sets off "smoke alarms" when a penetration attempt is noted.

"Nobody wants to click on their home page and find the site full of some hacker's graffiti," says TIS Commercial Division President, Harvey Weiss. "ForceField puts the power of Gauntlet security to work to stop such attacks."

The new product includes a strong authentication process, so that a site's own webmaster, working remotely, can have access to the underlying HTML files. Users may also take advantage of the system's virtual private network capability -- the option of totally private remote access by authenticated users over an encrypted communication link to the web server.

- more -

Gauntlet ForceField will ship in January at a price of $495. Version 1.0 is designed to work with all UNIX-based web server products such as those from Netscape, Open Market, Apache and the National Center for Supercomputing Applications (NCSA). A version for Microsoft IIS is expected in early 1997.

See Forcefield demoed at Internet World, booth #951.
New York, December 11-13.

###

Trusted Information Systems, Inc., is a leading provider of comprehensive security solutions for protection of computer networks, including global Internet-based systems, internal networks and individual work stations and laptops. The company develops, markets, licenses and supports the Gauntlet® family of firewall products and other network security products, and provides cryptography and security consulting training, advanced research and engineering, and services for commercial and government customers. For more information, contact TIS at (301) 527-9500, or at http://www.tis.com on the World Wide Web.

--------------449C2CA329B1--

From firewalls-owner Mon Dec 9 14:53:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA21080 for firewalls-outgoing; Mon, 9 Dec 1996 13:49:07 -0800 (PST) Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA21051 for ; Mon, 9 Dec 1996 13:48:48 -0800 (PST) Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id PAA12455; Mon, 9 Dec 1996 15:38:14 -0500 Date: Mon, 9 Dec 1996 15:38:11 -0500 (EST) From: Rabid Wombat To: Ben cc: Danny Cox , firewalls@GreatCircle.COM Subject: Re: Scanning networks for dialups In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Mon, 9 Dec 1996, Ben wrote: > > worked with a network somewhere and ran a scan on it to find modems which > > were connected. > > > > In general, I'd worry more about the latter case, since employees often > hook up modems, run a PPP server so that they can get access to the > Internet from home for free by piggybacking on your company's connection. > This tends to be what the modems are used for. You could check for outbound access during non-business hours at the firewall, and log the source address.
If you see a pattern of after-hours usage, you've either got someone staying late to netsurf, or someone's got a piggyback connection as described above. You might need to weed out a few addresses if you have some 24x7 departments, etc. Watch for port 80 and also keep an eye out for 4000 and 9999, favorites of mudders. Also, you can use a protocol analyzer to keep a watch for routing related broadcasts coming from systems that should not be running any routing protocols. -r.w. From firewalls-owner Mon Dec 9 15:28:54 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA25920 for firewalls-outgoing; Mon, 9 Dec 1996 15:00:48 -0800 (PST) Received: from smtp.msp.tsg-usa.com (mntsg.tsg-usa.com [206.185.177.223]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA25862 for ; Mon, 9 Dec 1996 15:00:23 -0800 (PST) From: uhaas@tsg-usa.com Received: by smtp.msp.tsg-usa.com(Lotus SMTP MTA v1.01 (214.1 9-9-1996)) id 862563FB.007EB0C0 ; Mon, 9 Dec 1996 17:03:47 -0500 X-Lotus-FromDomain: TSG To: firewalls@greatcircle.com Message-ID: <862563FB:007E7425.00@smtp.msp.tsg-usa.com> Date: Mon, 9 Dec 1996 17:03:37 -0500 Subject: Re: Scanning networks for dialups Mime-Version: 1.0 Content-type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Also, don't forget about laptops/docking stations that typically have a modem and a LAN card. The modem is used for dialing into servers while out of the office, the LAN card while in the office. There is nothing that prevents that same modem from dialing out while in the office. Is your scan going to pick up all the laptops that aren't there presently? Are you going to run the scan every day? 
Urban ---------------------- Forwarded by Urban A Haas/TSG on 12-09-96 04:57 PM --------------------------- allyn @ allyn.com 12-09-96 07:08 AM To: dannyc @ gmap.leeds.ac.uk cc: firewalls @ GreatCircle.COM Subject: Re: Scanning networks for dialups Hello: I think it would be quite difficult to scan for outgoing calls from machines on your network. First of all, you would have to have access to each and every machine that is on your network. This includes everything from mainframes to the little desktop PC on everyone's desk. If your company has all of a very few types of machines and they are all tightly configured, you might be able to do it. You would have to have some sort of common software inventory software running on all of your platforms that reports back to some central database what it finds on the machine. Of course, the software would have to be tamper-proof so that someone who wants to dial out cannot tamper with the inventory software to hide the fact that they installed modem software. As I don't know much about the telephone system, I would have no idea how easy it would be to have something monitor each of your outgoing trunk lines for modem carriers; distinguish between outgoing modem calls and incoming modem calls into your central modem pool. There might be a possibility there. This would get more cumbersome as your enterprise span grows. Good Luck! Mark Allyn allyn@allyn.com ------------------------------------------------------------ Urban A. Haas Open Systems and Network Consulting Total Solutions Group Phone: (800) 423-8741 Ext. 
133; Fax: (612) 831-0509 Internet: uhaas@tsg-usa.com -or- mailto:uhaas@tsg-usa.com ------------------------------------------------------------ From firewalls-owner Mon Dec 9 15:37:03 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA24835 for firewalls-outgoing; Mon, 9 Dec 1996 14:44:47 -0800 (PST) Received: from abs.net (u1.abs.net [207.114.0.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA24784 for ; Mon, 9 Dec 1996 14:44:21 -0800 (PST) Received: from Pwyegroup (pm1-s21.abs.net [207.114.1.31]) by abs.net (8.8.3/8.7.3) with ESMTP id RAA07392 for ; Mon, 9 Dec 1996 17:43:52 -0500 (EST) Message-Id: <199612092243.RAA07392@abs.net> From: "Buff Colchagoff" To: Subject: packet filtering on NT? Date: Mon, 9 Dec 1996 17:44:13 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am new to the firewall scene. I'm on a project that needs an extensible NT packet filter to which we can add some authorization functionality. Does anyone know of such a product? If not, can someone recommend an NT TCP stack that we could modify to accomplish this task? Licensing/Cost is an issue. Any information is helpful. 
I'd appreciate an email buff@wyegroup.com From firewalls-owner Mon Dec 9 16:20:39 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA24856 for firewalls-outgoing; Mon, 9 Dec 1996 14:44:59 -0800 (PST) Received: from mesbne01.medeserv.com.au (mesbne01.medeserv.com.au [203.9.184.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA24815 for ; Mon, 9 Dec 1996 14:44:31 -0800 (PST) Received: (from mail@localhost) by mesbne01.medeserv.com.au (8.7.4/8.7.3) id IAA19807; Tue, 10 Dec 1996 08:43:57 +1000 (EST) Received: from tooh199.medeserv.com.au(203.9.187.199) by mesbne01 via smap (V1.3) id /mail/incoming/sma019800; Tue Dec 10 08:43:54 1996 Message-ID: <32AC9822.707B@medeserv.com.au> Date: Tue, 10 Dec 1996 08:52:18 +1000 From: Steven Herod Reply-To: sherod@medeserv.com.au Organization: Med-E-Serv.Connect X-Mailer: Mozilla 3.0 (WinNT; I) MIME-Version: 1.0 To: Ben CC: firewalls@greatcircle.com Subject: Re: Scanning networks for dialups References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Ben wrote: [snip] > > In general, I'd worry more about the latter case, since employees often > hook up modems, run a PPP server so that they can get access to the > Internet from home for free by piggybacking on your company's connection. > This tends to be what the modems are used for. This is probably off subject but... I think this all falls into the category of filtering illegal material out of HTTP. More a social solution than a technical one. But then I'm not a psychologist. (or a good speller) If you sent around emails explaining in polite terms the dire consequences of a penetration because of some wally and his modem (i.e. network being compromised, public execution of parties involved etc.) you might get a better response. 
I've found when it comes to passwords that ppl always select no or simple passwords - until you explain to them what *exactly* could happen to them if someone penetrated their account. (Funnily enough, the threat that someone could email the student population from a staff account has a motivating effect on academics). Presumably the theory holds true for other security problems. It's got to be worth a go before employing expensive (in time or money) techo methods. From firewalls-owner Mon Dec 9 16:38:09 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA21788 for firewalls-outgoing; Mon, 9 Dec 1996 14:02:48 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA21770 for ; Mon, 9 Dec 1996 14:02:34 -0800 (PST) Message-Id: <199612092202.OAA21770@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA082208903; Tue, 10 Dec 1996 09:01:43 +1100 From: Darren Reed Subject: Re: toolkit license To: mjr@mail.clark.net (Marcus J. Ranum) Date: Tue, 10 Dec 1996 09:01:43 +1100 (EDT) Cc: firewalls@GreatCircle.COM In-Reply-To: <199612091405.JAA17763@mail.clark.net> from "Marcus J. Ranum" at Dec 9, 96 09:06:40 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Marcus J. Ranum, sie said: [...] > I'm kind of surprised (and flattered) that the toolkit is still in > wide use, despite the fact that it's over 3 years old, which in > this industry is forever, and despite the fact that TIS has been > damning it with faint praises for 2 of those years. The FWTK has uses even on non-firewall systems. Take smapd, for example. 
Using that to receive internet mail instead of sendmail has been enough to provide protection from a number of sendmail bugs (be nice if sendmail 8 came with an equivalent sort of standalone daemon!), especially when combined with running sendmail as uucp. So, as long as the tools provide useful functionality without decreasing the security of the system (and sendmail continues to exist :-), it won't be obsolete. Darren From firewalls-owner Mon Dec 9 17:24:10 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA06246 for firewalls-outgoing; Mon, 9 Dec 1996 17:09:42 -0800 (PST) Received: from sun (sun.gfnorte.com.mx [192.100.234.15]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA06225 for ; Mon, 9 Dec 1996 17:09:26 -0800 (PST) Received: from MZamora.gfnorte.com.mx by sun (SMI-8.6/SMI-SVR4) id TAA03951; Mon, 9 Dec 1996 19:28:42 -0800 Message-ID: <32ACB7FA.9E@spin.com.mx> Date: Mon, 09 Dec 1996 19:08:10 -0600 From: "Marco A. Zamora Cunningham" Reply-To: mzamora@spin.com.mx Organization: Casa de Bolsa Banorte X-Mailer: Mozilla 3.0Gold (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Pointers to real-word TIS troubles/joys/configs? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, I've lurked this list for some months now, and I've acquired a fair-to-middlin' grasp of the basics. I'm about to set up a small, isolated net behind a TIS firewall on Linux RedHat 4.0, with my sights set on an upgrade to Gauntlet when the isolated net turns into a DMZ for our LAN; with a later upgrade to a Sun box with Gauntlet when our needs/bandwidth warrant it. This will be done by outside contractors, more as a quick-start than as a turnkey solution: I want to know enough to validate their installation and carry on from where they leave. 
Do any of you have any good pointers (which means, configuration tips, horror/love stories and/or URLs to resources I should know about)? TIA... Marco Zamora From firewalls-owner Mon Dec 9 17:26:06 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA04980 for firewalls-outgoing; Mon, 9 Dec 1996 16:52:58 -0800 (PST) Received: from manukau.govt.nz ([202.14.82.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA04937 for ; Mon, 9 Dec 1996 16:52:36 -0800 (PST) Received: by kotuku.manukau.govt.nz id <35722>; Tue, 10 Dec 1996 14:02:37 +1300 Message-Id: <96Dec10.140237nzdt.35722@kotuku.manukau.govt.nz> From: Matthew Thompson To: "'Todd Graham Lewis'" , "'firewalls@greatcircle.com'" Subject: RE: Delete permissions on files Date: Wed, 11 Dec 1996 15:47:43 +1300 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well golly gosh! Another gaping NT hole which does not exist in Unix! On your HP-UX system try:
    mkdir xx
    chmod 777 xx
    cd xx
    cp /dev/null yy
    chmod 0 yy
    rm yy
Gee, looks like my "nobody has access" Unix file is gone, and I can replace it with any other (But then hopefully everyone on this list knew that already). Now you know where the "Feature" in NT came from, for Posix compliance and Unix compatibility, to emulate the Unix behavior demonstrated above. On NT, set the permissions for that directory to "Change", and the permissions on the file to deny deletion, then try to delete the file, No Go! Wow! Surprising isn't it that granting "Full Control" to a directory actually gives you full control of its contents, Just Like Unix!, How Strange! The exact behaviour is a bit obscure, in that the no delete bit is ignored when full control is selected, and people who don't know what they're doing may be seduced by the GUI into thinking they do. 
Not a religious argument for NT, just: Unix-only guys, don't assume NT works just like Unix, actually read the manuals and work with the system, then spout an opinion based on reality not perceived reality. The strongest opinions on a given subject are generally held either by those who know everything about it or those who know nothing about it. --------------------------------------------------------------------- Kiwitech Marine Solutions Ltd. RaceTech, SailTech, PowerTech, Marine Software & Hardware Web: http://www.kiwitech.co.nz, Email: mthomps1@kiwitech.co.nz Phone: +64-9-307-0819 Fax: +64-9-307-6685 Mobile: +64-21-998-600 PO Box 5909, Wellesley Street, Auckland, New Zealand From firewalls-owner Mon Dec 9 18:23:13 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA12044 for firewalls-outgoing; Mon, 9 Dec 1996 18:09:34 -0800 (PST) Received: from smtp2.interramp.com (smtp2.interramp.com [38.8.200.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA11953 for ; Mon, 9 Dec 1996 18:08:55 -0800 (PST) Received: from davidh.interramp.com by smtp2.interramp.com (8.8.1/SMI-4.1.3-PSI-irsmtp) id UAA27425; Mon, 9 Dec 1996 20:57:26 -0500 (EST) Message-ID: <32ACB360.5418@checkpoint.com> Date: Mon, 09 Dec 1996 18:48:32 -0600 From: David Helms Reply-To: david.helms@checkpoint.com Organization: CheckPoint Software Technologies X-Mailer: Mozilla 3.0 (Win95; I) MIME-Version: 1.0 To: Darwin Martinez CC: firewalls@GreatCircle.COM Subject: Re: Load sharing References: <3.0.32.19961209092751.006b8ac4@lexicon.ins.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Darwin, This problem is handled by the 3.0 release of FW-1. An excerpt out of the 3.0 highlights document.... 
An industry first, FireWall-1 3.0's high-availability is designed to offer uninterrupted network connectivity by allowing multiple FireWall-1 installations on the network to share state tables. As a result, if one network connection fails, a backup firewall can take its place to maintain secure corporate Internet connectivity. In addition, this state table synchronization also provides a solution for firewalling enterprises that have asymmetric routing in their networks. FireWall-1's high availability ensures continuous Internet and Intranet access to and within the corporation. The full text of the 3.0 announcement is available at http://www.checkpoint.com/press/30release.html Regards, David Helms Darwin Martinez wrote: > > All: > > At my client site, we are implementing a second firewall, preferably for > load sharing of data to / from the Internet. We are currently using FW-1 on > HPUX for both machines. We have a Cisco environment, and are trying to > decide the best way to implement load sharing across 2 firewalls. Our goal > is to have one machine completely handle all traffic should either machine > fail, this way eliminating a single point of failure. We currently have > default route statements in each router pointing to our firewall. Could we > have 2 default route statements in each router? Cisco supports this, but > I'm concerned about what happens (if it would happen) if the routers > themselves begin to load share, i.e. send one packet to fw #1, next packet > to fw #2, etc. This shouldn't affect TCP based data, but what about UDP > based data? > > Each fw would have a separate path to the external (Internet) router, but > each fw would (could?) be fed by the same two (closest) internal routers? > > Any ideas. > > TIA. > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > Darwin L. 
Martinez Voice: 404-843-5954 > Network Systems Engineer Pager: 888-346-1320 > International Network Services Vmail: 770-641-4004 > Atlanta Office Email: > > http://www.ins.com > > "Frank Zappa and the Mothers, were at the best place around." > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -- __________________________________ David Helms Senior Technical Consultant CheckPoint Software Technologies ph 703.684.4824 fx 703.684.4847 davidh@checkpoint.com __________________________________ From firewalls-owner Mon Dec 9 18:51:18 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA13230 for firewalls-outgoing; Mon, 9 Dec 1996 18:22:24 -0800 (PST) Received: from ns1.ntshop.com ([207.91.166.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA12201 for ; Mon, 9 Dec 1996 18:10:51 -0800 (PST) Received: from beast.ntshop.net ([207.91.166.3]) by ns1.ntshop.com (post.office MTA v2.0 0813 ID# 153-13296) with SMTP id AAA191 for ; Mon, 9 Dec 1996 20:12:57 -0600 Received: by beast.ntshop.net with Microsoft Mail id <01BBE60C.F6691B20@beast.ntshop.net>; Mon, 9 Dec 1996 20:10:03 -0600 Message-ID: <01BBE60C.F6691B20@beast.ntshop.net> From: Mark Joseph Edwards To: "'firewalls@greatcircle.com'" Subject: Another IIS Bug Date: Mon, 9 Dec 1996 20:10:00 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Wanna see something ridiculous? Telnet to your favorite (?) IIS Web server on port 80 (of course) and enter this "GET ../.." and press ENTER. The Web server crashes! Geez. Talk about denial of service.......... 
mark From firewalls-owner Mon Dec 9 20:08:31 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA28047 for firewalls-outgoing; Mon, 9 Dec 1996 19:57:19 -0800 (PST) Received: from fishhead.eye-on.co.il (fishhead.eye-on.co.il [194.90.39.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA28002 for ; Mon, 9 Dec 1996 19:57:01 -0800 (PST) Received: from unallocated9.eye-on.co.il (unallocated9.eye-on.co.il [194.90.195.203]) by fishhead.eye-on.co.il (NTMail 3.02.11) with ESMTP id ba005773 for ; Tue, 10 Dec 1996 05:56:01 +0200 Comments: Authenticated sender is From: "Yehuda Hahn" To: firewalls@GreatCircle.COM Date: Tue, 10 Dec 1996 05:56:09 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Is NT really that bad? Reply-to: ygh@cfsnet.com X-mailer: Pegasus Mail for Win32 (v2.42) X-Info: Focus Communications, Ltd. Message-Id: <03560172800870@eye-on.co.il> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Guys, after browsing this list for a few days I realize this is an extremely controversial issue, but: if I want to protect a small NT network whose sole purpose is to provide a SSL web server, can I do so safely by configuring an NT firewall to provide access to port 443 exclusively? The network presents data from a legacy network (linked via SNA Server) that controls about US $15 billion, so security is a massive issue, but the people I spoke to said that if I only allow access to port 443 using NT's built-in security features and use even MS Proxy Server I can prevent all break-in attacks. (I'm not overly concerned about denial-of-service attacks.) My test configuration uses Checkpoint FW-1 on NT, with NetBEUI as the internal network protocol bound to the internal card and a non-routable IP address on the internal web server. The Checkpoint machine is not part of the domain and has no permissions there. 
All standard security precautions pertaining to NT were taken (auditing, flag monitoring, password cracking, file and registry permissions, etc.) throughout the network and the project was already approved, but I am concerned about the underlying OS. Flames anyone? Thanx, Yehuda ****************** Yehuda Hahn Technical Director Focus Lion Communications, Ltd. 6 Yannai Street Jerusalem http://www.eye-on.co.il #define QUESTION ((bb) | !(bb)) From firewalls-owner Mon Dec 9 20:38:21 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA02063 for firewalls-outgoing; Mon, 9 Dec 1996 20:34:01 -0800 (PST) Received: from ashanti.webmaster.net (ashanti.webmaster.net [205.160.174.210]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA02034 for ; Mon, 9 Dec 1996 20:33:41 -0800 (PST) Received: (from jason@localhost) by ashanti.webmaster.net (8.8.4/8.8.4) id XAA04031; Mon, 9 Dec 1996 23:29:12 -0500 (EST) To: sjones@Aptech.com (Samuel D. Jones) Cc: firewalls@GreatCircle.COM Subject: Re: PGP on Solaris x86 References: <199612092117.NAA19757@amos.Aptech.com> From: jason@Mastaler.COM (Jason R. Mastaler) Date: 09 Dec 1996 23:29:11 -0500 In-Reply-To: sjones@Aptech.com's message of Mon, 9 Dec 1996 13:17:42 -0800 Message-ID: Lines: 30 X-Mailer: Red Gnus v0.74/XEmacs 19.14 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk sjones@Aptech.com (Samuel D. Jones) writes: > Has anyone compiled PGP on Solaris x86 > using the SunPro compiler? Try the patch below. Optionally you could use GCC and the GNU assembler (gas) available from the binutils-2.7.tar.gz package on ftp.gnu.ai.mit.edu in /pub/gnu. *** makefile.orig Thu Jul 25 11:41:31 1996 --- makefile Thu Jul 25 11:42:37 1996 *************** *** 113,119 **** # Assembly-language subroutine dependencies _80386.o: 80386.S ! $(CPP) $(ASMDEF) 80386.S > _80386.s $(ASM) -o $@ _80386.s rm -f _80386.s --- 113,119 ---- # Assembly-language subroutine dependencies _80386.o: 80386.S ! 
$(CPP) $(ASMDEF) 80386.S | grep -v '^# ' > _80386.s $(ASM) -o $@ _80386.s rm -f _80386.s From firewalls-owner Mon Dec 9 20:53:30 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA01993 for firewalls-outgoing; Mon, 9 Dec 1996 20:32:53 -0800 (PST) Received: from oldman.steinkamm.com (OldMan.Steinkamm.COM [194.127.175.225]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA01921 for ; Mon, 9 Dec 1996 20:32:30 -0800 (PST) Received: (from arne@localhost) by oldman.steinkamm.com (8.8.3/8.8.3) id FAA10181; Tue, 10 Dec 1996 05:31:40 +0100 (MET) From: Arne Steinkamm Message-Id: <199612100431.FAA10181@oldman.steinkamm.com> Subject: Re: Delete permissions on files To: mthomps1@kiwitech.co.nz (Matthew Thompson) Date: Tue, 10 Dec 1996 05:31:39 +0100 (MET) Cc: lists@reflections.mindspring.com, firewalls@GreatCircle.COM In-Reply-To: <96Dec10.140237nzdt.35722@kotuku.manukau.govt.nz> from "Matthew Thompson" at Dec 11, 96 03:47:43 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Well golly gosh! Another gaping NT hole which does not exist in Unix! > > On your HP-UX system try: > mkdir xx > chmod 777 xx > cd xx > cp /dev/null yy > chmod 0 yy > rm yy > > Gee looks like my "no body has access" Unix file is gone, and I can replace > it with any other (But then hopefully everyone on this list knew that > already). And that's the reason we have permissions on directories and the sticky bit. Is something similar in NT ? Greetings .//. Arne -- Arne Steinkamm | Mail (MIME): Arne@Steinkamm.COM IRC: Arne Tel.: +49.89.299.756 | URL: http://WWW.Steinkamm.COM/ NIC-Handle: AS306 Robert-Koch-Str. 4 | "There's coffee in that nebula" D-80538 Muenchen | Cptn. 
Kathryn Janeway, ST:VOY - The Cloud From firewalls-owner Mon Dec 9 21:15:08 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA01873 for firewalls-outgoing; Mon, 9 Dec 1996 20:31:45 -0800 (PST) Received: from Athena.McRCIM.McGill.EDU (Athena.McRCIM.McGill.EDU [132.206.4.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA01855 for ; Mon, 9 Dec 1996 20:31:36 -0800 (PST) Received: from Twinky.McRCIM.McGill.EDU (Twinky.McRCIM.McGill.EDU [132.206.8.6]) by 8067 on Athena.McRCIM.McGill.EDU (8.6.10) with ESMTP id XAA08067 for ; Mon, 9 Dec 1996 23:31:09 -0500 From: Pierre-Jules Tremblay Received: (trep@localhost) by Twinky.McRCIM.McGill.EDU (8.6.10/8.6.9) id EAA04111 for firewalls@greatcircle.com; Tue, 10 Dec 1996 04:31:08 GMT Message-Id: <199612100431.EAA04111@Twinky.McRCIM.McGill.EDU> Subject: The Unix over NT firewall debate To: firewalls@greatcircle.com Date: Mon, 9 Dec 1996 23:31:08 -0500 (EST) X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It seems to me both the security purists and the NT users are speaking a different tongue entirely. In my opinion, it must be realized that there are only two distinct 'clienteles' for firewalls: 1) those that require absolute security 2) those that don't. To the security purist, this will appear as an all-or-nothing situation; however, for the typical relatively non-technical manager, it does not. In the same way you can argue that the anti-theft steering wheel bar is meant to discourage potential thieves, you could say many would be satisfied with such an ineffective device protecting their network (these people would fall in category 2). Of course, you could also argue that it's an invitation to the clever to 'show you' just how poorly you are protected. 
When someone asks me for a good firewall solution, they also ask me why I trust that it's good. With NT, I'd have to answer either "I don't know" or "somebody else says that (...)". I invariably recommend a Unix-based firewall to people of group 1. As for group 2, how about recommending that critical data be moved using a different protocol? All that's left to do is to turn off inbound services on the local net, install a decent packet-filtering router, and you're done. These guys don't need a firewall, NT or otherwise. If the above doesn't cut it for you, then a "somewhere in the middle" security solution won't cut it either. -- Pierre-Jules Tremblay | CIM mailto:trep@cim.mcgill.ca | McGill University http://www.cim.mcgill.ca/~trep/Home.html | Montreal, Canada From firewalls-owner Mon Dec 9 21:41:35 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA06698 for firewalls-outgoing; Mon, 9 Dec 1996 21:23:54 -0800 (PST) Received: from ns1.ntshop.com ([207.91.166.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA06675 for ; Mon, 9 Dec 1996 21:23:43 -0800 (PST) Received: from beast.ntshop.net ([207.91.166.3]) by ns1.ntshop.com (post.office MTA v2.0 0813 ID# 153-13296) with SMTP id AAA91; Mon, 9 Dec 1996 23:26:09 -0600 Received: by beast.ntshop.net with Microsoft Mail id <01BBE627.F31D0920@beast.ntshop.net>; Mon, 9 Dec 1996 23:23:13 -0600 Message-ID: <01BBE627.F31D0920@beast.ntshop.net> From: Mark Joseph Edwards To: "'Lee Seong Koo'" Cc: "'firewalls@greatcircle.com'" Subject: RE: Another IIS Bug Date: Mon, 9 Dec 1996 23:23:10 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Oooooooo. Shame shame. Trying to crash microsoft..... It appears this problem is not in all IIS versions. I would guess that Microsoft is running Merchant Server, not generic IIS. 
Some systems are not vulnerable to this, but I haven't discovered why yet....I think maybe older versions of IIS, and perhaps NT 3.51 as well. Anyone else know yet? mark -----Original Message----- From: Lee Seong Koo [SMTP:klbcardl@hitel.kol.co.kr] Sent: Monday, December 09, 1996 10:10 PM To: Mark Joseph Edwards Subject: Re: Another IIS Bug Hi all I tried "telnet www.server.my 80" and "GET ../.." My server crashed. and I tried "telnet www.microsoft.com 80" and "GET ../.." but, MS' www server was not crashed. Why not? At 08:10 PM 96/12/09 -0600, you wrote: > >Wanna see something ridiculous? > >Telnet to your favorite (?) IIS Web server on port 80 (of course) and enter this "GET ../.." and press ENTER. > >The Web server crashes! Geez. Talk about denial of service.......... > >mark > > > From firewalls-owner Mon Dec 9 21:52:55 1996 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA07425 for firewalls-outgoing; Mon, 9 Dec 1996 21:28:15 -0800 (PST) Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA07381 for ; Mon, 9 Dec 1996 21:28:00 -0800 (PST) Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id WAA11134; Mon, 9 Dec 1996 22:27:22 -0700 Received: from beckio.precise.ab.ca(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd11132aaa; Mon Dec 9 22:27:15 1996 Received: (from uucp@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id WAA02619; Mon, 9 Dec 1996 22:27:13 -0700 From: Bob Beck Received: from UNKNOWN(192.168.20.5), claiming to be "chocolate.obtuse.com" via SMTP by snouts.obtuse.com, id smtpd02617aaa; Mon Dec 9 22:27:09 1996 Received: (from beck@localhost) by chocolate.obtuse.com (8.7.5/8.7.3) id WAA03492; Mon, 9 Dec 1996 22:27:23 -0700 Message-Id: <199612100527.WAA03492@chocolate.obtuse.com> Subject: Re: "Fair to Middling" firewalls and 
"Firewall Wizard" To: adam@homeport.org (Adam Shostack) Date: Mon, 9 Dec 1996 22:27:23 -0700 (MST) Cc: firewalls@greatcircle.com In-Reply-To: <199612100302.WAA05711@homeport.org> from "Adam Shostack" at Dec 9, 96 10:02:03 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [ I originally sent this to Adam alone, he gets it twice, oops - B] Adam Shostack reportedly said: > I've deleted a good part of Bob's excellent post, to disagree > with a few of his assessments. I do (usually) agree that you should > do it right, however, I think that there may be a drift to allowing > the best to be the enemy of the good. > > Compare a simple packet filter to no perimeter defenses. The > packet filter I'll hypothesize about is one that denies all but a > liberally chosen set of services. That is, everything not explicitly > permitted is denied, but the permit list is on the large side. I > think most would agree that this is not very good. However, it does > protect the organization against a large number of easy attacks, and > misconfigured machine on the inside. The classic "Always go fishing in bear country with someone who doesn't run as fast as you" model. I agree, and thanks for making the point, since it looks like the original post could be taken to mean "don't do anything if you can't go all the way". The ambiguity is probably in what I meant by "doing it right". Making a conscious decision ahead of time to use the simple packet filter and knowing what the risks/rewards are is sort of what I was alluding to with "conventional security and a few filters on your router". I.E. you now have at least some sort of rudimentary security policy that hopefully more than just one person in the organization knows about, You've now "done it right". When not "done right" (i.e. 
implemented haphazardly with no planning and education) I've certainly seen firewalls that did more harm than good when all was said and done.

"Doing it right" in this sense takes some investment of resources, particularly if you don't already have any of the skill set in house. If you're small, low risk, and can't justify making the investment, then you *may* (probably not usually) be better off simply accepting the net at face value for all its warts. I've certainly seen organizations do that, and in some cases I've even thought the decision wasn't completely wrong. Most people reading this probably aren't in that category, but you may meet someone who is.

-Bob
--
Bob Beck
Obtuse Systems Corporation
beck@obtuse.com
http://www.obtuse.com/
True Evil hides its real intentions in its street address. Search and you shall find it, and the truth shall set you free.

From firewalls-owner Mon Dec 9 22:13:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA10448 for firewalls-outgoing; Mon, 9 Dec 1996 21:58:25 -0800 (PST)
Received: from trumpet.aix.calpoly.edu (trumpet.aix.calpoly.edu [129.65.65.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id VAA10424 for ; Mon, 9 Dec 1996 21:58:09 -0800 (PST)
Received: by trumpet.aix.calpoly.edu (AIX 3.2/UCB 5.64/4.03) id AA06034; Mon, 9 Dec 1996 21:57:15 -0800
Date: Mon, 9 Dec 1996 21:57:15 -0800 (PST)
From: "R. E. Paret"
To: Mark Joseph Edwards
Cc: "'firewalls@greatcircle.com'"
Subject: Re: Another IIS Bug
In-Reply-To: <01BBE60C.F6691B20@beast.ntshop.net>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 9 Dec 1996, Mark Joseph Edwards wrote:
>
> Wanna see something ridiculous?
>
> Telnet to your favorite (?) IIS Web server on port 80 (of course) and enter this "GET ../.." and press ENTER.
>
> The Web server crashes! Geez. Talk about denial of service..........
>
> mark
>

The only thing ridiculous here is your post. Not only is it off topic, but that bug you mentioned was fixed VERSIONS ago. There have been many other bugs since then (like phf) which have also been patched, making any DOS attack using that method totally ineffective.

R. E. Paret

From firewalls-owner Mon Dec 9 22:23:06 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA12014 for firewalls-outgoing; Mon, 9 Dec 1996 22:10:40 -0800 (PST)
Received: from ns1.ntshop.com ([207.91.166.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id WAA11889 for ; Mon, 9 Dec 1996 22:10:16 -0800 (PST)
Received: from beast.ntshop.net ([207.91.166.3]) by ns1.ntshop.com (post.office MTA v2.0 0813 ID# 153-13296) with SMTP id AAA168 for ; Tue, 10 Dec 1996 00:12:42 -0600
Received: by beast.ntshop.net with Microsoft Mail id <01BBE62E.72A32840@beast.ntshop.net>; Tue, 10 Dec 1996 00:09:44 -0600
Message-ID: <01BBE62E.72A32840@beast.ntshop.net>
From: Mark Joseph Edwards
To: "'firewalls@greatcircle.com'"
Subject: RE: Another IIS Bug
Date: Tue, 10 Dec 1996 00:09:42 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ooops. Wrong list......and a long day. I didn't mean to ruffle your feathers.....

-----Original Message-----
From: R. E. Paret [SMTP:rparet@trumpet.aix.calpoly.edu]
Sent: Monday, December 09, 1996 11:57 PM
To: Mark Joseph Edwards
Cc: 'firewalls@greatcircle.com'
Subject: Re: Another IIS Bug

On Mon, 9 Dec 1996, Mark Joseph Edwards wrote:
>
> Wanna see something ridiculous?
>
> Telnet to your favorite (?) IIS Web server on port 80 (of course) and enter this "GET ../.." and press ENTER.
>
> The Web server crashes! Geez. Talk about denial of service..........
>
> mark
>

The only thing ridiculous here is your post. Not only is it off topic, but that bug you mentioned was fixed VERSIONS ago.
There have been many other bugs since then (like phf) which have also been patched, making any DOS attack using that method totally ineffective.

R. E. Paret

From firewalls-owner Mon Dec 9 22:56:14 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA11193 for firewalls-outgoing; Mon, 9 Dec 1996 22:04:49 -0800 (PST)
Received: from fishhead.eye-on.co.il (fishhead.eye-on.co.il [194.90.39.20]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA11150 for ; Mon, 9 Dec 1996 22:04:28 -0800 (PST)
Received: from microtoad.eye-on.co.il (microtoad.eye-on.co.il [194.90.39.26]) by fishhead.eye-on.co.il (NTMail 3.02.11) with ESMTP id ma005784 for ; Tue, 10 Dec 1996 08:03:31 +0200
Received: by microtoad.eye-on.co.il with Microsoft Mail id <01BBE670.9AFDF1C0@microtoad.eye-on.co.il>; Tue, 10 Dec 1996 08:03:19 +0200
Message-ID: <01BBE670.9AFDF1C0@microtoad.eye-on.co.il>
From: "Yehuda G. Hahn"
To: "'Bob Beck'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: Is NT really that bad?
Date: Tue, 10 Dec 1996 08:07:28 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Info: CyberCorp Financial Services Network
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The only thing behind the firewall is the service. However, the service does use ISAPI extensions, Active Server scripts, and other such CGI extensions. The program is written to block all CGI subversion efforts using a custom three-homed data firewall that detects and blocks data attacks assuming no TCP/IP or network attacks disable it first. The service would become irrelevant if someone were to learn the LSA password for one of the internal machines and turn off auditing, for example.

As to outgoing ports, the service does not use any, so I'm planning on allowing any to begin with.

Thanx
Yehuda

Yehuda G. Hahn
Technical Director
Focus Lion Communications, Ltd.
6 Yannai Street, Suite 1
Jerusalem Israel
Tel. +972 2-622-1352
Fax. +972 2-622-1289
E-mail: ygh@cfsnet.com
URL: http://www.eye-on.co.il/

-----Original Message-----
From: Bob Beck [SMTP:beck@obtuse.com]
Sent: Tuesday, December 10, 1996 7:22 AM
To: ygh@cfsnet.com
Subject: Re: Is NT really that bad?

Put it this way, *I* wouldn't do it with NT, since I know I can do a better job with Unix, and I do have experience with both. NT is definitely (IMNSHO) the riskier, but Unix isn't without risk either, in spite of what all the religious zealots on both sides of the fence will say to you. If it's as simple as you say, you're probably not in bad shape with either. For serious purposes I'd still stick to Unix, but that advantage only works when properly used and configured. Both can be misconfigured easily too :-)

You mentioned 443 (https) in. Are you allowing anything out? I.e. are there users behind the firewall or just the service? If there are users behind I'd be more worried. I'd also be more worried if the https server is doing more things than just serving documents, i.e. is it doing CGI. If that's the case then you must be *much* more careful, and in that case I might take a second look at how secure you are if a CGI script gets away from you.

I'm sure you'll get lots of opinions. You'll have to be the one to sort it out, and with that much in dollar value behind it I'm sure you'll live in interesting times. I suggest, when you do make your decision and implement it, have it audited by someone else who had nothing to do with the process of implementing it.

Good luck!

-Bob

>
> Guys, after browsing this list for a few days I realize this is an extremely controversial issue, but: if I want to protect a small NT network whose sole purpose is to provide a SSL web server, can I do so safely by configuring an NT firewall to provide access to port 443 exclusively?
> The network presents data from a legacy network (linked via SNA Server) that controls about US $15 billion, so security is a massive issue, but the people I spoke to said that if I only allow access to port 443 using NT's built-in security features and use even MS Proxy Server I can prevent all break-in attacks. (I'm not overly concerned about denial-of-service attacks.) My test configuration uses Checkpoint FW-1 on NT, with NetBEUI as the internal network protocol bound to the internal card and a non-routable IP address on the internal web server. The Checkpoint machine is not part of the domain and has no permissions there. All standard security precautions pertaining to NT were taken (auditing, flag monitoring, password cracking, file and registry permissions, etc.) throughout the network and the project was already approved, but I am concerned about the underlying OS. Flames anyone?
>
> Thanx,
>
> Yehuda
>
>
> ******************
> Yehuda Hahn
> Technical Director
> Focus Lion Communications, Ltd.
> 6 Yannai Street
> Jerusalem
> http://www.eye-on.co.il
>
> #define QUESTION ((bb) | !(bb))
>

From firewalls-owner Mon Dec 9 22:58:41 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA11074 for firewalls-outgoing; Mon, 9 Dec 1996 22:03:59 -0800 (PST)
Received: from gw.research.megasoft.com (gw.research.megasoft.com [206.230.35.93]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id WAA11030 for ; Mon, 9 Dec 1996 22:03:46 -0800 (PST)
Received: (from uucp@localhost) by gw.research.megasoft.com (8.7.5/8.7.3-cmcurtin) id BAA09172; Tue, 10 Dec 1996 01:02:24 -0500 (EST)
Received: from goffette.research.megasoft.com(192.168.1.2) by gw.research.megasoft.com via smap (V1.3) id sma009170; Tue Dec 10 01:02:13 1996
Received: by goffette.research.megasoft.com (940816.SGI.8.6.9/940406.SGI) id AAA10294; Tue, 10 Dec 1996 00:56:11 -0500
Date: Tue, 10 Dec 1996 00:56:11 -0500
Message-Id: <199612100556.AAA10294@goffette.research.megasoft.com>
From: C Matthew Curtin
To: Doug Greenwald
Cc: firewalls-digest@GreatCircle.COM
Subject: Re: OAI - basic firewall hardware sizing question
In-Reply-To:
References:

Doug> given that we're probably always going to be a 40-50 person
Doug> company and that we won't be a high profile target, could i
Doug> reasonably run the firewall-1 software on a sparcstation 2 or
Doug> should i go for a sparc 5 or 10?

This part of firewall design is just like any other sort of system engineering. The (seemingly) simple question of resource requirements, capacity planning, etc., is an interesting one.

First of all, you need to define what it is that you're going to do with it (which you've done below). Then, you'll need to determine what the critical resources of what you're going to do are.
You'll need to figure out how much of a given critical resource you're going to have to have available at various points throughout the day, and might even want to do a little gazing into your crystal ball to see what's coming down the road next month, next quarter, next half, next year.

The real difference between your choices here is processor speed. There are going to be other things, too, I'm sure, but the biggest thing when choosing among a SPARC 2, 5, and 10 is CPU.

Generally speaking, your critical resource on a gateway/router type machine is going to be your OS' socket performance. CPU is also necessary, since you're going to be doing a fair bit of fork'ing/exec'ing most likely. And, naturally, you need lots of memory in order to prevent hitting swap. And tons of disk space to throw your logs on.

SPARC-based machines are nice. They're rock-solid and you don't need to worry about them. You can yank the keyboard and monitor, throw a null-modem into ttya and hook it up to some serial device and have console access from remote. I really like Solaris 2.5+ ... nice and stable. The socket performance hasn't been terribly impressive, though. Sun announced a while back a supplement that will take care of that. I've not used it myself, though, so I can't really comment in any sort of useful way on it.

http://www.sun.com/solaris/products/siss/prodspec.html

Now, that having been said, you might find that your resources and your environment will make some other options more suitable for you. I myself have been using fast Pentium-based machines running FreeBSD for firewall-type machines these days. Setups like this have several advantages. The network performance is faster than any other I've seen, you've got complete source to the OS itself (as opposed to source to the OS from which the one you're using was derived), and it's usually less expensive.
(Now, getting an Intel system doesn't necessarily mean running out to Best Buy and grabbing the first thing they shove in your face. I still recommend getting good motherboards that use parity RAM, PCI interfaces for everything and SCSI for your disks, CDs, etc. Even so, parts (i.e., ethernet boards, etc.) are inexpensive and easy to get.)

I typically shove about 64MB RAM in bastion hosts for groups about the size of your user base, though it depends, since there might be other things running on the system or some other special requirements that change that. RAM is pretty cheap now, and it's better to go overboard with too much memory than to do the opposite. Swapping is your (worst?) enemy on that kind of system.

There are, of course, disadvantages to going this way. They're more difficult to remotely manage (i.e., via remote console access), it'll require you to do more crawling around in configuration, code, etc., to get things up and running. You'll have to watch things yourself to stay up to date on patches and such (i.e., there won't be a FreeBSD rep around to tell you about the newest release of this-or-that.)

Basically, it comes down to how much you want to do yourself, and how much you're willing to pay to not have to. (And how much you're willing to trust someone else (i.e., Sun) to provide you with good stuff...)

The really interesting figure, though, is cost over time. There isn't a whole lot of difference between the prices of a good Intel-based server machine and a SPARC box these days, but when you look at it over time, you might find that the difference in price isn't really that significant.

Just more stuff to think about ...

--
Matt Curtin cmcurtin@research.megasoft.com Megasoft, Inc Chief Scientist
http://www.research.megasoft.com/people/cmcurtin/
I speak only for myself.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet

From firewalls-owner Mon Dec 9 23:24:08 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA19567 for firewalls-outgoing; Mon, 9 Dec 1996 23:21:54 -0800 (PST)
Received: from garanti1.garanti.com.tr ([194.54.51.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA19529; Mon, 9 Dec 1996 23:21:36 -0800 (PST)
Received: from Mailhub by garanti1.garanti.com.tr id AA06848; Tue, 10 Dec 1996 09:21:06 +0300
Received: from GarantiUser by GarantiMailServer id AA29858; Tue, 10 Dec 1996 09:20:03 +0300
Received: by SMTPGW.FW.GARANTI.COM.TR with Microsoft Mail id <32AD9B9F@SMTPGW.FW.GARANTI.COM.TR>; Tue, 10 Dec 96 09:19:27 PST
From: "Cihan Subasi (Garanti Tic)"
To: firewall-digest, firewall-perf, firewall
Subject: test.....
Date: Tue, 10 Dec 96 09:19:00 PST
Message-Id: <32AD9B9F@SMTPGW.FW.GARANTI.COM.TR>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

somehow I cannot send mail to the group.....
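An added example, written for this archive and not taken from any message above: a small first-match packet-filter evaluator that puts side by side the policies the list has been arguing about, the default-deny filter with an explicit permit list from the Adam Shostack / Bob Beck exchange, the "443 in, allow anything out" plan in Yehuda Hahn's reply, and no perimeter filter at all. The addresses are constructed from the RFC 5737 documentation ranges and the rule and flow classes are hypothetical; nothing here is the syntax of FW-1 or any real filter.

```python
"""First-match packet-filter policy evaluator (added example, constructed data).

Models the policies discussed on the list: default-deny with an explicit
permit list, versus "443 in, anything out", versus no perimeter filter.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" = from the Internet, "out" = from the internal net
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None     # CIDR; None matches any
    dst: Optional[str] = None
    dport: Optional[int] = None
    note: str = ""

    def matches(self, f: Flow) -> bool:
        if self.direction not in (None, f.direction):
            return False
        if self.proto not in (None, f.proto):
            return False
        if self.src is not None and ip_address(f.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(f.dst) not in ip_network(self.dst):
            return False
        return self.dport in (None, f.dport)


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins; if nothing matches, the policy default applies."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.note
    return default, "policy default"


# Constructed addresses from the RFC 5737 documentation ranges (hypothetical).
WEB = "192.0.2.10"
INTERNAL_NET = "192.0.2.0/24"

# "Allow 443 in, allow anything out": inbound is default-deny and does its job,
# but egress is wide open.
open_egress = [
    Rule("permit", "in", "tcp", dst=WEB + "/32", dport=443, note="https to web server"),
    Rule("permit", "out", src=INTERNAL_NET, note="any outbound allowed"),
]

# Same inbound rule, egress limited to what the service actually needs (nothing),
# so a host whose CGI "gets away from you" cannot open sessions to the outside.
# The explicit deny only documents what the default already does.
tight_egress = [
    Rule("permit", "in", "tcp", dst=WEB + "/32", dport=443, note="https to web server"),
    Rule("deny", "out", src=INTERNAL_NET, note="service initiates no outbound traffic"),
]

# No perimeter filter at all: everything is decided by a permit-by-default policy.
no_filter: List[Rule] = []

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("in", "tcp", "198.51.100.7", WEB, 443),    # legitimate https client
    Flow("in", "tcp", "198.51.100.7", WEB, 139),    # NetBIOS probe from outside
    Flow("in", "udp", "198.51.100.7", WEB, 161),    # SNMP probe, no explicit rule for it
    Flow("out", "tcp", WEB, "198.51.100.7", 6667),  # web server opening an outbound session
]


def audit(rules: List[Rule], default: str = "deny",
          flows: List[Flow] = SAMPLE_FLOWS) -> List[str]:
    """Return the verdict for each sample flow under the given policy."""
    return [evaluate(rules, f, default)[0] for f in flows]


if __name__ == "__main__":
    for name, rules, default in [("open egress", open_egress, "deny"),
                                 ("tight egress", tight_egress, "deny"),
                                 ("no filter", no_filter, "permit")]:
        print(f"{name:13s} {audit(rules, default)}")
```

The two probes from outside are stopped by either default-deny policy without any rule naming them, which is the protection Adam's "liberal" filter still buys; the only verdict that differs between the two filtered policies is the web server's own outbound session, which is exactly the question Bob asked ("Are you allowing anything out?").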
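An added example for the "Another IIS Bug" thread earlier on this page, not code from any poster: the request line quoted there ("GET ../..") is an HTTP/0.9-style simple request with a relative, dot-dot target, which a strict parser in a filtering proxy can refuse before it ever reaches a fragile origin server. The sample request lines are constructed, and the check function and its names are hypothetical.

```python
"""Request-line screening for an HTTP filtering proxy (added example, constructed input).

A proxy in front of a fragile server can refuse request lines that a strict
parser would never accept, instead of passing them through to the origin.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# method SP request-target [SP HTTP-version]; the version is optional only so
# that HTTP/0.9-style "simple requests" can be recognised and refused.
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+)(?: (HTTP/\d\.\d))?$")


def check_request_line(line: str) -> Tuple[bool, str]:
    """Return (accept, reason) for one raw request line."""
    line = line.rstrip("\r\n")
    m = REQUEST_LINE.match(line)
    if m is None:
        return False, "malformed request line"
    method, target, version = m.groups()
    if version is None:
        return False, "HTTP/0.9 simple request (no version) refused"
    if not target.startswith("/"):
        return False, "request-target is not an absolute path"
    # Decode percent-encoding and treat backslash as a separator before looking
    # for dot-dot segments, so encoded or backslashed spellings are caught too.
    # Only the path is examined; the query string is application data.
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    if ".." in path.split("/"):
        return False, "dot-dot segment in path"
    return True, "ok"


# Constructed sample request lines; the first is the bare line from the thread.
SAMPLE_LINES = [
    "GET ../..",
    "GET /index.html HTTP/1.0",
    "GET /docs/../../private.txt HTTP/1.0",
    "GET /docs/%2e%2e/private.txt HTTP/1.1",
    "GET /cgi-bin/search?q=../.. HTTP/1.0",
    "GET /a b HTTP/1.0",
]


def screen(lines: List[str] = SAMPLE_LINES) -> List[bool]:
    """Accept/refuse verdict for each sample line."""
    return [check_request_line(l)[0] for l in lines]


if __name__ == "__main__":
    for l in SAMPLE_LINES:
        ok, why = check_request_line(l)
        print(f"{'ACCEPT' if ok else 'REFUSE':6s} {l!r}: {why}")
```

Refusing at the proxy is the layered answer to "some systems are not vulnerable and some are": it does not depend on knowing which IIS build is behind the firewall, and the refusal reason gives the log entry a defender would want to alert on.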
From firewalls-owner Tue Dec 10 00:27:02 1996
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA24498 for firewalls-outgoing; Tue, 10 Dec 1996 00:20:46 -0800 (PST)
Received: from myall.awadi.com.au (myall.awadi.com.AU [150.207.2.65]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA24483 for ; Tue, 10 Dec 1996 00:20:28 -0800 (PST)
Received: from bunya.awadi ([150.207.2.63]) by myall.awadi.com.au (8.7.5/8.7.3) with SMTP id SAA16314; Tue, 10 Dec 1996 18:49:35 +1030 (CST)
Received: from mallee.awadi by bunya.awadi (SMI-8.6/SMI-SVR4) id SAA01656; Tue, 10 Dec 1996 18:49:33 +1030
Received: by mallee.awadi (SMI-8.6/SMI-SVR4) id SAA06478; Tue, 10 Dec 1996 18:49:31 +1030
From: blymn@awadi.com.au (Brett Lymn)
Message-Id: <199612100819.SAA06478@mallee.awadi>
Subject: Re: OAI - basic firewall hardware sizing question
To: cmcurtin@research.megasoft.com
Date: Tue, 10 Dec 1996 18:48:39 +1030 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199612100556.AAA10294@goffette.research.megasoft.com> from "C Matthew Curtin" at Dec 10, 96 00:56:11 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to C Matthew Curtin:
>
> There are, of course, disadvantages to going this way. They're more
> difficult to remotely manage (i.e., via remote console access),

Um no, I don't think so. At least in the version of NetBSD I am running there is code for you to have a serial console on the i386 architecture (NetBSD supports a lot of architectures, if you want to find out more hit http://www.netbsd.org for an up to date list). I have not tried it out myself but it looks like the f