From firewalls-owner Sat Mar 1 01:31:53 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id BAA05209 for firewalls-outgoing; Sat, 1 Mar 1997 01:13:05 -0800 (PST)
Received: from smtp.gte.net (radius3.gte.net [206.124.68.25]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id BAA05195 for ; Sat, 1 Mar 1997 01:12:55 -0800 (PST)
Received: from pc-1 (dfw73005.gte.net [206.124.73.5]) by smtp.gte.net (SMI-8.6/) via SMTP id DAA05041 for ; Sat, 1 Mar 1997 03:11:12 -0600
Message-Id: <2.2.32.19970301090833.009c0288@mail.gte.net>
X-Sender: csncr@mail.gte.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 01 Mar 1997 03:08:33 -0600
To: Firewalls@GreatCircle.COM
From: "James W. Thornton"
Subject: SGI Guantlet Firewalls?
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We are going to purchase two Origin 2000 systems from SGI. SGI offers Gauntlet for their firewall server. We are also looking at Sun for a firewall. Is anybody running a Sun or SGI for their firewall that can give me some input? Since we are running SGI for our main servers, is there any reason to run Sun instead of SGI for a firewall?

Note: Price is not an issue, because we have a good source for SGI equipment that will allow us to get SGI at about the same price as comparable Sun equipment.
From firewalls-owner Sat Mar 1 03:16:47 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id DAA15538 for firewalls-outgoing; Sat, 1 Mar 1997 03:03:49 -0800 (PST)
Received: from pha-web.chipnet.cz (pha-web.chipnet.cz [194.213.202.36]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id DAA15513 for ; Sat, 1 Mar 1997 03:03:27 -0800 (PST)
Received: from WNTS02BDC.chipnet.cz by pha-web.chipnet.cz with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1389.3) id F5XY9GVP; Sat, 1 Mar 1997 12:02:06 +0100
Message-ID: <33175B56.29A6@chipnet.cz>
Date: Fri, 28 Feb 1997 23:25:26 +0100
From: Pavel Galynin
X-Sender: Pavel Galynin (Unverified)
X-Mailer: Mozilla 4.0b1 (Win95; I)
MIME-Version: 1.0
To: Todd Graham Lewis
CC: crumrig@us-state.gov, Firewalls Mailing List
Subject: Re: virus checking
X-Priority: Normal
References:
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Todd Graham Lewis wrote:
>
> > Besides, I think cleaning up a virus at the wall as something comes in
> > is a ton easier than having to clean up 4 thousand machines, don't you?
>
> Which is why I say that ActiveX should be filtered at the firewall. Does
> no one else see the similarity? Why do we treat these two issues
> differently?

If we introduce any such analogy, then W95 and NT should be filtered at the firewall too..

Paul.

> > __
> Todd Graham Lewis                       MindSpring Enterprises
> tlewis@mindspring.com

From firewalls-owner Sat Mar 1 07:46:47 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id HAA25499 for firewalls-outgoing; Sat, 1 Mar 1997 07:44:23 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id HAA25492 for ; Sat, 1 Mar 1997 07:44:17 -0800 (PST)
From: Wilner.Catwalk@DOCKMASTER.NCSC.MIL
Received: from DOCKMASTER.NCSC.MIL by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-961106) id HAA05089; Sat, 1 Mar 1997 07:40:52 -0800 (PST)
Date: Sat, 1 Mar 97 10:40 EST
Subject: Re: Stack overflows in firewalls
To: firewalls@GreatCircle.COM
Message-ID: <970301154008.614775@DOCKMASTER.NCSC.MIL>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Ranum writes:

>> remind us what you've done to deserve either

Please, no p***ssing contests here. Chief architect and sole developer of the only MLS RDBMS to be approved by NSA, DISA, and others; co-chair of two NCSC working groups (admittedly a little while ago); details on my Web page.

>> Dennis and Brian said . . .

I beg you, do not be a "name dropper."

I'm still looking for the contradiction that you claim I included in my last posting. Nor was there disrespect. As for "elders," I think I am about six months younger than you.
From firewalls-owner Sat Mar 1 08:02:38 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id HAA25926 for firewalls-outgoing; Sat, 1 Mar 1997 07:55:39 -0800 (PST)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id HAA25910 for ; Sat, 1 Mar 1997 07:55:30 -0800 (PST)
Received: from mhoward-pc.cisco.com (mhoward-isdn1.cisco.com [171.68.19.2]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id HAA02779; Sat, 1 Mar 1997 07:53:54 -0800 (PST)
Message-Id: <2.2.32.19970301155655.00765ff4@diablo.cisco.com>
X-Sender: mhoward@diablo.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sat, 01 Mar 1997 07:56:55 -0800
To: SKLAVON@MAIL.STATE.WI.US, "firewalls(a)greatcircle.com"
From: Matthew Howard
Subject: Re: PIX / Gauntlet blocking Telnet
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The PIX can, for sure. Plus, we can do transparent user authentication inside-out and outside-in (no re-configuration for client or server). TACACS+ or Radius can be used for central authentication, including token cards.

Matt

At 03:53 PM 2/28/97 -0600, SKLAVON@MAIL.STATE.WI.US wrote:
>
>
>We have two ICS systems, (internal control system), one is located in our
>vendor's location, one within our offices. The vendor wrote the software.
>Both crunch the same data and are cross-checked multiple times per day to
>by us and an independent auditor to verify that no tampering has taken
>place. Both systems receive data from the same 3 hosts via telnet. How
>can we prevent the vendor or others from telneting into the host, and
>from there into our ICS? We have PIX and Gauntlet available to us. As the
>application is custom, no proxy will be available. Can a telnet session
>from the host be distinguished from a telnet session originating
>elsewhere and coming through a trusted host?
>
>sklavon@mail.state.wi.us
>
>
>

Matthew Howard                                      mhoward@cisco.com
Sr. Product Line Manager                            408-526-4720 (voice)
Internet Appliances and Applications                408-527-8122 (fax)
Cisco Systems Inc.
170 West Tasman Drive
Building VM2 (corner of First St. & Vista Montana)
San Jose, CA 95134

From firewalls-owner Sat Mar 1 08:46:59 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA28846 for firewalls-outgoing; Sat, 1 Mar 1997 08:38:35 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id IAA28807 for ; Sat, 1 Mar 1997 08:38:21 -0800 (PST)
Received: (qmail 2509 invoked from smtpd); 1 Mar 1997 16:36:44 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 1 Mar 1997 16:36:44 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id KAA14224; Sat, 1 Mar 1997 10:36:43 -0600
Received: by sonic.nmti.com; id AA06615; Sat, 1 Mar 1997 10:28:32 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9703011628.AA06615@sonic.nmti.com.nmti.com>
Subject: Re: virus checking
To: pgalynin@chipnet.cz (Pavel Galynin)
Date: Sat, 1 Mar 1997 10:28:32 -0600 (CST)
Cc: lists@reflections.mindspring.com, crumrig@us-state.gov, firewalls@GreatCircle.COM
In-Reply-To: <33175B56.29A6@chipnet.cz> from "Pavel Galynin" at Feb 28, 97 11:25:26 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> If we introduce any such analogy, then W95 and NT should be filtered at
> the firewall too..

You mean SMB (netbios-ssn/netbios-ns, ports 139 and 137)? They sure should be.
From firewalls-owner Sat Mar 1 10:46:55 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA04361 for firewalls-outgoing; Sat, 1 Mar 1997 10:30:47 -0800 (PST)
Received: from emout10.mail.aol.com (emout10.mx.aol.com [198.81.11.25]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id KAA04354 for ; Sat, 1 Mar 1997 10:30:41 -0800 (PST)
From: AniFreez@aol.com
Received: (from root@localhost) by emout10.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id NAA24231 for firewalls@greatcircle.com; Sat, 1 Mar 1997 13:29:08 -0500 (EST)
Date: Sat, 1 Mar 1997 13:29:08 -0500 (EST)
Message-ID: <970301132907_1115035466@emout10.mail.aol.com>
To: firewalls@greatcircle.com
Subject: How do I get off this list.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi, I am a teenager who saw this mailing list in the alt.2600 FAQ, and so I joined it, but it was not interesting to me. I accidentally deleted my letter telling me how to get off the list. Could someone help me remove myself from this list? Thank you.
From firewalls-owner Sat Mar 1 11:32:03 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id LAA06721 for firewalls-outgoing; Sat, 1 Mar 1997 11:17:40 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id LAA06711 for ; Sat, 1 Mar 1997 11:17:31 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id OAA18664; Sat, 1 Mar 1997 14:13:06 -0500 (EST)
From: Adam Shostack
Message-Id: <199703011913.OAA18664@homeport.org>
Subject: Re: stack bounds checking
In-Reply-To: <199702201443.QAA00293@morden.sandelman.ottawa.on.ca> from Michael Richardson at "Feb 20, 97 04:41:52 pm"
To: mcr@sandelman.ottawa.on.ca (Michael Richardson)
Date: Sat, 1 Mar 1997 14:13:05 -0500 (EST)
Cc: firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Michael Richardson wrote:
| Ask the vendor to see their implementation of snprintf(). They
| shouldn't have a problem showing that small piece of code to you. The
| fact that they can find it, and know what it means should be taken as
| an indication that they understand the problem. There are still lots
| of OSes that do not ship snprintf() as part of libc.
|
| Ask to see their coding practice document.
|
| Ask to see their test case summary.

Both good points. Another good question is "how big is this code you're claiming is secure?"

I also look for install scripts that run as something other than root, and then get invoked by a small shell script (or somesuch), minimizing work done as root.

"Can I see your documentation" is only good if you'd like the vendor to get apoplectic. :)

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                                        -Hume

From firewalls-owner Sat Mar 1 11:46:55 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id LAA07264 for firewalls-outgoing; Sat, 1 Mar 1997 11:25:59 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id LAA07240 for ; Sat, 1 Mar 1997 11:25:48 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id OAA18683; Sat, 1 Mar 1997 14:21:46 -0500 (EST)
From: Adam Shostack
Message-Id: <199703011921.OAA18683@homeport.org>
Subject: Re: RPC's through the firewall
In-Reply-To: <199702281537.KAA18678@interport.net> from cyerkes at "Feb 28, 97 10:37:04 am"
To: chuck@snew.com
Date: Sat, 1 Mar 1997 14:21:46 -0500 (EST)
Cc: firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

cyerkes wrote:
| Okay, a question for you all. I *have* to run rpc's through a
| firewall. The client needs to have programs on the internet use
| RPC's that they wrote execute on an internal machine. In fact,
| one of the purposes of the firewall is to protect this machine.
| They can also force their programs to only run in a certain
| range of ports, so I think that I *should* be able to allow
| access to portmapper and this range of programs.

Why allow access to the portmapper? One of portmapper's features* is to allow it to forward a packet to a service, making it appear that the request came from localhost. Allowing access to portmapper thus could open any other RPC service to attack. Better to allow access only to a few ports, and not allow portmapper.

Also, scan the machine from time to time as part of your weekly activities, and ensure that no other services are enabled. (rpcinfo | grep -v expected)

* Yes, it is a feature. It was designed to allow a request to come in, get mapped, and be processed with only a single UDP packet. (Security critical software shouldn't have features.)

Adam
--
"It is seldom that liberty of any kind is lost all at once."
                                                        -Hume

From firewalls-owner Sat Mar 1 12:01:52 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id LAA07697 for firewalls-outgoing; Sat, 1 Mar 1997 11:34:32 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id LAA07668 for ; Sat, 1 Mar 1997 11:34:18 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id OAA18719; Sat, 1 Mar 1997 14:30:19 -0500 (EST)
From: Adam Shostack
Message-Id: <199703011930.OAA18719@homeport.org>
Subject: Re: NT 4.0 DNS & Split DNS ??
In-Reply-To: <41242F632110D0118B4500A024BF7EB00536D3@grail.austin.swinc.com> from "Webb, Andy" at "Feb 17, 97 10:18:57 am"
To: Andy.Webb@swinc.com (Webb, Andy)
Date: Sat, 1 Mar 1997 14:30:19 -0500 (EST)
Cc: firewalls@GreatCircle.COM, bve@quadrix.com
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(I was away from mail for a while, sorry to re-open the thread)

Where's the CERT advisory? *Many* people rely on CERT to tell them when there's a problem they need to fix. Unless shown otherwise, I believe that Microsoft is not allowing CERT to issue an advisory so they can point to all those CERT advisories on UNIX systems and say, 'See, we don't have those security problems.'

This is not a religious flame, it's an observation of a business decision. The same applies to Apple, Novell, DEC wrt VMS, IBM MVS, etc.

Adam

Webb, Andy wrote:
| A little clarification:
| The DNS and RPC problems HAVE BEEN FIXED. Go to Microsoft's FTP site
| ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP2/
|
| Posting this information is good. But please try not to increase the
| hysteria any by leaving out the fact that the fixes are available.

--
"It is seldom that liberty of any kind is lost all at once."
                                                        -Hume

From firewalls-owner Sat Mar 1 12:16:51 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id MAA10050 for firewalls-outgoing; Sat, 1 Mar 1997 12:03:49 -0800 (PST)
Received: from pha-web.chipnet.cz (pha-web.chipnet.cz [194.213.202.36]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id MAA10009 for ; Sat, 1 Mar 1997 12:03:30 -0800 (PST)
Received: from BUNNY.chipnet.cz by pha-web.chipnet.cz with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1389.3) id F5XY9GZA; Sat, 1 Mar 1997 21:02:01 +0100
Message-ID: <3317D9E6.2595@chipnet.cz>
Date: Sat, 01 Mar 1997 08:25:26 +0100
From: Pavel Galynin
X-Sender: Pavel Galynin (Unverified)
X-Mailer: Mozilla 4.0b1 (Win95; I)
MIME-Version: 1.0
To: harley@icrf.icnet.uk
CC: firewalls@GreatCircle.COM
Subject: Re: virus checking
X-Priority: Normal
References: <199702281740.JAA00906@mycroft.GreatCircle.COM>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As far as I know, everything on this thread was ON TOPIC, since the messages which don't have the words *FIREWALL* or *VIRUSWALL* are _not_ necessarily off topic. Many people benefited from an explanation about polymorphic viruses, because now they understand the problems of designing a worthwhile viruswall better. If you are not interested in the discussion for any reason, it doesn't mean that everybody else isn't and/or shouldn't be.

Paul.

> I don't think this list is the place to lock horns on virus/antivirus
> technology. I suggest that we restrict any discussion not notably
> relevant to firewalls/viruswalls to Email.
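Adam Shostack's RPC reply above recommends exposing only the application's own ports, keeping the portmapper unreachable, and running "rpcinfo | grep -v expected" periodically to confirm nothing else has been registered on the protected host. The script below is an added example, not code from that post or from anyone on the list: it turns that one-liner into a check with an explicit allowlist of RPC program numbers, so a new registration (an NFS or mountd left enabled, say) is reported instead of scrolling past. The program numbers, the sample rpcinfo output and the function names are constructed for illustration; on a real host you would feed it the live output of rpcinfo -p.

```shell
#!/bin/sh
# Added example (not code from any post on this page): a repeatable form of
# "rpcinfo | grep -v expected". Registrations whose program number is not on
# the allowlist are reported so they can be disabled.

# Program numbers allowed to be registered (constructed policy: 100000 is the
# portmapper itself, 300999 stands in for the client's own RPC programs;
# substitute the real numbers from your application).
EXPECTED_PROGRAMS="100000 300999"

# Constructed sample in the layout `rpcinfo -p` prints; nfs/mountd are the
# kind of leftovers the weekly scan is meant to catch.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    300999    1   tcp  32771
    300999    1   udp  32771
    100005    1   udp    635  mountd
    100003    2   udp   2049  nfs'

# Reads `rpcinfo -p` output on stdin. Prints "program proto port service" for
# every registration whose program number is not in EXPECTED_PROGRAMS.
# Exit status: 0 when nothing unexpected is registered, 1 otherwise.
unexpected_rpc_services() {
    awk -v allowed="$EXPECTED_PROGRAMS" '
        BEGIN { n = split(allowed, list, " "); for (i = 1; i <= n; i++) ok[list[i]] = 1 }
        $1 == "program" { next }                 # column header line
        NF < 4          { next }                 # blank or malformed line
        !($1 in ok)     { found++; print $1, $3, $4, ($5 == "" ? "(unnamed)" : $5) }
        END             { exit found ? 1 : 0 }
    '
}

# Run the check against the constructed sample; same exit status as above.
check_sample() {
    printf '%s\n' "$SAMPLE_RPCINFO" | unexpected_rpc_services
}

# Run the check against a live host. `rpcinfo -p host` is the standard way to
# list its registrations; this is the call to put in the weekly cron job.
check_host() {
    rpcinfo -p "$1" | unexpected_rpc_services
}

# Stand-alone run: report on the sample.
if out=$(check_sample); then
    echo "no unexpected RPC services registered"
else
    echo "unexpected RPC services registered:"
    echo "$out"
fi
```

Keep EXPECTED_PROGRAMS short and tied to the change-control record for the host; the point of the allowlist is that every line the check prints is something somebody has to explain or remove.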
From firewalls-owner Sat Mar 1 12:31:55 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id MAA12867 for firewalls-outgoing; Sat, 1 Mar 1997 12:25:06 -0800 (PST)
Received: from pha-web.chipnet.cz (pha-web.chipnet.cz [194.213.202.36]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id MAA12830 for ; Sat, 1 Mar 1997 12:24:52 -0800 (PST)
Received: from BUNNY.chipnet.cz by pha-web.chipnet.cz with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1389.3) id F5XY9GZ1; Sat, 1 Mar 1997 21:23:19 +0100
Message-ID: <3317DEE4.4C23@chipnet.cz>
Date: Sat, 01 Mar 1997 08:46:44 +0100
From: Pavel Galynin
X-Sender: Pavel Galynin (Unverified)
X-Mailer: Mozilla 4.0b1 (Win95; I)
MIME-Version: 1.0
To: harley@icrf.icnet.uk
CC: firewalls@GreatCircle.COM
Subject: Re: virus checking
X-Priority: Normal
References: <199702281656.IAA00664@mycroft.GreatCircle.COM>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Agreed. Pavel, if we shouldn't be scanning at the wall because
> of the latency that heuristic scanning entails, and we shouldn't
> be scanning at the desktop because of these unspecified security
> holes, where do you think we -should- be scanning? B-)

At this point we should be scanning at the desktop and lock floppy drives. Right now I'm working on a project that should yield means of decreasing overhead dramatically enough to allow complete scanning of all potentially dangerous packets.

Paul.
From firewalls-owner Sat Mar 1 12:32:56 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id LAA08669 for firewalls-outgoing; Sat, 1 Mar 1997 11:50:02 -0800 (PST)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id LAA08622 for ; Sat, 1 Mar 1997 11:49:47 -0800 (PST)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0w0ulQ-0004GCC (Debian Smail-3.2 1996-Jul-4 #2); Sat, 1 Mar 1997 20:48:12 +0100 (MET)
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Sat, 1 Mar 97 20:48 MET
Received: by lina.inka.de id m0w0tzO-00016mC (Debian Smail-3.2 1996-Jul-4 #2); Sat, 1 Mar 1997 19:58:14 +0100 (CET)
Message-ID: <19970301195813.51832@inka.de>
Date: Sat, 1 Mar 1997 19:58:13 +0100
From: Bernd Eckenfels
To: mshines@purdue.edu
Cc: firewalls@greatcircle.com
Subject: Re: Apache proxy on Firewall...
References: <3315912c2bd6002@scribe.cc.purdue.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.61
In-Reply-To: <3315912c2bd6002@scribe.cc.purdue.edu>; from Michael S Hines on Feb 02, 1997 at 08:59:48AM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> If you accept Beizer's hypothesis of one residual flaw per one hundred lines of
> tested source code then a very large multipurpose application has more
> chance of containing more bugs a small simple single purpose application.
>
> Right?

Well.. not completely. The hundreds of lines of code for other purposes may have more bugs, but they are never executed. This is especially true for Apache, where you can remove all unneeded modules. (Of course it is still bigger than squid or a generic plug-gw, for example.) But you have to make a tradeoff between security, performance and features.

Greetings
Bernd

--
  (OO)     -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )    ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)   If privacy is outlawed only Outlaws have privacy

From firewalls-owner Sat Mar 1 12:47:08 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id MAA14722 for firewalls-outgoing; Sat, 1 Mar 1997 12:39:55 -0800 (PST)
Received: from pha-web.chipnet.cz (pha-web.chipnet.cz [194.213.202.36]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id MAA14627 for ; Sat, 1 Mar 1997 12:39:25 -0800 (PST)
Received: from BUNNY.chipnet.cz by pha-web.chipnet.cz with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1389.3) id F5XY9GZ2; Sat, 1 Mar 1997 21:37:52 +0100
Message-ID: <3317E24D.1DD9@chipnet.cz>
Date: Sat, 01 Mar 1997 09:01:17 +0100
From: Pavel Galynin
X-Sender: Pavel Galynin (Unverified)
X-Mailer: Mozilla 4.0b1 (Win95; I)
MIME-Version: 1.0
To: Peter da Silva
CC: lists@reflections.mindspring.com, crumrig@us-state.gov, firewalls@GreatCircle.COM
Subject: Re: virus checking
X-Priority: Normal
References: <9703011628.AA06615@sonic.nmti.com.nmti.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Peter da Silva wrote:
>
> > If we introduce any such analogy, then W95 and NT should be filtered at
> > the firewall too..
>
> You mean SMB (netbios-ssn/netbios-ns, ports 139 and 137)? They sure should be.

No, I mean that W95 is a VIRUS, since a virus, loosely and philosophically and non-computer-relatedly and generally described, is something that spreads and causes harm. W95 spreads, no questions about that; it makes people stupid, even fewer doubts about that; and it makes people bankrupt, if you know what I mean..

Paul.
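Bernd's reply above leans on Beizer's rough estimate of one residual flaw per hundred lines of tested code, and Adam Shostack's messages on this page suggest asking a vendor how big the code is and grepping it for strcat, strcpy, system and popen. The script below is an added example, not code from either poster or from any vendor mentioned: it runs that first pass over a source tree, reporting line count, the Beizer-style estimate, every call to a routine on a short watch list, and whether snprintf is used at all. The two sample files, the watch list and the function names are assumptions constructed for illustration; point the functions at a real tree to use them.

```shell
#!/bin/sh
# Added example, not code from any post or vendor on this page: a first pass
# over a source tree answering "how big is it?" (Beizer's one-flaw-per-hundred
# lines estimate) and "where does it call routines that need a close look?"

# Routines worth a second look when reading vendor code (constructed list:
# unbounded string handling plus command execution).
SUSPECT_CALLS='strcpy|strcat|sprintf|gets|system|popen'

# Build a small constructed source tree in a temp directory; prints its path.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/proxy.c" <<'EOF'
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/* constructed sample: one bounded copy, two calls that need scrutiny */
void log_host(const char *h) { char buf[64]; strcpy(buf, h); puts(buf); }
void run(const char *cmd) { system(cmd); }
void ok(const char *h) { char buf[64]; snprintf(buf, sizeof buf, "%s", h); puts(buf); }
EOF
    cat > "$dir/util.c" <<'EOF'
#include <string.h>
/* constructed sample: an unbounded append in a helper */
void join(char *dst, const char *a) { strcat(dst, a); }
EOF
    printf '%s\n' "$dir"
}

# Total lines of C source (*.c, *.h) under the directory given as $1.
count_c_lines() {
    find "$1" -name '*.[ch]' -exec cat {} + | wc -l | tr -d ' '
}

# Beizer-style estimate of residual flaws: lines / 100, one decimal place.
estimated_residual_flaws() {
    awk -v lines="$(count_c_lines "$1")" 'BEGIN { printf "%.1f\n", lines / 100 }'
}

# One "file:line:text" per source line that names a suspect routine.
# -w matches whole identifiers only, so vsprintf is not reported as sprintf.
find_suspect_calls() {
    find "$1" -name '*.[ch]' -exec grep -nHE -w "$SUSPECT_CALLS" {} +
}

# Exit 0 if any source file under $1 uses snprintf, 1 otherwise.
uses_snprintf() {
    find "$1" -name '*.[ch]' -exec grep -lw snprintf {} + | grep -q .
}

# Print the whole report for a tree.
audit_report() {
    echo "lines of C source:       $(count_c_lines "$1")"
    echo "Beizer estimate (flaws): $(estimated_residual_flaws "$1")"
    if uses_snprintf "$1"; then
        echo "snprintf used:           yes"
    else
        echo "snprintf used:           no"
    fi
    echo "calls to look at:"
    find_suspect_calls "$1"
}

# Stand-alone run against the constructed tree.
tree=$(make_sample_tree)
audit_report "$tree"
rm -rf "$tree"
```

The grep output is a reading list, not a verdict: as Shostack says, the next step is to look at the paranoia around each call. The line count is what makes the Beizer figure usable, and it is also the number to compare against the vendor's answer to "how big is the code you're claiming is secure?"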
From firewalls-owner Sat Mar 1 12:50:29 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id MAA09818 for firewalls-outgoing; Sat, 1 Mar 1997 12:00:37 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id MAA09802 for ; Sat, 1 Mar 1997 12:00:29 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id OAA18917; Sat, 1 Mar 1997 14:55:29 -0500 (EST)
From: Adam Shostack
Message-Id: <199703011955.OAA18917@homeport.org>
Subject: Re: Firewall Sparc platforms?y
In-Reply-To: from Brian Tackett at "Feb 26, 97 09:32:56 am"
To: cym@acrux.net (Brian Tackett)
Date: Sat, 1 Mar 1997 14:55:28 -0500 (EST)
Cc: armin@data.tops.net, firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Brian Tackett wrote:
| > because if you have a problem with NT or solaris at some point you must
| > believe what Mr. support@mikisoft.com says,
| > if you have the source you can beginn from scratch. Therefore, guess what
| > compiler i use.......
|
| And how many people are there who can realistically expect to sit down,
| look through the code to a modern operating system, and detect security
| breaches, bugs, etc? I submit that while there are many such people
| extant, not nearly as many as you may think :)

While it is not a complete solution, grepping the source can be very useful. You can use it to find things that call strcat, or strcpy. (You don't actually need the source to do this.) Programs that call either are usually the result of programmers dangerously lacking in knowledge about libc.

It also allows you to find things like system or popen, so you can examine the paranoia surrounding the calls.

Except in rare cases, this stuff is not rocket science.
(http://www.esrin.esa.it/htdocs/tidc/Press/Press96/ariane5rep.html)

Adam
--
"It is seldom that liberty of any kind is lost all at once."
                                                        -Hume

From firewalls-owner Sat Mar 1 13:07:17 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id MAA10216 for firewalls-outgoing; Sat, 1 Mar 1997 12:05:42 -0800 (PST)
Received: from news.acrux.net (pluto.acrux.net [207.51.199.3]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id MAA10206 for ; Sat, 1 Mar 1997 12:05:29 -0800 (PST)
Received: from pluto (pluto [207.51.199.3]) by news.acrux.net (8.8.3/8.8.3) with SMTP id OAA13310; Sat, 1 Mar 1997 14:02:06 -0600 (CST)
Date: Sat, 1 Mar 1997 14:02:05 -0600 (CST)
From: Brian Tackett
X-Sender: cym@pluto
To: Adam Shostack
cc: firewalls@GreatCircle.COM
Subject: Re: Firewall Sparc platforms?y
In-Reply-To: <199703011955.OAA18917@homeport.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sat, 1 Mar 1997, Adam Shostack wrote:

> While it is not a complete solution, grepping the source can
> be very useful. You can use it to find things that call strcat,
> or strcpy. (You don't actually need the source to do this.) Programs
> that call either are usually the result of programmers dangerously
> lacking in knowledge about libc.
>
> It also allow you to find things like system or popen, so you
> can examine the paranoia surrounding the calls.

And you'll notice that I was fairly clear that having source is a Good Thing. It is not, however, the Only Thing :) Source is not required, as you pointed out, to examine what system calls are being made. Having the source is a bonus, a benefit, but IMHO it is not the end-all of product evaluation, at least not at the level at which most products are evaluated.

> Except in rare cases, this stuff is not rocket science.
> (http://www.esrin.esa.it/htdocs/tidc/Press/Press96/ariane5rep.html)

No, it is not rocket science. But, as someone who has spent many an hour poring through firewall and other security product source, I can testify that neither is it the most efficient way to spend your time. In any sufficiently useful piece of software, there is a level of complexity which requires a certain amount of time to unravel, especially in products which are poorly documented at the source level.

From firewalls-owner Sat Mar 1 13:10:28 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id MAA10486 for firewalls-outgoing; Sat, 1 Mar 1997 12:08:34 -0800 (PST)
Received: from extra.infocable.cl (extra.infocable.cl [200.29.55.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id MAA10358 for ; Sat, 1 Mar 1997 12:07:54 -0800 (PST)
Received: by extra.infocable.cl (951211.SGI.8.6.12.PATCH1042/951211.SGI.AUTO) for <@extra.infocable.cl:firewalls@greatcircle.com> id RAA06853; Sat, 1 Mar 1997 17:06:11 -0800
Received: from infocable.cl(192.10.1.2) by extra via smap (3.1) id xma006851; Sat, 1 Mar 97 17:05:45 -0800
Received: from intranet (intranet2.tls.cl [192.10.1.3]) by infocable.cl (950413.SGI.8.6.12/950213.SGI.AUTOCF.edo.patch) via SMTP id RAA04363 for ; Sat, 1 Mar 1997 17:05:44 -0800
Message-ID: <3318D268.41C6@infocable.cl>
Date: Sat, 01 Mar 1997 17:05:44 -0800
From: "Eduardo Romero U."
Organization: Infocable Chile.
X-Mailer: Mozilla 3.0C-SGI (X11; I; IRIX 6.2 IP22)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: Re: SGI Guantlet Firewalls?
References: <2.2.32.19970301090833.009c0288@mail.gte.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

James W. Thornton wrote:
>
> We are going to purchase two Origin 2000 systems from SGI. SGI offers
> Gauntlet for their firewall server. We are also looking at Sun for a
> firewall. Is anybody running a SUN or SGI for their firewall that can give
> me some input. Since we are running SGI for our main servers, is there any
> reason to run Sun instead of SGI for a firewall. Note: Price is not an
> issue, because we have a good source for SGI equipment that will allow us to
> get SGI at about the same price as comparable Sun equipment.

I'm using an Indy R5000 with Irix 5.3 and Gauntlet 3.1; the system works almost fine [this has a proxy also, and with only 64 MB RAM]. It uses Netscape as the admin interface, and uses many scripts written in Perl; the problem is that the options and params offer little information, and the manual is the only reference [almost a tourist guide]. The other problem is that many of the programs are small scripts [sh, perl] that could be hacked easily, but the manuals don't offer details about it. Another detail is that TIS or another org. offers a mailing list about this product.

Edo.
Infocable Chile

From firewalls-owner Sat Mar 1 13:46:53 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id NAA23338 for firewalls-outgoing; Sat, 1 Mar 1997 13:35:15 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.100.4]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id NAA23304 for ; Sat, 1 Mar 1997 13:35:01 -0800 (PST)
From: harley@icrf.icnet.uk
Message-Id: <199703012135.NAA23304@miles.greatcircle.com>
Received: by europa.lif.icnet.uk; Sat, 1 Mar 1997 21:33:36 GMT
Subject: Re: virus checking
To: firewalls@greatcircle.com
Date: Sat, 1 Mar 1997 21:33:35 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Agreed. Pavel, if we shouldn't be scanning at the wall because
> > of the latency that heuristic scanning entails, and we shouldn't
> > be scanning at the desktop because of these unspecified security
> > holes, where do you think we -should- be scanning? B-)

> At this point we should be scanning at the desktop and lock floppy
> drives.

If you mean disabling floppy booting or changing the boot sequence from A,C to C,A, I'm all in favour of that. If you mean disabling floppy access altogether, I disagree. If you get that draconian, the bad guys have won, and it's quite unnecessary: good on-access scanning, a virus-aware backup strategy etc. should reduce the risks to an acceptable level.

> Right now I'm working on a project that should yield means of decreasing
> overhead dramatically enough to allow complete scanning of all
> potentially dangerous packets.

Can't wait. B-)

--
David Harley                        \ | /    alt.comp.virus FAQ
D.Harley@icrf.icnet.uk               \ | /    & Anti-Virus Web Page
Support & Security Analyst            \ | /    Folk London On-Line gig-list
Imperial Cancer Research Fund      ____\|/____ http://webworlds.co.uk/dharley/

From firewalls-owner Sat Mar 1 14:01:59 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id NAA24614 for firewalls-outgoing; Sat, 1 Mar 1997 13:43:29 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id NAA24563 for ; Sat, 1 Mar 1997 13:43:14 -0800 (PST)
Received: (qmail 3175 invoked from smtpd); 1 Mar 1997 21:41:35 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 1 Mar 1997 21:41:35 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id PAA04065; Sat, 1 Mar 1997 15:41:34 -0600
Received: by sonic.nmti.com; id AA08327; Sat, 1 Mar 1997 15:33:24 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9703012133.AA08327@sonic.nmti.com.nmti.com>
Subject: Re: virus checking
To: pgalynin@chipnet.cz (Pavel Galynin)
Date: Sat, 1 Mar 1997 15:33:24 -0600 (CST)
Cc: harley@icrf.icnet.uk, firewalls@GreatCircle.COM
In-Reply-To: <3317DEE4.4C23@chipnet.cz> from "Pavel Galynin" at Mar 1, 97 08:46:44 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We should scan for viruses everywhere we can afford to do so. In SMTP, HTTP, and NNTP transfers. At the desktop. On fileservers. Anywhere it's economically cost-effective to install a scanner.

But that's only the first stage...

We should discourage the use of operating systems and configurations that encourage viruses to spread. Unfortunately it's not economically feasible to stop using Microsoft Windows. It would be useful if someone could come up with a cookbook approach to securing an NT Workstation so that no system programs or applications were writable by a non-privileged user, but it was still possible to run these applications after installing them as an administrator.

I have tried doing this myself, and while NT with NTFS is probably up to the job, my efforts have so far left me with broken and unusable copies of the applications we need NT for in the first place.

If it were possible to get versions of these applications that ran under UNIX (in my case Digital UNIX) where application writers are used to their applications not being able to write to places like /etc and /bin (the equivalents of %systemroot% and the application home directories), it would help enormously. But so far I haven't seen that happening...

From firewalls-owner Sat Mar 1 14:32:09 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id OAA01364 for firewalls-outgoing; Sat, 1 Mar 1997 14:29:05 -0800 (PST)
Received: from smtp2.erols.com (smtp2.erols.com [205.252.116.102]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id OAA01349 for ; Sat, 1 Mar 1997 14:28:56 -0800 (PST)
Received: from bdwilner.erols.com (spg-as45s84.erols.com [207.172.113.168]) by smtp2.erols.com (8.8.5/8.8.5) with SMTP id RAA08963 for ; Sat, 1 Mar 1997 17:27:19 -0500 (EST)
Message-ID: <3318D76F.14E@nsli.com>
Date: Sat, 01 Mar 1997 17:27:12 -0800
From: "Bruce D. Wilner"
Reply-To: bdwilner@nsli.com
X-Mailer: Mozilla 3.01Gold (Win95; I)
MIME-Version: 1.0
To: firewalls@greatcircle.com
Subject: an epiphany
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have reached an epiphany: this mailing list is a waste of time. It appears to serve as the personal fan club for one man, who decides, via the stroke of a key or a judiciously dropped name, what is important and what is not, dismissing rationales that are, perhaps, too tersely and abstractly expressed, and sidestepping legitimate criticisms while challenging the critic to "remind us what he has done" as a handy distractive sleight, yea, a sleight that I dignified with a serious response in this morning's posting.

Those paraprofessional myrmidons who have mastered a few socket calls and TCP/IP admin commands and wish to subscribe to future sciolistic interpretations of things sublime, diverting themselves with, in Newton's words, "a smoother pebble or a prettier shell than ordinary," can goosestep onward and flame their hearts out while I restrict my pearls to more erudite fora.

--
Bruce D. Wilner, CCP
President
Network Security Laboratories, Inc., Bethesda, MD
mailto:bdwilner@nsli.com
http://www.nsli.com

From firewalls-owner Sat Mar 1 14:47:06 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id OAA01851 for firewalls-outgoing; Sat, 1 Mar 1997 14:34:30 -0800 (PST)
Received: from pha-web.chipnet.cz (pha-web.chipnet.cz [194.213.202.36]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id OAA01824 for ; Sat, 1 Mar 1997 14:34:19 -0800 (PST)
Received: from BUNNY.chipnet.cz by pha-web.chipnet.cz with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1389.3) id F5XY9G5Q; Sat, 1 Mar 1997 23:32:56 +0100
Message-ID: <3317FD47.586F@chipnet.cz>
Date: Sat, 01 Mar 1997 10:56:23 +0100
From: Pavel Galynin
X-Sender: Pavel Galynin (Unverified)
X-Mailer: Mozilla 4.0b1 (Win95; I)
MIME-Version: 1.0
To: harley@icrf.icnet.uk
CC: firewalls@greatcircle.com
Subject: Re: virus checking
X-Priority: Normal
References: <199703012135.NAA23304@miles.greatcircle.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Can't wait. B-)

If you can't wait, answer my post about an ideal OS for a firewall.

Paul.
From firewalls-owner Sat Mar 1 15:02:10 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id OAA02798 for firewalls-outgoing; Sat, 1 Mar 1997 14:49:01 -0800 (PST) Received: from Arco.COM (inetg1.Arco.COM [130.201.119.253]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id OAA02755 for ; Sat, 1 Mar 1997 14:48:43 -0800 (PST) Received: from gary2.rrt.arco.com ([192.70.184.52]) by Arco.COM (4.1/SMI-4.1) id AA05784; Sat, 1 Mar 97 16:47:07 CST Message-Id: <3.0.32.19970301104559.007a0100@inetg1.arco.com> X-Sender: gwhite@inetg1.arco.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sat, 01 Mar 1997 10:46:00 -0600 To: firewalls@greatcircle.com From: Gary White Subject: Active-X at the firewall or proxy server Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi- Just curious if anybody has comments on good ways to block Active-X short of reading all the html that comes through. thanks -Gary __________________________________________________________________ Gary White ARCO Exploration & Production Technology gwhite@arco.com 2300 W Plano Parkway (214) 509-6554 Plano, Texas 75075 From firewalls-owner Sat Mar 1 15:47:08 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id PAA06877 for firewalls-outgoing; Sat, 1 Mar 1997 15:36:24 -0800 (PST) Received: from cet.cet.com (cet.cet.com [206.96.91.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id PAA06841 for ; Sat, 1 Mar 1997 15:36:13 -0800 (PST) Received: from cet.cet.com (roberth@cet.cet.com [206.96.91.1]) by cet.cet.com (8.6.12/8.6.12) with SMTP id PAA22368; Sat, 1 Mar 1997 15:35:12 -0800 Date: Sat, 1 Mar 1997 15:35:11 -0800 (PST) From: Robert Hanson To: "Bruce D. 
Wilner" cc: firewalls@GreatCircle.COM Subject: Re: an epiphany In-Reply-To: <3318D76F.14E@nsli.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk for my needs, i would have to agree... i just didn't want to look as stupid as all the "me too's" on the list getting off, yet i'm quite sure i could get off the list w/o help if i really wanted to... whatever happened to that educational researcher with the funky name that enlightened us about various things from time to time... - rh On Sat, 1 Mar 1997, Bruce D. Wilner wrote: > I have reached an epiphany: this mailing list is a waste of time. It > appears to serve as the personal fan club for one man, who decides, via > the stroke of a key or a judiciously dropped name, what is important and > what is not, dismissing rationales that are, perhaps, too tersely and > -- > Bruce D. Wilner, CCP > President > Network Security Laboratories, Inc., Bethesda, MD ---> Robert H. Hanson Cutting Edge Communications, Inc. Otis Orchards, Wa. 
Regional Commercial Internet Service Provider (509) 927-9541 email: roberth@cet.com - http://www.cet.com/ From firewalls-owner Sat Mar 1 16:08:59 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id PAA07901 for firewalls-outgoing; Sat, 1 Mar 1997 15:44:39 -0800 (PST) Received: from mail.telcentral.com ([207.211.70.7]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id PAA07890 for ; Sat, 1 Mar 1997 15:44:32 -0800 (PST) Received: from mail.telcentral.com by mail.telcentral.com (NTMail 3.02.10) with ESMTP id wa001192 for ; Sat, 1 Mar 1997 17:45:41 -0600 Reply-To: From: "Mark Rollings" To: , Subject: Re: an epiphany Date: Sat, 1 Mar 1997 17:37:39 -0600 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Message-Id: <23454118302206@telcentral.net> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well put... BRAVO ---------- > From: Bruce D. Wilner > To: firewalls@greatcircle.com > Subject: an epiphany > Date: Saturday, March 01, 1997 7:27 PM > > I have reached an epiphany: this mailing list is a waste of time. It > appears to serve as the personal fan club for one man, who decides, via > the stroke of a key or a judiciously dropped name, what is important and > what is not, dismissing rationales that are, perhaps, too tersely and > abstractly expressed, and sidestepping legitimate criticisms while > challenging the critic to "remind us what he has done" as a handy > distractive sleight, yea, a sleight that I dignified with a serious > response in this morning's posting. 
> > Those paraprofessional myrmidons who have mastered a few socket calls > and TCP/IP admin commands and wish to subscribe to future sciolistic > interpretations of things sublime, diverting themselves with, in > Newton's words, "a smoother pebble or a prettier shell than ordinary," > can goosestep onward and flame their hearts out while I restrict my > pearls to more erudite fora. > > -- > Bruce D. Wilner, CCP > President > Network Security Laboratories, Inc., Bethesda, MD > mailto:bdwilner@nsli.com > http://www.nsli.com From firewalls-owner Sat Mar 1 16:17:07 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id PAA07987 for firewalls-outgoing; Sat, 1 Mar 1997 15:45:17 -0800 (PST) Received: from pha-web.chipnet.cz (pha-web.chipnet.cz [194.213.202.36]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id PAA07960 for ; Sat, 1 Mar 1997 15:44:59 -0800 (PST) Received: from MARTIN.chipnet.cz by pha-web.chipnet.cz with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1389.3) id F5XY9G69; Sun, 2 Mar 1997 00:43:36 +0100 Message-ID: <33180DD7.3106@chipnet.cz> Date: Sat, 01 Mar 1997 12:07:03 +0100 From: Pavel Galynin X-Sender: Pavel Galynin (Unverified) X-Mailer: Mozilla 4.0b1 (Win95; I) MIME-Version: 1.0 To: bdwilner@nsli.com CC: firewalls@greatcircle.com Subject: Re: an epiphany X-Priority: Normal References: <3318D76F.14E@nsli.com> Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bruce D. Wilner wrote: > > I have reached an epiphany: this mailing list is a waste of time. I agree, because you and the likes of you make it a waste of time. You flame, you write those fancy letters with ten-syllable words and don't pay attention to the topic of the list. The list is firewalls@greatcircle.com, not write-whatever-your-ass-urges-you-to@greatcircle.com. ( phew.. 
) > It > appears to serve as the personal fan club for one man, who decides, via > the stroke of a key or a judiciously dropped name, what is important and > what is not, dismissing rationales that are, perhaps, too tersely and > abstractly expressed, and sidestepping legitimate criticisms while > challenging the critic to "remind us what he has done" as a handy > distractive sleight, yea, a sleight that I dignified with a serious > response in this morning's posting. > > Those paraprofessional myrmidons who have mastered a few socket calls > and TCP/IP admin commands and wish to subscribe to future sciolistic > interpretations of things sublime, diverting themselves with, in > Newton's words, "a smoother pebble or a prettier shell than ordinary," > can goosestep onward and flame their hearts out while I restrict my > pearls to more erudite fora. All of this is truly wonderful, but you should have posted it to some Better English mailing list as an example of useless use of literary words and, furthermore, inappropriate use. I would advise you to keep those exercises in writing on your local HD or in private e-mail and refrain from useless posting of those in the future. Paul. 
From firewalls-owner Sat Mar 1 16:32:12 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id QAA10747 for firewalls-outgoing; Sat, 1 Mar 1997 16:17:42 -0800 (PST) Received: from pha-web.chipnet.cz (pha-web.chipnet.cz [194.213.202.36]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id QAA10700 for ; Sat, 1 Mar 1997 16:17:20 -0800 (PST) Received: from MARTIN.chipnet.cz by pha-web.chipnet.cz with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1389.3) id F5XY9G7G; Sun, 2 Mar 1997 01:16:00 +0100 Message-ID: <3318156F.31A3@chipnet.cz> Date: Sat, 01 Mar 1997 12:39:27 +0100 From: Pavel Galynin X-Sender: Pavel Galynin (Unverified) X-Mailer: Mozilla 4.0b1 (Win95; I) MIME-Version: 1.0 To: bdwilner@nsli.com, firewalls@greatcircle.com Subject: Re: an epiphany X-Priority: Normal References: <3318D76F.14E@nsli.com> <33180DD7.3106@chipnet.cz> <3318ECE8.4AB5@nsli.com> Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Bruce D. Wilner wrote: > > Come now, Pavel, don't be that way. The topic of the list is indeed > firewalls, but that leads to many discussions of related technologies. > The unnamed subject of my ranting may know a lot about slapping together > a toolkit, but he doesn't know jack about trusted systems, language > design and development, etc., etc. > > I'm glad you liked the English. I kinda like Steinbeck more, but.. > > I got many out-of-band responses to this posting, and yours was the only > negative one. It isn't negative, it's just a call for civilized discussion. Instead of declaring somebody's ignorance even if it's obvious, you should explain why it is so. Only after that you should retreat to flaming if the person didn't acknowledge smth. after proper proof of it was provided. I categorically denounce Now, who are you? - Wait, how are YOU! 
threads and believe that those or any kind of posts retreating to personal insults should be avoided at all costs. The somewhat negative tone of my previous post was caused by my disappointment in finding a flame in place of an EPIPHANY. I would actually award you a victory by knockout for your English ( reading nice English is my hobby ). Paul. From firewalls-owner Sat Mar 1 16:46:51 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id QAA10166 for firewalls-outgoing; Sat, 1 Mar 1997 16:10:22 -0800 (PST) Received: from mailmule1.mindspring.com (mailmule1.mindspring.com [204.180.128.192]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id QAA10156 for ; Sat, 1 Mar 1997 16:10:08 -0800 (PST) Received: from [207.69.170.4] (user-37kbah2.dialup.mindspring.com [207.69.170.34]) by mailmule1.mindspring.com (8.8.4/8.8.4) with SMTP id TAA13949; Sat, 1 Mar 1997 19:08:30 -0500 (EST) Date: Sat, 1 Mar 1997 19:08:30 -0500 (EST) X-Sender: pelicans@pop.mindspring.com Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: firewalls@GreatCircle.COM From: pelicans@mindspring.com (BeachCruiser) Subject: Nuclear Winter on Firewalls Cc: DrLaura@Help.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 5:27 PM 3/1/97, Bruce D. Wilner wrote: >I have reached an epiphany: this mailing list is a waste of time. Here we go again! Crank up the corn popper Martha, we've got another customer. >It appears to serve as the personal fan club for one man, who decides, via >the stroke of a key or a judiciously dropped name, what is important and >what is not, dismissing rationales that are, perhaps, too tersely and >abstractly expressed, and sidestepping legitimate criticisms while >challenging the critic to "remind us what he has done" as a handy >distractive sleight, yea, a sleight that I dignified with a serious >response in this morning's posting. 
> >Those paraprofessional myrmidons who have mastered a few socket calls >and TCP/IP admin commands and wish to subscribe to future sciolistic >interpretations of things sublime, diverting themselves with, in >Newton's words, "a smoother pebble or a prettier shell than ordinary," >can goosestep onward and flame their hearts out while I restrict my >pearls to more erudite fora. Yes indeed... another brilliant spike of back-biased cranial capacitance (last time it was Kipling, now it's Newton) comes racing down the line. Imagine having this guy at the wheel of your information security apparatus? Well, who's next on the Firewalls podium...Hannibal Lecter? Jesus, you people have just got to find a better brand of coffee. :) //rmck ______________________ Bob McKisson Director Project Serpentine Virginia Beach, VA 23451 (757) 425-4195 Voice (757) 425-4196 FAX pelicans@mindspring.com "Avoid having your ego so close to your position that when your position falls, your ego goes with it." - Colin Powell From firewalls-owner Sat Mar 1 18:16:47 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id SAA22072 for firewalls-outgoing; Sat, 1 Mar 1997 18:03:29 -0800 (PST) Received: from mail.rc.on.ca ([207.176.151.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id SAA22065 for ; Sat, 1 Mar 1997 18:03:17 -0800 (PST) Received: by mail.rc.on.ca with Internet Mail Service (5.0.1389.3) id <01BC2683.B442F6F0@mail.rc.on.ca>; Sat, 1 Mar 1997 21:01:16 -0500 Message-ID: From: Russ To: firewalls@GreatCircle.COM Subject: RE: Nuclear Winter on Firewalls Date: Sat, 1 Mar 1997 21:01:15 -0500 X-Priority: 3 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.0.1389.3) Content-Type: text/plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk So Marcus proposes a generic solution to poor programming techniques by suggesting, nay, insisting that C not be used as a language for security systems, and Bruce believes this translates into a call for 
the demise of a presumably liked language. Pot calls the Kettle black, and some presumably off-line vein gets slit, so here we sit trying to put buckets all around to catch all the spew. Could we get back to the real purpose of the list, namely, figuring out how to convince all customers to run their Firewalls on Windows NT! Cheers, Russ R.C. Consulting, Inc. - NT/Internet Security ...coming soon, Visual Basic for Firewall Neophytes - Professional Enterprise Edition v2.97... From firewalls-owner Sat Mar 1 18:32:18 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id SAA22625 for firewalls-outgoing; Sat, 1 Mar 1997 18:21:34 -0800 (PST) Received: from dvlp1.lioninc.com (johnp.ieway.com [204.188.53.31]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id SAA22618 for ; Sat, 1 Mar 1997 18:21:25 -0800 (PST) Received: from dvlp_pc1.lioninc.com by dvlp1.lioninc.com id aa27767; 1 Mar 97 18:22 PST Message-ID: <3318E382.5A98@lioninc.com> Date: Sat, 01 Mar 1997 18:18:42 -0800 From: John Pilley Reply-To: jpilley@lioninc.com Organization: InfoSystems Inc. X-Mailer: Mozilla 3.0 (Win16; U) MIME-Version: 1.0 To: firewalls@GreatCircle.Com Subject: Re: epiphany Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk The subject thread is excellent evidence that Intelligence and Technical Expertise do not guarantee mature, civilized discourse. One of the prerequisites of a public forum has always been mutual respect and gentlemanly behavior (I use the term in its broadest sense). The purpose of this forum is to share expertise in a rapidly changing, complex field. Perhaps, to ensure the purpose is not subverted, a more dignified, mature tone should be set by those who publish here the most. -- John Pilley, Systems Engineer InfoSystems Inc. 
jpilley@lioninc.com (509) 328-9108 From firewalls-owner Sat Mar 1 18:46:51 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id SAA23556 for firewalls-outgoing; Sat, 1 Mar 1997 18:32:49 -0800 (PST) Received: from lokkur.dexter.mi.us (lokkur.dexter.mi.us [148.59.2.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id SAA23525 for ; Sat, 1 Mar 1997 18:32:33 -0800 (PST) Received: (from scs@localhost) by lokkur.dexter.mi.us (8.8.5/8.8.5/lokkur-1.1-scs) id VAA18071; Sat, 1 Mar 1997 21:30:51 -0500 (EST) To: firewalls@GreatCircle.COM Path: lokkur.dexter.mi.us!not-for-mail From: scs@lokkur.dexter.mi.us (Steve Simmons) Newsgroups: local.firewalls Subject: Re: ALL THESE REMOVE MSGS Date: 1 Mar 1997 21:30:50 -0500 Organization: Inland Sea Lines: 9 Distribution: local Message-ID: <5faooq$hkk@lokkur.dexter.mi.us> References: Sender: firewalls-owner@GreatCircle.COM Precedence: bulk "Gonzalez, David" writes: >Yeah, unprescribe mines three... Yeah, remote me. -- ``Software construction is a creative process. Sound methodology can empower and liberate the creative mind; it cannot enflame or inspire the drudge.'' --Fred Brooks, The Mythical Man Month, pg 202 (1996 edition) From firewalls-owner Sat Mar 1 19:02:07 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id SAA25211 for firewalls-outgoing; Sat, 1 Mar 1997 18:45:39 -0800 (PST) Received: from york.interport.net (york.interport.net [199.184.165.8]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id SAA25195 for ; Sat, 1 Mar 1997 18:45:29 -0800 (PST) Received: from interport.net (cyerkes@madison.nfs.interport.net [205.161.144.1]) by york.interport.net (8.8.5/8.8.5) with ESMTP id VAA01752; Sat, 1 Mar 1997 21:43:55 -0500 (EST) Received: (from cyerkes@localhost) by interport.net (8.8.5/8.8.5) id VAA14626; Sat, 1 Mar 1997 21:43:53 -0500 (EST) From: cyerkes Message-Id: <199703020243.VAA14626@interport.net> Subject: Re: NT 4.0 DNS & Split DNS ?? 
To: adam@homeport.org (Adam Shostack)
Date: Sat, 1 Mar 1997 21:43:52 -0500 (EST)
Cc: firewalls@greatcircle.com
Reply-To: chuck@snew.com
In-Reply-To: <199703011930.OAA18719@homeport.org> from "Adam Shostack" at Mar 1, 97 02:30:19 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On the other hand, CERT is a great way to find out about problems months after they've been reported. They are under too much political pressure not to issue alerts that say: "there is a problem with ftpd (for instance), but no fixes are available yet". They wait for vendors to have fixes available. This can be too late for some.

This is the role of CERT, and while it's important, there are other, more timely places to rely on to keep up on holes.

It is claimed, but unverified, that Adam Shostack wrote:
>
> (I was away from mail for a while, sorry to re-open the thread)
>
> Where's the CERT advisory? *Many* people rely on CERT to tell
> them when there's a problem they need to fix.
>
> Unless shown otherwise, I believe that Microsoft is not
> allowing CERT to issue an advisory so they can point to all those CERT
> advisories on UNIX systems and say, 'See, we don't have those security
> problems.'

[...]
From firewalls-owner Sat Mar 1 19:17:44 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id TAA27181 for firewalls-outgoing; Sat, 1 Mar 1997 19:00:41 -0800 (PST)
Received: from york.interport.net (york.interport.net [199.184.165.8]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id TAA27135 for ; Sat, 1 Mar 1997 19:00:27 -0800 (PST)
Received: from interport.net (cyerkes@madison.nfs.interport.net [205.161.144.1]) by york.interport.net (8.8.5/8.8.5) with ESMTP id VAA03857; Sat, 1 Mar 1997 21:58:51 -0500 (EST)
Received: (from cyerkes@localhost) by interport.net (8.8.5/8.8.5) id VAA15390; Sat, 1 Mar 1997 21:58:46 -0500 (EST)
From: cyerkes
Message-Id: <199703020258.VAA15390@interport.net>
Subject: Re: virus checking
To: peter@baileynm.com (Peter da Silva)
Date: Sat, 1 Mar 1997 21:58:45 -0500 (EST)
Cc: pgalynin@chipnet.cz, harley@icrf.icnet.uk, firewalls@GreatCircle.COM
In-Reply-To: <9703012133.AA08327@sonic.nmti.com.nmti.com> from "Peter da Silva" at Mar 1, 97 03:33:24 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

And these scanners will be able to decode files that may eventually be read by MS Word from the .zip files that are base64 encoded? and every file that goes through that's: zipped, compressed, gzipped? and/or base64 encoded, uuencoded, rot13 encoded? or enclosed in a normal message or packets heading to a PC? or combination of the above along with everything else I left out? For every platform that's vulnerable?

I've had enough trouble trying to find a Mac virus scanner that can run on my Mac file server (a BSDI machine).

Perhaps we ought to start getting rid of the OS's that don't use (this modern concept of) protected memory instead?

It is claimed, but unverified, that Peter da Silva wrote:
>
> We should scan for viruses everywhere we can afford to do so.
> > In SMTP, HTTP, and NNTP transfers. > > At the desktop. > > On fileservers. > > Anywhere it's economically cost-effective to install a scanner. But that's > only the first stage... > > We should discourage the use of operating systems and configurations > that encourage viruses to spread. Unfortunately it's not economically > feasible to stop using Microsoft Windows. It would be useful if someone > could come up with a cookbook approach to securing an NT Workstation > so that no system programs or applications were writable by a non- > privileged user, but it was still possible to run these applications > after installing them as an administrator. > > I have tried doing this myself, and while NT with NTFS is probably up to > the job, my efforts have so far left me with broken and unusable copies of > the applications we need NT for in the first place. > > If it were possible to get versions of these applications that ran under > UNIX (in my case Digital UNIX) where application writers are used to their > applications not being able to write to places like /etc and /bin (the > equivalents of %systemroot% and the application home directories), it would > help enormously. But so far I haven't seen that happening... 
> From firewalls-owner Sat Mar 1 20:02:02 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id TAA04067 for firewalls-outgoing; Sat, 1 Mar 1997 19:54:20 -0800 (PST) Received: from unb.ca (hermes.csd.unb.ca [131.202.3.20]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id TAA04050 for ; Sat, 1 Mar 1997 19:54:12 -0800 (PST) Received: (from aa126@fan1.fan.nb.ca [207.216.99.163]) by unb.ca (8.7.6/970126-17:10) id XAA16839; Sat, 1 Mar 1997 23:52:20 -0400 (AST) Received: (from aa126@localhost) by fan1.fan.nb.ca (8.8.4/8.7.3) id XAA26500; Sat, 1 Mar 1997 23:52:11 -0400 (AST) Date: Sat, 1 Mar 1997 23:52:10 -0400 (AST) From: William Burrow To: Pavel Galynin cc: harley@icrf.icnet.uk, firewalls@GreatCircle.COM Subject: Re: virus checking In-Reply-To: <3317FD47.586F@chipnet.cz> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Sat, 1 Mar 1997, Pavel Galynin wrote: > > Can't wait. B-) > If you can't wait, answer my post about an ideal OS for a firewall. DOS. Even if they break the firewall itself, the machine is still likely safe and so the logs of what broke might still be available. :) -- William Burrow -- Fredericton Area Network, New Brunswick, Canada Copyright 1997 William Burrow Smiley captioned for the humour impaired. 
From firewalls-owner Sat Mar 1 20:16:58 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id TAA03389 for firewalls-outgoing; Sat, 1 Mar 1997 19:48:12 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id TAA03382 for ; Sat, 1 Mar 1997 19:48:04 -0800 (PST)
Received: (qmail 4023 invoked from smtpd); 2 Mar 1997 03:46:30 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 2 Mar 1997 03:46:30 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id VAA27458; Sat, 1 Mar 1997 21:46:02 -0600
Received: by sonic.nmti.com; id AA09980; Sat, 1 Mar 1997 21:37:51 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9703020337.AA09980@sonic.nmti.com.nmti.com>
Subject: Re: virus checking
To: cyerkes@interport.net (cyerkes)
Date: Sat, 1 Mar 1997 21:37:51 -0600 (CST)
Cc: peter@baileynm.com, pgalynin@chipnet.cz, harley@icrf.icnet.uk, firewalls@GreatCircle.COM
In-Reply-To: <199703020258.VAA15390@interport.net> from "cyerkes" at Mar 1, 97 09:58:45 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> And these scanners will be able to decode files that may eventually
> be read by MS Word from the .zip files that are base64 encoded?
> and every file that goes through that's:
> zipped, compressed, gzipped?
> and/or base64 encoded, uuencoded, rot13 encoded?
> or enclosed in a normal message or packets heading to a PC?
> or combination of the above along with everything else I left out?

Well, that depends.

On what?

On what, as I said, it's economically feasible to do.

> Perhaps we ought to start getting rid of the OS's that don't use
> (this modern concept of) protected memory instead?

That would be nice, but protected memory won't stop an EXE infector from invading an NT box.
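Peter da Silva's earlier post in this thread (the one quoted above by cyerkes) asks for an install where no system program or application is writable by a non-privileged user yet everything still runs. What follows is an added example, not code from the list or from any poster, of the corresponding check on a UNIX file tree, the /etc and /bin model he contrasts NT with: it walks an install root and reports every file or directory that someone other than an administrator could alter, either because it is group- or world-writable or because a non-administrator owns it (and so can chmod it). The install tree, its modes and the choice of the current uid as the "administrator" are constructed for the demonstration.

```python
"""Audit an application install tree for anything a non-privileged user
could modify. Added example; tree and administrator uid set are constructed."""
import os
import stat
import tempfile

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH   # group- or world-writable


def audit_tree(root, admin_uids):
    """Return sorted (relative path, reason) findings for every file or
    directory under root that a non-administrator could alter: group/world
    writable, or owned by a non-administrator uid (an owner can chmod it)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):   # link targets are judged where they live
                continue
            rel = os.path.relpath(full, root)
            if st.st_mode & WRITE_BITS:
                findings.append((rel, "group/world writable, mode %o" % stat.S_IMODE(st.st_mode)))
            elif st.st_uid not in admin_uids:
                findings.append((rel, "owned by non-administrator uid %d" % st.st_uid))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample install with two sound entries and two weak ones."""
    root = tempfile.mkdtemp(prefix="appaudit-")
    layout = {
        "bin/app": 0o755,        # fine: executable by all, writable by owner only
        "bin/helper": 0o777,     # weak: any user can replace the program
        "etc/app.conf": 0o664,   # weak: the group can rewrite configuration
        "lib/app.so": 0o644,     # fine
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"constructed placeholder\n")
        os.chmod(full, mode)
    for d in ("bin", "etc", "lib"):
        os.chmod(os.path.join(root, d), 0o755)   # a writable directory is as bad as a writable file
    return root


def demo_findings():
    """Audit the demo tree, treating the account that built it as the
    administrator (in a real audit: the installing account and root)."""
    return audit_tree(build_demo_tree(), {os.getuid()})


if __name__ == "__main__":
    for rel, reason in demo_findings():
        print("%-14s %s" % (rel, reason))
```

Run against a real install root, the second argument is the set of uids allowed to own the tree (root plus the installing account); anything the audit lists is a place where an ordinary user, or a program running as one, could drop a replacement binary or rewrite configuration, which is exactly the write path a file infector needs.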
From firewalls-owner Sat Mar 1 22:33:50 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id WAA14674 for firewalls-outgoing; Sat, 1 Mar 1997 22:27:23 -0800 (PST) Received: from blkbox.com (blkbox.com [206.109.97.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id WAA14660 for ; Sat, 1 Mar 1997 22:27:15 -0800 (PST) Received: from s26.max0.houston.box.net by blkbox.COM id aa25579; 2 Mar 97 0:24 CST Message-Id: <3.0.32.19970302002810.0096b8c0@mail.blkbox.com> X-Sender: renegade@mail.blkbox.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sun, 02 Mar 1997 00:28:17 -0600 To: Pavel Galynin , bdwilner@nsli.com From: renegade Subject: Re: an epiphany Cc: firewalls@greatcircle.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk At 12:07 PM 3/1/97 +0100, Pavel Galynin wrote: >Bruce D. Wilner wrote: >> >> I have reached an epiphany: this mailing list is a waste of time. > >I agree, because you and the likes of you make it a waste of time. >You flame, you write those fancy letters with ten-syllable words and >don't pay attention to the topic of the list. The list is >firewalls@greatcircle.com, not >write-whatever-your-ass-urges-you-to@greatcircle.com. ( phew.. ) good show >> It >> appears to serve as the personal fan club for one man, who decides, via >> the stroke of a key or a judiciously dropped name, what is important and >> what is not, dismissing rationales that are, perhaps, too tersely and >> abstractly expressed, and sidestepping legitimate criticisms while >> challenging the critic to "remind us what he has done" as a handy >> distractive sleight, yea, a sleight that I dignified with a serious >> response in this morning's posting. 
>> >> Those paraprofessional myrmidons who have mastered a few socket calls >> and TCP/IP admin commands and wish to subscribe to future sciolistic >> interpretations of things sublime, diverting themselves with, in >> Newton's words, "a smoother pebble or a prettier shell than ordinary," >> can goosestep onward and flame their hearts out while I restrict my >> pearls to more erudite fora. > >All of this is truly wonderful, but you should have posted it to some >Better English mailing list as an example of useless use of literary >words and, furthermore, inappropriate use. I would advise you to keep >those excercises in writing on your local HD or in private e-mail and >refrain from useless posting of those in the future. > > Paul. > ========================================================================== renegade@blkbox.com |Knowledge isn't power till it is used and exploited 281-894-4910 |Internet Security Consultant ========================================================================== From firewalls-owner Sat Mar 1 23:46:52 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id XAA19267 for firewalls-outgoing; Sat, 1 Mar 1997 23:31:42 -0800 (PST) Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id XAA19260 for ; Sat, 1 Mar 1997 23:31:34 -0800 (PST) Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id AAA00871; Sun, 2 Mar 1997 00:28:23 -0700 Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd00869aaa; Sun Mar 2 00:28:12 1997 Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id AAA00616; Sun, 2 Mar 1997 00:28:12 -0700 From: Bob Beck Message-Id: <199703020728.AAA00616@snouts.obtuse.com> Subject: Re: virus checking To: peter@baileynm.com (Peter da Silva) Date: Sun, 2 Mar 1997 00:28:10 -0700 (MST) Cc: 
cyerkes@interport.net, peter@baileynm.com, pgalynin@chipnet.cz, harley@icrf.icnet.uk, firewalls@GreatCircle.COM
In-Reply-To: <9703020337.AA09980@sonic.nmti.com.nmti.com> from "Peter da Silva" at Mar 1, 97 09:37:51 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> > Perhaps we ought to start getting rid of the OS's that don't use
> > (this modern concept of) protected memory instead?
>
> That would be nice, but protected memory won't stop an EXE infector from
> invading an NT box.
>

Or your favorite unix exploit. Protected memory just stops the "traditional" style PC virii. They don't have to run unprotected, it just has to be possible to do something "evil" and then it's dangerous. It's harder on an OS with real users and a real filesystem, but not by a lot.

Heck, it doesn't even have to exploit anything beyond people. Look at how well "Good Times" does, yeah laugh, but now think about how easy it would be to pass off something half credible sounding on your average user base somewhere. Particularly if you wait 'til after their security admin's vacation program replies to mailing list posts indicating they'll be away for a week so there's less likelihood of people getting educated fast.

-Bob

--
Bob Beck Obtuse Systems Corporation
beck@obtuse.com http://www.obtuse.com/
True Evil hides its real intentions in its street address. Search and you shall find it, and the truth shall set you free.
From firewalls-owner Sun Mar 2 04:17:57 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id EAA04865 for firewalls-outgoing; Sun, 2 Mar 1997 04:12:06 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.100.4]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id EAA04849 for ; Sun, 2 Mar 1997 04:11:50 -0800 (PST)
From: harley@icrf.icnet.uk
Message-Id: <199703021211.EAA04849@miles.greatcircle.com>
Received: by europa.lif.icnet.uk; Sun, 2 Mar 1997 12:10:26 GMT
Subject: Re: virus checking
To: firewalls@greatcircle.com
Date: Sun, 2 Mar 1997 12:10:25 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > Perhaps we ought to start getting rid of the OS's that don't use
> > (this modern concept of) protected memory instead?
>
> That would be nice, but protected memory won't stop an EXE infector from
> invading an NT box.
>

Or a boot-sector or partition-sector infection on an NT box (or any other x86 machine, regardless of operating system).

--
David Harley                   \ | /       alt.comp.virus FAQ
D.Harley@icrf.icnet.uk          \ | /      & Anti-Virus Web Page
Support & Security Analyst       \ | /     Folk London On-Line gig-list
Imperial Cancer Research Fund ____\|/____  http://webworlds.co.uk/dharley/

From firewalls-owner Sun Mar 2 04:46:52 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id EAA06130 for firewalls-outgoing; Sun, 2 Mar 1997 04:33:58 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.100.4]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id EAA06100 for ; Sun, 2 Mar 1997 04:33:45 -0800 (PST)
From: harley@icrf.icnet.uk
Message-Id: <199703021233.EAA06100@miles.greatcircle.com>
Received: by europa.lif.icnet.uk; Sun, 2 Mar 1997 12:32:22 GMT
Subject: Re: virus checking
To: firewalls@greatcircle.com
Date: Sun, 2 Mar 1997 12:32:22 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> And these scanners will be able to decode files that may eventually
> be read by MS Word from the .zip files that are base64 encoded?
> and every file that goes through that's:
> zipped, compressed, gzipped?
> and/or base64 encoded, uuencoded, rot13 encoded?
> or enclosed in a normal message or packets heading to a PC?
> or combination of the above along with everything else I left out?
>

I'd add encrypted files to that list, personally. The encryption on passworded .DOCs is weak, but at least one vendor won't decrypt and scan because it can't be considered error-proof. Then there's PKZIP passwording, PGP, crypt, and a million or so more or less proprietary variations. Not to mention executables compressed with PKLite etc. I've not seen a scanner that claims to address all these possibilities (desktop or perimeter), and I wouldn't trust one that did.
> I've had enough trouble trying to find a Mac virus scanner that
> can run on my Mac file server (a BSDI machine).

Now that's perverse.... B-) Have you looked at VFind? I haven't the contact details to hand, but the website is www.cyber.com.

--
David Harley                   \ | /       alt.comp.virus FAQ
D.Harley@icrf.icnet.uk          \ | /      & Anti-Virus Web Page
Support & Security Analyst       \ | /     Folk London On-Line gig-list
Imperial Cancer Research Fund ____\|/____  http://webworlds.co.uk/dharley/

From firewalls-owner Sun Mar 2 05:17:14 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id FAA09786 for firewalls-outgoing; Sun, 2 Mar 1997 05:10:13 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.100.4]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id FAA09769 for ; Sun, 2 Mar 1997 05:10:03 -0800 (PST)
From: harley@icrf.icnet.uk
Message-Id: <199703021310.FAA09769@miles.greatcircle.com>
Received: by europa.lif.icnet.uk; Sun, 2 Mar 1997 13:08:37 GMT
Subject: re: virus checking
To: firewalls@greatcircle.com
Date: Sun, 2 Mar 1997 13:08:37 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > Can't wait. B-)
> If you can't wait, answer my post about an ideal OS for a firewall.
> Paul.
>

Darn, I was hoping to skip this one. B-)

There are people much better qualified to address that issue, and I don't have the post to hand, so I may be barking up the wrong rabbit anyway, but FWIW:

* Up to a point, the OS isn't necessarily relevant. Even a hardened Unix isn't necessarily secure enough out-of-the-box. What matters is what you do with it. Unix is attractive there because you can rewrite the bits that don't suit your purposes relatively easily and the holes are well-known. NT is more of a black box, and there may be a scaling issue. But it has its attractions. Mind you, at least one vendor seems to think Win95 does, too.......

* In some respects, hardware may be more relevant, especially if you're trying to overcome the latency problems with virus scanning. Quite a few vendors are basing their solutions on single-processor Intel-based PCs, and that makes me nervous. But not everyone can afford a high-end SPARC or Alpha box, so you have to think about who you're targeting.

* I presume from what you've said previously that you're particularly interested in the virus management angle. Lots of scope there. B-) But if you're going to call it a firewall, perhaps it's better to consider how you're going to implement the more conventional firewall mechanisms first, because that will have a bearing on the OS you choose, as well as on your scanning technology.

Just my 2p's worth. And probably not what you originally asked. B-)

--
David Harley                   \ | /       alt.comp.virus FAQ
D.Harley@icrf.icnet.uk          \ | /      & Anti-Virus Web Page
Support & Security Analyst       \ | /     Folk London On-Line gig-list
Imperial Cancer Research Fund ____\|/____  http://webworlds.co.uk/dharley/

From firewalls-owner Sun Mar 2 06:16:56 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA13558 for firewalls-outgoing; Sun, 2 Mar 1997 06:03:58 -0800 (PST)
Received: from pha-web.chipnet.cz (pha-web.chipnet.cz [194.213.202.36]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id GAA13551 for ; Sun, 2 Mar 1997 06:03:46 -0800 (PST)
Received: from MARTIN.chipnet.cz by pha-web.chipnet.cz with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1389.3) id F5XY9G97; Sun, 2 Mar 1997 15:02:24 +0100
Message-ID: <3318D71D.686E@chipnet.cz>
Date: Sun, 02 Mar 1997 02:25:49 +0100
From: Pavel Galynin
X-Sender: Pavel Galynin (Unverified)
X-Mailer: Mozilla 4.0b1 (Win95; I)
MIME-Version: 1.0
To: harley@icrf.icnet.uk
CC: firewalls@greatcircle.com
Subject: Firewall OS
X-Priority: Normal
References: <199703021310.FAA09769@miles.greatcircle.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Originally, my question was about features and qualities you would like to see in an OS you would put on your firewall machine. I also wondered what complaints and flaws you can report about the OS you are currently using for your firewall.

I got two DOS answers, but they were quite vague, saying they would like something like DOS. The messages didn't mention which aspects of DOS they would like to see on their OS. The other question is, if they like DOS, why don't they use DOS? Why are there no firewalls for DOS (at least to my limited knowledge)?

Paul.

harley@icrf.icnet.uk wrote:
>
> > > > Can't wait. B-)
> > If you can't wait, answer my post about an ideal OS for a firewall.
> > Paul.
> >
>
> Darn, I was hoping to skip this one. B-)
>
> There are people much better qualified to address that issue,
> and I don't have the post to hand, so I may be barking up the
> wrong rabbit anyway, but FWIW:
>
> * Up to a point, the OS isn't necessarily relevant. Even a hardened
> Unix isn't necessarily secure enough out-of-the-box. What matters
> is what you do with it. Unix is attractive there because you can
> rewrite the bits that don't suit your purposes relatively easily
> and the holes are well-known. NT is more of a black box, and there
> may be a scaling issue. But it has its attractions. Mind you, at
> least one vendor seems to think Win95 does, too.......
> * In some respects, hardware may be more relevant, especially if
> you're trying to overcome the latency problems with virus scanning.
> Quite a few vendors are basing their solutions on single-processor
> Intel-based PCs, and that makes me nervous. But not everyone can
> afford a high-end SPARC or Alpha box, so you have to think about who
> you're targeting.
> * I presume from what you've said previously that you're particularly
> interested in the virus management angle.
> Lots of scope there. B-)
> But if you're going to call it a firewall, perhaps it's better to
> consider how you're going to implement the more conventional firewall
> mechanisms first, because that will have a bearing on the OS you
> choose, as well as on your scanning technology.
>
> Just my 2p's worth. And probably not what you originally asked. B-)
>
> --
> David Harley                   \ | /       alt.comp.virus FAQ
> D.Harley@icrf.icnet.uk          \ | /      & Anti-Virus Web Page
> Support & Security Analyst       \ | /     Folk London On-Line gig-list
> Imperial Cancer Research Fund ____\|/____  http://webworlds.co.uk/dharley/

From firewalls-owner Sun Mar 2 08:01:54 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id HAA20034 for firewalls-outgoing; Sun, 2 Mar 1997 07:54:55 -0800 (PST)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id HAA20019 for ; Sun, 2 Mar 1997 07:54:47 -0800 (PST)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0w1DZb-0004FzC (Debian Smail-3.2 1996-Jul-4 #2); Sun, 2 Mar 1997 16:53:15 +0100 (MET)
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Sun, 2 Mar 97 16:53 MET
Received: by lina.inka.de id m0w1DSa-00016mC (Debian Smail-3.2 1996-Jul-4 #2); Sun, 2 Mar 1997 16:45:40 +0100 (CET)
Message-ID: <19970302164539.15793@inka.de>
Date: Sun, 2 Mar 1997 16:45:40 +0100
From: Bernd Eckenfels
To: firewalls@greatcircle.com
Subject: Re: Firewall OS
References: <199703021310.FAA09769@miles.greatcircle.com> <3318D71D.686E@chipnet.cz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.61.1
In-Reply-To: <3318D71D.686E@chipnet.cz>; from Pavel Galynin on Mar 03, 1997 at 02:25:49AM +0100
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello,

On Mar 2, Pavel Galynin wrote
> Originally, my question was about features and qualities you would like
> to see in an OS you would put on your firewall machine. I also wondered
> what complaints and flaws you can report about the OS you are currently
> using for your firewall.
> I got two DOS answers, but they were quite vague, saying they would like
> something like DOS. The messages didn't mention which aspects of DOS
> they would like to see on their OS. The other question is, if they like
> DOS, why don't they use DOS? Why are there no firewalls for DOS ( at
> least to my limited knowledge ) ?

There are Packetfilters for DOS. The main Problem for anything more than Filtering is that you need some kind of scheduling; you will have to rewrite half of a real operating system.

What is really needed for a Firewall OS is (IMHO):

a) safe, fast and reliable TCP/IP Stack (or rewritten Stack from FW Vendor)
b) hooks for new features in the Networking code
c) hooks for hardening the OS
d) the source of the OS for the FW vendor
e) Access Control. Ideally this should be much more fine grained than Unix. Root should not be needed on a firewall for daemons.

Greetings
Bernd
--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From firewalls-owner Sun Mar 2 08:31:53 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA22261 for firewalls-outgoing; Sun, 2 Mar 1997 08:25:57 -0800 (PST)
Received: from sl001.infi.net (sl001.infi.net [205.219.238.210]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id IAA22235 for ; Sun, 2 Mar 1997 08:25:48 -0800 (PST)
Received: (from swright@localhost) by sl001.infi.net (8.7.4/8.7.3) id LAA29452; Sun, 2 Mar 1997 11:19:08 -0500 (EST)
Date: Sun, 2 Mar 1997 11:19:08 -0500 (EST)
From: Steve Wright
To: ALpesh
cc: firewalls@GreatCircle.COM
Subject: Re: Firewall ?
In-Reply-To: <3317C81B.3896@idt.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As a suggestion: You might wanna try using TIS Gauntlet or Cyberguards' Firewall. Both use encryption for creating a Virtual Private Network (VPN) that allows you to do what you are asking for.

Hope this helps,

Steve W.
Security Consultant

On Sat, 1 Mar 1997, ALpesh wrote:

> I am looking for a product which will connect two companies' networks
> together using one-way encryption, thru a firewall maybe?
> I was wondering if there is a product out there which will be able to
> do this and let certain users from one company access all info on
> another company's LAN via IP or IPX. Is this possible?
>

From firewalls-owner Sun Mar 2 09:02:00 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA24620 for firewalls-outgoing; Sun, 2 Mar 1997 08:57:21 -0800 (PST)
Received: from hil-img-3.compuserve.com (hil-img-3.compuserve.com [149.174.177.133]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id IAA24582 for ; Sun, 2 Mar 1997 08:57:10 -0800 (PST)
Received: by hil-img-3.compuserve.com (8.6.10/5.950515) id LAA20856; Sun, 2 Mar 1997 11:55:36 -0500
Date: 02 Mar 97 11:54:27 EST
From: John Madincea <71333.2026@CompuServe.COM>
To: majordomo
Subject: TIS Gauntlet ?
Message-ID: <970302165426_71333.2026_DHB58-1@CompuServe.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Sun Mar 2 09:17:06 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA25031 for firewalls-outgoing; Sun, 2 Mar 1997 09:01:48 -0800 (PST)
Received: from dub-img-1.compuserve.com (dub-img-1.compuserve.com [149.174.206.131]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id JAA25002 for ; Sun, 2 Mar 1997 09:01:32 -0800 (PST)
Received: by dub-img-1.compuserve.com (8.6.10/5.950515) id LAA13429; Sun, 2 Mar 1997 11:59:58 -0500
Date: 02 Mar 97 11:58:40 EST
From: John Madincea <71333.2026@CompuServe.COM>
To: majordomo
Subject: TIS Gaunlet ?
Message-ID: <970302165840_71333.2026_DHB58-4@CompuServe.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Sun Mar 2 09:31:56 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA25071 for firewalls-outgoing; Sun, 2 Mar 1997 09:02:03 -0800 (PST)
Received: from dub-img-1.compuserve.com (dub-img-1.compuserve.com [149.174.206.131]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id JAA25003 for ; Sun, 2 Mar 1997 09:01:32 -0800 (PST)
Received: by dub-img-1.compuserve.com (8.6.10/5.950515) id LAA13433; Sun, 2 Mar 1997 11:59:59 -0500
Date: 02 Mar 97 11:58:43 EST
From: John Madincea <71333.2026@CompuServe.COM>
To: majordomo
Subject: TIS Gaunlet ?
Message-ID: <970302165843_71333.2026_DHB58-5@CompuServe.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I need some configuration help and would also appreciate additional verbiage that would increase my understanding as well.

I am setting up a new firewall running TIS 3.2 on BSDI 2.1. If I use the default setup all of the functionality works. However, it is too loose. That is, I want to tighten down which services can be used on a host by host basis. Furthermore, I want to be able to limit the destinations.

For sake of reference I would like to use FTP as a point of discussion. I've created new policies but cannot get them to work. I've tried many parameters and they seem to have no effect. The end result is that each test gets denied in the standard generic trusted policy.

Simplified configuration consists of:

host_a   trusted host
host_b   trusted host
host_c   trusted host
host_d   untrusted host
host_e   untrusted host

Here is what I want to do.

1. permit host_a FTP access to host_d
2. permit host_b FTP access to the firewall, host_d and host_e
3. deny host_c FTP access
4. permit host_d FTP access to host_a
5. permit host_e FTP access to host_a and host_c

Could someone please show me how to code the netperm-table for this and explain what else may need to be done.

Does Gauntlet use /etc/inetd for anything?

With regards to the log files - do the numbers in brackets have any significance for each message generated?

Is there a way to debug a session to see what lines of the netperm-table are getting used?

Are there any FAQ's or URL's available that you can point me to for additional information?

Thanks in advance,

John Madincea
71333.2026@compuserve.com

From firewalls-owner Sun Mar 2 09:46:53 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA25374 for firewalls-outgoing; Sun, 2 Mar 1997 09:06:33 -0800 (PST)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id JAA25333 for ; Sun, 2 Mar 1997 09:06:04 -0800 (PST)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id BAA00703; Mon, 3 Mar 1997 01:08:13 +0200
Date: Sun, 2 Mar 97 19:00:40
From: Ziv Dascalu
Subject: RE: actions logging
To: firewalls@GreatCircle.COM, mato@intas.sk
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>Hi all,
>I'm in such problem:
>
>One of our customers would like to have logs of its employees' activities
>in a format like:
>1. source of request (user/IP/FQDN)
>2. destination (IP/FQDN)
>3. type of service (port), mainly: HTTP, ftp, telnet, smtp
>4. start time
>5. end time
>6. amount of (uploaded/downloaded) packets/bytes in service time
>
>He will be connected through firewall 2.1 (SUN+FWfirst), so many of the activities can
>be logged well, but I'm not sure if it's possible for me to obtain all the requested
>information from fw logs. (I'm rather new to fw-ing)
>
>So the question is: can I get all the requested info from fw logs, or is it
>better to use some other SW for such logging simultaneously with the fw?
> Or any other hints?
-----------------End of Original Message-----------------

All this information exists in almost all application level firewalls; the BIG difference is how much messing up with reports you need to do in order to sort up and present the information.

There are also other software products (like AbirNet SessionWall) which are sitting on the network and listening (like a sniffer) to all the traffic that passes by and then create these reports for you.

hope this helps
/Ziv

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
|   A B I R N E T                      Active Network Protection         |
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
/ AbirNet provides the next generation in Internet and Intranet Protection\
| AbirNet provides Windows 95 & NT-based software that lets you know      |
| how your network is being used while protecting it from intrusions      |
| and abuse using no-network overhead, see-it-all filtering, blocking,    |
| alerting, logging, and scanning technologies.                           |
|                                                                         |
\========== Get a BETA version at ================/

From firewalls-owner Sun Mar 2 10:01:59 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA28001 for firewalls-outgoing; Sun, 2 Mar 1997 09:33:54 -0800 (PST)
Received: from relay1.UU.NET (relay1.UU.NET [192.48.96.5]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id JAA27894 for ; Sun, 2 Mar 1997 09:33:21 -0800 (PST)
Received: from netevolve.com by relay1.UU.NET with SMTP (peer crosschecked as: [206.136.48.11]) id QQcfdu19328; Sun, 2 Mar 1997 12:31:47 -0500 (EST)
Received: from lazar (ws1.netevolve.com) by netevolve.com (4.1/SMI-4.1) id AA22076; Sun, 2 Mar 97 12:34:59 EST
Message-Id: <3.0.1.32.19970302122227.00729934@netevolve.com>
X-Sender: lazar@netevolve.com
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Sun, 02 Mar 1997 12:22:27 -0500
To: firewalls@greatcircle.com
From: Irwin Lazar
Subject: FIREWALL LIST INSTRUCTIONS
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This is an attempt to cut down on the number of remove messages. Please save this message for future reference.

------------
>
>Welcome to the firewalls mailing list!
>
>Please save this message for future reference. Thank you.
>
>If you ever want to remove yourself from this mailing list,
>you can send mail to with the following
>command in the body of your email message:
>
> unsubscribe firewalls (your e-mail address)
>
> Here's the general information for the list you've subscribed to,
> in case you don't already have it:
>
>Description
>===========
>This list is for discussions of Internet "firewall" security systems and
>related issues. It is an outgrowth of the Firewalls BOF session at the
>Third UNIX Security Symposium in Baltimore on September 15, 1992.
>
>This is the undigestified version of the list. All messages sent to this
>list are immediately forwarded to members of the list.
>The digestified
>version of the list is Firewalls-Digest@GreatCircle.COM. To subscribe
>to Firewalls-Digest, send "subscribe firewalls-digest" in the body of
>a message (not on the "Subject:" line) to "Majordomo@GreatCircle.COM".
>
>Frequently Asked Questions
>==========================
>A "Frequently Asked Questions" (FAQ) document (written by Marcus Ranum,
>mjr@tis.com) is available via anonymous FTP from host FTP.GreatCircle.COM,
>file pub/firewalls/FAQ, or from Majordomo by sending the command "get
>firewalls FAQ" in the body of an email message (not on the "Subject:"
>line) to address "Majordomo@GreatCircle.COM", or via URL
> ftp://ftp.greatcircle.com/pub/firewalls/FAQ
>
>Policies
>========
>Code for cracking programs (programs designed to help break into another
>system) should not be posted to the Firewalls mailing list.
>
>You can subscribe a local redistribution list or a gateway to a local
>newsgroup, as long as whatever you do is local to your site. This
>restriction makes it much easier for me to track down mailer problems.
>
>I'm very aggressive when it comes to bounced email. If email to you
>starts bouncing, I'll probably drop you from the list fairly quickly;
>you'll have to resubscribe when you get the problem fixed, and retrieve
>the archives to find out what you missed.
>
>Archives
>========
>All messages to the list are archived. The archives are available via
>Majordomo using the "get" command (send "help" in the body of a message
>to "Majordomo@GreatCircle.COM" for more info), or via anonymous FTP from
>host FTP.GreatCircle.COM in directory "pub/firewalls/archive", or via URL
> ftp://ftp.greatcircle.com/pub/firewalls/archive/
>
>The archives are broken down by year and month, and are stored in files
>named "firewalls.YYMM". The copy of the archive available by anonymous
>FTP is updated every night at 2am local time (0900 GMT in the summer,
>1000 GMT in the winter).
>
>WAIS Access
>===========
>The Firewalls archive is available by WAIS on host WAIS.GreatCircle.COM,
>at port 210, under the database name "firewalls-digest". The WAIS
>archive is actually maintained from the Firewalls-Digest archive, which
>has all the same information in it as the Firewalls archive, and is
>easier to convert to WAIS format. The WAIS archive is updated nightly.
>
>The FAQ document is also available by WAIS on host WAIS.GreatCircle.COM,
>at port 210, under the database name "firewalls-faq".
>
>For Further Information
>=======================
>Michael C. Berch
>Postmaster and list manager, Great Circle Associates
>mcb@greatcircle.com

<><><><><><><><><><><><><><><><><><><><><><>
Irwin Lazar                      IP Networking References -
Network Evolutions, Inc.         http://www.netevolve.com/lazar
http://www.netevolve.com
lazar@netevolve.com

From firewalls-owner Sun Mar 2 10:32:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA03773 for firewalls-outgoing; Sun, 2 Mar 1997 10:15:10 -0800 (PST)
Received: from news.acrux.net (pluto.acrux.net [207.51.199.3]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id KAA03671 for ; Sun, 2 Mar 1997 10:14:48 -0800 (PST)
Received: from pluto (pluto [207.51.199.3]) by news.acrux.net (8.8.3/8.8.3) with SMTP id MAA22190; Sun, 2 Mar 1997 12:11:26 -0600 (CST)
Date: Sun, 2 Mar 1997 12:11:26 -0600 (CST)
From: Brian Tackett
X-Sender: cym@pluto
To: John Madincea <71333.2026@CompuServe.COM>
cc: majordomo
Subject: Re: TIS Gaunlet ?
In-Reply-To: <970302165843_71333.2026_DHB58-5@CompuServe.COM>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 2 Mar 1997, John Madincea wrote:

> Does Gauntlet use /etc/inetd for anything ?

I don't believe so, no.

> With regards to the log files - do the numbers in brackets have
> any significance for each message generated ?
Usually the bracketed number is the PID of the process generating the message.

> Is there a way to debug a session to see what lines of the
> netperm-table are getting used ?

Well, YMMV, but in a recent problem I had, I patched the proxy (since source to the various proxies is included in Gauntlet) to dump various kinds of policy data. If you're interested, contact me via private email, but be forewarned that you'd better be careful :)

From firewalls-owner Sun Mar 2 11:02:35 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA06806 for firewalls-outgoing; Sun, 2 Mar 1997 10:46:36 -0800 (PST)
Received: from unb.ca (hermes.csd.unb.ca [131.202.3.20]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id KAA06780 for ; Sun, 2 Mar 1997 10:46:27 -0800 (PST)
Received: (from aa126@fan1.fan.nb.ca [207.216.99.163]) by unb.ca (8.7.6/970126-17:10) id OAA16768; Sun, 2 Mar 1997 14:44:49 -0400 (AST)
Received: (from aa126@localhost) by fan1.fan.nb.ca (8.8.4/8.7.3) id OAA12712; Sun, 2 Mar 1997 14:44:46 -0400 (AST)
Date: Sun, 2 Mar 1997 14:44:46 -0400 (AST)
From: William Burrow
To: Bernd Eckenfels
cc: firewalls@GreatCircle.COM
Subject: Re: Firewall OS
In-Reply-To: <19970302164539.15793@inka.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 2 Mar 1997, Bernd Eckenfels wrote:

> There are Packetfilters for DOS. The main Problem for anything more than
> Filtering is, that you need some kind of scheduling, you will have to rewrite
> half of a real operating system.

Or perhaps knock away half a real OS. :)

> What is really needed for a Firewall OS is (IMHO):
>
> a) safe, fast and reliable TCP/IP Stack (or rewritten Stack from FW Vendor)
> b) hooks for new features in the Networking code
> c) hooks for hardening the OS
> d) the source of the OS for the FW vendor
> e) Access Control. Ideally this should be much more fine grained than Unix.
> Root should not be needed on a firewall for daemons.

The simplicity of DOS is that it is typically not possible to do anything with it when not on the console (with luck). I'm considering an idea whereby firewall or other logs are sent to a DOS box that does nothing but logging to a big disk. The question of how to monitor that log is an important one, but at least the logs will be secure from outside erasure or modification. A lowly junk 386 might be able to do this task, so cost is minimal.

Would this concept be considered overkill or not important? It seems to me that detecting a breakin might require intact log files, and this might be one way to assure this.

--
William Burrow -- Fredericton Area Network, New Brunswick, Canada
Copyright 1997 William Burrow

From firewalls-owner Sun Mar 2 12:02:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id LAA12689 for firewalls-outgoing; Sun, 2 Mar 1997 11:50:39 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id LAA12672 for ; Sun, 2 Mar 1997 11:50:30 -0800 (PST)
Received: (qmail 5430 invoked from smtpd); 2 Mar 1997 19:48:58 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 2 Mar 1997 19:48:58 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id NAA21266; Sun, 2 Mar 1997 13:48:30 -0600
Received: by sonic.nmti.com; id AA13014; Sun, 2 Mar 1997 13:40:20 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9703021940.AA13014@sonic.nmti.com.nmti.com>
Subject: Re: virus checking
To: beck@obtuse.com (Bob Beck)
Date: Sun, 2 Mar 1997 13:40:20 -0600 (CST)
Cc: peter@baileynm.com, cyerkes@interport.net, pgalynin@chipnet.cz, harley@icrf.icnet.uk, firewalls@GreatCircle.COM
In-Reply-To: <199703020728.AAA00616@snouts.obtuse.com> from "Bob Beck" at Mar 2, 97 00:28:10 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > That would be nice, but protected memory won't stop an EXE infector from
> > invading an NT box.
> Or your favorite unix exploit. Protected memory just stops the
> "traditional" style PC virii.

An EXE infector *is* a traditional style PC virus.

From firewalls-owner Sun Mar 2 12:17:20 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id LAA12783 for firewalls-outgoing; Sun, 2 Mar 1997 11:52:04 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id LAA12765 for ; Sun, 2 Mar 1997 11:51:51 -0800 (PST)
Received: (qmail 5450 invoked from smtpd); 2 Mar 1997 19:50:20 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 2 Mar 1997 19:50:20 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id NAA21291; Sun, 2 Mar 1997 13:50:19 -0600
Received: by sonic.nmti.com; id AA13043; Sun, 2 Mar 1997 13:42:09 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9703021942.AA13043@sonic.nmti.com.nmti.com>
Subject: Re: virus checking
To: harley@icrf.icnet.uk
Date: Sun, 2 Mar 1997 13:42:09 -0600 (CST)
Cc: firewalls@greatcircle.com
In-Reply-To: <199703021211.EAA04849@miles.greatcircle.com> from "harley@icrf.icnet.uk" at Mar 2, 97 12:10:25 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > Perhaps we ought to start getting rid of the OS's that don't use
> > > (this modern concept of) protected memory instead?
> > That would be nice, but protected memory won't stop an EXE infector from
> > invading an NT box.
> Or a boot-sector or partition-sector infection on an NT box (or any
> other x86 machine, regardless of operating system).

Um, yes, it will keep a boot sector infector from infecting a box. You can't write to the boot sector under NT or UNIX from a user program.

(you're still subject to floppy infections, but we're talking firewalls, not armed guards in computer labs)

From firewalls-owner Sun Mar 2 12:32:28 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id MAA15025 for firewalls-outgoing; Sun, 2 Mar 1997 12:26:38 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id MAA14979 for ; Sun, 2 Mar 1997 12:26:26 -0800 (PST)
Received: (qmail 5545 invoked from smtpd); 2 Mar 1997 20:24:50 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 2 Mar 1997 20:24:50 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id OAA27700 for ; Sun, 2 Mar 1997 14:24:50 -0600
Received: by sonic.nmti.com; id AA13309; Sun, 2 Mar 1997 14:16:39 -0600
Date: Sun, 2 Mar 1997 14:16:39 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9703022016.AA13309@sonic.nmti.com.nmti.com>
To: firewalls@greatcircle.com
Subject: Another recipe to add to your ActiveX filters....
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

See www.cybersnot.com for yet another Internet Exploiter hole.
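David Harley's list earlier in this thread (zipped, base64-encoded, passworded .DOC and PKZIP, nested combinations) is the practical problem for any perimeter scanner: it has to decode and unpack first, and it has to know when it cannot. As an added example, not code from this thread or from any product named in it, here is a Python triage pass over a constructed message that walks the MIME parts, unpacks ZIP attachments to an assumed nesting limit, and reports what could not be inspected; MAX_DEPTH, the verdict names and the sample attachments are assumptions.

```python
"""Attachment triage a perimeter scanner must do before it can scan:
walk the MIME parts (the email library undoes the base64), open ZIP
archives, descend into nested ones, and report what could NOT be seen.
Constructed example; MAX_DEPTH, verdict names and sample files are assumptions."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

MAX_DEPTH = 2                  # assumed limit on archive-in-archive nesting
ZIP_ENCRYPTED = 0x1            # general-purpose flag bit 0: entry is encrypted
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def inspect_bytes(name, data, depth=0):
    """Return [(path, verdict)] for one blob.  'inspectable' means the
    scanner can at least see the bytes; 'encrypted', 'too-deep' and
    'bad-archive' mean it cannot, and must not report the part clean."""
    if not data.startswith(ZIP_LOCAL_HEADER):
        return [(name, "inspectable")]
    if depth >= MAX_DEPTH:
        return [(name, "too-deep")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "bad-archive")]
    findings = []
    with archive:
        for info in archive.infolist():
            path = f"{name}/{info.filename}"
            if info.flag_bits & ZIP_ENCRYPTED:
                # Passworded entry: nothing to decode, so it stays opaque.
                findings.append((path, "encrypted"))
            else:
                findings.extend(inspect_bytes(path, archive.read(info), depth + 1))
    return findings


def triage_message(raw):
    """Decode every leaf MIME part of a raw RFC 822 message (get_payload
    undoes base64 / quoted-printable) and inspect each one."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or f"<{part.get_content_type()}>"
        findings.extend(inspect_bytes(name, part.get_payload(decode=True)))
    return findings


def uninspectable(findings):
    """Paths the scanner could not examine; whether to quarantine, strip
    or warn is the policy decision left to the caller."""
    return [path for path, verdict in findings if verdict != "inspectable"]


def make_zip(entries):
    """Constructed helper: in-memory, uncompressed ZIP from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag on a single-entry archive.  zipfile cannot
    write passworded entries, so the flag is patched in: local-header flags
    at offset 6, central-directory flags at offset 8 of the central
    directory, whose offset is stored in the 22-byte end record."""
    buf = bytearray(zip_bytes)
    cd_offset = int.from_bytes(buf[-6:-2], "little")
    buf[6] |= ZIP_ENCRYPTED
    buf[cd_offset + 8] |= ZIP_ENCRYPTED
    return bytes(buf)


def build_sample_message():
    """Constructed message: a plain .DOC, a zip nested three deep and a
    passworded zip, all base64-encoded by the email library."""
    deep = make_zip([("memo.doc", b"constructed document body")])
    nested = make_zip([("inner.zip", make_zip([("deep.zip", deep)]))])
    locked = mark_encrypted(make_zip([("secret.doc", b"opaque bytes")]))
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    for name, data in (("plain.doc", b"plain document body"),
                       ("nested.zip", nested), ("locked.zip", locked)):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for path, verdict in triage_message(build_sample_message()):
        print(f"{verdict:12} {path}")
```

Anything returned by uninspectable() should be treated as unscanned rather than clean, which is the caveat Harley's message makes about passworded files.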
From firewalls-owner Sun Mar 2 12:47:06 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id MAA16065 for firewalls-outgoing; Sun, 2 Mar 1997 12:36:59 -0800 (PST)
Received: from newman (newman.unifiedtech.com [38.251.136.48]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id MAA16045 for ; Sun, 2 Mar 1997 12:36:48 -0800 (PST)
Received: from bass.unifiedtech.com by newman (SMI-8.6/SMI-SVR4) id PAA03750; Sun, 2 Mar 1997 15:34:37 -0500
Received: by bass.unifiedtech.com (SMI-8.6/SMI-SVR4) id PAA10670; Sun, 2 Mar 1997 15:34:45 -0500
Date: Sun, 2 Mar 1997 15:34:45 -0500
From: jonesmd@unifiedtech.com (Mike Jones)
Message-Id: <199703022034.PAA10670@bass.unifiedtech.com>
To: crumrig@us-state.gov, lists@reflections.mindspring.com
Subject: Re: virus checking
Cc: firewalls@GreatCircle.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Content-MD5: /JbdU1QDVqei1Y0HKC4nZg==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Todd Graham Lewis writes...

> > Besides, I think cleaning up a virus at the wall as something comes in
> > is a ton easier than having to clean up 4 thousand machines, don't you?

> Which is why I say that ActiveX should be filtered at the firewall. Does
> no one else see the similarity? Why do we treat these two issues
> differently?

Good question. Security in depth, remember? Saying that the firewall is the WRONG place to do virus checking (which I've seen a couple of times on the list recently) is like saying the desktop is the WRONG place to have security. Among other things, virus checking at the "firewall complex" won't catch things brought in on a floppy in someone's pocket. OTOH, it *will* catch a certain number of things and it doesn't cost a ton of money or effort to implement, which makes it a worthwhile thing in my book.

-- 
Mike Jones Sr.
Technical Advisor
UNIFIED Technologies

From firewalls-owner Sun Mar 2 13:32:00 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id NAA21638 for firewalls-outgoing; Sun, 2 Mar 1997 13:23:24 -0800 (PST)
Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id NAA21614 for ; Sun, 2 Mar 1997 13:23:14 -0800 (PST)
Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id OAA02893; Sun, 2 Mar 1997 14:21:22 -0700
Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd02889aaa; Sun Mar 2 14:21:17 1997
Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id OAA01493; Sun, 2 Mar 1997 14:21:29 -0700
From: Bob Beck
Message-Id: <199703022121.OAA01493@snouts.obtuse.com>
Subject: Re: virus checking
To: peter@baileynm.com (Peter da Silva)
Date: Sun, 2 Mar 1997 14:21:28 -0700 (MST)
Cc: harley@icrf.icnet.uk, firewalls@GreatCircle.COM
In-Reply-To: <9703021942.AA13043@sonic.nmti.com.nmti.com> from "Peter da Silva" at Mar 2, 97 01:42:09 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > Or a boot-sector or partition-sector infection on an NT box (or any
> > > other x86 machine, regardless of operating system).
>
> Um, yes, it will keep a boot sector infector from infecting a box. You
> can't write to the boot sector under NT or UNIX from a user program.
>

I assume your meaning is from a "regular" user account, or directly from a "user" mode program. All these have provisions for the kernel to access raw devices for you which you certainly can use if you have root/Administrator. On various *nixii, "installboot", "bootany", "lilo", or others are all examples of beasties that do this.
"dd" will do in a pinch if pointed at the correct raw device, although it's decidedly user-hostile if you screw it up :-)

-Bob

From firewalls-owner Sun Mar 2 14:02:02 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id NAA23216 for firewalls-outgoing; Sun, 2 Mar 1997 13:46:56 -0800 (PST)
Received: from mail.baileynm.com (fw.baileynm.com [206.109.159.11]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id NAA23199 for ; Sun, 2 Mar 1997 13:46:33 -0800 (PST)
Received: (qmail 5700 invoked from smtpd); 2 Mar 1997 21:44:54 -0000
Received: from web.nmti.com (root@198.178.0.201) by fw.nmti.com with SMTP; 2 Mar 1997 21:44:54 -0000
Received: from sonic.nmti.com (peter@sonic.nmti.com [198.178.0.2]) by web.nmti.com (8.6.12/8.6.9) with SMTP id PAA11672; Sun, 2 Mar 1997 15:44:27 -0600
Received: by sonic.nmti.com; id AA14139; Sun, 2 Mar 1997 15:36:16 -0600
From: peter@baileynm.com (Peter da Silva)
Message-Id: <9703022136.AA14139@sonic.nmti.com.nmti.com>
Subject: Re: virus checking
To: beck@obtuse.com (Bob Beck)
Date: Sun, 2 Mar 1997 15:36:16 -0600 (CST)
Cc: peter@baileynm.com, harley@icrf.icnet.uk, firewalls@GreatCircle.COM
In-Reply-To: <199703022121.OAA01493@snouts.obtuse.com> from "Bob Beck" at Mar 2, 97 02:21:28 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I assume your meaning is from a "regular" user account, or
> directly from a "user" mode program.

No, my meaning is "using the techniques that boot sector infectors use". If you download a boot-sector infector it's going to use DOS/Windows techniques to get itself installed and propagated. Those simply don't work on UNIX or NT... whereas an EXE infector *might* work on NT.

For NT- or UNIX-specific viruses of course you're right.
From firewalls-owner Sun Mar 2 14:17:26 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id OAA24810 for firewalls-outgoing; Sun, 2 Mar 1997 14:03:12 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.100.4]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id OAA24782 for ; Sun, 2 Mar 1997 14:02:54 -0800 (PST)
From: harley@icrf.icnet.uk
Message-Id: <199703022202.OAA24782@miles.greatcircle.com>
Received: by europa.lif.icnet.uk; Sun, 2 Mar 1997 22:01:29 GMT
Subject: Re: virus checking
To: firewalls@greatcircle.com
Date: Sun, 2 Mar 1997 22:01:29 +0000 (GMT)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> > > That would be nice, but protected memory won't stop an EXE infector from
> > > invading an NT box.
>
> > Or a boot-sector or partition-sector infection on an NT box (or any
> > other x86 machine, regardless of operating system).
>
> Um, yes, it will keep a boot sector infector from infecting a box. You
> can't write to the boot sector under NT or UNIX from a user program.

That covers multipartite viruses and droppers, but not 'pure' BSIs or PSIs. They (normally) infect when you boot a PC with an infected floppy in drive A, and infect before the operating system kicks in. There are, for instance, documented instances of Unix boxes infected with Michelangelo. An infected NT box probably wouldn't boot afterwards, but that's another matter.

> (you're still subject to floppy infections, but we're talking firewalls,
> not armed guards in computer labs)

I'm afraid I can think of several scenarios where a firewall or other server might be booted from an infected floppy, not necessarily deliberately. None of them are particularly likely, but it's providing for the boundary conditions that makes virus management so expensive.

-- 
David Harley                     \ | /    alt.comp.virus FAQ
D.Harley@icrf.icnet.uk           \ | /    & Anti-Virus Web Page
Support & Security Analyst       \ | /    Folk London On-Line gig-list
Imperial Cancer Research Fund  ____\|/____  http://webworlds.co.uk/dharley/

From firewalls-owner Sun Mar 2 14:32:06 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id OAA26693 for firewalls-outgoing; Sun, 2 Mar 1997 14:29:11 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.100.4]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id OAA26647 for ; Sun, 2 Mar 1997 14:28:54 -0800 (PST)
Received: from localhost by europa.lif.icnet.uk with SMTP(5.65v3.0/6.2); Sun, 2 Mar 1997 22:27:25 GMT
Date: Sun, 2 Mar 1997 22:27:25 +0000 (GMT)
From: David Harley
X-Sender: harley@europa.lif.icnet.uk
To: firewalls@greatcircle.com
Subject: Re: virus checking
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Todd Graham Lewis writes...

> > Besides, I think cleaning up a virus at the wall as something comes in
> > is a ton easier than having to clean up 4 thousand machines, don't you?

> Which is why I say that ActiveX should be filtered at the firewall. Does
> no one else see the similarity? Why do we treat these two issues
> differently?
>
> Good question. Security in depth, remember?

Nothing wrong with that. There's nothing wrong with scanning at the firewall as long as you don't rely on it exclusively, and as long as you can afford the overheads.

> Saying that the firewall is
> the WRONG place to do virus checking (which I've seen a couple of times
> on the list recently) is like saying the desktop is the WRONG place to
> have security.

Not altogether. Properly-implemented desktop scanning will catch just about anything that scanning at the firewall will, but a little redundancy doesn't hurt, in virus management as in routing.
Scanning at the firewall -won't- catch everything that can be picked up at the desktop. Of course, if you can't trust the quality of scanning at the desktop, a good scanner at the perimeter is a lot better than nothing.

-- 
David Harley                     \ | /    alt.comp.virus FAQ
D.Harley@icrf.icnet.uk           \ | /    & Anti-Virus Web Page
Support & Security Analyst       \ | /    Folk London On-Line gig-list
Imperial Cancer Research Fund  ____\|/____  http://webworlds.co.uk/dharley/

From firewalls-owner Sun Mar 2 15:02:09 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id OAA28972 for firewalls-outgoing; Sun, 2 Mar 1997 14:56:16 -0800 (PST)
Received: from dot.youbet.com (smtp.youbet.com [38.246.174.130]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id OAA28929 for ; Sun, 2 Mar 1997 14:56:03 -0800 (PST)
Received: by dot.youbet.com with Microsoft Exchange (IMC 4.0.838.14) id <01BC271A.44EF07C0@dot.youbet.com>; Sun, 2 Mar 1997 14:59:03 -0800
Message-ID:
From: Robert Peverley
To: "'firewalls@greatcircle.com'"
Subject: Re: virus checking - I know what you mean
Date: Sun, 2 Mar 1997 14:54:00 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.838.14
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Date: Sat, 01 Mar 1997 09:01:17 +0100
From: Pavel Galynin
Subject: Re: virus checking

Peter da Silva wrote:
>
> > If we introduce any such analogy, then W95 and NT should be filtered at
> > the firewall too..
>
> You mean SMB (netbios-ssn/netbios-ns, ports 139 and 137)? They sure should be.

No, I mean that W95 is a VIRUS, since virus loosely and philosophically non-computer-relatedly and generally described is something that spreads and causes harm. W95 spreads, no questions about that, it makes people stupid, even fewer doubts about that and it makes people bankrupt, if you know what I mean..

Paul.
Yes Paul...I know what you mean...but do you? You mean to waste the time of the people reading the information in this group instead of providing a valid case study solution. The comment peter made about the netbios ports is important and unfortunately clouded by your pretentious comments about W95 and NT. Here is a concept...don't use them and put your intelligence to work providing valid comments about what you do use. We all have our pet peeves.

From firewalls-owner Sun Mar 2 15:17:28 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id PAA00385 for firewalls-outgoing; Sun, 2 Mar 1997 15:05:54 -0800 (PST)
Received: from wr.com.au (wr.com.au [203.12.42.10]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id PAA00296 for ; Sun, 2 Mar 1997 15:05:28 -0800 (PST)
Received: from forge.com.au (dialup37.wr.com.au) by wr.com.au (5.x/SMI-SVR4-1.0) id AA11144; Mon, 3 Mar 1997 10:03:39 +1100
Received: from forge.com.au (localhost [127.0.0.1]) by forge.com.au (8.6.11/8.6.9) with ESMTP id LAA04271 for ; Mon, 3 Mar 1997 11:03:06 +1100
Message-Id: <199703030003.LAA04271@forge.com.au>
X-Mailer: exmh version 1.6.2 7/18/95
To: firewalls@greatcircle.com
Subject: Helping people get off:-)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 03 Mar 1997 11:03:05 +1100
From: Chris Mugdan at World Reach
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

I have monitored this list for a reasonable length of time and can't help noticing the number of people who have problems getting off the list. I also belong to the Sydney Linux Users Group (SLUG to its friends). They have adopted the policy of placing instructions on how to remove oneself on each message published so *anyone* who can read can do it. Would this be a useful exercise?

Cheers,

-----------------------------------------------------------------------------
Christopher J M Mugdan                        Forge Information Technology
email: chrism@forge.com.au                    PO Box 3107
       cmugdan@acm.org                        Tamarama
fax:   +61 2 9365 7178                        NSW 2026, Australia
tel:   +61 2 9959 2306                        http://www.forge.com.au/forge
PGP key fingerprint 5E BE 5F 37 01 B4 32 33 59 63 6E 38 58 7B E6 CE
-----------------------------------------------------------------------------

From firewalls-owner Sun Mar 2 15:33:52 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id OAA28172 for firewalls-outgoing; Sun, 2 Mar 1997 14:46:06 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.100.4]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id OAA28160 for ; Sun, 2 Mar 1997 14:45:55 -0800 (PST)
Received: from localhost by europa.lif.icnet.uk with SMTP(5.65v3.0/6.2); Sun, 2 Mar 1997 22:44:32 GMT
Date: Sun, 2 Mar 1997 22:44:32 +0000 (GMT)
From: David Harley
X-Sender: harley@europa.lif.icnet.uk
To: firewalls@greatcircle.com
Subject: Re: virus checking (fwd)
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I assume your meaning is from a "regular" user account, or
> directly from a "user" mode program.
>
> No, my meaning is "using the techniques that boot sector infectors use".
> If you download a boot-sector infector it's going to use DOS/Windows
> techniques to get itself installed and propagated. Those simply don't
> work on UNIX or NT...

We seem to be using different definitions of boot-sector infector. A pure BSI/PSI is OS-independent (but not hardware independent), since the infective mechanism kicks in before the OS at bootup. Thus there are, for instance, documented instances of a SCO workstation infected with Michelangelo. What you seem to be referring to is either a multipartite (file and boot) virus, or a virus dropper.
In those cases, you're quite correct (in every scenario I can think of, off hand, anyway).

> whereas an EXE infector *might* work on NT.

Quite true. Likewise for OS/2, Linux etc. Also for a box whose primary operating system is non-DOS, but which has a DOS partition.

-- 
David Harley                     \ | /    alt.comp.virus FAQ
D.Harley@icrf.icnet.uk           \ | /    & Anti-Virus Web Page
Support & Security Analyst       \ | /    Folk London On-Line gig-list
Imperial Cancer Research Fund  ____\|/____  http://webworlds.co.uk/dharley/

From firewalls-owner Sun Mar 2 16:47:06 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id QAA09123 for firewalls-outgoing; Sun, 2 Mar 1997 16:36:08 -0800 (PST)
Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id QAA09098 for ; Sun, 2 Mar 1997 16:35:57 -0800 (PST)
Received: by relay.hq.tis.com; id TAA00764; Sun, 2 Mar 1997 19:33:15 -0500 (EST)
Received: from clipper.hq.tis.com(10.33.1.2) by relay.hq.tis.com via smap (3.2) id xma000753; Sun, 2 Mar 97 19:33:11 -0500
Received: from jupiter.hq.tis.com (jupiter.hq.tis.com [10.33.112.189]) by clipper.hq.tis.com (8.7.5/8.7.3) with SMTP id TAA19796; Sun, 2 Mar 1997 19:30:58 -0500 (EST)
From: Jody C Patilla
Message-Id: <199703030030.TAA19796@clipper.hq.tis.com>
Subject: Re: an epiphany
To: bdwilner@nsli.com
Date: Sun, 2 Mar 1997 19:30:56 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <3318D76F.14E@nsli.com> from "Bruce D. Wilner" at Mar 1, 97 05:27:12 pm
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I have reached an epiphany: this mailing list is a waste of time.
> It appears to serve as the personal fan club for one man, who decides, via
> the stroke of a key or a judiciously dropped name, what is important and
> what is not, dismissing rationales that are, perhaps, too tersely and
> abstractly expressed, and sidestepping legitimate criticisms while
> challenging the critic to "remind us what he has done" as a handy
> distractive sleight, yea, a sleight that I dignified with a serious
> response in this morning's posting.

This sounds a lot like "since *I'm* not the center of attention, I am going to take my marbles and go home." It's too bad that you seem to have such a chip on your shoulder.

Bye! Have a nice day! ;-)

- jcp
-- 
=========================================================================
Jody C. Patilla                  jcp@tis.com
Trusted Information Systems      Glenwood, Md.

From firewalls-owner Sun Mar 2 17:47:08 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id RAA15168 for firewalls-outgoing; Sun, 2 Mar 1997 17:30:59 -0800 (PST)
Received: from lotus.lotus.com (lotus.com [192.233.136.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id RAA15160 for ; Sun, 2 Mar 1997 17:30:43 -0800 (PST)
From: Martin_Khoo/SIN/Lotus@lotus.com
Received: from internet2.lotus.com by lotus.lotus.com (SMI-8.6/SMI-SVR4) id UAA24442; Sun, 2 Mar 1997 20:25:39 -0500
Received: from mta2.lotus.com by internet2.lotus.com (5.x/SMI-SVR4) id AA24110; Sun, 2 Mar 1997 20:22:09 -0500
Received: by mta2.lotus.com(Lotus SMTP MTA v1.05 (305.4 1-15-1997)) id 8525644F.00083B5A ; Sun, 2 Mar 1997 20:29:54 -0400
X-Lotus-Fromdomain: LOTUSINT@LOTUS@MTA
To: csncr@gte.net
Cc: firewalls@greatcircle.com
Message-Id: <4825644F.0006CBA2.00@mta2.lotus.com>
Date: Mon, 3 Mar 1997 09:29:15 +0900
Subject: Re: SGI Guantlet Firewalls?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

It all depends on your patience/tolerance level and your willingness to use vi to modify the configuration table for the firewall. Compare that with using a GUI that allows you to easily and clearly construct rules that implement your company's security policy. If you don't mind and/or like to use vi to meddle around then go for Gauntlet; unless you are going to use the netperm-table (that is the file to set all your rules for Gauntlet) as shipped, you have to figure out the syntax and be prepared for some trial & error. The last time I looked, Gauntlet does not come with any printed documentation; you have to print the documentation online and even then the manual is not clear in explaining the modification of the netperm-table. Don't be misled by the documentation that Gauntlet administration is done using Netscape Navigator; that's only half the truth, the other half is that what you can do with the GUI is VERY LIMITED. It allows you to set what is the trusted interface, set up user authentication, set up logging, and that's about the most significant things that it offers. Notice that there is NO mention about setting up your rulebase that controls what goes in/out of your network, who/what can do this or that?

On the SUN, you have a choice of either Checkpoint Firewall-1 or Milkyway BlackHole. Both offer you a TRUE GUI based administration. Check out http://ww.checkpoint.com for more details about Firewall-1 or http://www.milkyway.com for BlackHole.

Cheers!
Martin Khoo

csncr@gte.net on 03/01/97 05:08:33 PM
To: Firewalls@GreatCircle.COM
cc: (bcc: Martin Khoo/SIN/Lotus)
Subject: SGI Guantlet Firewalls?

We are going to purchase two Origin 2000 systems from SGI. SGI offers Gauntlet for their firewall server. We are also looking at Sun for a firewall. Is anybody running a SUN or SGI for their firewall that can give me some input.
Since we are running SGI for our main servers, is there any reason to run Sun instead of SGI for a firewall. Note: Price is not an issue, because we have a good source for SGI equipment that will allow us to get SGI at about the same price as comparable Sun equipment.

From firewalls-owner Sun Mar 2 18:01:55 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id RAA16345 for firewalls-outgoing; Sun, 2 Mar 1997 17:59:36 -0800 (PST)
Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id RAA16336 for ; Sun, 2 Mar 1997 17:59:28 -0800 (PST)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id TAA19489; Sun, 2 Mar 1997 19:59:18 -0600
Date: Sun, 2 Mar 1997 19:57:02 -0600 (CST)
From: Ron DuFresne
To: Peter da Silva
cc: Bob Beck , harley@icrf.icnet.uk, firewalls@GreatCircle.COM
Subject: Re: virus checking
In-Reply-To: <9703022136.AA14139@sonic.nmti.com.nmti.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 2 Mar 1997, Peter da Silva wrote:

> > I assume your meaning is from a "regular" user account, or
> > directly from a "user" mode program.
>
> No, my meaning is "using the techniques that boot sector infectors use".
>
> If you download a boot-sector infector it's going to use DOS/Windows
> techniques to get itself installed and propagated. Those simply don't
> work on UNIX or NT... whereas an EXE infector *might* work on NT.

Incorrect if you have a working floppy drive that's bootable. For one of the "techniques that boot sector infectors use" is wide open to an x86 machine...

Later,

Ron DuFresne

>
> For NT- or UNIX-specific viruses of course you're right.
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.
It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Sun Mar 2 18:17:26 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id RAA15323 for firewalls-outgoing; Sun, 2 Mar 1997 17:33:38 -0800 (PST)
Received: from gw.iai.com (gw.iai.com [206.64.157.62]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id RAA15283 for ; Sun, 2 Mar 1997 17:33:20 -0800 (PST)
Received: by gw.iai.com; id UAA08758; Sun, 2 Mar 1997 20:31:33 -0500 (EST)
Received: from milford.ma.iai.com(10.1.1.2) by gw.iai.com via smap (3.2) id xma008756; Sun, 2 Mar 97 20:31:30 -0500
Received: by milford.iai.com (AIX 4.1/UCB 5.64/4.03) id AA23466; Sun, 2 Mar 1997 20:32:09 -0500
From: jegan@iai.com (James Egan)
Message-Id: <9703030132.AA23466@milford.iai.com>
Subject: Re: TIS Gaunlet ?
To: 71333.2026@CompuServe.COM (John Madincea)
Date: Sun, 2 Mar 1997 20:32:09 -0500 (EST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <970302165843_71333.2026_DHB58-5@CompuServe.COM> from "John Madincea" at Mar 2, 97 11:58:43 am
Reply-To: Jim.Egan@iai.com
Organization: Integrated Architectures, Inc.
Pgp-Fingerprint: 64 47 DC 51 D9 11 1D FF 31 43 9C 4C E2 A1 FC 04
Pgp-Public-Key: public-key-server@martigny.ai.mit.edu (subject: GET jegan)
X-Mailer: ELM [version 2.4 PL24 ME5a]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

John:

I suggest you contact support@tis.com

Also, have you read the Gauntlet Administrator's Guide?

/Jim/

-- 
James P. Egan                    | Jim.Egan@iai.com
Integrated Architectures, Inc.
                                 | "Trust no one"
Use PGP for more secure email

John Madincea recently wrote:
>
> I need some configuration help and would also appreciate additional
> verbiage that would increase my understanding as well. I am setting
> up a new firewall running TIS 3.2 on BSDi 2.1. If I use the default
> setup all of the functionality works. However, it is too loose.
> That is, I want to tighten down which services can be used on a host
> by host basis. Furthermore, I want to be able to limit the
> destinations.
>
> For sake of reference I would like to use FTP as a point of discussion.
> I've created new policies but cannot get them to work. I've tried
> many parameters and they seem to have no effect. The end result is
> that each test gets denied in the standard generic trusted policy.
>
> Simplified configuration consists of:
> host_a trusted host
> host_b trusted host
> host_c trusted host
> host_d untrusted host
> host_e untrusted host
>
> Here is what I want to do.
> 1. permit host_a FTP access to host_d
> 2. permit host_b FTP access to the firewall, host_d and host_e
> 3. deny host_c FTP access
> 4. permit host_d FTP access to host_a
> 5. permit host_e FTP access to host_a and host_c
>
> Could someone please show me how to code the netperm-table for this
> and explain what else may need to be done.
>
> Does Gauntlet use /etc/inetd for anything ?
>
> With regards to the log files - do the numbers in brackets have
> any significance for each message generated ?
>
> Is there a way to debug a session to see what lines of the
> netperm-table are getting used ?
>
> Are there any FAQ's or URL's available that you can point me to
> for additional information ?
>
> Thanks in advance,
>
> John Madincea
> 71333.2026@compuserve.com
>
>

From firewalls-owner Sun Mar 2 18:32:16 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id SAA18686 for firewalls-outgoing; Sun, 2 Mar 1997 18:19:35 -0800 (PST)
Received: from mercury.Sun.COM (mercury.Sun.COM [192.9.25.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id SAA18612 for ; Sun, 2 Mar 1997 18:19:14 -0800 (PST)
Received: from PRC.Sun.COM ([129.158.112.5]) by mercury.Sun.COM (SMI-8.6/mail.byaddr) with SMTP id SAA09751; Sun, 2 Mar 1997 18:15:42 -0800
Received: from qishan.PRC.Sun.COM by PRC.Sun.COM (SMI-8.6/SMI-5.3) id KAA07915; Mon, 3 Mar 1997 10:28:13 +0800
Received: by qishan.PRC.Sun.COM (SMI-8.6/SMI-SVR4) id KAA02087; Mon, 3 Mar 1997 10:26:38 +0800
Date: Mon, 3 Mar 1997 10:26:38 +0800
From: Carl.Ma@PRC.Sun.COM (Carl Ma - SE Trainee)
Message-Id: <199703030226.KAA02087@qishan.PRC.Sun.COM>
To: Raymond.Sleiman@mail.gestronic.ch
Subject: Configure mail
Cc: Firewalls@GreatCircle.COM
X-Sun-Charset: US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

IHAC who is installing ten PCs, whose IP addresses are virtual. Their server is a SUN Ultra 1. The OS is Solaris 2.5. I met the problem that the E-mail can't work normally. I want to find some information. Can you give me some hints?

Yours sincerely,

carl

From firewalls-owner Sun Mar 2 18:47:15 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id SAA21225 for firewalls-outgoing; Sun, 2 Mar 1997 18:34:43 -0800 (PST)
Received: from mail.rc.on.ca ([207.176.151.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id SAA21218 for ; Sun, 2 Mar 1997 18:34:32 -0800 (PST)
Received: by mail.rc.on.ca with Internet Mail Service (5.0.1389.3) id <01BC2751.495E91E0@mail.rc.on.ca>; Sun, 2 Mar 1997 21:32:53 -0500
Message-ID:
From: Russ
To: firewalls@GreatCircle.COM, "'alp@IDT.NET'"
Subject: RE: Firewall ?
Date: Sun, 2 Mar 1997 21:32:52 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1389.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

As a partial solution to your question, Windows NT 4.0 can use PPTP (Point-to-Point Tunneling Protocol) to create the encrypted channel over which you can run IP, IPX, or NetBEUI even, since it takes your network traffic and runs it over PPP, which in turn is then encapsulated within a TCP channel (over port 1723).

Although I personally would not recommend it, it is possible to enable PPTP filtering on said NT box and have it ignore all other connection attempts other than via TCP 1723, supposedly leaving it as a bastion which only PPTP is useful through. I've found no failing in this configuration, although I have not thoroughly tested it either.

I would still recommend that you put some sort of Firewall between the two PPTP devices to provide you with monitoring, alarms, and the stuff that good security is made of. However, assuming you have good Firewalls, allowing PPTP (in which the PPP can be encrypted using RSA MD5) could provide you with the rest of your requirements.

Cheers,
Russ
R.C. Consulting, Inc.
- NT/Internet Security

From firewalls-owner Sun Mar 2 19:27:33 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id TAA25657 for firewalls-outgoing; Sun, 2 Mar 1997 19:07:50 -0800 (PST)
Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id TAA25594 for ; Sun, 2 Mar 1997 19:07:32 -0800 (PST)
Received: by relay.rv.tis.com; id WAA21609; Sun, 2 Mar 1997 22:13:55 -0500 (EST)
Received: from dhcp9.ex.tis.com(192.94.214.129) by relay.rv.tis.com via smap (3.2) id xma021606; Sun, 2 Mar 97 22:13:53 -0500
Message-Id: <3.0.32.19970302215532.00708ba0@pop.rv.tis.com>
X-Sender: rick@pop.rv.tis.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sun, 02 Mar 1997 21:58:40 -0500
To: John Madincea <71333.2026@CompuServe.COM>
From: Rick Murphy
Subject: Re: TIS Gaunlet ?
Cc: majordomo
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 11:58 AM 3/2/97 EST, John Madincea wrote:
> 1. permit host_a FTP access to host_d
>Could someone please show me how to code the netperm-table for this
>and explain what else may need to be done.

Between netacl and ftp-gw this shouldn't be a problem to set up if you read the documentation.

>
>Does Gauntlet use /etc/inetd for anything ?

Nothing other than the dummy identd.

>
>With regards to the log files - do the numbers in brackets have
>any significance for each message generated ?

Other than the PID of the process, no.

>Is there a way to debug a session to see what lines of the
>netperm-table are getting used ?

show-policy is used to debug the configuration.

>
>Are there any FAQ's or URL's available that you can point me to
>for additional information ?

There are support resources available that can help you; either your reseller or TIS support.
-Rick

From firewalls-owner Sun Mar 2 21:47:44 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id VAA03752 for firewalls-outgoing; Sun, 2 Mar 1997 21:34:40 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id VAA03633 for ; Sun, 2 Mar 1997 21:34:07 -0800 (PST)
Received: from silence.secnet.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-961106) id UAA12515; Sun, 2 Mar 1997 20:47:42 -0800 (PST)
Received: from localhost (davids@localhost) by silence.secnet.com (8.8.5/secnet) with SMTP id VAA00428 for ; Sun, 2 Mar 1997 21:51:01 -0700 (MST)
Date: Sun, 2 Mar 1997 21:51:01 -0700 (MST)
From: David Sacerdote
To: firewalls@GreatCircle.COM
Subject: imapd and pop3d hole
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Secure Networks Inc.
Security Advisory
March 2, 1997

Buffer Overflow in imapd and ipop3d

A vulnerability exists within Mark Crispin's mail server toolkit that will allow arbitrary individuals to obtain root access to servers running imapd and ipop3d. This vulnerability is present in both the POP3 and IMAP2bis servers included in the PINE distribution, as well as the IMAP2bis and IMAP4 servers included in Mr. Crispin's IMAP toolkit.

Technical Details
~~~~~~~~~~~~~~~~~

The vulnerable mail servers call a library routine to effect a Unix "login", authenticating the user against its password. A stack overrun exists in this routine. In essence this will allow any client with the ability to attempt a login to enter an overly long username to cause arbitrary machine code to execute.

Both the POP and IMAP servers Mr. Crispin distributes discard supervisory privileges sometime after this authentication phase.
Unfortunately, the overflow occurs before this happens, and the vulnerability will thus allow an attacker superuser access.

The problematic routine is server_login(), which is in "log_xxx.c" in the OS-dependent code tree of the server source distribution. The problem occurs due to the routine's attempt to allow a case insensitive match on the username, which it does by copying the username provided to the routine into an automatic variable in the routine's stack. The username buffer is MAILTMPLEN long, which defaults to 1024 bytes. Unfortunately, the server's input buffer is greater than this, allowing a remote client to feed the routine a username greater than 1024 bytes. If the excess characters in this username contain a valid virtual memory address, the routine will overwrite its stack frame when copying the username, causing the return from the routine to jump to an unexpected location.

Interestingly, the buffer is converted to lowercase after being copied. This provides a slight technical challenge, as the machine code required to take over the server contains uppercase characters. However, modifications to the "standard" stack overrun exploit code to reverse the effects of this lowercasing were trivial. On i386 4.4BSD, the VM address required to redirect server_login()'s return need not contain uppercase characters.

The flawed code reads:

    long server_login (char *user, char *pass, int argc, char *argv[])
    {
      char tmp[MAILTMPLEN];
      struct passwd *pw = getpwnam (user);
                                    /* allow case-independent match */
      if(!pw) pw = getpwnam (lcase (strcpy (tmp, user)));
    }

Impact
~~~~~~

Remote individuals, who do not have a valid username and password for the mail server, can obtain root access to systems running a vulnerable IMAP or POP server.

Vulnerable Systems
~~~~~~~~~~~~~~~~~~

Any system running Mark Crispin's POP or IMAP server, of a release earlier than 4.1beta, is vulnerable. To determine whether your system is vulnerable, telnet to ports 109, 110, 143 and 220.
If you see a banner looking like:

    * OK example.com IMAP2bis Service 7.8(92) at Mon, 3 Mar 1997 12:00:00 -0500 (EST)

or:

    * OK example.com IMAP4 v10.00 server ready

or:

    +OK example.com POP3 3.0(10) w/IMAP client (Report problems in this server to MRC@CAC.Washington.edu) at Mon, 3 Mar 1998 12:00:00 -0500 (EST)

then your system is vulnerable. If you see "POP3 3.3" or "IMAP4rev1" or later, your POP or IMAP server is not vulnerable.

POP servers not derived from Mark Crispin's code, including the somewhat confusingly named "pop3d" from the University of California at Davis, are not vulnerable to the attack described in this advisory. Similarly, the University of California at Berkeley popper, and derived POP servers, including the Qualcomm popper, are not vulnerable to this attack.

Fix Information
~~~~~~~~~~~~~~~

As a temporary workaround, you can disable the POP and IMAP services in /etc/inetd.conf, and then kill and restart inetd.

You can fix the problem in the source yourself, by changing the server_login() function to read:

    char tmp[MAILTMPLEN];
    struct passwd *pw = getpwnam (user);
    if(!pw) {
      strncpy(tmp, user, MAILTMPLEN - 1);
      tmp[MAILTMPLEN - 1] = '\0';   /* strncpy() leaves an over-long copy unterminated */
      pw = getpwnam(lcase(tmp));
    }

Or, as a final option, you can switch to the IMAP 4.1 beta distribution, which can be found at ftp://ftp.cac.washington.edu/mail/imap.tar.Z.

Additional Information
~~~~~~~~~~~~~~~~~~~~~~

If you have any questions about this advisory, feel free to contact me, by sending mail to davids@secnet.com

If you wish to encrypt your messages to me, feel free to use the following PGP public key.
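Added example, not code from the SNI advisory or from the UW IMAP toolkit: the bounded, NUL-terminated lower-casing copy the fix above reaches for, written so that a name which does not fit MAILTMPLEN is refused rather than silently truncated (a truncated authentication identifier could match a different account). The function names lcase_copy_bounded, server_login_lookup and lookup_synthetic_name are mine, the known_users table is a constructed stand-in for getpwnam(), and MAILTMPLEN is set to the 1024-byte default the advisory cites.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAILTMPLEN 1024   /* default size of the username buffer, per the advisory */

/* Lower-case src into dst (dstlen bytes, NUL included).
 * Returns 0 on success and -1 if src does not fit.  On -1 nothing is
 * written, so a caller can never look up a silently truncated name. */
int lcase_copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    if (dstlen == 0)
        return -1;
    while (n < dstlen && src[n] != '\0')    /* never scan further than we could store */
        n++;
    if (n >= dstlen)
        return -1;                           /* no room left for the terminating NUL */
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[n] = '\0';
    return 0;
}

/* Constructed stand-in for getpwnam(): a fixed table of account names. */
static const char *const known_users[] = { "alice", "bob", NULL };

static int lookup_user(const char *name)
{
    for (size_t i = 0; known_users[i] != NULL; i++)
        if (strcmp(known_users[i], name) == 0)
            return 1;
    return 0;
}

/* Hardened shape of the case-insensitive match in server_login().
 * Returns 1 if the account exists, 0 if it does not, and -1 if the supplied
 * name is too long to be a legitimate username, in which case the login is
 * refused outright. */
int server_login_lookup(const char *user)
{
    char tmp[MAILTMPLEN];               /* same automatic buffer the flawed code used */
    if (lookup_user(user))
        return 1;
    if (lcase_copy_bounded(tmp, sizeof tmp, user) != 0)
        return -1;                      /* the original strcpy() would have overrun tmp here */
    return lookup_user(tmp);
}

/* Builds a constructed name of `len` capital 'A's and runs the lookup, so the
 * over-long case can be exercised without a live passwd database. */
int lookup_synthetic_name(size_t len)
{
    char name[4096];
    if (len >= sizeof name)
        return -2;
    memset(name, 'A', len);
    name[len] = '\0';
    return server_login_lookup(name);
}

int main(void)
{
    printf("Alice   -> %d (mixed case resolves to alice)\n", server_login_lookup("Alice"));
    printf("carol   -> %d (unknown account)\n", server_login_lookup("carol"));
    printf("1023 'A' -> %d (fits, lower-cased, not found)\n", lookup_synthetic_name(1023));
    printf("1500 'A' -> %d (refused instead of overrunning tmp)\n", lookup_synthetic_name(1500));
    return 0;
}
```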
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzJ4qJAAAAEEAOgB7mooQ6NgzcUSIehKUufGsyojutC7phVXZ+p8FnHLLZNB
BLQEtj5kmfww2A2pR29q4rgPeqEUOjWPlLNdSLby3NI8yKz1AQSQLHAwIDXt/lku
8QXClaV6pNIaQSN8cnyyvjH6TYF778yZhYz0mwLqW6dU5whHtP93ojDw1UhtAAUR
tCtEYXZpZCBTYWNlcmRvdGUgPGRhdmlkc0BzaWxlbmNlLnNlY25ldC5jb20+
=LtL9
-----END PGP PUBLIC KEY BLOCK-----

Further information about the Interactive Mail Access Protocol can be found in RFCs 1731, 1732, 1733, 2060, 2061, 2062, 2086, 2087, 2088, and 2095. Further information about the Post Office Protocol can be found in RFCs 1939 and 1957. Copies of RFCs can be found at http://ds.internic.net/rfc/rfcXXXX.txt

For further information about Secure Networks Inc, including product information, past advisories, and papers, see http://www.secnet.com

If you wish to obtain Secure Networks advisories via our mailing list, please send mail to sni-advisories-request@secnet.com, with a single line reading:

    subscribe sni-advisories

Copyright
~~~~~~~~~

The contents of this advisory are Copyright (C) 1997 Secure Networks Inc, and may be distributed freely provided that no fee is charged for distribution, and that proper credit is given.

imapd and ipop3d fall under the following license:

Copyright 1997 by the University of Washington

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both the above copyright notice and this permission notice appear in supporting documentation, and that the name of the University of Washington not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.
This software is made available "as is", and THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN NO EVENT SHALL THE UNIVERSITY OF WASHINGTON BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

From firewalls-owner Sun Mar 2 22:28:39 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id VAA07166 for firewalls-outgoing; Sun, 2 Mar 1997 21:48:08 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id VAA04282 for ; Sun, 2 Mar 1997 21:37:14 -0800 (PST)
Received: from gatekeeper.Bridge.COM by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-961106) id TAA10456; Sun, 2 Mar 1997 19:39:18 -0800 (PST)
Received: (from mailproxy@localhost) by gatekeeper.Bridge.COM (8.6.12/8.6.9) id VAA11235; Sun, 2 Mar 1997 21:37:37 -0600
Received: from dns1srv.bridge.com(167.76.36.6) by gatekeeper.Bridge.COM via smap (V1.3) id sma011233; Sun Mar 2 21:37:30 1997
Received: from enzo (enzo.bridge.com [167.76.24.29]) by dns1srv.bridge.com (8.7.6/8.7.3) with SMTP id VAA11183; Sun, 2 Mar 1997 21:40:15 -0600 (CST)
Date: Sun, 2 Mar 1997 21:39:30 -0600 (CST)
From: Ken Hardy
X-Sender: ken@enzo
To: "Bruce D. Wilner"
cc: firewalls@GreatCircle.COM
Subject: Re: an epiphany
In-Reply-To: <3318D76F.14E@nsli.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Idiosyncratically euphuistic eccentricities are the promulgators of triturable obfuscation.

On Sat, 1 Mar 1997, Bruce D. Wilner wrote:

> I have reached an epiphany: this mailing list is a waste of time. It
> appears to serve as the personal fan club for one man, who decides, via
> the stroke of a key or a judiciously dropped name, what is important and
> what is not, dismissing rationales that are, perhaps, too tersely and
> abstractly expressed, and sidestepping legitimate criticisms while
> challenging the critic to "remind us what he has done" as a handy
> distractive sleight, yea, a sleight that I dignified with a serious
> response in this morning's posting.
>
> Those paraprofessional myrmidons who have mastered a few socket calls
> and TCP/IP admin commands and wish to subscribe to future sciolistic
> interpretations of things sublime, diverting themselves with, in
> Newton's words, "a smoother pebble or a prettier shell than ordinary,"
> can goosestep onward and flame their hearts out while I restrict my
> pearls to more erudite fora.
>
> --
> Bruce D. Wilner, CCP
> President
> Network Security Laboratories, Inc., Bethesda, MD
> mailto:bdwilner@nsli.com
> http://www.nsli.com
>

--
Ken Hardy

From firewalls-owner Mon Mar 3 00:17:29 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id AAA21646 for firewalls-outgoing; Mon, 3 Mar 1997 00:11:17 -0800 (PST)
Received: from fw.matav.hu (firewall.matav.hu [145.236.225.161]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id AAA21632 for ; Mon, 3 Mar 1997 00:11:07 -0800 (PST)
Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by hades.fw.matav.hu with SMTP id <55637-1>; Mon, 3 Mar 1997 09:08:04 +0100
Received: from piheno.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Mon, 03 Mar 1997 09:09:08 MET
Received: (from mag@localhost) by piheno.tii.matav.hu (8.6.12/8.6.9) id JAA01753; Mon, 3 Mar 1997 09:11:00 +0100
Date: Mon, 3 Mar 1997 09:11:00 +0100
From: "Magossa'nyi A'rpa'd"
To: Russ
CC: firewalls@GreatCircle.COM
Subject: RE: Nuclear Winter on Firewalls
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 2 Mar 1997, Russ wrote:

> Could we get back to the real purpose of the list, namely, figuring out
> how to convince all customers to run their Firewalls on Windows NT!
>

Is it really the claimed purpose of the mailing list, or just kidding?

---
GNU GPL: only from a clean source

From firewalls-owner Mon Mar 3 01:47:29 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id BAA27546 for firewalls-outgoing; Mon, 3 Mar 1997 01:35:15 -0800 (PST)
Received: from mimas.glo.be (dns.glo.be [206.48.177.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id BAA27538 for ; Mon, 3 Mar 1997 01:35:08 -0800 (PST)
Received: from titan.glo.be (eloos@titan.glo.be [206.48.190.18]) by mimas.glo.be (8.8.5/8.7.3) with ESMTP id KAA12109; Mon, 3 Mar 1997 10:31:00 +0100
Received: (from eloos@localhost) by titan.glo.be (8.8.5/1.0) id KAA05250; Mon, 3 Mar 1997 10:33:26 +0100
Date: Mon, 3 Mar 1997 10:33:26 +0100 (MET)
From: Eric
To: William Burrow
cc: Bernd Eckenfels , firewalls@GreatCircle.COM
Subject: Re: Firewall OS
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Sun, 2 Mar 1997, William Burrow wrote:

> On Sun, 2 Mar 1997, Bernd Eckenfels wrote:
>
> > There are Packetfilters for DOS. The main Problem for anything more than
> > Filtering is, that you need some kind of scheduling, you will have to rewrite
> > half of a real operating system.
>
> Or perhaps knock away half a real OS. :)
>
> > What is really needed for a Firewall OS is (IMHO):
> > [SNIP]
>
> The simplicity of DOS is that it is typically not possible to do anything
> with it when not on the console (with luck).
> I'm considering an idea
> whereby firewall or other logs are sent to a DOS box that does nothing but
> logging to a big disk. The question of how to monitor that log is an
> important one, but at least the logs will be secure from outside erasure
> or modification. A lowly junk 386 might be able to do this task, so cost
> is minimal.
>
> Would this concept be considered overkill or not important? It seems to
> me that detecting a breakin might require intact log files, and this
> might be one way to assure this.

No actually I think it is a very good idea... what good are logs to log any security violations if you know that the first thing that a hacker does is erasing them. Although a properly equipped (or better stripped down) firewall should be very hard to compromise and thus making it more important to log any traffic to your internal network than to your firewall itself, logging it to an external uncompromisable host is IMHO a very good idea

> --
> William Burrow -- Fredericton Area Network, New Brunswick, Canada
> Copyright 1997 William Burrow
>
>

--Eric
Globe Internet nv
Junior Systems engineer
(own != company) opinion

From firewalls-owner Mon Mar 3 02:32:27 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id CAA00530 for firewalls-outgoing; Mon, 3 Mar 1997 02:13:05 -0800 (PST)
Received: from calvo.teleco.ulpgc.es (calvo.teleco.ulpgc.es [193.145.140.21]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id CAA00182 for ; Mon, 3 Mar 1997 02:09:19 -0800 (PST)
Received: (from kuko@localhost) by calvo.teleco.ulpgc.es (8.7.5/8.7.3) id KAA03025; Mon, 3 Mar 1997 10:10:46 GMT
Date: Mon, 3 Mar 1997 10:10:46 +0000 (GMT)
From: Miguel Armas del Rio
To: Per Gustavsson
cc: "'firewalls@GreatCircle.COM'"
Subject: RE: Apache proxy on Firewall...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Fri, 28 Feb 1997, Per Gustavsson wrote:

> > I am evaluating the use of Apache in proxy mode on our firewall.
> > One problem has surfaced that I can't find a pointer to...
> >
> > Our DNS domains are split. The outside world doesn't see inside
> > systems and the inside world doesn't see outside systems. When
> > using Apache as a proxy server, Netscape hangs on requests to
> > access internal hosts... Host unknown!
> >
> [PG] We are also using Apache and have two DNS running, one for our internal
> net and one that shows us on internet.
> I had similar problems and I solved it by adding all the relevant inside
> hosts in the /etc/hosts (or whatever it's called on your system).
> Then the proxy will be able to resolve the inside names without using the DNS.
> Per M. Gustavsson
> pergu@acm.org
> >
> > Clues, comments, pointers appreciated.

You can solve that problem running a secondary name server on your firewall. That way it can resolve names inside your firewall asking to itself. Just make sure to protect your internal namespace with secure_zone (bind 4.9.4 I think...), because if you don't, external hosts can query your firewall to find out names in your internal namespace.

CU!
------------------------------------------------------------------------
Miguel Armas del Rio            kuko@cic.teleco.ulpgc.es
ETSI de Telecomunicaciones      http://calvo.teleco.ulpgc.es/
Universidad de Las Palmas       PGP public key available (11/1/97):
Spain                           finger kuko@calvo.teleco.ulpgc.es
------------------------------------------------------------------------

From firewalls-owner Mon Mar 3 03:17:13 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id DAA05984 for firewalls-outgoing; Mon, 3 Mar 1997 03:08:40 -0800 (PST)
Received: from fw.matav.hu (firewall.matav.hu [145.236.225.161]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id DAA05977 for ; Mon, 3 Mar 1997 03:08:22 -0800 (PST)
Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by hades.fw.matav.hu with SMTP id <55600-1>; Mon, 3 Mar 1997 12:05:27 +0100
Received: from piheno.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Mon, 03 Mar 1997 12:05:32 MET
Received: (from mag@localhost) by piheno.tii.matav.hu (8.6.12/8.6.9) id MAA05225; Mon, 3 Mar 1997 12:07:40 +0100
Date: Mon, 3 Mar 1997 12:07:39 +0100
From: "Magossa'nyi A'rpa'd"
To: Eric
CC: firewalls@GreatCircle.COM
Subject: Re: Firewall OS
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 3 Mar 1997, Eric wrote:

[snip]

> > The simplicity of DOS is that it is typically not possible to do anything
> > with it when not on the console (with luck). I'm considering an idea
> > whereby firewall or other logs are sent to a DOS box that does nothing but
> > logging to a big disk. The question of how to monitor that log is an
> > important one, but at least the logs will be secure from outside erasure
> > or modification. A lowly junk 386 might be able to do this task, so cost
> > is minimal.
> >
> > Would this concept be considered overkill or not important? It seems to
> > me that detecting a breakin might require intact log files, and this
> > might be one way to assure this.

> No actually I think it is a very good idea... what good are logs to log
> any security violations if you know that the first thing that a hacker
> does is erasing them. Although a properly equipped (or better stripped down)
> firewall should be very hard to compromise and thus making it more
> important to log any traffic to your internal network than to your
> firewall itself, logging it to an external uncompromisable host is IMHO a
> very good idea

I think that generally it is a _BAD_ idea to store the logfiles on the very same machine you generated them on. I would store those logs on at least two independent, well-protected hosts.

---
GNU GPL: only from a clean source

From firewalls-owner Mon Mar 3 03:32:15 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id DAA06391 for firewalls-outgoing; Mon, 3 Mar 1997 03:18:17 -0800 (PST)
Received: from ns.mad.servicom.es (peterpan.mad.servicom.es [194.106.6.133]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id DAA06376 for ; Mon, 3 Mar 1997 03:18:02 -0800 (PST)
From: Juan Carlos Gomez
Received: from Servicom.mad.servicom.es by ns.mad.servicom.es (8.6.12/FI-3.3) Mon, 3 Mar 1997 12:21:13 +0100
Message-Id: <3.0.32.19970303121515.0071a6c8@pop.mad.servicom.es>
X-Sender: jcgomez@pop.mad.servicom.es
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Mon, 03 Mar 1997 12:15:17 +0000
To: Firewalls@GreatCircle.COM
Subject: plug-in
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Does anybody know the tolerance of "fast-plug" (fwtk)? It starts up from "inetd", but it could be inefficient when we have many concurrent connections. Please, is there something similar that can be started as a daemon from the init files?

Thanks in advance.

Juan Carlos.
From firewalls-owner Mon Mar 3 04:02:20 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id DAA08155 for firewalls-outgoing; Mon, 3 Mar 1997 03:45:27 -0800 (PST)
Received: from arl-img-3.compuserve.com (arl-img-3.compuserve.com [149.174.217.133]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id DAA08063 for ; Mon, 3 Mar 1997 03:44:55 -0800 (PST)
Received: by arl-img-3.compuserve.com (8.6.10/5.950515) id GAA01851; Mon, 3 Mar 1997 06:43:26 -0500
Date: 03 Mar 97 06:42:35 EST
From: John Madincea <71333.2026@CompuServe.COM>
To: majordomo
Subject: TIS Gaunlet ? (continued)
Message-ID: <970303114234_71333.2026_DHB55-1@CompuServe.COM>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

---------- Forwarded Message ----------

Here is some additional information that I left off in the first mail.

I have read the Administrator's guide and it is somewhat insufficient. It basically explains the proxies and then has a section on various options. However, it does not contain examples or show how everything fits together. So if you are experiencing any trouble you're out of luck.

I've also contacted TIS as some of you suggested. As a matter of fact I've called them for a week straight (approximately 10-20 times). Each time I called I was told that my call was in a queue and that someone would call me. However, they only called me twice. The first time I was at lunch. When I called them back I just got the same story that everyone was busy and that my call was in the queue. I explained that I am not always at my desk and that I would appreciate it if they paged me via voice mail. Wouldn't you know it, on their second call they forgot to do it. However, I did see that I had voice mail and it was only 5 minutes old. So naturally I called back and again all support was too busy to take my call.

Additionally, I've searched their web site and could not find any information to get me through this problem.
So as you can see I've been trying and am still in need of help. So if you have any helpful information please reply, otherwise please cut back on the BS responses. I need some configuration help and would also appreciate additional verbiage that would increase my understanding as well.

I am setting up a new firewall running TIS 3.2 on BSDi 2.1. If I use the default setup all of the functionality works. However, it is too loose. That is, I want to tighten down which services can be used on a host by host basis. Furthermore, I want to be able to limit the destinations. For sake of reference I would like to use FTP as a point of discussion. I've created new policies but cannot get them to work. I've tried many parameters and they seem to have no effect. The end result is that each test gets denied in the standard generic trusted policy.

Simplified configuration consists of:

    host_a   trusted host
    host_b   trusted host
    host_c   trusted host
    host_d   untrusted host
    host_e   untrusted host

Here is what I want to do.

1. permit host_a FTP access to host_d
2. permit host_b FTP access to the firewall, host_d and host_e
3. deny host_c FTP access
4. permit host_d FTP access to host_a
5. permit host_e FTP access to host_a and host_c

Could someone please show me how to code the netperm-table for this and explain what else may need to be done.

Does Gauntlet use /etc/inetd for anything ?

With regards to the log files - do the numbers in brackets have any significance for each message generated ?

Is there a way to debug a session to see what lines of the netperm-table are getting used ?

Are there any FAQ's or URL's available that you can point me to for additional information ?
Thanks in advance,

John Madincea
71333.2026@compuserve.com

From firewalls-owner Mon Mar 3 04:17:02 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id EAA10251 for firewalls-outgoing; Mon, 3 Mar 1997 04:03:44 -0800 (PST)
Received: from ildico.comnet.com.tr (ildico.comnet.com.tr [195.174.10.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id EAA10109 for ; Mon, 3 Mar 1997 04:03:00 -0800 (PST)
Received: (from uucp@localhost) by ildico.comnet.com.tr (8.8.5/8.7.3) id OAA11819 for ; Mon, 3 Mar 1997 14:02:36 +0200 (EET)
Received: from ostinato.comnet.com.tr(195.174.10.14) by ildico via smap (V1.3) id sma011814; Mon Mar 3 14:02:12 1997
Message-Id: <3.0.32.19970303135758.00be2d58@mail.comnet.com.tr>
X-Sender: ferioli@mail.comnet.com.tr
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Mon, 03 Mar 1997 13:57:59 +0200
To: firewalls@GreatCircle.COM
From: Michael Ferioli
Subject: POP3 Security
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Without going to look at the RFC(s) for the POP3 protocol, can anyone tell me if the protocol specifically specifies that a user should be able to try his password over and over again without the POP3 server closing the connection?

I have not done much research into this, but I discovered that the popular "qpopper" from Qualcomm allows this. This is an interesting "feature" because it allows for brute force attacks on the ONLY service that providers allow from any host on the Internet. In other words, most providers will allow their customers to POP from any other provider.

I downloaded a simple modification of "crack" which was adapted for this purpose. I was able to run an entire dictionary file in under 5 minutes on my POP server (granted it was at 10Mb). I immediately modified the code to close the socket after one bad password.
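Added example, not Qualcomm's or any POP server's code: the "close the connection after one bad PASS" change described above, generalised with a per-source sliding window so that a client which reconnects for every guess is locked out as well. The function and type names (pop3_auth_failed, failure_table, simulate_failures and the rest), the client address 192.0.2.10 and the window and threshold values are all constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_TRACKED     64    /* distinct client addresses remembered at once */
#define WINDOW_SECS     600   /* sliding window over which failures are counted */
#define LOCK_THRESHOLD  5     /* failures from one address within the window -> lock */
#define PER_CONN_MAX    1     /* bad PASS commands tolerated on a single connection */

/* What the server should do after one failed PASS command. */
typedef enum { AUTH_RETRY_OK, AUTH_CLOSE_CONN, AUTH_LOCK_SOURCE } auth_action;

typedef struct {
    char   addr[46];          /* client address as text (room for IPv6) */
    int    failures;          /* failures seen in the current window */
    time_t window_start;
} source_entry;

typedef struct {
    source_entry entries[MAX_TRACKED];
    int          count;
} failure_table;

static source_entry *find_or_add(failure_table *t, const char *addr, time_t now)
{
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->entries[i].addr, addr) == 0)
            return &t->entries[i];
    if (t->count == MAX_TRACKED)
        return NULL;                          /* table full: caller fails closed */
    source_entry *e = &t->entries[t->count++];
    strncpy(e->addr, addr, sizeof e->addr - 1);
    e->addr[sizeof e->addr - 1] = '\0';
    e->failures = 0;
    e->window_start = now;
    return e;
}

/* Record one failed PASS from `addr`.  `conn_failures` counts failures on
 * this connection including the current one.  Locking is keyed on the client
 * address rather than the username, so a dictionary run cannot be turned into
 * a lockout of the legitimate account owner. */
auth_action pop3_auth_failed(failure_table *t, const char *addr, int conn_failures, time_t now)
{
    source_entry *e = find_or_add(t, addr, now);
    if (e == NULL)
        return AUTH_CLOSE_CONN;
    if (now - e->window_start >= WINDOW_SECS) {   /* window expired: start a new one */
        e->window_start = now;
        e->failures = 0;
    }
    e->failures++;
    if (e->failures >= LOCK_THRESHOLD)
        return AUTH_LOCK_SOURCE;                  /* refuse further USER/PASS from addr */
    if (conn_failures >= PER_CONN_MAX)
        return AUTH_CLOSE_CONN;                   /* the one-bad-password-then-close rule */
    return AUTH_RETRY_OK;
}

/* True while `addr` is inside a window in which it reached the threshold. */
int pop3_source_locked(const failure_table *t, const char *addr, time_t now)
{
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->entries[i].addr, addr) == 0)
            return t->entries[i].failures >= LOCK_THRESHOLD &&
                   now - t->entries[i].window_start < WINDOW_SECS;
    return 0;
}

/* Replays `n` guesses from one address, each on a fresh connection and
 * `gap_secs` apart, and returns the action decided for the last one. */
auth_action simulate_failures(const char *addr, int n, int gap_secs)
{
    failure_table t = { 0 };
    time_t base = 1000000;               /* arbitrary constructed clock origin */
    auth_action act = AUTH_RETRY_OK;
    for (int i = 1; i <= n; i++)
        act = pop3_auth_failed(&t, addr, 1, base + (time_t)i * gap_secs);
    return act;
}

/* Runs LOCK_THRESHOLD rapid guesses, then asks whether `addr` is still
 * locked `wait_secs` after the last one. */
int simulate_lock_then_wait(const char *addr, int wait_secs)
{
    failure_table t = { 0 };
    time_t now = 1000000;
    for (int i = 0; i < LOCK_THRESHOLD; i++)
        pop3_auth_failed(&t, addr, 1, now + i);
    return pop3_source_locked(&t, addr, now + LOCK_THRESHOLD - 1 + wait_secs);
}

int main(void)
{
    printf("1 guess               -> %d (1 = close connection)\n", simulate_failures("192.0.2.10", 1, 1));
    printf("5 guesses, 1s apart   -> %d (2 = lock source)\n", simulate_failures("192.0.2.10", 5, 1));
    printf("5 guesses, 700s apart -> %d (window keeps resetting)\n", simulate_failures("192.0.2.10", 5, 700));
    printf("locked 1h after lock? -> %d\n", simulate_lock_then_wait("192.0.2.10", 3600));
    return 0;
}
```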
This does not seem to be a problem since I have yet to encounter a POP client that tries passwords without reopening a connection with the server.

Anyone have any thoughts on this?

Mike

--
Michael D. Ferioli      ferioli@comnet.com.tr
Comnet A.S.             http://www.comnet.com.tr

From firewalls-owner Mon Mar 3 05:32:19 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id FAA18991 for firewalls-outgoing; Mon, 3 Mar 1997 05:25:56 -0800 (PST)
Received: from newman (newman.unifiedtech.com [38.251.136.48]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id FAA18964 for ; Mon, 3 Mar 1997 05:25:43 -0800 (PST)
Received: from bass.unifiedtech.com by newman (SMI-8.6/SMI-SVR4) id IAA05274; Mon, 3 Mar 1997 08:21:51 -0500
Received: by bass.unifiedtech.com (SMI-8.6/SMI-SVR4) id IAA10962; Mon, 3 Mar 1997 08:22:01 -0500
Date: Mon, 3 Mar 1997 08:22:01 -0500
From: jonesmd@unifiedtech.com (Mike Jones)
Message-Id: <199703031322.IAA10962@bass.unifiedtech.com>
To: firewalls@greatcircle.com, harley@icrf.icnet.uk
Subject: Re: virus checking
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Content-MD5: iJANHfB8LG1Fq4aNfJSWtg==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

David Harley writes...

> I wrote...
> > Saying that the firewall is
> > the WRONG place to do virus checking (which I've seen a couple of times
> > on the list recently) is like saying the desktop is the WRONG place to
> > have security.
> Not altogether. Properly-implemented desktop scanning will catch
> just about anything that scanning at the firewall will, but a little
> redundancy doesn't hurt, in virus management as in routing. Scanning
> at the firewall -won't- catch everything that can be picked up
> at the desktop.
> Of course, if you can't trust the quality of
> scanning at the desktop, a good scanner at the perimeter is a lot
> better than nothing.

Properly implemented security at the desktop would eliminate just about all of the security risks that firewalls catch, too. The devil is in the details, as usual. We implement firewalls because it's so damned hard to implement security well at *every* desktop. It's certainly easier to implement virus checking than good overall security practice at the desktop, but that's only relative. In an absolute sense, it's still very hard. Virus checking at the firewall is complementary to checking at the desktop.

--
Mike Jones
Sr. Technical Advisor
UNIFIED Technologies

From firewalls-owner Mon Mar 3 05:46:59 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id FAA19786 for firewalls-outgoing; Mon, 3 Mar 1997 05:36:29 -0800 (PST)
Received: from mail.vtx.ch (mail.vtx.ch [194.51.92.4]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id FAA19771 for ; Mon, 3 Mar 1997 05:36:21 -0800 (PST)
Received: from tla03 ([194.191.78.3]) by mail.vtx.ch (Netscape Mail Server v1.1) with SMTP id AAA25257; Mon, 3 Mar 1997 14:32:23 +0200
Message-ID: <331AC674.42E8@tla.ch>
Date: Mon, 03 Mar 1997 13:39:16 +0100
From: Christian ALT
X-Mailer: Mozilla 2.01Gold (WinNT; I)
MIME-Version: 1.0
To: firewalls@GreatCircle.COM
CC: calt@tla.ch
Subject: UDP canceled by ISP
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Installing SecuRemote from Checkpoint to have encryption between our site and a customer I went through a strange situation, and I would like to have your opinion.

The Firewall-1 encryption uses port 259 over UDP for authentication. We are unable to have that service running from our site.
We receive from a router the following message:

    ICMP destination-unreachable because trafic prohibited by filter

After enquiries we received the following explanation: our traffic is of type UDP and goes through the network of a provider (switch.ch) that forbids any traffic of type UDP.

Since it is the first time that I see something like that I'm just wondering if this is a trend among ISPs, or a special situation.

TIA

--
Christian ALT                          E-mail: calt@tla.ch
Telecom and Logistics Associates       phone & fax : +41 22 328 14 88
10, Rue des Savoises, CH-1205 Geneva   http://www.tla.ch

From firewalls-owner Mon Mar 3 06:03:00 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id FAA20496 for firewalls-outgoing; Mon, 3 Mar 1997 05:47:23 -0800 (PST)
Received: from simtel.Coast.NET (simtel.coast.net [205.149.128.6]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id FAA20443 for ; Mon, 3 Mar 1997 05:47:03 -0800 (PST)
Received: by simtel.Coast.NET (Smail3.1.28.1 #12) id m0w1Y3T-0000rpC; Mon, 3 Mar 97 08:45 EST
Date: Mon, 3 Mar 1997 08:45:26 -0500 (EST)
To: firewalls@greatcircle.com (Firewalls Mailing List)
Subject: Re: SGI Guantlet Firewalls?
From: "Mike O'Connor"
Reply-To: "Mike O'Connor"
X-Organization: :noitazinagrO-X
Message-Id: <970303084526.mjo@dojo.mi.org>
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Martin_Khoo/SIN/Lotus@lotus.com writes:

:It all depends on your patience/tolerance level and your willingness to use
:vi to modify configuration table for the firewall. Compare that with using
:a GUI that allows you to easily and clearly construct rules that implement
:your company's security policy.

[...]

:Don't be misled by the documentation that Gauntlet administration is done
:using Netscape Navigator; that's only half the truth, the other half is that
:what you can do with the GUI is VERY LIMITED. It allows you to set what is

[...]
:On the SUN, you have a choice of either Checkpoint Firewall-1 or Milkyway
:BlackHole. Both offer you a TRUE GUI based administration. Checkout

The implication here seems to be that a WWW-based administration scheme isn't as suitable for configuring a firewall product as a "true GUI". While TIS may or may not implement their WWW configuration well, I don't think that managing a firewall using Web technology is inherently better or worse than coming up with one's own GUI. I'd think that with WWW-based management, one can use some of the security mechanisms of the firewall itself rather than create a distinct GUI and have to independently ensure its security and integrity. Has anyone done some thinking or research on this sort of thing?

FWIW, it's my observation that a sledgehammer, rather than a GUI or CLI, is the right tool for "illustrating" most sites' security policies. :-)

--
Michael J. O'Connor              WWW: http://dojo.mi.org/~mjo/
Email: mjo@dojo.mi.org           InterNIC WHOIS: MJO (has my PGP & Geek Code info)
Phone: (changing soon)
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"...and it rained -- like a slow divorce..."
-Robyn Hitchcock

From firewalls-owner Mon Mar 3 06:18:22 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA22436 for firewalls-outgoing; Mon, 3 Mar 1997 06:07:44 -0800 (PST)
Received: from tuna.wang.com (TUNA.wang.com [150.124.136.4]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id GAA22390 for ; Mon, 3 Mar 1997 06:07:25 -0800 (PST)
Received: from mars.wangfed.com (mars.Wangfed.COM [159.94.10.1]) by tuna.wang.com (8.6.12/8.6.12tf1) with SMTP id JAA17867; Mon, 3 Mar 1997 09:05:52 -0500
Received: from uc0009.wangfed.com (uc0009 [159.94.10.15]) by mars.wangfed.com (8.8.4/3.8) with SMTP id JAA23051; Mon, 3 Mar 1997 09:12:02 -0500 (EST)
Received: from [159.94.14.48] by uc0009.wangfed.com (BULL 5.61++/B.O.S 02.01) id AA17954; Mon, 3 Mar 97 08:55:15 -0500
Date: Mon, 3 Mar 97 08:55:15 -0500
Message-Id: <9703031355.AA17954@uc0009.wangfed.com>
From: "K.M."
Reply-To: "K.M."
To: bdwilner@nsli.com, firewalls@GreatCircle.COM
Subject: Re: an epiphany
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Your point, besides insulting a lot of people? Put another way, if you can't take the boredom, get off the list. But your message contributed absolutely nothing except perhaps to make you feel better at the expense of everyone else.

Go away, you selfish nit.
KM

From firewalls-owner Mon Mar 3 06:32:41 1997
From: "K.M."
To: AniFreez@aol.com, firewalls@GreatCircle.COM
Date: Mon, 3 Mar 97 08:53:02 -0500
Subject: Re: How do I get off this list.

In message <970301132907_1115035466@emout10.mail.aol.com> writes:
> Hi I am a teenager, who saw this mailing list in the alt.2600 faq, and so I
> joined it, but it was not interesting to me, I accidentally deleted my letter
> telling me how to get off the list. Could someone help me remove myself from
> this list ?

We should make him stay on the list. I can't think of better retribution for a hacker than to bore him to death.
KM

From firewalls-owner Mon Mar 3 06:47:41 1997
From: Koray Tuna
To: firewalls@greatcircle.com
Date: Mon, 3 Mar 1997 16:25:02 +0300 (EET)
Subject: Try it, it works!

The Following information is going to make you a lot of $$$CASH$$$ if you read the article carefully and follow the easy steps.

I just read an article in an internet newsgroup describing how to make $50,000.00 in only one month from a $5.00 investment (and five stamps). Of course I thought this was ridiculous, or some type of pyramid. I talked it over with my family and my friends, and they all agreed it was some sort of scam. I hate scams because usually someone gets burned, and I didn't want it to be me! I blew it off for a few weeks then saw another one in a newsgroup I go to a lot and thought, "Maybe this is legitimate!". Besides, what's $5.00, I spend more than that in the morning on my way to work on coffee and cigs for the day.

Well, two weeks later, I began receiving money in the mail! I couldn't believe it! Not just a little, I mean big bucks! At first only a few hundred dollars, then a week later, a couple of thousand, then BOOM. By the end of the fourth week, I had received nearly $47,000.00. It came from all over the world.
And every bit of it perfectly legal and on the up and up. I've been able to pay off all my bills and still had enough left over for a nice vacation for me and my family. Not only does it work for me, it works for other folks as well. Markus Valppu says he made $57,883 in four weeks. Dave Manning claims he made $53,664 in the same amount of time. Dan Shepstone says it was only $17,000 for him. Do I know these folks? No, but when I read how they say they did it, it made sense to me. Enough sense that I'm taking a similar chance with $5 of my own money. Not a big chance, I admit--but one with incredible potential, because $5 is all anyone ever invests in this system. Period. That's all Markus, Dave, or Dan invested, yet their $5 netted them tens of thousands of dollars each, in a safe, legal, completely legitimate way.

Here's how it works in 3 easy steps:

STEP 1. Invest your $5 by writing your name and address on five separate pieces of paper along with the words, "PLEASE ADD ME TO YOUR MAILING LIST." And on that piece of paper include what position the addressees are at after step 2. (This way, you're not just sending a dollar to someone; you're paying for a legitimate service, therefore making it 100% legal!) Fold a $1 bill in each paper, and mail them to the following five addresses: (Remember: It costs more to send a letter to Europe, Asia, Canada or so)

1. Anu Z Murthy, P.O. Box 540315, Omaha, NE 68154, USA
2. Amitkumar Patel, 4645 Mackenzie, Cote-des-Neige, PQ H3W 1B2, Canada
3. Afzal Bashir, 7030 Champagneur, Montreal, Quebec H3N 2J5, Canada
4. Miroslaw Omieljanowicz, ul. Jagienki 6 m 36, 15-478 BIALYSTOK, POLAND
5. Koray Tuna, Kukurtlu Cd. Cahan Apt. No:43 B Blok D:4, 16080 Bursa, TURKEY

STEP 2. Now remove the top name from the list, and move the other names up. This way, #5 becomes #4 and so on. Put your name in as the fifth one on the list.

STEP 3. Post the article to at least 200 newsgroups. There are at least 17000 newsgroups at any given moment in time.
Try posting to as many newsgroups as you can. Remember the more groups you post to, the more people will see your article and send you cash!

STEP 4. You are now in business for yourself, and should start seeing returns within 7 to 14 days! Remember, the internet is new and huge. There is no way you can lose.

Now here is how and why this system works: Out of every block of 200 posts I made, I got back 5 responses. Yes, that's right, only 5. You make $5.00 in cash, not checks or money orders, but real cash with your name at #5. Each additional person who sent you $1.00 now also makes 200 additional postings with your name at #4, 1000 postings. On average then, 50 people will send you $1.00 with your name at #4,....$50.00 in your pocket! Now these 50 new people will make 200 postings each with your name at #3 or 10,000 postings. Average return, 500 people= $500. They make 200 postings each with your name at #2= 100,000 postings=5000 returns at $1.00 each=$5,000.00 in cash! Finally, 5,000 people make 200 postings each with your name at #1 and you get a return of $50,000 before your name drops off the list. And that's only if everyone down the line makes only 200 postings each! Your total income for this one cycle is $55,000. From time to time when you see your name is no longer on the list, you take the latest posting you can find and start all over again.

PLEASE REMEMBER....THIS SYSTEM WORKS ON HONESTY. YOU DON'T NEED TO CHEAT THE BASIC IDEA TO MAKE THE MONEY! GOOD LUCK TO ALL, AND PLEASE PLAY FAIR AND YOU WILL WIN AND MAKE SOME REAL INSTANT FREE CASH!

--
Koray Tuna
Hacettepe University/Computer Sc.&Eng.
e-mail: bbm512@eko.cc.hun.edu.tr
http://www.hun.edu.tr/~bbm512/ (soon)

From firewalls-owner Mon Mar 3 07:02:16 1997
From: Ian Miller
To: firewalls@greatcircle.com
Date: Mon, 03 Mar 1997 14:42:25 +0000
Subject: Re: POP3 Security

At 13:57 03/03/97 +0200, you wrote:
>Anyone have any thoughts on this?
>

If you are using username/password POP3 logins, you have very weak security in any case, as anyone logging in from a remote provider may be eavesdropped on at that remote provider, compromising the password.

If you are allowing remote logins, then I would insist on APOP (qpopper 2.0 supports this). This is challenge/response based on a shared secret. (See RFC1725). However, if a challenge/response pair is intercepted an attacker can mount a very fast off-line brute attack. (It is possible to try many thousands of passwords per second on a single PC). Accordingly no normal human chosen password is adequate. The RFC states ".. shared secrets should be long strings (considerably longer than the 8-character example shown below.". I recommend system administrator allocated wholly random passwords of adequate length.
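The APOP exchange Ian describes, worked through on both sides as an added example (not code from the original posting or from qpopper), using the RFC's own example timestamp and secret as sample input; the function names and the 5000-guesses-per-second figure are assumptions.

```python
"""APOP as described in RFC 1725 section 7: the server banner carries a
timestamp, the client answers with MD5(timestamp + shared secret), and the
server recomputes the same digest from its own copy of the secret.

Added example, not code from the original posting or from qpopper.  The
function names and the guess-rate figure are assumptions; the RFC's own
test vector (user mrose, secret tanstaaf) is used as the sample input.
"""
import hashlib
import secrets
import string
import time
from typing import Dict, Optional


def apop_greeting(hostname: str, pid: int, clock: Optional[int] = None) -> str:
    """Server banner; the <pid.clock@host> msg-id is the one-time challenge."""
    if clock is None:
        clock = int(time.time())
    return f"+OK POP3 server ready <{pid}.{clock}@{hostname}>"


def extract_timestamp(greeting: str) -> str:
    """The client hashes the angle-bracketed msg-id verbatim, brackets included."""
    start = greeting.index("<")
    end = greeting.index(">", start)
    return greeting[start:end + 1]


def apop_digest(timestamp: str, secret: str) -> str:
    """RFC 1725: lowercase hex MD5 of the timestamp followed by the shared secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def client_apop_command(greeting: str, user: str, secret: str) -> str:
    """What the client sends instead of USER/PASS; the secret never crosses the wire."""
    return f"APOP {user} {apop_digest(extract_timestamp(greeting), secret)}"


def server_verify(greeting: str, command: str, secret_db: Dict[str, str]) -> bool:
    """Server side: recompute from the stored secret and compare in constant time.

    The server must hold the secret itself (not a one-way hash of it), one more
    reason to issue random secrets rather than reuse login passwords.
    """
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    user, digest = parts[1], parts[2].lower()
    stored = secret_db.get(user)
    if stored is None:
        return False
    expected = apop_digest(extract_timestamp(greeting), stored)
    return secrets.compare_digest(expected, digest)


def random_secret(length: int = 20) -> str:
    """Administrator-allocated, wholly random secret, as the posting recommends."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years for an offline search of every string of this length.

    Once a challenge/response pair has been captured the attacker needs no
    further contact with the server, so only the secret's size limits the search.
    """
    return (charset_size ** length) / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    # Constructed exchange using the RFC's example values.
    banner = apop_greeting("dbc.mtview.ca.us", 1896, clock=697170952)
    cmd = client_apop_command(banner, "mrose", "tanstaaf")
    print(banner)
    print(cmd)
    print("accepted:", server_verify(banner, cmd, {"mrose": "tanstaaf"}))
    # Assumed rate of 5000 guesses/s ("many thousands per second" in the posting).
    print("8 lowercase letters:", years_to_exhaust(26, 8, 5000), "years")
    print("20 alphanumerics  :", years_to_exhaust(62, 20, 5000), "years")
```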
Ian

From firewalls-owner Mon Mar 3 07:43:08 1997
From: Christian ALT
To: Firewalls@GreatCircle.COM
Cc: calt@tla.ch
Date: Mon, 03 Mar 1997 15:24:28 +0100
Subject: Re: UDP canceled by ISP

Ian Miller wrote:

I have to correct my first message, DNS traffic is not cut.

> Our traffic is of type UDP and goes through the network of a
> provider (switch.ch) that forbids any traffic of type UDP.
>
> Since it is the first time that I see something like that I'm
> just wondering if this is a trend among ISP, or a special
> situation.
>
--
Christian ALT   E-mail: calt@tla.ch
Telecom and Logistics Associates   phone & fax : +41 22 328 14 88
10, Rue des Savoises, CH-1205 Geneva   http://www.tla.ch

From firewalls-owner Mon Mar 3 07:49:23 1997
From: "Feeney, Tim"
To: "firewalls@GreatCircle.COM"
Date: Mon, 3 Mar 1997 09:59:00 -0500
Subject: Re: an epiphany

Ok stop already, I am getting tired (and a number of paper cuts) flipping through my dictionary. This list is becoming more like alt.2600 than a list to compare and contrast specific views regarding firewalls, and their underlying technology. In addition my delete key is quickly reaching its MTBF.

Tim

----------
From: Ken Hardy
To: Bruce D. Wilner
Cc: firewalls@GreatCircle.COM
Subject: Re: an epiphany
Date: Sunday, March 02, 1997 10:39PM

Ideosyncratically euphistic eccentricities are the promulgators of triturable obfuscation.

On Sat, 1 Mar 1997, Bruce D. Wilner wrote:

> I have reached an epiphany: this mailing list is a waste of time.
> It appears to serve as the personal fan club for one man, who decides, via
> the stroke of a key or a judiciously dropped name, what is important and
> what is not, dismissing rationales that are, perhaps, too tersely and
> abstractly expressed, and sidestepping legitimate criticisms while
> challenging the critic to "remind us what he has done" as a handy
> distractive sleight, yea, a sleight that I dignified with a serious
> response in this morning's posting.
>
> Those paraprofessional myrmidons who have mastered a few socket calls
> and TCP/IP admin commands and wish to subscribe to future sciolistic
> interpretations of things sublime, diverting themselves with, in
> Newton's words, "a smoother pebble or a prettier shell than ordinary,"
> can goosestep onward and flame their hearts out while I restrict my
> pearls to more erudite fora.
>
> --
> Bruce D. Wilner, CCP
> President
> Network Security Laboratories, Inc., Bethesda, MD
> mailto:bdwilner@nsli.com
> http://www.nsli.com
>

--
Ken Hardy

From firewalls-owner Mon Mar 3 08:02:29 1997
From: Simon Blake
To: "'firewalls@GreatCircle.COM'"
Date: Mon, 3 Mar 1997 15:45:44 -0000
Subject: RE: Try it, it works!

Arrrrgh .... how many times do these things come round on the net... not even we are safe from these people.......
Anyone got an email script that searches for these things and auto deletes them?

Regards,
Simon Blake
Historical Collections Group
Witney England
Email: SimonBlake@pasttimes.com

>-----Original Message-----
>From: Koray Tuna [SMTP:bbm512@eti.cc.hun.edu.tr]
>Sent: Monday, March 03, 1997 1:25 PM
>To: firewalls@GreatCircle.COM
>Subject: Try it, it works!
>
>The Following information is going to make you a lot of $$$CASH$$$
>if you read the article carefully and follow the easy steps.
>

From firewalls-owner Mon Mar 3 08:34:15 1997
From: Steve Semple
To: firewalls@GreatCircle.COM
Date: Mon, 3 Mar 1997 11:03:23 -0500
Subject: On Guard

Lately I've been barraged by mail from On Technology Corp regarding their many products, including On Guard firewall. Strikes me as odd that I've never even seen the product mentioned in discussions here over the past six months or so (I just returned from being on the road -- so if the past two weeks have been filled with On Guard give-and-take, please flame lightly). Has anyone evaluated this product? Care to comment?
Steve

From firewalls-owner Mon Mar 3 08:52:31 1997
From: KENSINGTON 2
To: "K.M.", AniFreez@aol.com, firewalls@greatcircle.com
Date: Mon, 03 Mar 97 16:01:11 GMT
Subject: Re: How do I get off this list.

I sympathise with the teenager, I also joined this list by mistake - and you are an extremely fucking boring bunch of cunts.
From firewalls-owner Mon Mar 3 09:03:25 1997
From: Raymond Sleiman
To: Firewalls@GreatCircle.COM
Date: Mon, 03 Mar 1997 18:05:58 +0100
Subject: sendmail and many domains running in sun with Solaris 2.5.1

Hello All,

I am an ISP. I host mail for multiple domains. How can I get the mail for each user to have a "From" address for the user's own domain instead of the domain of the mailhost?
Best Regards

From firewalls-owner Mon Mar 3 09:19:30 1997
From: peter@baileynm.com (Peter da Silva)
To: dufresne@parka.winternet.com (Ron DuFresne)
Cc: peter@baileynm.com, beck@obtuse.com, harley@icrf.icnet.uk, firewalls@GreatCircle.COM
Date: Mon, 3 Mar 1997 10:57:19 -0600 (CST)
Subject: Re: virus checking

> > If you download a boot-sector infector it's going to use DOS/Windows
> > techniques to get itself installed and propagated. Those simply don't
> > work on UNIX or NT... whereas an EXE infector *might* work on NT.

> Incorrect if you have a working floppy drive that's bootable. For one of
> the "techniques that boot sector infectors use" is wide open to a x86
> machine...

We're talking about a *firewalls* context here. Not someone walking in with an infected floppy.

A) you have to have a floppy in the drive.

B) the program has to write to the floppy, raw. It normally can't do that from a user program under NT or UNIX, and it certainly can't do it through the BIOS or even hardware I/O calls that it's using.
From firewalls-owner Mon Mar 3 09:37:14 1997
From: Scott_Thomas@em.fcnbd.com
To: firewalls@greatcircle.com, Koray Tuna
Date: Mon, 3 Mar 1997 11:00:28 -0600
Subject: Re: Try it, it works!

WOW! What a great deal! It looks so good I am sending $10.00 in each envelope. Does that mean I can expect $500,000? Gee whiz golly, I hope so!

By the way, keep your garbage scams to yourself and your type. Don't insult the intelligence of the people on this forum.

______________________________ Reply Separator _________________________________
Subject: Try it, it works!
Author: Koray Tuna at INTERNET
Date: 3/3/97 4:25 PM

The Following information is going to make you a lot of $$$CASH$$$ if you read the article carefully and follow the easy steps.
From firewalls-owner Mon Mar 3 09:43:13 1997
From: cyerkes
Reply-To: chuck@snew.com
To: Martin_Khoo/SIN/Lotus@lotus.com
Cc: csncr@gte.net, firewalls@GreatCircle.COM
Date: Mon, 3 Mar 1997 12:25:30 -0500 (EST)
Subject: Re: SGI Guantlet Firewalls?

It is claimed, but unverified, that Martin_Khoo/SIN/Lotus@lotus.com wrote:
>
> It all depends on your patience/tolerance level and your willingness to use
> vi to modify configuration table for the firewall. Compare that with using
> a GUI that allows you to easily and clearly construct rules that implement
> your company's security policy.

[ Extra text cut, because we don't need to waste bandwidth repeating what you've already seen. A hint for all you folks out there - feel free to only quote pertinent parts ]

While a skilled admin can use a GUI firewall product to set up a secure firewall, a GUI product does not create a secure firewall with an unskilled administrator.
Specifics: My issue with this goes back to when Checkpoint/Raptor/Blackhole/etc all introduced:

1) X should not reside on the firewall. It's too complex. While not mandatory anymore with these packages, it's the common configuration. It should not be an option. Oh yeah, with no curses front end, you can't make a fix remotely from an HP-LX when your beeper goes off at 12 AM.
   - TIS Gauntlet uses a web browser, so no X libraries or clients need live on the firewall. You can also use vi [or editor-of-choice]. X *on* the bastion should not be an option.

2) The Mac problem: With menus you generally have the option laid out the way some geek in Utah decided was best (no offense to Utahians). Once you are familiar with the tool, you still have to use menus - no quick shortcuts. If you decide (after deliberation) you need to make the firewall do something they didn't think of, you can't. I can generally get screend to meet very odd requirements that Checkpoint just can't do easily. Granted screend/ip-filterd need other options (like Time-of-day options), but I can add those. Ever call tech support at the GUI companies with odd requests? My latest need: Allow any packet in range x,000->x,999 to go to this DMZ'd machine. One vendor suggested adding 999 lines to their config.

3) MOST IMPORTANT: If you can't use vi (or your text editor of choice), then you really shouldn't be running a firewall. It's a skill set thing, not the editor per se. A simplified front-end does not remove the complexity of networking.
   - I've seen too many places with a GUI firewall that had rules that were in place (with just an easy click) that opened up gaping security holes.
   - Too many places where they got an "easy" firewall and lacked a skilled SA because the sales weasel^H^H^H^H^H^H^H person showed them that it was so easy their Jr. jr. ("what's udp?") novell guy could run it.

Networking is complex. It takes knowledge and experience.
A person with knowledge and experience can run a GUI firewall just fine. They also generally know [text-editor-of-choice] well.

Let's put GUIs on the parts of Unix that can best benefit - user interface and basic admin (adduser/backup/whatnot). When there is a "firewall wizard" (in uSoft speak) that can pop up and say "Hey there fella, you're letting in POP, which uses a cleartext password" or "You shouldn't be running an IMAP server on the Bastion" then perhaps GUIs will be more useful. At this point, they're smoke and mirrors to make management think that they don't need skilled people and that firewalls are easy.

It's a skill set thang.

Don't get me started on the mainframe-escent per/user licensing schemes ("Does it cost more if my hardware is working harder?")

chuck yerkes

From firewalls-owner Mon Mar 3 09:43:58 1997
From: swright@virgo.massolant.navy.mil
To: Christian ALT
Cc: firewalls@GreatCircle.COM, calt@tla.ch
Date: Mon, 3 Mar 1997 10:49:08 -0600 (CST)
Subject: Re: UDP canceled by ISP

Christian,

I hope this answers your question: I know from experience that ISP's will deny any ICMP traffic into their network.
The reason for this is simple: certain terminal servers, for the modem banks, will disconnect a port that a user is logged into if too many ICMP packets are received. For instance, if a user is dialed into port 29 (IP A.B.C.D) of a Xylogics Annex III terminal server, then if you ping that IP address incessantly (1000x or more), it will disconnect the active session on that port. It sounds like this may be your problem. I know many other ISP's that deny ICMP traffic onto their network for this very reason.

Hope this helps,

Steve W.
Security Consultant

On Mon, 3 Mar 1997, Christian ALT wrote:

> Installing Securemote from Checkpoint to have encryption between
> our site and a customer I went through a strange situation, and
> I would like to have your opinion.
>
> The firewall-1 encryption uses port 259 over UDP for
> authentication. We are unable to have that service running from
> our site. We receive from a router the following message:
>
> ICMP destination-unreachable because traffic prohibited by
> filter
>
> After enquiries we received the following explanation:
>
> Our traffic is of type UDP and goes through the network of a
> provider (switch.ch) that forbids any traffic of type UDP.
>
> Since it is the first time that I see something like that I'm
> just wondering if this is a trend among ISP, or a special
> situation.
>
> TIA
> --
> Christian ALT   E-mail: calt@tla.ch
> Telecom and Logistics Associates   phone & fax : +41 22 328 14 88
> 10, Rue des Savoises, CH-1205 Geneva   http://www.tla.ch
>

From firewalls-owner Mon Mar 3 10:01:07 1997
From: Jay Heiser
To: firewalls@greatcircle.com
Date: Mon, 03 Mar 1997 11:15:57 -0500
Subject: What IS a firewall? (final word on viruswalls)

It's my contention that at a minimum, a firewall is an access control device. As such, it doesn't matter how it is implemented. Packet filters, proxies, hybrids, all can perform access control, making them legitimate firewall candidates. The question of what is a GOOD firewall is completely different. It cannot be answered without requirements analysis so I won't address it.

The Anti-virus firewall debate is one of several related discussions revolving around two questions:

1) 'What else is useful or appropriate to do at the point of external network connectivity besides access control?'

2) 'Is it useful or appropriate to do this on the same platform that is performing access control?'

These are two different questions, and confusing these issues is clouding the debate.
I'll give my opinion:

1) It's useful to take a crack at viruses at the external network access point. Virus control is not trivial and takes a multi-pronged approach. Without question, the desktop is the most effective place to control viruses. Successful security approaches usually have multiple countermeasures to address any single threat, as experience shows that countermeasures can fail or be circumvented. Most computer viruses spread by floppy disk -- downloading infected binaries over the Internet is rare. However, macro viruses spread like wildfire over the Internet. If you could stop all e-mail borne macro viruses for free, would you do it? Sure. OK, if you can't do it for free, what would you pay for this?

2) It's possible to filter out viruses both on the firewall and on a stand-alone server located outside of the firewall. Do whichever you are most comfortable with. E-mail is asynchronous, so a little time spent scanning attachments isn't noticeable. As far as polymorphics go, it's pretty hard to detect them without actually running them. Most viruses attack Microsoft/Intel environments and the best AV software runs on the same platform. I see some compelling advantages for Intel/NT over RISC/UNIX when scanning for Windows viruses.

Virus control is like executable content control. You can do it either on the desktop or at a network choke point. There are advantages to both and doing both simultaneously can be justified for some organizations. Don't dismiss providing additional (non-access control) security on the firewall because of guesses about performance -- if you haven't seen it operate, you don't really know.

Does adding additional functionality to an access control device increase the risk that it will fail? Probably. Should it be avoided then? That question cannot be answered without doing a requirements analysis and risk assessment.
I suggest that it is appropriate for this list to discuss any security control that would be applied at the point of external connectivity.

--
Jay Heiser, 703-610-6846, jay@homecom.com
Homecom Internet Security Services
http://www.homecom.com/services/hiss
For company & industry news...subscribe to newsletter@homecom.com

From firewalls-owner Mon Mar 3 10:28:24 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA23537 for firewalls-outgoing; Mon, 3 Mar 1997 10:09:30 -0800 (PST)
Received: from dnmail.gates.com ([206.155.73.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id KAA23421 for ; Mon, 3 Mar 1997 10:08:50 -0800 (PST)
Received: from [10.15.4.152] by dnmail.gates.com (SMTPD32-95.10.15) id A4779590082; Mon Mar 03 11:12:07 1997
Received: from GCORP-Message_Server by mail.gates.com with Novell_GroupWise; Mon, 03 Mar 1997 11:07:05 -0700
Message-Id:
X-Mailer: Novell GroupWise 4.1
Date: Mon, 03 Mar 1997 11:04:17 -0700
From: David Clark
To: firewalls@greatcircle.com
Subject: firewall architectures
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I am soliciting comments from anyone who has evaluated (or has educated opinions on) the pros and cons of Sidewinder's "type enforcement" and Checkpoint's "stateful inspection" technologies. Although a veteran of networking, I'm relatively new to this forum; any pointers to previous discussions on this appreciated.
Cheers,
Dave Clark
Gates Rubber Company
Denver, CO

From firewalls-owner Mon Mar 3 10:59:47 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA17462 for firewalls-outgoing; Mon, 3 Mar 1997 09:13:21 -0800 (PST)
Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id JAA17420 for ; Mon, 3 Mar 1997 09:12:42 -0800 (PST)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id LAA22362; Mon, 3 Mar 1997 11:12:35 -0600
Date: Mon, 3 Mar 1997 11:10:18 -0600 (CST)
From: Ron DuFresne
To: Mike Jones
cc: firewalls@GreatCircle.COM, harley@icrf.icnet.uk
Subject: Re: virus checking
In-Reply-To: <199703031322.IAA10962@bass.unifiedtech.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 3 Mar 1997, Mike Jones wrote:

> David Harley writes...
> > I wrote...
> > > Saying that the firewall is
> > > the WRONG place to do virus checking (which I've seen a couple of times
> > > on the list recently) is like saying the desktop is the WRONG place to
> > > have security.
> > Not altogether. Properly-implemented desktop scanning will catch
> > just about anything that scanning at the firewall will, but a little
> > redundancy doesn't hurt, in virus management as in routing. Scanning
> > at the firewall -won't- catch everything that can be picked up
> > at the desktop. Of course, if you can't trust the quality of
> > scanning at the desktop, a good scanner at the perimeter is a lot
> > better than nothing.
>
> Properly implemented security at the desktop would eliminate just about
> all of the security risks that firewalls catch, too. The devil is in
> the details, as usual. We implement firewalls because it's so damned hard
> to implement security well at *every* desktop.
> It's certainly easier to
> implement virus checking than good overall security practice at the
> desktop, but that's only relative. In an absolute sense, it's still very
> hard. Virus checking at the firewall is complementary to checking at
> the desktop.

I'll accept 'complementary' to the desktop, but not instead of at the desktop at this stage of the game. Those that try to do this all from the firewall are in for a world of hurt if they don't have each and every desktop also running the latest and greatest virus scanners.

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Mon Mar 3 11:47:50 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA01051 for firewalls-outgoing; Mon, 3 Mar 1997 10:58:17 -0800 (PST)
Received: from scribe.cc.purdue.edu (scribe.cc.purdue.edu [128.210.11.6]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id KAA01025 for ; Mon, 3 Mar 1997 10:58:06 -0800 (PST)
Received: from ia01.freh.purdue.edu by scribe.cc.purdue.edu; Mon, 3 Mar 97 13:56:24 -0500
Comments: Authenticated sender is
From: "Michael S Hines"
Organization: Purdue University
To: firewalls@greatcircle.com
Date: Mon, 3 Mar 1997 13:55:16 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Flames.....
Reply-to: mshines@purdue.edu
X-mailer: Pegasus Mail for Win32 (v2.42)
Message-Id: <331b1ed82fa4002@scribe.cc.purdue.edu>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Might I suggest that rather than discuss the disgusting message here, that you follow my lead and send a message to the postmaster@dial.pipex.com inquiring as to whether a message such as the one posted violated their terms of service.

1. We don't have to put up with that.
2. We don't need to clutter firewalls about the message.

Don't just complain, go to someone who can do something about it!

Some days the CDA **almost** makes sense.... :)

............ and now back to our regularly scheduled program......

-----------------------------------------------------------------
Internet: mshines@purdue.edu   * Michael S. Hines, CDP, CFE
Voice: (765) 494-5845          * Sr. Information Systems Auditor
FAX: (765) 496-1814            * Purdue University
                               * 1065 Freehafer Hall
                               * West Lafayette, IN 47907-1065

From firewalls-owner Mon Mar 3 11:53:04 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA01091 for firewalls-outgoing; Mon, 3 Mar 1997 10:58:35 -0800 (PST)
Received: from smtpgate.saa-cons.co.uk (haddock.demon.co.uk [158.152.16.191]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id KAA01013 for ; Mon, 3 Mar 1997 10:58:01 -0800 (PST)
Received: by smtpgate.saa-cons.co.uk (8.6.8.1/1.3-eef) id TAA13321; Mon, 3 Mar 1997 19:00:34 GMT
Received: from haddock.saa-cons.co.uk(10.1.11.2) by amnesiac via smap (V1.3) id sma013319; Mon Mar 3 19:00:20 1997
Received: from localhost by haddock.saa-cons.co.uk (AIX 3.2/UCB 5.64/5.00) id AA29768; Mon, 3 Mar 1997 19:00:05 GMT
Date: Mon, 3 Mar 1997 19:00:05 +0000 (GMT)
From: Dave Roberts
To: Firewalls Mailing List
Subject: RST packets after connection
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I have to admit to being a little perplexed.
I've just put a sniffer onto a DMZ that I'm setting up, and noticed that when I use http or even ftp, I get a whole host of RST packets even after the connection has been closed down (FIN & ACK'd). Sometimes, the RST packets go to ports that weren't involved in a connection. Either way these packets always come from the host that I connect to.

I didn't think this was standard TCP/IP practice, and have certainly not seen it on my LAN.

Has anyone else seen this? And is it me or them?

TIA

--
Dave Roberts           For PGP Key - send mail with subject of 'get pgp':-
Senior Unix Admin      < 51 4B 6A 35 3F C4 B6 3D 13 88 0C B2 48 61 51 1C >
SAA Consultants Ltd    Std disclaimer applies, it's nothing to do with them
Plymouth, UK.          Tel: +44 1752 606000   Fax: +44 1752 606838

From firewalls-owner Mon Mar 3 12:25:31 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA26775 for firewalls-outgoing; Mon, 3 Mar 1997 10:31:34 -0800 (PST)
Received: from darkstar.sysinfo.com (darkstar.sysinfo.com [204.246.65.62]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id KAA26651 for ; Mon, 3 Mar 1997 10:31:01 -0800 (PST)
Received: from parka.winternet.com (dufresne@parka.winternet.com [198.174.169.9]) by darkstar.sysinfo.com (8.8.2/8.8.2) with SMTP id MAA22513; Mon, 3 Mar 1997 12:30:15 -0600
Date: Mon, 3 Mar 1997 12:27:58 -0600 (CST)
From: Ron DuFresne
To: Peter da Silva
cc: beck@obtuse.com, harley@icrf.icnet.uk, firewalls@GreatCircle.COM
Subject: Re: virus checking
In-Reply-To: <9703031657.AA29885@sonic.nmti.com.nmti.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Mon, 3 Mar 1997, Peter da Silva wrote:

> > > If you download a boot-sector infector it's going to use DOS/Windows
> > > techniques to get itself installed and propagated. Those simply don't
> > > work on UNIX or NT... whereas an EXE infector *might* work on NT.
>
> > Incorrect if you have a working floppy drive that's bootable. For one of
> > the "techniques that boot sector infectors use" is wide open to a x86
> > machine...
>
> We're talking about a *firewalls* context here. Not someone walking in
> with an infected floppy.
>
> A) you have to have a floppy in the drive.

Yes, fact

>
> B) the program has to write to the floppy, raw. It normally can't do that
> from a user program under NT or UNIX, and it certainly can't do it through
> the BIOS or even hardware I/O calls that it's using.
>

Do this, boot your firewall up with an infected floppy, then tell me, does your firewall's bootsector get infected also? Same attack, slightly different circumstances, same result, disaster recovery time.

Now, as for being able to get a virus to run with enough privilege in a *nix/NT/etc 32bit multi-user NOS, yes, as long as the system is not booted with an infected drive in the HW device, we're pretty much safe. Though, wasn't there a discussion here, besides the linux security mailing list about 'bliss' and its ability to do virus types of actions in a *nix/32 bit environ, and not having to be run above user level to do its nasties...

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
From firewalls-owner Mon Mar 3 12:40:46 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id MAA06808 for firewalls-outgoing; Mon, 3 Mar 1997 12:03:58 -0800 (PST)
Received: from mail.rc.on.ca ([207.176.151.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id MAA06801 for ; Mon, 3 Mar 1997 12:03:51 -0800 (PST)
Received: by mail.rc.on.ca with Internet Mail Service (5.0.1389.3) id <01BC27E3.E32678A0@mail.rc.on.ca>; Mon, 3 Mar 1997 15:02:18 -0500
Message-ID:
From: Russ
To: "'Firewalls@Greatcircle.com'"
Subject: PPTP and GREv2
Date: Mon, 3 Mar 1997 15:02:17 -0500
X-Priority: 3
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1389.3)
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would appreciate hearing comments from people regarding opening IP protocol 47 (Generic Routing Encapsulation Protocol v2.0) through their Firewall to an internal network.

The current implementation of PPTP uses TCP1723 for control information, but then all PPP data packets are sent using GRE.

What, if any, problems could arise as a result of allowing this traffic (the GRE traffic) through a Firewall. Since this is not port based, what if any monitoring facilities exist to monitor traffic using that protocol?

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security

From firewalls-owner Mon Mar 3 13:13:59 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id LAA04000 for firewalls-outgoing; Mon, 3 Mar 1997 11:26:42 -0800 (PST)
Received: from mailhost.netrunner.net (mailhost-net.netrunner.net [207.234.128.253]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id LAA03965 for ; Mon, 3 Mar 1997 11:26:26 -0800 (PST)
Received: from brian ([207.100.192.100]) by mailhost.netrunner.net (8.7.5/8.7.5) with SMTP id OAA14391; Mon, 3 Mar 1997 14:26:51 -0500 (EST)
Date: Mon, 3 Mar 1997 14:26:51 -0500 (EST)
Message-Id: <1.5.4.16.19970303142437.1edf09fe@MAIl.davocom.com>
X-Sender: brianp@MAIl.davocom.com
X-Mailer: Windows Eudora Light Version 1.5.4 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: KENSINGTON 2
From: lowprofile
Subject: Re: How do I get off this list.
Cc: "K.M." , AniFreez@aol.com, firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 04:01 PM 3/3/97 GMT, you wrote:
>I sympathise with the teenager, I also joined this list by mistake -
>and you are an extremely fucking boring bunch of cunts.
>
>

If we are so boring, Why are you reading this????
      \\\|///
    \\  - -  //
     (  @ @  )
+--------------------oOOo-(_)-oOOo-------------------------+
| Brian Podolak        brianp@davocom.com                  |
| Davocom One          http://www.davocom.com              |
+------------------------------Oooo------------------------+
                             oooO   (   )
                            (   )    ) /
                             \ (    (_/
                              \_)

From firewalls-owner Mon Mar 3 13:43:50 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA00262 for firewalls-outgoing; Mon, 3 Mar 1997 10:52:36 -0800 (PST)
Received: from alfalfa (ns.sips.state.nc.us [149.168.11.11]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id KAA00209 for ; Mon, 3 Mar 1997 10:52:11 -0800 (PST)
Received: from everett.pitt.cc.nc.us by alfalfa (SMI-8.6/SMI-SVR4) id NAA18936; Mon, 3 Mar 1997 13:41:11 -0500
Received: from EVERETT/SpoolDir by everett.pitt.cc.nc.us (Mercury 1.21); 3 Mar 97 14:02:22 EST5EDT
Received: from SpoolDir by EVERETT (Mercury 1.30); 3 Mar 97 14:02:00 EST5EDT
From: "Jim Leo"
Organization: Pitt Community College
To: firewalls@greatcircle.com
Date: Mon, 3 Mar 1997 14:01:58 EST
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: NAT
Reply-to: admin@everett.pitt.cc.nc.us
X-mailer: Pegasus Mail for Windows (v2.01)
Message-ID: <134CD3051D3@everett.pitt.cc.nc.us>
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I know many may not accept this as a valid topic for the list, however since it does deal with how a network is accessed, I consider it to be of use.

Can anyone provide performance specifications for using NAT for four (4) or more Class C IP's. I'm concerned about the eventual migration to IPv6 and UDP performance. I've grown to understand that certain UDP's require 'true addressing' and some NAT-like devices are not capable of handling this.

Also I'm interested in the validity of laying out a network lengthwise ( no subnets ) versus subnets.

Points to be addressed:
1. segment contention
2. traffic management
3. implementing future IPv6 protocol
4. implementing UDP

TIA

Jim Leo
admin@everett.pitt.cc.nc.us

From firewalls-owner Mon Mar 3 14:02:42 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id NAA20421 for firewalls-outgoing; Mon, 3 Mar 1997 13:36:10 -0800 (PST)
Received: from pha-web.chipnet.cz (pha-web.chipnet.cz [194.213.202.36]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id NAA20261 for ; Mon, 3 Mar 1997 13:35:28 -0800 (PST)
Received: from EDDIE.chipnet.cz by pha-web.chipnet.cz with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1389.3) id GGQDVMGQ; Mon, 3 Mar 1997 22:33:09 +0100
Message-ID: <331A9245.2615@chipnet.cz>
Date: Mon, 03 Mar 1997 09:56:37 +0100
From: Pavel Galynin
X-Sender: Pavel Galynin (Unverified)
X-Mailer: Mozilla 4.0b1 (Win95; I)
MIME-Version: 1.0
To: cyerkes
CC: firewalls@greatcircle.com
Subject: Re: Firewall OS
X-Priority: Normal
References: <199703031903.OAA07774@interport.net>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I generally don't answer posts to my question, because I'm interested in the way it'll go without me, but I want some more info on this one..

cyerkes wrote:
>
> It is claimed, but unverified, that Pavel Galynin wrote:
> >
> > Originally, my question was about features and qualities you would like
> > to see in an OS you would put on your firewall machine. I also wondered
> > what complaints and flaws you can report about the OS you are currently
> > using for your firewall.
> > I got two DOS answers, but they were quite vague, saying they would like
> > something like DOS. The messages didn't mention which aspects of DOS
> > they would like to see on their OS. The other question is, if they like
> > DOS, why don't they use DOS? Why are there no firewalls for DOS ( at
> > least to my limited knowledge ) ?
>
> Ok, DOS is a loader: It loads the program and gets out of the
> way.

Why DOS then?
> The only extra stuff is a seriously simple standard way to
> get to some parts of the hardware (output a char/line, get a char
> from a serial port, etc).

Start of an OS..

>
> This can be the start of a firewall though - just load the firewall
> package and it goes. Drawback? The package must do ALL the work
> and have ALL the code (ip drivers, etc, etc).

Serious disadvantage..

>
> What do we want?
> - TCP/IP - so we can talk to the net.
> - drivers for hardware - so we can talk to the network devices.

That starts looking more like an OS than just a package..

> - Multitasking/threading - so we can handle multiple "processes" at a time.

That's an OS function. If somebody implements it in a firewall package it becomes an OS with integrated firewall.

> - Monitoring tools - so we can see what's going on.
> - packet screening
> - application proxies
> - perhaps some caching of some data (ie web data)
> - Application Filtering (so I can stop Java/ActiveX if I choose)
> - Protected memory - so one "process" can't write into another's memory

And you're saying it's just a firewall package? That's a full-featured OS!

> - Virtual memory - so I don't have to buy only primary ($$) memory.
> - Shared libraries - so shared code doesn't get repeated in memory.

What more do I have to say than the above..

>
> - The source. - so I can make changes and updates and be sure that
> it's actually secure - and so OTHER people who may be
> more qualified can check it out. Black boxes and
> "trust us" doesn't cut it.
>
> - Really cheap, so Mom can afford to have it between her cable
> modem and the computers running her house (we are talking future).

How much would your mom be able to pay?

>
> Can we lose the massiveness of NT and Unix (one due to code
> bloat, the other to a huge plethora of tools)?
>
> Oh yeah, most important, maturity - it's gone through the
> wringers before I bet my company on it PLUS I can find competent
> people to write for it and run it.
Somebody has to test it first, and if everybody has the same requirements as you, even a good firewall OS will never be accepted..

>
> AND it's available from multiple vendors so I don't have to
> follow one if their marketing plans don't coincide with my
> needs.

What if it's just an individual ( We're talking possibilities here. )

>
> Well, I guess that last one writes off a lot and we get stuck
> with Unix again.
>
> (for now, as MS has wiped out much OS research that used to happen)

C'mon. Don't give in.

Paul.

>
> chuck

From firewalls-owner Mon Mar 3 14:07:56 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id NAA18590 for firewalls-outgoing; Mon, 3 Mar 1997 13:23:21 -0800 (PST)
Received: from pha-web.chipnet.cz (pha-web.chipnet.cz [194.213.202.36]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id NAA18574 for ; Mon, 3 Mar 1997 13:23:05 -0800 (PST)
Received: from EDDIE.chipnet.cz by pha-web.chipnet.cz with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1389.3) id GGQDVMG3; Mon, 3 Mar 1997 22:21:29 +0100
Message-ID: <331A8F89.7F61@chipnet.cz>
Date: Mon, 03 Mar 1997 09:44:57 +0100
From: Pavel Galynin
X-Sender: Pavel Galynin (Unverified)
X-Mailer: Mozilla 4.0b1 (Win95; I)
MIME-Version: 1.0
To: jay@homecom.com
CC: firewalls@greatcircle.com
Subject: Re: What IS a firewall? (final word on viruswalls)
X-Priority: Normal
References: <331AF93D.562A@HomeCom.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Very nice summary. However, it has some weak points.

e-mail borne macro viruses

What do you mean by that??

> 2) It's possible to filter out viruses both on the firewall and on a
> stand-alone server located outside of the firewall.

Or on a standalone machine inside the firewall...

> As far as polymorphics go,
> it's pretty hard to detect them without actually running them.
Wrong, most scanners actually try to get redundant code out of the decryptor routine in heuristic mode. Russian Dr.Web package implemented virtual CPU method, and the implementation is very good, but it's not there yet. This method requires a lot of hard coding and caution, but has a potential to yield good results. With heuristic analysis you can't really go wrong, but it doesn't have such a good potential. If you mean just running them... Well, that's dangerous at best..

> Most
> viruses attack Microsoft/Intel environments and the best AV software
> runs on the same platform. I see some compelling advantages for
> Intel/NT over RISC/UNIX when scanning for Windows viruses.

Which are they? On a RISC/UNIX as you put it, if the code gets executed by any chance, the odds are it wouldn't do any harm, but on M$Il..

>
> Virus control is like executable content control. You can do it either
> on the desktop or at a network choke point. There are advantages to
> both and doing both simultaneously can be justified for some
> organizations. Don't dismiss providing additional (non-access control)
> security on the firewall because of guesses about performance -- if you
> haven't seen it operate, you don't really know.
>
> Does adding additional functionality to an access control device
> increase the risk that it will fail? Probably. Should it be avoided
> then? That question cannot be answered without doing a requirements
> analysis and risk assessment.
>
> I suggest that it is appropriate for this list to discuss any security
> control that would be applied at the point of external connectivity.
>
> --
> Jay Heiser, 703-610-6846, jay@homecom.com
> Homecom Internet Security Services
> http://www.homecom.com/services/hiss
> For company & industry news...subscribe to newsletter@homecom.com

Great job!

Paul.
From firewalls-owner Mon Mar 3 14:11:59 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA16844 for firewalls-outgoing; Mon, 3 Mar 1997 09:06:49 -0800 (PST)
Received: from www.steldyn.com (www.steldyn.com [198.68.45.121]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id JAA16781 for ; Mon, 3 Mar 1997 09:06:23 -0800 (PST)
Received: (qmail 31039 invoked from network); 3 Mar 1997 17:07:33 -0000
Received: from juneau.steldyn.com (172.16.31.1) by www.steldyn.com with SMTP; 3 Mar 1997 17:07:33 -0000
Received: by juneau.steldyn.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC27BA.4EF8F4B0@juneau.steldyn.com>; Mon, 3 Mar 1997 10:04:40 -0700
Message-ID:
From: Chris Pugrud
To: "'Russ'" , Firewalls Mailing list
Subject: RE: Nuclear Winter on Firewalls
Date: Mon, 3 Mar 1997 10:04:38 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>-----Original Message-----
>From: Russ [SMTP:Russ.Cooper@RC.on.ca]
>Sent: Saturday, March 01, 1997 7:01 PM
>To: Firewalls Mailing list
>Subject: RE: Nuclear Winter on Firewalls
>
>So Marcus proposes a generic solution to poor programming techniques by
>suggesting, nay, insisting that C not be used as a language for security
>systems, and Bruce believes this translates into a call for the demise
>of a presumably liked language. Pot calls the Kettle black, and some
>presumably off-line vein gets slit, so here we sit trying to put buckets
>all around to catch all the spew.
>
>Could we get back to the real purpose of the list, namely, figuring out
>how to convince all customers to run their Firewalls on Windows NT!
>
>[CP] Russ, you're on the wrong list again, that's the purpose of NT
>Security.
>We gather here on firewalls to post sacrifices and show patronage
>to the great deities of UN*X and the almighty prophets who brought to us the
>magic of firewalls that will protect and shield us from all the evils of the
>great Internet so that we shalt never have to suffer eyes to the disgusting
>perversion running rampant throughout the net, not to mention the meddlesome
>children that wish to pry and play within our private lives through our
>sacred computers.
>
>We come offering sacrifice and hope that they will wash us of our sinful ways
>and remove any thoughts or desires for the use of NT.
>
>I need more coffee. It's Monday. There is no such thing as enough coffee on
>a Monday.
>
>Chris
>
>-- I apologize to any person that bothers to take me seriously on a Monday
>morning before I've started into the 5th pot of black tar (caffeine is my
>master, I shall follow him..).
>
>Cheers,
>Russ
>R.C. Consulting, Inc. - NT/Internet Security
>...coming soon, Visual Basic for Firewall Neophytes - Professional
>Enterprise Edition v2.97...
From firewalls-owner Mon Mar 3 14:17:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id NAA21958 for firewalls-outgoing; Mon, 3 Mar 1997 13:48:06 -0800 (PST)
Received: from york.interport.net (york.interport.net [199.184.165.8]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id NAA21906 for ; Mon, 3 Mar 1997 13:47:45 -0800 (PST)
Received: from interport.net (cyerkes@madison.nfs.interport.net [205.161.144.1]) by york.interport.net (8.8.5/8.8.5) with ESMTP id QAA22396; Mon, 3 Mar 1997 16:46:15 -0500 (EST)
Received: (from cyerkes@localhost) by interport.net (8.8.5/8.8.5) id QAA28523; Mon, 3 Mar 1997 16:44:50 -0500 (EST)
From: cyerkes
Message-Id: <199703032144.QAA28523@interport.net>
Subject: Re: Firewall OS
To: pgalynin@chipnet.cz (Pavel Galynin)
Date: Mon, 3 Mar 1997 16:44:44 -0500 (EST)
Cc: firewalls@greatcircle.com
In-Reply-To: <331A9245.2615@chipnet.cz> from "Pavel Galynin" at Mar 3, 97 09:56:37 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

It is claimed, but unverified, that Pavel Galynin wrote:
>
> I generally don't answer posts to my question, because I'm interested in
> the way it'll go without me, but I want some more info on this one..
>
> cyerkes wrote:
> > It is claimed, but unverified, that Pavel Galynin wrote:
> > > Originally, my question was about features and qualities you would like
> > > to see in an OS you would put on your firewall machine. I also wondered
> > > what complaints and flaws you can report about the OS you are currently
> > > using for your firewall.
> > > I got two DOS answers, but they were quite vague, saying they would like
> > > something like DOS. The messages didn't mention which aspects of DOS
> > > they would like to see on their OS. The other question is, if they like
> > > DOS, why don't they use DOS?
> > > Why are there no firewalls for DOS ( at
> > > least to my limited knowledge ) ?
> >
> > Ok, DOS is a loader: It loads the program and gets out of the
> > way.
> Why DOS then?

A bootable machine with memory management. 80386/68010/whatever. Boots into being a firewall.

> > The only extra stuff is a seriously simple standard way to
> > get to some parts of the hardware (output a char/line, get a char
> > from a serial port, etc).
> Start of an OS..
> >
> > This can be the start of a firewall though - just load the firewall
> > package and it goes. Drawback? The package must do ALL the work
> > and have ALL the code (ip drivers, etc, etc).
> Serious disadvantage..
> >
> > What do we want?
> > - TCP/IP - so we can talk to the net.
> > - drivers for hardware - so we can talk to the network devices.
>
> That starts looking more like an OS than just a package..
> > - Multitasking/threading - so we can handle multiple "processes" at a time.
>
> That's an OS function. If somebody implements it in a firewall package
> it becomes an OS with integrated firewall.
>
> > - Monitoring tools - so we can see what's going on.
> > - packet screening
> > - application proxies
> > - perhaps some caching of some data (ie web data)
> > - Application Filtering (so I can stop Java/ActiveX if I choose)
> > - Protected memory - so one "process" can't write into another's memory
>
> And you're saying it's just a firewall package? That's a full-featured
> OS!
>
> > - Virtual memory - so I don't have to buy only primary ($$) memory.
> > - Shared libraries - so shared code doesn't get repeated in memory.
>
> What more do I have to say than the above..

Are we talking about a Package or a product? What people need is a firewall. Period. If it runs on Unix or NT, then Unix or NT become issues in that firewall. If we're talking about a raw firewall, then we need Basic OS functions, without the flexibility of a full generic OS for users. This isn't for users, it's for a firewall to run.
I don't need an OS running a firewall application. Full blown OS's have too much; think more on the terms of microcontroller OS's.

> >
> > - The source. - so I can make changes and updates and be sure that
> > it's actually secure - and so OTHER people who may be
> > more qualified can check it out. Black boxes and
> > "trust us" doesn't cut it.
> >
> > - Really cheap, so Mom can afford to have it between her cable
> > modem and the computers running her house (we are talking future).
>
> How much would your mom be able to pay?

Less than a VCR.

> >
> > Can we lose the massiveness of NT and Unix (one due to code
> > bloat, the other to a huge plethora of tools)?
> >
> > Oh yeah, most important, maturity - it's gone through the
> > wringers before I bet my company on it PLUS I can find competent
> > people to write for it and run it.
>
> Somebody has to test it first, and if everybody has the same
> requirements as you, even a good firewall OS will never be accepted..
> >
> > AND it's available from multiple vendors so I don't have to
> > follow one if their marketing plans don't coincide with my
> > needs.
>
> What if it's just an individual (We're talking possibilities here.)

Then it needs to be able to compete in functionality, not just marketing, patents and lawsuits.

> > Well, I guess that last one writes off a lot and we get stuck
> > with Unix again.
From firewalls-owner Mon Mar 3 14:22:07 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id NAA15493 for firewalls-outgoing; Mon, 3 Mar 1997 13:05:28 -0800 (PST)
Received: from exch-bel1.attachmate.com (exch-bel1.attachmate.com [149.82.1.46]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id NAA15434 for ; Mon, 3 Mar 1997 13:05:06 -0800 (PST)
Received: by exch-bel1.attachmate.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC27D2.C0665A80@exch-bel1.attachmate.com>; Mon, 3 Mar 1997 12:59:38 -0800
Message-ID:
From: Darren Cromer
To: "'firewalls@greatcircle.com'"
Subject: RE: virus checking
Date: Mon, 3 Mar 1997 13:01:51 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Of course scanning at your firewall assumes that all viruses originate on the internet and are not introduced internally. I'd venture to guess that most viruses we have come in contact with were transmitted the old fashioned way through floppies.

-----Original Message-----
From: Ron DuFresne [SMTP:dufresne@parka.winternet.com]
Sent: Monday, March 03, 1997 12:10 PM
To: Mike Jones
Cc: firewalls@GreatCircle.COM; harley@icrf.icnet.uk
Subject: Re: virus checking

On Mon, 3 Mar 1997, Mike Jones wrote:

> David Harley writes...
> > I wrote...
> > > Saying that the firewall is
> > > the WRONG place to do virus checking (which I've seen a couple of times
> > > on the list recently) is like saying the desktop is the WRONG place to
> > > have security.
> > Not altogether. Properly-implemented desktop scanning will catch
> > just about anything that scanning at the firewall will, but a little
> > redundancy doesn't hurt, in virus management as in routing. Scanning
> > at the firewall -won't- catch everything that can be picked up
> > at the desktop.
Of course, if you can't trust the quality of > > scanning at the desktop, a good scanner at the perimeter is a lot > > better than nothing. > > Properly implemented security at the desktop would eliminate just about > all of the security risks that firewalls catch, too. The devil is in > the details, as usual. We implement firewalls because it's so damned hard > to implement security well at *every* desktop. It's certainly easier to > implement virus checking than good overall security practice at the > desktop, but that's only relative. In an absolute sense, it's still very > hard. Virus checking at the firewall is complementary to checking at > the desktop. I'll accept 'complementary' to the desktop, but not instead of at the desktop at this stage of the game. Those that try to do this all from the firewall are in for a world of hurt if they don't have each and every desktop also running the latest and greatest virus scanners. Later, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. 
From firewalls-owner Mon Mar 3 14:32:35 1997
To: Firewalls
From: John Chen/New York/ACMC
Date: 3 Mar 97 15:44:26
Subject: SNMP via FW-1 on Solaris

Can someone tell me how to set up FW-1 to allow SNMP routing between two interfaces? Are there any rules to define other than the SNMP protocol? Thanks.

From firewalls-owner Mon Mar 3 14:58:34 1997
From: "Benvenuto, Vincent A."
To: firewalls-digest
Subject: ACL vulnerability
Date: Mon, 03 Mar 97 13:33:00 E

We are in the middle of a great debate as to the proper way to firewall 15 remote sites. We need to essentially open dedicated lines to our partners to allow incoming/outgoing FTP, X.400, and SMTP. One camp says ACLs in routers will be sufficient, another says stick with Firewall-1 and proliferate it like hell. The cost difference network-wide between the two approaches is huge.

Where can I find an (authoritative) threat analysis that describes the vulnerability of router-based static ACLs (non-stateful inspection)? Also, what methods (toolsets) are available to launch attacks through a router configured with ACLs?

Any advice, suggestions, etc. appreciated. Thanks in advance.

Vinnie B

From firewalls-owner Mon Mar 3 15:13:51 1997
Date: Mon, 03 Mar 1997 11:41:51 -0700
From: "Loren Nozot"
To: Simon Blake
CC: "'firewalls@GreatCircle.COM'"
Subject: Re: Try it, it works!

Simon Blake wrote:

Arrrrgh .... how many times do these things come round on the net... not even we are safe from these people.......
Anyone got an email script that searches for these things and auto-deletes them?

Regards,
Simon Blake
Historical Collections Group
Witney
England
Email: SimonBlake@pasttimes.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

>-----Original Message-----
>From: Koray Tuna [SMTP:bbm512@eti.cc.hun.edu.tr]
>Sent: Monday, March 03, 1997 1:25 PM
>To: firewalls@GreatCircle.COM
>Subject: Try it, it works!
>
>The Following information is going to make you a lot of $$$CASH$$$
>if you read the article carefully and follow the easy steps.
>
>

For those using a POP3 server and something like Exchange, Netscape Communicator (Pre-Release), CC:Mail, etc.: you can set up rules that search for "No Subject", "$$CASH$$", or whatever, to delete them automatically or even to sort your email when it comes in.

Loren

From firewalls-owner Mon Mar 3 15:27:41 1997
From: Russ
To: firewalls@GreatCircle.COM, "'Christian ALT'"
Subject: RE: UDP canceled by ISP
Date: Mon, 3 Mar 1997 13:31:21 -0500

Would someone from Checkpoint like to comment on why/if UDP would be used for authentication purposes??

Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security

> ----------
> From: firewalls-owner@GreatCircle.COM[SMTP:firewalls-owner@GreatCircle.COM]
> on behalf of Christian ALT[SMTP:calt@tla.ch]
> Sent: Monday, March 3, 1997 7:39 AM
> To: firewalls@GreatCircle.COM
> Cc: calt@tla.ch
> Subject: UDP canceled by ISP
>
> Installing SecuRemote from Checkpoint to have encryption between
> our site and a customer I went through a strange situation, and
> I would like to have your opinion.
>
> The Firewall-1 encryption uses port 259 over UDP for
> authentication. We are unable to have that service running from
> our site. We receive from a router the following message:
>
>     ICMP destination-unreachable because traffic prohibited by
>     filter
>
> After enquiries we received the following explanation:
>
>     Our traffic is of type UDP and goes through the network of a
>     provider (switch.ch) that forbids any traffic of type UDP.
>
> Since it is the first time that I see something like that I'm
> just wondering if this is a trend among ISPs, or a special
> situation.
>
> TIA
> --
> Christian ALT                        E-mail: calt@tla.ch
> Telecom and Logistics Associates     phone & fax : +41 22 328 14 88
> 10, Rue des Savoises, CH-1205 Geneva http://www.tla.ch

From firewalls-owner Mon Mar 3 15:49:11 1997
Date: Mon, 3 Mar 1997 14:50:00 -0500 (EST)
From: Jim Serven
To: fw-1-mailinglist@us.checkpoint.com, firewalls@greatcircle.com
Subject: Solstice Fw1 & NAT (problem)

Greetings,

I'm working on a Solstice Fw1 installation (v2.1) utilizing NAT. Everything is configured and set up correctly (as far as we can tell). The problem is, we can Xlate out, but not back in. Here's a partial diagram of the problem:

         ---->              ---->
    10.0.0.4            10.0.0.1            35.1.1.5
    (Xlates to 35.1.1.4)

    NAT works >>>>> way, but not <<< way.

Using (fwxlconf):

    10.0.0.4    10.0.0.4     FWXT_SRC_STATIC   35.1.1.4
    35.1.1.4    35.1.1.4     FWXT_DST_STATIC   10.0.0.4
    (and then another Xlate rule beyond that)
    10.0.0.5    10.0.0.254   FWXT_HIDE         35.1.1.3

We have static ARP entries in both the Fw and hosta. We have explicit rules in the Fw to allow all services from/to both hosts. With the Fw turned off, Inet-host-1 can see/ping/telnet hosta w/o a problem. With the Fw on, Inet-host-1 can't do anything. (No errors are being logged.)

Any ideas? What am I overlooking? Gosh, NAT is such a pain in the butt!
:)

TIA,
-Jim

[-------------------------------------------------------------]
[ Jim Serven                      The GLIX Network            ]
[ President                       PO Box 13516                ]
[ http://www.glix.net             Flint, Mi 48501-3516        ]
[ (v) 810.898.4483                (f) 810.695.8403            ]
[-------------------------------------------------------------]
The GLIX Network = Professional Internet Solutions | GLIX.Net

From firewalls-owner Mon Mar 3 16:02:12 1997
Date: Mon, 3 Mar 1997 17:59:57 -0600 (CST)
From: Jose Luis Delgado
To: Firewalls@GreatCircle.COM
Subject: sniffer!

Hi guys!! If one exists: where can I find a sniffer for NT 4.0?? Or a TCP wrapper?? Thanks in advance!

From firewalls-owner Mon Mar 3 16:02:03 1997
Date: Mon, 3 Mar 1997 12:38:04 -0600 (CST)
From: Ron DuFresne
To: Jay Heiser
cc: firewalls@GreatCircle.COM
Subject: Re: What IS a firewall? (final word on viruswalls)

On Mon, 3 Mar 1997, Jay Heiser wrote:

> Virus control is like executable content control. You can do it either
> on the desktop or at a network choke point. There are advantages to
> both and doing both simultaneously can be justified for some
> organizations. Don't dismiss providing additional (non-access control)
> security on the firewall because of guesses about performance -- if you
> haven't seen it operate, you don't really know.

You were doing fine till here. It's not an either/or situation, it's this: at the desktop, at this stage of the game, is required. At the firewall/gateway is a possible added layer of protection. But the fact remains, and I'll state it again, the effectiveness of 'virus-walls' is not as good as the effectiveness of scanners made for this purpose for the desktop. So, you HAVE TO SCAN ON THE DESKTOP, and can add scanning at the firewall/gateway, if you can deal with the added load that has been mentioned a number of times here also.

> Does adding additional functionality to an access control device
> increase the risk that it will fail? Probably. Should it be avoided
> then? That question cannot be answered without doing a requirements
> analysis and risk assessment.

Sure it can be answered here. If you can't deal with the added load and bottlenecking that this will produce on your WAN links, then dump the imperfect virus-wall for now, and go to a known working solution, the desktop, that produces less latency for the entire network/WAN link.

Later,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

From firewalls-owner Mon Mar 3 17:15:24 1997
From: cyerkes
Subject: Re: Firewall OS
To: pgalynin@chipnet.cz (Pavel Galynin)
Date: Mon, 3 Mar 1997 14:03:30 -0500 (EST)
Cc: firewalls@greatcircle.com

It is claimed, but unverified, that Pavel Galynin wrote:
>
> Originally, my question was about features and qualities you would like
> to see in an OS you would put on your firewall machine. I also wondered
> what complaints and flaws you can report about the OS you are currently
> using for your firewall.
> I got two DOS answers, but they were quite vague, saying they would like
> something like DOS. The messages didn't mention which aspects of DOS
> they would like to see on their OS. The other question is, if they like
> DOS, why don't they use DOS? Why are there no firewalls for DOS (at
> least to my limited knowledge)?

Ok, DOS is a loader: It loads the program and gets out of the way.
The only extra stuff is a seriously simple standard way to get to some parts of the hardware (output a char/line, get a char from a serial port, etc). This can be the start of a firewall though - just load the firewall package and it goes. Drawback? The package must do ALL the work and have ALL the code (IP drivers, etc, etc).

What do we want?

- TCP/IP - so we can talk to the net.
- drivers for hardware - so we can talk to the network devices.
- Multitasking/threading - so we can handle multiple "processes" at a time.
- Monitoring tools - so we can see what's going on.
- packet screening
- application proxies
- perhaps some caching of some data (ie web data)
- Application Filtering (so I can stop Java/ActiveX if I choose)
- Protected memory - so one "process" can't write into another's memory
- Virtual memory - so I don't have to buy only primary ($$) memory.
- Shared libraries - so shared code doesn't get repeated in memory.
- The source. - so I can make changes and updates and be sure that
  it's actually secure - and so OTHER people who may be
  more qualified can check it out. Black boxes and
  "trust us" doesn't cut it.
- Really cheap, so Mom can afford to have it between her cable
  modem and the computers running her house (we are talking future).

Can we lose the massiveness of NT and Unix (one due to code bloat, the other to a huge plethora of tools)?

Oh yeah, most important, maturity - it's gone through the ringers before I bet my company on it PLUS I can find competent people to write for it and run it.

AND it's available from multiple vendors so I don't have to follow one if their marketing plans don't coincide with my needs.

Well, I guess that last one writes off a lot and we get stuck with Unix again. (for now, as MS has wiped out much OS research that used to happen)

chuck

From firewalls-owner Mon Mar 3 17:21:54 1997
Date: Mon, 3 Mar 1997 16:58:58 -0600
From: Rick Smith
To: dclark@gates.com (David Clark)
Cc: smith@sctc.com, firewalls@greatcircle.com
Subject: Re: firewall architectures

Dave Clark asks:

: I am soliciting comments from anyone who has evaluated (or has
: educated opinions on) the pros and cons of Sidewinder's "type
: enforcement" and Checkpoint's "stateful inspection" technologies.

Let me begin by noting that I work for Secure Computing and am not a purely disinterested speaker. However, I'm sure my colleagues on the list will point out any statements I make that deserve dispute.

First of all, stateful inspection and type enforcement address different aspects of the computer security puzzle. Stateful inspection is a process applied to network traffic. Type enforcement is applied to software running on a computer system.
So, the question breaks into two parts:

1) What is the benefit of type enforcement in a firewall?

I posted a message to Firewalls in the thread "Re: stack overflows and trusted systems" on Feb 26 of last week that discusses this exact issue. I won't bore people with a repetition; contact me if you need a copy of it. In a nutshell, type enforcement protects the firewall from attack, keeps its pieces largely functioning and restricting traffic even if an attacker uses a really novel attack, and sets off alarms if the attacker makes a proxy or server misbehave.

2) What does Sidewinder do that's comparable to stateful packet filtering?

Stateful packet filtering is used to distinguish between network traffic that's allowed to pass between internal and external networks and traffic that's to be blocked. Sidewinder provides a combination of transport and application level proxies to do this, like several other firewalls (Borderware Firewall Server, Gauntlet, SmartWall, etc). We chose to do proxies on Sidewinder because they provide the most certain control over the flow of traffic. No traffic will flow between the inside and outside unless a proxy has been established to carry the traffic. So, the device by default is "restrictive" in its handling of traffic.

Packet filters, on the other hand, were traditionally built atop routers whose intention was to transmit traffic rapidly whenever possible. Security was added by discarding packets whose contents could not possibly belong to legitimate traffic. In short, packet filters are intrinsically "permissive" devices, and traffic will flow unless rules explicitly prevent it.

Generic packet filters have proven inadequate in practice to block many types of attacks. "Stateful" filters were developed to make packet filters more effective. These filters keep information about connections or types of traffic that's sent in order to better infer what is really happening. In a sense the filters' state simply replicates the connection tracking logic in a typical TCP session, making them very similar in practice to transparent proxies.

A shortcoming in many stateful packet filter implementations is that things get difficult as they try to track the state of more sophisticated application level traffic. For example, Sidewinder and various other proxy firewalls support a variety of user authentication techniques to control either inbound or outbound access. It's harder (though not impossible) to do that with stateful filters. I hear that it can be done for a few simple situations. I don't know if you can filter Web URLs in existing "stateful filter" firewalls. That's a major feature in Sidewinder and the Border Firewall now.

Rick.
smith@sctc.com
secure computing corporation

From firewalls-owner Mon Mar 3 18:11:33 1997
Date: Mon, 03 Mar 1997 14:19:36 -0500
From: Jay Heiser
Reply-To: jay@homecom.com
Organization: HomeCom Internet Security Services
To: firewalls-digest@greatcircle.com
Subject: Let's decide what a firewall is (relevance of Anti-Virus discussion)

It's my contention that at a minimum, a firewall is an access control device.
It's a functional definition, not a description of technology (I prefer gas internal combustion engines, but there are many other technologies that can be used to power the thing defined as 'car'). Packet filters, proxies, hybrids, all can perform access control, making them legitimate firewall candidates. The question of what is a GOOD firewall is completely different. It cannot be answered without requirements analysis so I won't address it.

The Anti-virus firewall debate is one of several related discussions revolving around two questions:

1) 'What else is useful or appropriate to do at the point of external network connectivity besides access control?'

2) 'Is it useful or appropriate to do this on the same platform that is performing access control?'

These are two different questions, and confusing these issues is clouding the debate. I'll give my opinion:

1) It's useful to take a crack at viruses at the external network access point. Virus control is not trivial and takes a multi-pronged approach. Without question, the desktop is the most effective place to control viruses. Successful security approaches usually have multiple countermeasures to address any single threat, as experience shows that countermeasures can fail or be circumvented. Most computer viruses spread by floppy disk -- downloading infected binaries over the Internet is rare. However, macro viruses spread like wildfire over the Internet. If you could stop all e-mail borne macro viruses for free, would you do it? Sure. OK, if you can't do it for free, what would you pay for this?

2) It's possible to filter out viruses both on the firewall and on a stand-alone server located outside of the firewall. Do whichever you are most comfortable with. E-mail is asynchronous, so a little time spent scanning attachments isn't noticeable. As far as polymorphics go, it's pretty hard to detect them without actually running them. Most viruses attack Microsoft/Intel environments and the best AV software runs on the same platform. I see some compelling advantages for Intel/NT over RISC/UNIX when scanning for Windows viruses.

Virus control is like executable content control. You can do it either on the desktop or at a network choke point. There are advantages to both and doing both simultaneously can be justified for some organizations. Don't dismiss providing additional (non-access control) security on the firewall because of guesses about performance -- if you haven't seen it operate, you don't really know.

Does adding additional functionality to an access control device increase the risk that it will fail? Probably. Should it be avoided then? That question cannot be answered without doing a requirements analysis and risk assessment.

I suggest that it is appropriate for this list to discuss any security control that would be applied at the point of external connectivity.

--
Jay Heiser, 703-610-6846, jay@homecom.com
Homecom Internet Security Services http://www.homecom.com/services/hiss
For company & industry news...subscribe to newsletter@homecom.com

From firewalls-owner Mon Mar 3 18:17:31 1997
Date: Mon, 3 Mar 1997 18:51:41 -0500
To: firewalls@GreatCircle.COM
From: Stelios Valavanis
Subject: review gauntlet

Can someone point me to reviews of firewalls including TIS Gauntlet?
___________________________________________________
stel valavanis
stel@onShore.com
http://www.onShore.com/

From firewalls-owner Mon Mar 3 18:23:26 1997
Date: Mon, 03 Mar 1997 20:04:06 -0600
To: Juan Carlos Gomez, Firewalls@GreatCircle.COM
From: Richard Hoffbeck
Subject: Re: plug-in

At 12:15 PM 3/3/97 +0000, Juan Carlos Gomez wrote:
>Hi,
> Does anybody know the tolerance of "fast-plug" (fwtk)?? It starts up from
>"inetd", but it could be inefficient when we have many concurrent
>connections.
>Please, is there something similar that can be started as a daemon from the
>init files???

try using plug-gw -daemon

--rick

+-----------------------------------------------------------------+
| Richard Hoffbeck                         phone: 612.636.4249     |
|                                          fax:   612.624.2196     |
| Finger rwh@visi.com for PGP key :                                |
| Fingerprint = 1C DD 13 FB 11 1D E7 73 2F A1 9B 52 86 0F A2 2B    |
+-----------------------------------------------------------------+

From firewalls-owner Mon Mar 3 18:23:22 1997
Date: 03 Mar 97 16:36:33 -0500
From: Chris Brown
To: firewalls@greatcircle.com
Subject: Linux VS FreeBSD as firewall / router

I have been looking at setting up a greatly enhanced connection to the net. Currently we are using dial-up from each workstation and want to go to a dedicated 56K line. One of the prime concerns is for a firewall. I have been looking at Linux for a bit, primarily the Debian distribution. Either Debian or Redhat would be my Linux route; however, one of the people here was talking to someone at Netcom and was pointed at FreeBSD. Is there an advantage to Linux or FreeBSD from any standpoint? Performance, support or things like bug fixes are all prime reasons to go for one over the other. Any help would be appreciated.
From firewalls-owner Mon Mar 3 19:12:14 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id QAA16506 for firewalls-outgoing; Mon, 3 Mar 1997 16:15:23 -0800 (PST) Received: from kcpgw2.kcp.com (kcpgw2.kcp.com [198.62.69.67]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id QAA16459 for ; Mon, 3 Mar 1997 16:15:06 -0800 (PST) From: dharris@kcp.com Received: by kcpgw2.kcp.com id AA07592 (InterLock SMTP Gateway 3.0 for firewalls-digest@greatcircle.com); Mon, 3 Mar 1997 18:13:34 -0600 Message-Id: <199703040013.AA07592@kcpgw2.kcp.com> Received: by kcpgw2.kcp.com (Protected-side Proxy Mail Agent-2); Mon, 3 Mar 1997 18:13:34 -0600 Received: by kcpgw2.kcp.com (Protected-side Proxy Mail Agent-1); Mon, 3 Mar 1997 18:13:34 -0600 Mime-Version: 1.0 Date: Mon, 3 Mar 1997 18:08:31 -0600 Subject: Re: ACL vulnerability To: firewalls-digest , "Benvenuto; Vincent A." Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: cc:Mail note part Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Router ACLs filter based on port, IP address, or MAC address - correct? MAC address is useless once you pass the first router - right? IP address can be spoofed "easily" How tightly controlled is physical access to your partners' machines? Do you trust ALL employees at your partners' sites equally? How about the vendor they have on-site doing unsupervised repair on network-connected systems? How much do you stand to lose if the "wrong person" gains access to your site? Is your internal protection strong enough that you want to let unspecified individuals have access to your entire network? ______________________________ Reply Separator _________________________________ Subject: ACL vulnerability Author: "Benvenuto; Vincent A." at INTERNET-MAIL Date: 3/3/97 1:33 PM We are in the middle of a great debate as to the proper way to firewall 15 remote sites. 
We need to essentially open dedicated lines to our partners to allow incoming/outgoing FTP, X.400, and SMTP. One camp says ACLs in routers will be sufficient, another says stick with Firewall-1 and proliferate it like hell. The cost difference network-wide between the two approaches is huge.

Where can I find an (authoritative) threat analysis that describes the vulnerability of router-based static ACLs (non-stateful inspection)? Also, what methods (toolsets) are available to launch attacks through a router configured with ACLs?

Any advice, suggestions, etc. appreciated. Thanks in advance.

Vinnie B

From firewalls-owner Mon Mar 3 19:34:43 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id SAA08202 for firewalls-outgoing; Mon, 3 Mar 1997 18:15:55 -0800 (PST)
Received: from mail.ka.inka.de (quechua.inka.de [193.197.84.5]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id SAA08114 for ; Mon, 3 Mar 1997 18:15:26 -0800 (PST)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0w1jjc-0004GGC (Debian Smail-3.2 1996-Jul-4 #2); Tue, 4 Mar 1997 03:13:44 +0100 (MET)
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Tue, 4 Mar 97 03:13 MET
Received: by lina.inka.de id m0w1jZV-00016mC (Debian Smail-3.2 1996-Jul-4 #2); Tue, 4 Mar 1997 03:02:57 +0100 (CET)
Message-ID: <19970304030256.19822@inka.de>
Date: Tue, 4 Mar 1997 03:02:56 +0100
From: Bernd Eckenfels
To: firewalls@greatcircle.com
Subject: Re: POP3 Security
References: <199703031442.OAA01651@h01.scientia.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.61.1
In-Reply-To: <199703031442.OAA01651@h01.scientia.com>; from Ian Miller on Mar 03, 1997 at 02:42:25PM +0000
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> If you are using username/password POP3 logins, you have very weak security
> in any case as anyone logging in from a remote provider
> may be eavesdropped
> on that remote provider compromising the password.

Well. As long as the password is not your login password it is not that critical. If a hacker can't guess your password, he can still sniff all of your mails. (That's exactly the thing he would do with your sniffed password.)

I still wonder why Netscape has invented ssl-news but no ssl-pop... IMHO this is completely ..umm.. doubtful :)

Greetings
Bernd

--
(OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE
(O____O) If privacy is outlawed only Outlaws have privacy

From firewalls-owner Mon Mar 3 19:35:28 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id OAA29801 for firewalls-outgoing; Mon, 3 Mar 1997 14:45:14 -0800 (PST)
Received: from netcomsv.netcom.com (uucp7.netcom.com [163.179.3.7]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id OAA29734 for ; Mon, 3 Mar 1997 14:44:56 -0800 (PST)
Received: by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1) id OAA10210; Mon, 3 Mar 1997 14:20:42 -0800
Received: by Coded.COM (SMI-8.6/SMI-SVR4) id LAA14418; Mon, 3 Mar 1997 11:43:04 -0800
Date: Mon, 3 Mar 1997 11:43:04 -0800
From: vbaca@lx8.Coded.COM (Virginia L. Baca)
Message-Id: <199703031943.LAA14418@Coded.COM>
To: goertzek@wangfed.com, AniFreez@aol.com, firewalls@greatcircle.com, root@dial.pipex.com
Subject: Re: How do I get off this list.
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: TB5m7Og6m4bg+s5tKMUZPQ==
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> From hf85@dial.pipex.com Mon Mar 3 10:13:46 1997
> >Received: from relay5.UU.NET by netcomsv.netcom.com with ESMTP (8.6.12/SMI-4.1) id JAA17672; Mon, 3 Mar 1997 09:39:22 -0800
> To: "K.M."
> , AniFreez@aol.com, firewalls@greatcircle.com
> MIME-Version: 1.0
> From: KENSINGTON 2
> Subject: Re: How do I get off this list.
> Date: Mon, 03 Mar 97 16:01:11 GMT
> Content-Transfer-Encoding: 7bit
>
> >Message deleted

I won't attempt to reply, however, I think this one should rot on the list!

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Virginia L. Baca Coded Communications +
+ Systems Administrator 1939 Palomar Oaks Way +
+ Carlsbad, CA 92009 +
+ Voice: 619-431-1945 Ext.284 +
+ Fax: 619-438-4708 +
+ email: vbaca@coded.com +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
My opinions and remarks are mine alone and not those of others. Don't assume that I know what I'm talking about. I just walk around here talking like I do. :-)

From firewalls-owner Mon Mar 3 19:39:19 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id TAA17636 for firewalls-outgoing; Mon, 3 Mar 1997 19:07:27 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id TAA17618 for ; Mon, 3 Mar 1997 19:07:13 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id WAA27063; Mon, 3 Mar 1997 22:02:45 -0500 (EST)
From: Adam Shostack
Message-Id: <199703040302.WAA27063@homeport.org>
Subject: Re: Linux VS FreeBSD as firewall / router
In-Reply-To: <1518772F012E0F00@seitz.com> from Chris Brown at "Mar 3, 97 04:36:33 pm"
To: CBROWN@seitz.com (Chris Brown)
Date: Mon, 3 Mar 1997 22:02:45 -0500 (EST)
Cc: firewalls@GreatCircle.COM
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Do you use either currently? An OS you are familiar with is a good base, since you know some of its ins and outs, and are more likely to hear about security problems.
Chris Brown wrote:
| One of the prime concerns is for a firewall. I have been
| looking at Linux for a bit, primarily the Debian distribution.
| Either Debian or Redhat would be my Linux route, however one of the
| people here was talking to someone at Netcom and was pointed at
| FreeBSD. Is there an advantage to Linux or FreeBSD from any
| standpoint? Performance, support or things like bug fixes are all
| prime reasons to go for one over the other. Any help would be
| appreciated.
|

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From firewalls-owner Mon Mar 3 19:47:50 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id QAA20231 for firewalls-outgoing; Mon, 3 Mar 1997 16:33:59 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id QAA20170 for ; Mon, 3 Mar 1997 16:33:37 -0800 (PST)
Received: from mail.ka.inka.de by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-961106) id QAA16478; Mon, 3 Mar 1997 16:30:22 -0800 (PST)
Received: from uu.inka.de ([193.197.84.8]) by mail.ka.inka.de with smtp (ident root using rfc1413) id m0w1i8N-0004FkC (Debian Smail-3.2 1996-Jul-4 #2); Tue, 4 Mar 1997 01:31:11 +0100 (MET)
Received: from lina.inka.de (lists@lina.inka.de) by uu.inka.de with bsmtp (S3.1.29.1) id ; Tue, 4 Mar 97 01:31 MET
Received: by lina.inka.de id m0w1i0G-00016mC (Debian Smail-3.2 1996-Jul-4 #2); Tue, 4 Mar 1997 01:22:28 +0100 (CET)
Message-ID: <19970304012226.25133@inka.de>
Date: Tue, 4 Mar 1997 01:22:26 +0100
From: Bernd Eckenfels
To: firewalls@GreatCircle.COM
Subject: Re: Firewall OS
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.61.1
In-Reply-To: ; from Magossa'nyi A'rpa'd on Mar 03, 1997 at 12:07:39PM +0100
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

> I think that generally it is _BAD_ idea to store the logfiles on the very
> same machine you
> generated them on.
> I would store those logs on at least two independent, well-protected hosts.

Excuse my ignorance. But what on earth is that important to be secured that way? My general impression is most people don't even READ the logs. And if you fear a hacker could erase them, the main damage (a break-in) has already happened.

There are 3 things which may happen:

a) hacker destroys your site.. you don't need logs, you WILL notice
b) hacker stores warez or uses your host for further break-ins (you will notice sooner or later)
c) hacker will steal all your vulnerable data (and continues to do so).

c is the most problematic case in log-file tampering. But since the hacker can copy your current databases in a few minutes he won't do all that additional work to delete logs. Am I missing something?

So.. what do you need to protect with firewalls, and have you ever really used two independent, dedicated log hosts? (And which protocol do you use for that?)

Security is nice, but one should never leave ground.. some companies don't have all that money they would need to pay for silly security.

Greetings
Bernd

--
(OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
( ..
) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +4972573817 BE5-RIPE
(O____O) If privacy is outlawed only Outlaws have privacy

From firewalls-owner Mon Mar 3 20:02:48 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id TAA23600 for firewalls-outgoing; Mon, 3 Mar 1997 19:54:50 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id TAA23566 for ; Mon, 3 Mar 1997 19:54:38 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id VAA03322; Mon, 3 Mar 1997 21:40:45 -0500
Date: Mon, 3 Mar 1997 21:40:42 -0500 (EST)
From: Rabid Wombat
To: Russ
cc: firewalls@GreatCircle.COM
Subject: RE: Nuclear Winter on Firewalls
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Could we get back to the real purpose of the list, namely, figuring out
> how to convince all customers to run their Firewalls on Windows NT!

Been snorting judiciuosly sleighted myrmidons, Russ?

-r.w.
(thinking of re-posting old Sik Puppy posts from the archives to improve list content ...)

From firewalls-owner Mon Mar 3 20:23:00 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id PAA07892 for firewalls-outgoing; Mon, 3 Mar 1997 15:34:27 -0800 (PST)
Received: from emout06.mail.aol.com (emout06.mx.aol.com [198.81.11.97]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id PAA07790 for ; Mon, 3 Mar 1997 15:33:50 -0800 (PST)
From: AniFreez@aol.com
Received: (from root@localhost) by emout06.mail.aol.com (8.7.6/8.7.3/AOL-2.0.0) id SAA26506 for firewalls@greatcircle.com; Mon, 3 Mar 1997 18:32:18 -0500 (EST)
Date: Mon, 3 Mar 1997 18:32:18 -0500 (EST)
Message-ID: <970303183216_752880592@emout06.mail.aol.com>
To: firewalls@greatcircle.com
Subject: OKAY !!!
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I AM OFF THE LIST, PLEASE STOP E-MAILING ME TREATING ME LIKE I KNOW NOTHING !!!!!!!!!!!!!!!!!!!!! STOP IT !!!

From firewalls-owner Mon Mar 3 20:23:05 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA24283 for firewalls-outgoing; Mon, 3 Mar 1997 10:15:02 -0800 (PST)
Received: from york.interport.net (york.interport.net [199.184.165.8]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id KAA24226 for ; Mon, 3 Mar 1997 10:14:47 -0800 (PST)
Received: from interport.net (cyerkes@madison.nfs.interport.net [205.161.144.1]) by york.interport.net (8.8.5/8.8.5) with ESMTP id NAA29379; Mon, 3 Mar 1997 13:13:16 -0500 (EST)
Received: (from cyerkes@localhost) by interport.net (8.8.5/8.8.5) id NAA00267; Mon, 3 Mar 1997 13:13:08 -0500 (EST)
From: cyerkes
Message-Id: <199703031813.NAA00267@interport.net>
Subject: Re: sendmail and many domains running in sun with Solaris 2.5.1
To: r.sleiman@mail.gestronic.ch
Date: Mon, 3 Mar 1997 13:13:07 -0500 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <331B04F6.5681@gestronic.ch> from "Raymond Sleiman" at Mar 3, 97 06:05:58 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

See the sendmail FAQ, consult the sendmail newsgroups, hit the ISP lists. Hire someone. Don't ask a firewall list; it's irrelevant.

It is claimed, but unverified, that Raymond Sleiman wrote:
>
> Hello All,
>
>
> I am an ISP. I host mail for multiple domains. How can I get the
> mail for each user to have a "From" address for the user's own
> domain
> instead of the domain of the mailhost?
>
>
> Best Regards
>

From firewalls-owner Mon Mar 3 20:23:35 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA22258 for firewalls-outgoing; Mon, 3 Mar 1997 10:00:44 -0800 (PST)
Received: from exch-bel1.attachmate.com (exch-bel1.attachmate.com [149.82.1.46]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id JAA21974 for ; Mon, 3 Mar 1997 09:59:30 -0800 (PST)
Received: by exch-bel1.attachmate.com with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC27B8.D45139D0@exch-bel1.attachmate.com>; Mon, 3 Mar 1997 09:54:04 -0800
Message-ID:
From: Darren Cromer
To: "'firewalls@greatcircle.com'"
Subject: RE: How do I get off this list.
Date: Mon, 3 Mar 1997 09:56:15 -0800
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Gee, I'm really inclined to help now.

The boredom factor is a built-in safety feature to put hackers to sleep who monitor the list.

-----Original Message-----
From: KENSINGTON 2 [SMTP:hf85@dial.pipex.com]
Sent: Monday, March 03, 1997 11:01 AM
To: K.M.; AniFreez@aol.com; firewalls@GreatCircle.COM
Subject: Re: How do I get off this list.

I sympathise with the teenager, I also joined this list by mistake - and you are an extremely fucking boring bunch of cunts.
From firewalls-owner Mon Mar 3 20:42:31 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA21986 for firewalls-outgoing; Mon, 3 Mar 1997 09:59:36 -0800 (PST)
Received: from relay2.smtp.psi.net (relay2.smtp.psi.net [38.8.188.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id JAA21948 for ; Mon, 3 Mar 1997 09:59:22 -0800 (PST)
Received: from server2 by relay2.smtp.psi.net (8.8.3/SMI-5.4-PSI) id MAA18145; Mon, 3 Mar 1997 12:57:31 -0500 (EST)
Message-Id: <199703031757.MAA18145@relay2.smtp.psi.net>
Date: Mon, 3 Mar 1997 12:56:00 -0500
From: Keith Stone
Subject: RE: On Guard
To: firewalls , Steve Semple
X-Mailer: Worldtalk (NetConnex V4.00a)/MIME
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

OnGuard claims to be of a similar class of firewall as Checkpoint (stateful multi-layer inspection). I've learned of a few differences:

(1) Checkpoint runs on a standard operating system (NT or UNIX), while OnGuard uses a proprietary operating system that runs only on Intel PCs.
(2) OnGuard can only take two net connections (one to the Internet, and one to the rest of your corporate net), while Checkpoint can take more, apparently bound by the number of available slots in the computer.
(3) OnGuard requires a 486/66 PC as the minimum acceptable computer to run on, while Checkpoint requires a 100MHz Pentium.
(4) OnGuard, fully loaded, with the ability to do NAT for an unlimited number of IP addresses, was quoted to me at $15K, and that includes the computer if you want to buy it from them. Checkpoint's software for unlimited NAT is around $18K, and you still need the computer.

How to determine whether Checkpoint is worth the extra money is something I haven't been able to do yet. Checkpoint does seem to have about 40% of the firewall market, or so they say.

This is by no means an exhaustive list, but they are things I've learned along the way.

One other thing I found interesting.
When I was at Networks Expo a couple of weeks ago, a Checkpoint reseller (there was more than one) I was talking to said that they were the only firewall that did SMLI. When I mentioned that OnGuard claimed to do the same thing, the guy shot back that in order to do so, On would have to violate patents. Somehow, I doubt this is true, and it's pretty brazen to make such a claim.

----------
From: Steve Semple
Sent: Monday, March 03, 1997 12:41 PM
To: firewalls
Subject: On Guard

Lately I've been barraged by mail from On Technology Corp regarding their many products, including On Guard firewall. Strikes me as odd that I've never even seen the product mentioned in discussions here over the past six months or so (I just returned from being on the road -- so if the past two weeks have been filled with On Guard give-and-take, please flame lightly). Has anyone evaluated this product? Care to comment?

Steve

From firewalls-owner Mon Mar 3 21:00:50 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA20255 for firewalls-outgoing; Mon, 3 Mar 1997 09:45:02 -0800 (PST)
Received: from mnl.sequel.net (mnl.sequel.net [204.255.104.30]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id JAA20224 for ; Mon, 3 Mar 1997 09:44:43 -0800 (PST)
Received: from mind_ripper by mnl.sequel.net (SMI-8.6/SMI-SVR4) id BAA11163; Tue, 4 Mar 1997 01:44:52 +0800
Date: Tue, 4 Mar 1997 01:44:52 +0800
Message-Id: <3.0.32.19970304014430.0093d100@pop.infocom.sequel.net>
X-Sender: succesor@pop.infocom.sequel.net
X-Mailer: Windows Eudora Pro Version 3.0 Demo (32)
To: gordonp.atc@gao.gov, firewalls@GreatCircle.COM
From: Gaddy Gumbao
Subject: CISCO's 2500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi there all,

We're evaluating this Cisco 2500. How can we configure this to Banyan Vines? Does the 2500 series support Vines IP? Can we configure it to bridge transparent? How?

Hope you can help me....
Thanks a lot.....

Gaddy Gumbao
Servers Administrator

From firewalls-owner Mon Mar 3 21:17:36 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id UAA03933 for firewalls-outgoing; Mon, 3 Mar 1997 20:47:13 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id UAA28340 for ; Mon, 3 Mar 1997 20:18:53 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id WAA03386; Mon, 3 Mar 1997 22:04:29 -0500
Date: Mon, 3 Mar 1997 22:04:25 -0500 (EST)
From: Rabid Wombat
To: Steve Simmons
cc: firewalls@GreatCircle.COM
Subject: Re: ALL THESE REMOVE MSGS
In-Reply-To: <5faooq$hkk@lokkur.dexter.mi.us>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 1 Mar 1997, Steve Simmons wrote:

> "Gonzalez, David" writes:
>
> >Yeah, unprescribe mines three...
>
> Yeah, remote me.

Please Release Me

Please release me let me go,
'cause I'm not reading anymore.
To fill my inbox is a sin.
Rerease me, to suscrive once again.

I have read your message here,
and thousands follow it, I fear,
Just remove me, make it so,
Unsuscrive me, the list will never know.

Unimbibe me, can't you see,
You'd be a fool to cling to me.
I haven't firewalled, my dear.
Rewease me, don't wait another year.

Apologies to the list, Englebert Humperdinck, S. Richard Andrews, and a six^H^H^H twelve pack.

-r.w.
From firewalls-owner Mon Mar 3 21:32:57 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id VAA07834 for firewalls-outgoing; Mon, 3 Mar 1997 21:08:33 -0800 (PST)
Received: from giraffe.dolir.state.mo.us (giraffe.dolir.state.mo.us [168.166.166.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id VAA07614 for ; Mon, 3 Mar 1997 21:07:43 -0800 (PST)
Received: (from warren@localhost) by giraffe.dolir.state.mo.us (8.6.12/8.6.9) id XAA24447; Mon, 3 Mar 1997 23:09:28 -0500
Date: Mon, 3 Mar 1997 23:09:27 -0500 (EST)
From: Warren Auld
To: firewalls@GreatCircle.com
Subject: Re: Firewall OS
In-Reply-To: <19970304012226.25133@inka.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 4 Mar 1997, Bernd Eckenfels wrote:
>
> There are 3 things which may happen:
>
> a) hacker destroys your site.. you don't need logs, you WILL notice
> b) hacker stores warez or uses your host for further break-ins
> (you will notice sooner or later)
> c) hacker will steal all your vulnerable data (and continues to do so).
>
> c is the most problematic case in log-file tampering. But since the hacker
> can copy your current databases in a few minutes he won't do all that
> additional work to delete logs. Am I missing something?
>

d) a, b, or c have occurred and you'd like to know what happened.

To that end you want to protect the logs to the extent possible so you can reconstruct the incident in hopes of preventing a future replay (kinda like the black boxen on commercial aircraft.)
warren

From firewalls-owner Mon Mar 3 21:43:25 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA19631 for firewalls-outgoing; Mon, 3 Mar 1997 09:38:01 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id JAA19586 for ; Mon, 3 Mar 1997 09:37:34 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id MAA24834 for firewalls@greatcircle.com; Mon, 3 Mar 1997 12:33:47 -0500 (EST)
From: Adam Shostack
Message-Id: <199703031733.MAA24834@homeport.org>
Subject: Java as Web SERVER language
To: firewalls@greatcircle.com (Firewalls mailing list)
Date: Mon, 3 Mar 1997 12:33:46 -0500 (EST)
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Are there known problems with using Java to write web server code? I like the idea of using a strongly typed language with garbage clean up, but worry that there may be calls in the library like sprintf or strcpy. Has anyone done any research on this?

Failing that, I see the big problem as being one of parsing user input, with its usual host of attendant dangers. Are there other things I should be worrying about within the confines of thinking about what language to use?

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From firewalls-owner Mon Mar 3 22:34:05 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id VAA10372 for firewalls-outgoing; Mon, 3 Mar 1997 21:22:04 -0800 (PST)
Received: from mailhost.onramp.net (mailhost.onramp.net [199.1.11.3]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id VAA10260 for ; Mon, 3 Mar 1997 21:21:31 -0800 (PST)
Received: from www.mckane.com (sage1.doogie.com [206.50.2.2]) by mailhost.onramp.net (8.8.5/8.6.5) with SMTP id XAA17031; Mon, 3 Mar 1997 23:19:53 -0600 (CST)
Received: by www.mckane.com with Microsoft Mail id <01BC2829.6655A3F0@www.mckane.com>; Mon, 3 Mar 1997 23:19:53 -0600
Message-ID: <01BC2829.6655A3F0@www.mckane.com>
From: Jerry McKane
To: "'firewalls@greatcircle.com'" , "'Darren Cromer'"
Cc: "'KENSINGTON 2'"
Subject: RE: How do I get off this list.
Date: Mon, 3 Mar 1997 23:19:50 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

such eloquent speech

----------
From: Darren Cromer[SMTP:DarrenCr@Attachmate.com]
Sent: Monday, March 3, 1997 11:56 AM
To: 'firewalls@greatcircle.com'
Subject: RE: How do I get off this list.

Gee, I'm really inclined to help now.

The boredom factor is a built-in safety feature to put hackers to sleep who monitor the list.

-----Original Message-----
From: KENSINGTON 2 [SMTP:hf85@dial.pipex.com]
Sent: Monday, March 03, 1997 11:01 AM
To: K.M.; AniFreez@aol.com; firewalls@GreatCircle.COM
Subject: Re: How do I get off this list.

I sympathise with the teenager, I also joined this list by mistake - and you are an extremely fucking boring bunch of cunts.
From firewalls-owner Mon Mar 3 22:43:33 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA19302 for firewalls-outgoing; Mon, 3 Mar 1997 09:35:20 -0800 (PST)
Received: from york.interport.net (york.interport.net [199.184.165.8]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id JAA19293 for ; Mon, 3 Mar 1997 09:35:11 -0800 (PST)
Received: from interport.net (cyerkes@madison.nfs.interport.net [205.161.144.1]) by york.interport.net (8.8.5/8.8.5) with ESMTP id MAA13832; Mon, 3 Mar 1997 12:33:41 -0500 (EST)
Received: (from cyerkes@localhost) by interport.net (8.8.5/8.8.5) id MAA24477; Mon, 3 Mar 1997 12:33:03 -0500 (EST)
From: cyerkes
Message-Id: <199703031733.MAA24477@interport.net>
Subject: Re: plug-in
To: jcgomez@mad.servicom.es (Juan Carlos Gomez)
Date: Mon, 3 Mar 1997 12:33:00 -0500 (EST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: <3.0.32.19970303121515.0071a6c8@pop.mad.servicom.es> from "Juan Carlos Gomez" at Mar 3, 97 12:15:17 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You've got the source. Feel free to modify it to meet your needs. It's a KIT, not a cast-in-stone product.

It is claimed, but unverified, that Juan Carlos Gomez wrote:
>
> Hi,
> Does anybody know the tolerance of "fast-plug" (fwtk)?? It starts up from
> "inetd", but it could be inefficient when we have many concurrent
> connections.
> Please, is there something similar that can be started as a daemon from the
> init files???
>
> Thanks in advance.
>
> Juan Carlos.
>

From firewalls-owner Mon Mar 3 22:47:05 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id VAA13431 for firewalls-outgoing; Mon, 3 Mar 1997 21:37:03 -0800 (PST)
Received: from sndsu1.sedalia.sinet.slb.com (sinet.slb.com [163.185.18.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id VAA13185 for ; Mon, 3 Mar 1997 21:36:01 -0800 (PST)
Received: from [163.185.164.57] (dyn60.houston.omnes.net [163.185.164.60]) by sndsu1.sedalia.sinet.slb.com (8.6.9/8.6.9) with ESMTP id FAA09058 ; Tue, 4 Mar 1997 05:34:10 GMT
Date: Tue, 4 Mar 1997 05:34:10 GMT
X-Sender: chaabouni@pop.houston.omnes.net
Message-Id:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: firewalls@GreatCircle.COM
From: user@hacker.com
Subject: RE: How do I get off this list.
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I can't believe it. A hacker can't get out of a mailing list! What kind of hacker is that?

>In message <970301132907_1115035466@emout10.mail.aol.com> writes:
>> Hi I am a teenager, who saw this mailing list in the alt.2600 faq, and so I
>> joined it, but it was not interesting to me, I accidentally deleted my letter
>> telling me how to get off the list. Could someone help me remove myself from
>> this list ?
>
>
>
>We should make him stay on the list. I can't think of better retribution for a
>hacker than to bore him to death.
>
>KM

From firewalls-owner Mon Mar 3 22:48:52 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id VAA14360 for firewalls-outgoing; Mon, 3 Mar 1997 21:42:19 -0800 (PST)
Received: from songbird.com (songbird.com [206.14.4.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id VAA14318 for ; Mon, 3 Mar 1997 21:42:05 -0800 (PST)
Received: (from kent@localhost) by songbird.com (8.8.3/8.7.3) id VAA26504; Mon, 3 Mar 1997 21:39:26 -0800
From: Kent Crispin
Message-Id: <199703040539.VAA26504@songbird.com>
Subject: Re: Firewall OS
To: lists@lina.inka.de (Bernd Eckenfels)
Date: Mon, 3 Mar 1997 21:39:26 -0800 (PST)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <19970304012226.25133@inka.de> from "Bernd Eckenfels" at Mar 4, 97 01:22:26 am
Content-Type: text
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bernd Eckenfels allegedly said:
>
> Hi,
>
> > I think that generally it is _BAD_ idea to store the logfiles on the very
> > same machine you generated them on.
> > I would store those logs on at least two independent, well-protected hosts.
>
> Excuse my ignorance. But what on earth is that important to be secured that
> way? My general impression is most people don't even READ the logs. And if you
> fear a hacker could erase them the main damage (a break-in) has already
> happened.
>
> There are 3 things which may happen:
>
> a) hacker destroys your site.. you don't need logs, you WILL notice
> b) hacker stores warez or uses your host for further break-ins
> (you will notice sooner or later)
> c) hacker will steal all your vulnerable data (and continues to do so).
>
> c is the most problematic case in log-file tampering. But since the hacker
> can copy your current databases in a few minutes he won't do all that
> additional work to delete logs. Am I missing something?

Yes indeed you are. Sneaky individuals can take up residence on your system and be there for months, using your system as a base for other activities.
In fact, they may have no desire whatsoever to harm your system -- their real targets may be on the other side of the globe.

Another thing to consider -- sometimes a crack takes a long time to develop, culminating with a complete replacement utility set, interfaces permanently in promiscuous mode, and substantial amounts of disk space completely hidden from you, because ls, df, du, find, and a host of other utilities have been replaced. Secure logs may be the only way you ever notice anything.

> So.. what do you need to protect with firewalls and have you ever really used
> two independent, dedicated log hosts? (And which protocol do you use for that?)
>
> Security is nice, but one should never leave ground.. some companies don't
> have all that money they would need to pay for silly security.

Of course. You do a cost-benefit analysis. If you have truly valuable data (multibillion dollar financial transactions), and you are a big company, it may well be worth paying for secure logs. However, there are many schemes to keep logs secure -- and a printout is pretty immune to after-the-fact remote tampering.

--
Kent Crispin "No reason to get excited",
kent@songbird.com,kc@llnl.gov the thief he kindly spoke...
PGP fingerprint: 5A 16 DA 04 31 33 40 1E 87 DA 29 02 97 A3 46 2F

From firewalls-owner Mon Mar 3 23:02:15 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id WAA22942 for firewalls-outgoing; Mon, 3 Mar 1997 22:25:58 -0800 (PST)
Received: from unlimited.net (netra.unlimited.net [208.193.101.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id WAA22918 for ; Mon, 3 Mar 1997 22:25:49 -0800 (PST)
Received: from replay.unlimited.net by unlimited.net (SMI-8.6/SMI-SVR4) id WAA15244; Mon, 3 Mar 1997 22:15:45 -0800
Message-ID: <331BC03D.5E4E@unlimited.net>
Date: Mon, 03 Mar 1997 22:25:01 -0800
From: randy law
Reply-To: replay@unlimited.net
X-Mailer: Mozilla 3.0 (Win95; I)
MIME-Version: 1.0
To: Darren Cromer
CC: "'firewalls@greatcircle.com'"
Subject: Re: How do I get off this list.
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

well... you could see it that way, or, you can just read boring begging emails like his and mine asking how to remove ourselves from the list over and over and over again.

how do i remove myself from the list?

Darren Cromer wrote:
>
> Gee, I'm really inclined to help now.
>
> The boredom factor is a built-in safety feature to put hackers to
> sleep who monitor the list.
>
> -----Original Message-----
> From: KENSINGTON 2 [SMTP:hf85@dial.pipex.com]
> Sent: Monday, March 03, 1997 11:01 AM
> To: K.M.; AniFreez@aol.com; firewalls@GreatCircle.COM
> Subject: Re: How do I get off this list.
>
> I sympathise with the teenager, I also joined this list by mistake -
> and you are an extremely fucking boring bunch of cunts.

--
-rand0lph!
"never trouble trouble til trouble troubles you!"
mail to:replay@unlimited.net or replay@juno.com

From firewalls-owner Mon Mar 3 23:32:57 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id XAA01243 for firewalls-outgoing; Mon, 3 Mar 1997 23:14:48 -0800 (PST)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id XAA01174 for ; Mon, 3 Mar 1997 23:14:26 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id XAA10910 for ; Mon, 3 Mar 1997 23:15:24 -0800 (PST)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA08507; Mon, 3 Mar 97 23:13:08 PST
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id XAA14606 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Mon, 3 Mar 1997 23:12:15 -0800 (PST)
Message-Id: <199703040712.XAA14606@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 59D78E8A6E12ADF9882564500027D87A; Mon, 3 Mar 97 23:12:14 EDT
To: Bernd Eckenfels
Cc: firewalls
From: Ryan Russell/SYBASE
Date: 3 Mar 97 23:18:16 EDT
Subject: Re: Firewall OS
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hmm.... how about this:

Hacker breaks into your site, does damage, you notice. You then go after the log files, since that's your only way to tell how he got in and what he might have touched. Good thing your log files are stored on multiple machines and/or machines that are harder to break into than the one the hacker got into already.

What? No log machine? Guess you won't know how he got in, and hence won't be able to plug the hole. You may not even know where he came from at that point..
Ryan

---------- Previous Message ----------
To: firewalls
cc: 
From: lists @ lina.inka.de (Bernd Eckenfels) @ smtp
Date: 03/04/97 01:22:26 AM
Subject: Re: Firewall OS

Hi,

> I think that generally it is _BAD_ idea to store the logfiles on the very
> same machine you generated them on.
> I would store that logs on at least two independent, well-protected hosts.

Excuse my ignorance. But what on earth is that important to be secured that way? My general impression is most ppl don't even READ the logs. And if you fear a hacker could erase them the main damage (a break in) has already happened.

There are 3 things which may happen:

a) hacker destroys your site.. you don't need logs, you WILL notice
b) hacker stores warezes or uses your host for further breakins (you will notice sooner or later)
c) hacker will steal all your vulnerable data (and continues to do so).

c is the most problematic case in log-file tampering. But since the hacker can copy your current databases in a few minutes he won't do all that additional work to delete logs.

Am I missing something?

So.. what do you need to protect with firewalls and have you ever really used two independent, dedicated log hosts? (And which protocol you use for that?)

Security is nice, but one should never leave ground.. some companies don't have all that money they would need to pay for silly security.

Greetings
Bernd

-- 
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
(O____O)  If privacy is outlawed only Outlaws have privacy

From firewalls-owner Mon Mar 3 23:37:59 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA17777 for firewalls-outgoing; Mon, 3 Mar 1997 09:17:13 -0800 (PST)
Received: from lshp1.fastnet.ch (lshp1.fastnet.ch [193.246.63.10]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id JAA17733 for ; Mon, 3 Mar 1997 09:16:57 -0800 (PST)
Received: from [193.246.62.65] by lshp1.fastnet.ch with SMTP (1.37.109.4/16.2) id AA28184; Mon, 3 Mar 97 17:21:43 +0100
Received: from sleiman-r by gestronic.ch (SMI-8.6/SMI-SVR4) id SAA00943; Mon, 3 Mar 1997 18:12:42 +0100
Message-Id: <331B0A81.7668@gestronic.ch>
Date: Mon, 03 Mar 1997 18:29:37 +0100
From: Raymond Sleiman
Reply-To: r.sleiman@mail.gestronic.ch
Organization: Gestronic S.A
X-Mailer: Mozilla 3.0Gold (Win95; I)
Mime-Version: 1.0
To: firewalls@greatcircle.com
Subject: sendmail and many domains
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hello All,

I am an ISP. I host mail for multiple domains. How can I get the mail for each user to have a "From" address for the user's own domain instead of the domain of the mailhost?
Best Regards

From firewalls-owner Mon Mar 3 23:47:06 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id XAA02249 for firewalls-outgoing; Mon, 3 Mar 1997 23:19:08 -0800 (PST)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id XAA02125 for ; Mon, 3 Mar 1997 23:18:32 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id XAA11156 for ; Mon, 3 Mar 1997 23:19:44 -0800 (PST)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA08768; Mon, 3 Mar 97 23:17:28 PST
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id XAA14646 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Mon, 3 Mar 1997 23:16:36 -0800 (PST)
Message-Id: <199703040716.XAA14646@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 5D6C2EE9FF8F16EA882564500028409D; Mon, 3 Mar 97 23:16:35 EDT
To: Keith Stone
Cc: firewalls , Steve Semple
From: Ryan Russell/SYBASE
Date: 3 Mar 97 23:22:55 EDT
Subject: RE: On Guard
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I've used PIX and Firewall-1. PIX sounds really similar to what you've described from OnGuard. Firewall-1 may give you better logging, and since there's a general-purpose OS, you can probably customize things a bit more (i.e. add a proxy if you like.) As you mentioned, you can have a third or further interface with FW1, so it may be easier for you to build a DMZ. Also, FW1 has a centralized management app that can be on a different machine than the one that actually does the filtering... more useful if you have more than one.
Ryan

---------- Previous Message ----------
To: firewalls, ssemple
cc: 
From: keiths @ geotel.com (Keith Stone) @ smtp
Date: 03/03/97 12:56:00 PM
Subject: RE: On Guard

OnGuard claims to be of a similar class of firewall as Checkpoint (stateful multi-layer inspection). I've learned of a few differences:

(1) Checkpoint runs on a standard operating system (NT or UNIX), while OnGuard uses a proprietary operating system that runs only on Intel PC's.

(2) OnGuard can only take two net connections (one to the Internet, and one to the rest of your corporate net), while Checkpoint can take more, apparently bound by the number of available slots in the computer.

(3) OnGuard requires a 486/66 PC as the minimum acceptable computer to run on, while Checkpoint requires a 100MHz Pentium.

(4) OnGuard, fully loaded, with the ability to do NAT for an unlimited number of IP addresses, was quoted to me at $15K, and that includes the computer if you want to buy it from them. Checkpoint's software for unlimited NAT is around $18K, and you still need the computer.

How to determine whether Checkpoint is worth the extra money is something I haven't been able to do yet. Checkpoint does seem to have about 40% of the firewall market, or so they say.

This is by no means an exhaustive list, but they are things I've learned along the way.

One other thing I found interesting. When I was at Networks Expo a couple of weeks ago, a Checkpoint reseller (there was more than one) I was talking to said that they were the only firewall that did SMLI. When I mentioned that OnGuard claimed to do the same thing, the guy shot back that in order to do so, On would have to violate patents. Somehow, I doubt this is true, and it's pretty brazen to make such a claim.

----------
From: Steve Semple
Sent: Monday, March 03, 1997 12:41 PM
To: firewalls
Subject: On Guard

Lately I've been barraged by mail from On Technology Corp regarding their many products, including On Guard firewall. Strikes me as odd that I've never even seen the product mentioned in discussions here over the past six months or so (I just returned from being on the road -- so if the past two weeks have been filled with On Guard give-and-take, please flame lightly).

Has anyone evaluated this product? Care to comment?

Steve

From firewalls-owner Tue Mar 4 01:06:15 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id AAA15660 for firewalls-outgoing; Tue, 4 Mar 1997 00:56:23 -0800 (PST)
Received: from polaris.pacificnet.net (polaris.pacificnet.net [207.171.0.250]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id AAA15625 for ; Tue, 4 Mar 1997 00:56:12 -0800 (PST)
Received: from default (pm3d-45.pacificnet.net [207.171.18.190]) by polaris.pacificnet.net (8.6.11/8.6.11) with SMTP id AAA26981; Tue, 4 Mar 1997 00:53:06 -0800
Message-ID: <331BE447.E2A@pacificnet.net>
Date: Tue, 04 Mar 1997 00:58:47 -0800
From: Osiris
Reply-To: osiris@pacificnet.net
X-Mailer: Mozilla 3.01 (Win95; I)
MIME-Version: 1.0
To: replay@unlimited.net
CC: Darren Cromer , "'firewalls@greatcircle.com'"
Subject: Re: How do I get off this list.
References: <331BC03D.5E4E@unlimited.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

randy law wrote:
> 
> well... you could see it that way, or, you can just read
> boring begging emails like his and mine asking how to remove
> ourselves from the list over and over and over again.
> 
> how do i remove myself from the list?
> 

When you first subscribed to the list, you were provided with instructions on how to unsubscribe.
The strings are these:

unsubscribe firewalls
unsubscribe firewalls-digest
unsubscribe firewalls-performance-digest

The target is this: Majordomo@GreatCircle.COM

From firewalls-owner Tue Mar 4 01:21:11 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id AAA07289 for firewalls-outgoing; Tue, 4 Mar 1997 00:29:30 -0800 (PST)
Received: from gateway.jdedwards.com (gateway.jdedwards.com [208.141.148.4]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id AAA06963 for ; Tue, 4 Mar 1997 00:28:20 -0800 (PST)
Received: by gateway.jdedwards.com (8.8.5) id BAA02021; Tue, 4 Mar 1997 01:23:12 -0700 (MST)
Received: from unknown(10.1.254.50) by gateway.jdedwards.com via smap (V1.3) id sma002019; Tue Mar 4 01:22:42 1997
Received: from CORP.JDE (msmail) by mailsw (5.x) id AA00637; Tue, 4 Mar 1997 01:22:59 -0700
Received: by CORP.JDE with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC283B.0D7DC8E0@CORP.JDE>; Tue, 4 Mar 1997 01:26:15 -0700
Message-Id:
From: "Adams, Peter"
To: "'firewalls@greatcircle.com'"
Subject: How to get of the mail list.....
Date: Tue, 4 Mar 1997 01:26:06 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

And start annoying the rest of planet earth.

>
>Welcome to the firewalls mailing list!
>
>Please save this message for future reference. Thank you.
>
>If you ever want to remove yourself from this mailing list,
>you can send mail to with the following
>command in the body of your email message:
>
> unsubscribe firewalls email_address@wherever.com
>
> Here's the general information for the list you've subscribed to,
> in case you don't already have it:
>
>Description
>===========
>This list is for discussions of Internet "firewall" security systems and
>related issues. It is an outgrowth of the Firewalls BOF session at the
>Third UNIX Security Symposium in Baltimore on September 15, 1992.
>
>This is the undigestified version of the list. All messages sent to this
>list are immediately forwarded to members of the list. The digestified
>version of the list is Firewalls-Digest@GreatCircle.COM. To subscribe
>to Firewalls-Digest, send "subscribe firewalls-digest" in the body of
>a message (not on the "Subject:" line) to "Majordomo@GreatCircle.COM".
>
>Frequently Asked Questions
>==========================
>A "Frequently Asked Questions" (FAQ) document (written by Marcus Ranum,
>mjr@tis.com) is available via anonymous FTP from host FTP.GreatCircle.COM,
>file pub/firewalls/FAQ, or from Majordomo by sending the command "get
>firewalls FAQ" in the body of an email message (not on the "Subject:"
>line) to address "Majordomo@GreatCircle.COM", or via URL
> ftp://ftp.greatcircle.com/pub/firewalls/FAQ
>
>Policies
>========
>Code for cracking programs (programs designed to help break into another
>system) should not be posted to the Firewalls mailing list.
>
>You can subscribe a local redistribution list or a gateway to a local
>newsgroup, as long as whatever you do is local to your site. This
>restriction makes it much easier for me to track down mailer problems.
>
>I'm very aggressive when it comes to bounced email. If email to you
>starts bouncing, I'll probably drop you from the list fairly quickly;
>you'll have to resubscribe when you get the problem fixed, and retrieve
>the archives to find out what you missed.
>
>Archives
>========
>All messages to the list are archived.
>The archives are available via
>Majordomo using the "get" command (send "help" in the body of a message
>to "Majordomo@GreatCircle.COM" for more info), or via anonymous FTP from
>host FTP.GreatCircle.COM in directory "pub/firewalls/archive", or via URL
> ftp://ftp.greatcircle.com/pub/firewalls/archive/
>
>The archives are broken down by year and month, and are stored in files
>named "firewalls.YYMM". The copy of the archive available by anonymous
>FTP is updated every night at 2am local time (0900 GMT in the summer,
>1000 GMT in the winter).
>
>WAIS Access
>===========
>The Firewalls archive is available by WAIS on host WAIS.GreatCircle.COM,
>at port 210, under the database name "firewalls-digest". The WAIS
>archive is actually maintained from the Firewalls-Digest archive, which
>has all the same information in it as the Firewalls archive, and is
>easier to convert to WAIS format. The WAIS archive is updated nightly.
>
>The FAQ document is also available by WAIS on host WAIS.GreatCircle.COM,
>at port 210, under the database name "firewalls-faq".
>
>For Further Information
>=======================
>Michael C. Berch
>Postmaster and list manager, Great Circle Associates
>mcb@greatcircle.com
>
>

From firewalls-owner Tue Mar 4 01:26:09 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id AAA06541 for firewalls-outgoing; Tue, 4 Mar 1997 00:26:45 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id AAA06318 for ; Tue, 4 Mar 1997 00:25:57 -0800 (PST)
Received: from gateway.jdedwards.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-961106) id AAA22396; Tue, 4 Mar 1997 00:22:42 -0800 (PST)
Received: by gateway.jdedwards.com (8.8.5) id BAA01973; Tue, 4 Mar 1997 01:20:01 -0700 (MST)
Received: from unknown(10.1.254.50) by gateway.jdedwards.com via smap (V1.3) id sma001968; Tue Mar 4 01:19:56 1997
Received: from CORP.JDE (msmail) by mailsw (5.x) id AA00607; Tue, 4 Mar 1997 01:20:13 -0700
Received: by CORP.JDE with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63) id <01BC283A.AA660C40@CORP.JDE>; Tue, 4 Mar 1997 01:23:29 -0700
Message-Id:
From: "Adams, Peter"
To: "'firewalls@greatcircle.com'"
Subject: FW: HELP!
Date: Tue, 4 Mar 1997 01:23:18 -0700
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.63
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>----------
>From: Adams, Peter
>Sent: 26 February 1997 06:47
>To: 'majordomo@greatcircle.com'
>Subject: HELP!
>
>Is anyone producing a product similar to the TIS Toolkit for the NT platform?
>
>OR
>
>Does the TIS Toolkit run on a LINUX platform?
>
>OR
>
>Do I really need to get a UNIX system, and do the job properly?
>
>I'm using Cisco routers, with acl's but want a little more protection. (hence
>the firewall. - Proxy server ( FTP & HTTP ), SMTP receiver. are core
>requirements
>
>
>thank you
>

From firewalls-owner Tue Mar 4 03:10:52 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id CAA23968 for firewalls-outgoing; Tue, 4 Mar 1997 02:13:25 -0800 (PST)
Received: from wizard.abirnet.co.il ([194.90.211.10]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id CAA23954 for ; Tue, 4 Mar 1997 02:12:43 -0800 (PST)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id SAA00898; Tue, 4 Mar 1997 18:15:23 +0200
Date: Tue, 4 Mar 97 12:11:00
From: Ziv Dascalu
Subject: RE: sniffer!
To: Firewalls@GreatCircle.COM, Jose Luis Delgado
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

NT 4.0 server comes with its network monitoring utility which was in prev. versions called blood.. you can also run most of the software sniffers that support NDIS 3.0 (the one used in WfW 3.11 and NT 3.5/3.51, since NT 4.0 runs NDIS 4.0 which is compatible with NDIS 3.0)

hope this helps
/ZIv

---
On Mon, 3 Mar 1997 17:59:57 -0600 (CST) Jose Luis Delgado wrote:

>Hi guys!!
>
>If exist:
>where can I find a sniffer for NT 4.0??
>or a
>tcp wrapper??
>
>Thanks in advance!

-----------------End of Original Message-----------------

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
|              A B I R N E T   Active Network Protection                 |
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
/ AbirNet provides the next generation in Internet and Intranet Protection\
| AbirNet provides Windows 95 & NT-based software that lets you know      |
| how your network is being used while protecting it from intrusions      |
| and abuse using no-network overhead, see-it-all filtering, blocking,    |
| alerting, logging, and scanning technologies.                           |
|                                                                         |
\========== Get a BETA version at ================/

From firewalls-owner Tue Mar 4 04:17:32 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id DAA25534 for firewalls-outgoing; Tue, 4 Mar 1997 03:00:04 -0800 (PST)
Received: from f13.hotmail.com (F13.hotmail.com [207.82.250.24]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id CAA25500 for ; Tue, 4 Mar 1997 02:59:46 -0800 (PST)
Received: (from root@localhost) by f13.hotmail.com (8.7.5/8.7.3) id CAA12345; Tue, 4 Mar 1997 02:58:15 -0800 (PST)
Date: Tue, 4 Mar 1997 02:58:15 -0800 (PST)
Message-Id: <199703041058.CAA12345@f13.hotmail.com>
Received: from 193.1.182.53 by www.hotmail.com with HTTP; Tue, 04 Mar 1997 02:58:15 PST
X-Originating-IP: [193.1.182.53]
From: " Whizzy ."
To: Firewalls@GreatCircle.COM
Content-Type: text/plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

list

---------------------------------------------------------
Get Your *Web-Based* Free Email at http://www.hotmail.com
---------------------------------------------------------

From firewalls-owner Tue Mar 4 05:18:14 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id EAA05665 for firewalls-outgoing; Tue, 4 Mar 1997 04:59:56 -0800 (PST)
Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id EAA05612 for ; Tue, 4 Mar 1997 04:59:22 -0800 (PST)
From: crumrig@us-state.gov
Received: by castle.us-state.gov; id AA09828; Tue, 4 Mar 97 07:57:30 EST
Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap (V1.3mjr) id sma009816; Tue Mar 4 07:57:15 1997
Received: by pubhost.us-state.gov; id AA05745; Tue, 4 Mar 97 07:57:15 EST
Date: Tue, 4 Mar 97 07:55:28 PST
Subject: RE: Firewall ?
To: firewalls@GreatCircle.COM, alp@IDT.NET
X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Look at V-One's smartgate product

---------------Original Message---------------

I am looking for a product, which will connect two companies networks together using a oneway encryption, thru a firewall maybe? I was wondering if there is a product out there which will be able to do this and let certain users from one company access all info on another company's lan via IP or IPX. Is this possible?

----------End of Original Message----------

From firewalls-owner Tue Mar 4 05:33:18 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id BAA23483 for firewalls-outgoing; Tue, 4 Mar 1997 01:59:40 -0800 (PST)
Received: from pub.pub.ro (pub.pub.ro [141.85.128.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id BAA23434 for ; Tue, 4 Mar 1997 01:58:39 -0800 (PST)
Received: (from uucp@localhost) by pub.pub.ro (8.8.4/8.8.3) id LAA02323 for GreatCircle.COM!firewalls; Tue, 4 Mar 1997 11:56:04 +0200 (EET)
Received: from ottonel with uucp; Tue, 4 Mar 97 08:43:51
Received: by ottonel.pub.ro id m0w1nwp-000F4OC (Debian /\oo/\ Smail3.1.29.1 #29.37); Tue, 4 Mar 97 08:43 EET
Date: Tue, 4 Mar 1997 08:43:28 +0200 (EET)
From: "Mihai Holinschi (UniByte)"
To: Trevor Paquette
cc: firewalls@GreatCircle.COM
Subject: Re: virii and firewalls and scanning
In-Reply-To: <9702281015.ZM7640@cygnus.aec.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Salve!

Sorry, dude! NOW I see that the last message was mailed to you, and not the REAL crap-brains... Sorry...

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
_/_/_/ Mihai Holinschi   _/_/ unibyte@ottonel.pub.ro   _/_/_/
_/_/_/ AKA               _/_/ 00-401-410-0610 -Phone   _/_/_/
_/_/_/ The Anarchyst     _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/  _/_/ Living is an ART. _/_/  _/_/_/_/_/_/_/_/_/_/_/_/

From firewalls-owner Tue Mar 4 05:33:21 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id FAA06061 for firewalls-outgoing; Tue, 4 Mar 1997 05:03:05 -0800 (PST)
Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id FAA05943 for ; Tue, 4 Mar 1997 05:02:12 -0800 (PST)
From: crumrig@us-state.gov
Received: by castle.us-state.gov; id AA09955; Tue, 4 Mar 97 08:00:35 EST
Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap (V1.3mjr) id sma009929; Tue Mar 4 07:59:46 1997
Received: by pubhost.us-state.gov; id AA05829; Tue, 4 Mar 97 07:59:45 EST
Date: Tue, 4 Mar 97 07:57:48 PST
Subject: Re: virus checking
To: firewalls@GreatCircle.COM, lance@pfi.com
X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

We do it in between our firewall and the mail host.

---------------Original Message---------------

[much discussion]

thanks for all the feedback on this subject. it seems like there's a consensus against virus checking on a firewall which was my initial reaction as well. my network map includes an internal private network in which my mail server resides. wouldn't it be more natural to house the virus checking on that host, or is there a susceptibility before the smtp packet gets there?

also, can anyone tell me in which order processing occurs in firewall 1? specifically, do i translate addresses first or route first?
thanks again,
lance

----------End of Original Message----------

From firewalls-owner Tue Mar 4 06:01:37 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id FAA06160 for firewalls-outgoing; Tue, 4 Mar 1997 05:04:21 -0800 (PST)
Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id FAA06069 for ; Tue, 4 Mar 1997 05:03:14 -0800 (PST)
From: crumrig@us-state.gov
Received: by castle.us-state.gov; id AA10009; Tue, 4 Mar 97 08:01:34 EST
Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap (V1.3mjr) id sma009996; Tue Mar 4 08:01:23 1997
Received: by pubhost.us-state.gov; id AA05884; Tue, 4 Mar 97 08:01:23 EST
Date: Tue, 4 Mar 97 07:58:50 PST
Subject: RE: Firewall software
To: firewalls@Greatcircle.com, mother@eagle.cc.ukans.edu
X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Nate look at V-ONE'S SMARTGATE product. You don't have to replace your firewall either. It will run on your internal hosts and can provide configurable access to different departments.

---------------Original Message---------------

Hello everyone-

I am an assistant to the system administrator for the University of Kansas EECS department and was wondering if anyone had any recommendations for firewall software. The way we currently have our systems configured, ftp and telnet access are allowed from trusted hosts inside the building, but outside traffic is logged and denied access by TCP wrappers unless the telnet session attempting to connect is SSH. Recently it has become apparent that the major threat is actually inside the department. We would really like to beef up security between the trusted hosts without sacrificing ftp, telnet, ping, or any other useful application or slowing the system down much.
Any advice would be appreciated,

Nate Oborny, Oborny@eecs.ukans.edu

----------End of Original Message----------

From firewalls-owner Tue Mar 4 06:03:21 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id FAA10353 for firewalls-outgoing; Tue, 4 Mar 1997 05:35:18 -0800 (PST)
Received: from threewiz.demon.co.uk (threewiz.demon.co.uk [158.152.116.88]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id FAA10154 for ; Tue, 4 Mar 1997 05:34:09 -0800 (PST)
Received: from kimble (unverified [196.14.41.1]) by kimble.demon.co.uk (EMWAC SMTPRS 0.83) with SMTP id ; Tue, 04 Mar 1997 13:31:04 +0000
Message-ID:
From: "David Harvey-George"
To: "Jose Luis Delgado" ,
Subject: Re: sniffer!
Date: Tue, 4 Mar 1997 13:31:03 -0000
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Jose Luis Delgado asked:

> If exist:
> where can I find a sniffer for NT 4.0??

There's a sniffer on the installation CD. It's called the Network Monitoring tool. You will need to get a different version if you want to operate in promiscuous mode. So I guess the answer is Microsoft.

regards,
David

From firewalls-owner Tue Mar 4 06:20:43 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id BAA18062 for firewalls-outgoing; Tue, 4 Mar 1997 01:21:42 -0800 (PST)
Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id AAA07840 for ; Tue, 4 Mar 1997 00:31:33 -0800 (PST)
Received: from lassie.eunet.fi by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-961106) id XAA19747; Mon, 3 Mar 1997 23:41:55 -0800 (PST)
Received: from marathon.tekla.fi by lassie.eunet.fi with SMTP id AA07509 (5.67a/IDA-1.5 for ); Tue, 4 Mar 1997 09:42:56 +0200
Received: from ds10.tekla.fi by marathon.tekla.fi (5.65/20-jun-90) id AA21059; Tue, 4 Mar 1997 09:42:52 +0200
Received: from localhost by ds10.tekla.fi.tekla.fi (5.65/20-jun-90) id AA11231; Tue, 4 Mar 1997 09:42:49 +0200
Date: Tue, 4 Mar 1997 09:42:48 +0200 (EET)
From: Harald Lundberg
To: firewalls@GreatCircle.COM
Subject: cisco encryption problem
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

This question is strictly speaking not firewall-related, but I guess quite a lot of cisco gurus read this... Neither my manual nor my dealer has been of great help....

My problem: I have 2 routers running Cisco's encryption engine (IOS 11.2). But the outgoing interfaces use non-official addresses (they only talk to the ISP's routers). All packets originating from the router use the outgoing interface's address. Is there any way to change this? I'd prefer setting an address for all packets generated by the router (including ping, telnet etc), but even just defining an address for the encryption engine would be ok. Any possibility for this? Or do I have to change the addresses for my outgoing interfaces and buy 2 more C-class addresses?
Regards, Harald

Harald Lundberg ;Tekla Oy,Koronakatu 1,FIN-02210,ESPOO,FINLAND
tel +358-{9-8879449work,9-8039489fax,9-8026752,19-2418013res,50-5578303mob}

From firewalls-owner Tue Mar 4 06:44:29 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id EAA02040 for firewalls-outgoing; Tue, 4 Mar 1997 04:22:10 -0800 (PST)
Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id EAA02000 for ; Tue, 4 Mar 1997 04:21:28 -0800 (PST)
From: crumrig@us-state.gov
Received: by castle.us-state.gov; id AA08426; Tue, 4 Mar 97 07:19:40 EST
Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap (V1.3mjr) id sma008404; Tue Mar 4 07:18:59 1997
Received: by pubhost.us-state.gov; id AA04798; Tue, 4 Mar 97 07:18:59 EST
Date: Tue, 4 Mar 97 07:14:46 PST
Subject: Re: virus checking
To: firewalls@greatcircle.com, David Harley
X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc.
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I don't know where you are getting your info David, but the product I am familiar with (mimesweeper) uses the same desktop software you use to check at the desktop. So how can it be less useful? Don't say it slows down things either, because it has been our experience that its effect on delivery time is negligible.

---------------Original Message---------------

Todd Graham Lewis writes...

> > Besides, I think cleaning up a virus at the wall as something comes in
> > is a ton easier than having to clean up 4 thousand machines, don't you?

> Which is why I say that ActiveX should be filtered at the firewall. Does
> no one else see the similarity? Why do we treat these two issues
> differently?
>

Good question. Security in depth, remember? Nothing wrong with that.
There's nothing wrong with scanning at the firewall as long as you don't rely on it exclusively, and as long as you can afford the overheads. > Saying that the firewall is > the WRONG place to do virus checking (which I've seen a couple of times > on the list recently) is like saying the desktop is the WRONG place to > have security. Not altogether. Properly-implemented desktop scanning will catch just about anything that scanning at the firewall will, but a little redundancy doesn't hurt, in virus management as in routing. Scanning at the firewall -won't- catch everything that can be picked up at the desktop. Of course, if you can't trust the quality of scanning at the desktop, a good scanner at the perimeter is a lot better than nothing. -- David Harley \ | / alt.comp.virus FAQ D.Harley@icrf.icnet.uk \ | / & Anti-Virus Web Page Support & Security Analyst \ | / Folk London On-Line gig-list Imperial Cancer Research Fund ____\|/____ http://webworlds.co.uk/dharley/ ----------End of Original Message---------- From firewalls-owner Tue Mar 4 06:44:34 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id BAA23480 for firewalls-outgoing; Tue, 4 Mar 1997 01:59:30 -0800 (PST) Received: from pub.pub.ro (pub.pub.ro [141.85.128.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id BAA23431 for ; Tue, 4 Mar 1997 01:58:27 -0800 (PST) Received: (from uucp@localhost) by pub.pub.ro (8.8.4/8.8.3) id LAA02314 for GreatCircle.COM!firewalls; Tue, 4 Mar 1997 11:55:52 +0200 (EET) Received: from ottonel with uucp; Tue, 4 Mar 97 08:42:01 Received: by ottonel.pub.ro id m0w1nv6-000F4OC (Debian /\oo/\ Smail3.1.29.1 #29.37); Tue, 4 Mar 97 08:41 EET Date: Tue, 4 Mar 1997 08:41:46 +0200 (EET) From: "Mihai Holinschi (UniByte)" To: Trevor Paquette cc: firewalls@GreatCircle.COM Subject: Re: virii and firewalls and scanning In-Reply-To: <9702281015.ZM7640@cygnus.aec.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: 
firewalls-owner@GreatCircle.COM Precedence: bulk Salve, BORING dudes! (this message is dedicated to Trevor Paquette who likes to check paquettes for virii) You must be kidding about that crappy thing about network virii-checking ! Here are ONLY 2 reasons: 1. Have you heard of ENCRYPTED virii? If not, I can ASSURE you that other people did! 2. Checking for buggers can slow down the work of users, especially if you use a machine that might use a few upgrades (as a server)... On the other hand, your message can be interpreted another way: it cannot be done right now. The future is the answer... If so, please excuse me... If not, CRAP OFF! _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ _/_/_/ Mihai Holinschi _/_/ unibyte@ottonel.pub.ro _/_/_/ _/_/_/ AKA _/_/ 00-401-410-0610 -Phone _/_/_/ _/_/_/ The Anarchyst _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ _/_/ Living is an ART. _/_/ _/_/_/_/_/_/_/_/_/_/_/_/ PS: I'm off this list. Please reply at unibyte@ottonel.pub.ro AND root@unibyte.ottonel.pub.ro (I'm going to get rid of the first one, right after I make the second one ready to work.. 
;) ) From firewalls-owner Tue Mar 4 06:46:19 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id BAA17926 for firewalls-outgoing; Tue, 4 Mar 1997 01:17:29 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id AAA07557 for ; Tue, 4 Mar 1997 00:30:48 -0800 (PST) From: pearses@businessgas.co.uk Received: from businessgas.co.uk by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-961106) id XAA19710; Mon, 3 Mar 1997 23:41:19 -0800 (PST) Received: by firewall.businessgas.co.uk id <5939>; Tue, 4 Mar 1997 08:44:03 +0000 Comments: Authenticated sender is To: firewalls@GreatCircle.COM Date: Tue, 4 Mar 1997 07:41:05 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: NT Firewalls X-mailer: Pegasus Mail for Win32 (v2.52) Message-Id: <97Mar4.084403gmt.5939@firewall.businessgas.co.uk> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk For those of us watching in black and white, what are the good firewalls for NT ? steve From firewalls-owner Tue Mar 4 07:01:34 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id BAA18648 for firewalls-outgoing; Tue, 4 Mar 1997 01:30:16 -0800 (PST) Received: from relay.logicnet.ro (relay.logicnet.ro [193.226.80.252]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id BAA18487 for ; Tue, 4 Mar 1997 01:29:23 -0800 (PST) Received: from janus.logicnet.ro (EmperorOfDune@janus.logictl.net [193.226.81.10]) by relay.logicnet.ro (8.8.5/8.8.5) with ESMTP id LAA09604 for ; Tue, 4 Mar 1997 11:27:51 +0200 Received: (from cornel@localhost) by janus.logicnet.ro (8.7.5/8.7.3) id KAA00331; Tue, 4 Mar 1997 10:38:32 +0200 Date: Tue, 4 Mar 1997 10:38:30 +0200 (EET) From: Corneliu Tanasa To: AniFreez@aol.com cc: firewalls@GreatCircle.COM Subject: Re: OKAY !!! 
In-Reply-To: <970303183216_752880592@emout06.mail.aol.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- On Mon, 3 Mar 1997 AniFreez@aol.com wrote: > I AM OFF THE LIST, PLEASE STOP E-MAILING ME TREATING ME LIKE I KNOW NOTHING > !!!!!!!!!!!!!!!!!!!!! STOP IT !!! > I'm afraid that you really know nothing. At least you know nothing about the common sense :-( -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMxvfiS4fmj5Bw9vpAQGidgL9EiOWh7bQ8u6+Ejpl0y33J95Vomp4Dw4+ M9UdHtpnlFcxLgz1YLJ+eyciVjq8vdSjfUJGbBItMiRtrZ9oIzPiU3R/vGFzPuqk R8yLCGM8QD/wb2RfKMrYHSFYDy6OLC5j =SsEA -----END PGP SIGNATURE----- From firewalls-owner Tue Mar 4 07:19:53 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id HAA27558 for firewalls-outgoing; Tue, 4 Mar 1997 07:11:33 -0800 (PST) Received: from scribe.cc.purdue.edu (scribe.cc.purdue.edu [128.210.11.6]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id HAA27483 for ; Tue, 4 Mar 1997 07:10:56 -0800 (PST) Received: from ia01.freh.purdue.edu by scribe.cc.purdue.edu; Tue, 4 Mar 97 10:09:27 -0500 Comments: Authenticated sender is From: "Michael S Hines" Organization: Purdue University To: firewalls@greatcircle.com Date: Tue, 4 Mar 1997 10:13:20 +0000 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: sniffer! Reply-to: mshines@purdue.edu X-mailer: Pegasus Mail for Win32 (v2.42) Message-Id: <331c3b2772dc002@scribe.cc.purdue.edu> Sender: firewalls-owner@GreatCircle.COM Precedence: bulk NT Server 4.0 comes with a sniffer built in... look on your distribution CD! Does statistics for multiple protocols with the ability to log packets for later analysis. Also has a trigger facility to start action based on some condition... Can't help you with wrappers... have you tried to port it directly (NT 4.0 supports POSIX standards)? 
> If exist: > where can I find a sniffer for NT 4.0?? > or a > tcp wrapper?? ----------------------------------------------------------------- Internet: mshines@purdue.edu * Michael S. Hines, CDP, CFE Voice: (765) 494-5845 * Sr. Information Systems Auditor FAX: (765) 496-1814 * Purdue University * 1065 Freehafer Hall * West Lafayette, IN 47907-1065 From firewalls-owner Tue Mar 4 08:07:05 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id FAA10352 for firewalls-outgoing; Tue, 4 Mar 1997 05:35:15 -0800 (PST) Received: from threewiz.demon.co.uk (threewiz.demon.co.uk [158.152.116.88]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id FAA10106 for ; Tue, 4 Mar 1997 05:33:58 -0800 (PST) Received: from kimble (unverified [196.14.41.1]) by kimble.demon.co.uk (EMWAC SMTPRS 0.83) with SMTP id ; Tue, 04 Mar 1997 11:26:21 +0000 Message-ID: From: "David Harvey-George" To: Subject: Re: Firewall OS - log files Date: Tue, 4 Mar 1997 11:26:20 -0000 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk > Bernd Eckenfels allegedly said: > > Excuse my ignorance. But what on earth is that important to be secured that > > way? > Yes indeed you are. Sneaky individuals can take up residence on your > system and be there for months ... snip > Secure logs may be the only way you ever notice anything. Then there is always the possibility of using the log-files in a prosecution. I recall Cliff Stoll's log files were used as evidence in prosecuting the German hackers that broke into his systems. I also remember that for some reason they were inadmissible... this was documented in the Cyberpunk book. 
David From firewalls-owner Tue Mar 4 08:07:42 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id HAA29127 for firewalls-outgoing; Tue, 4 Mar 1997 07:21:28 -0800 (PST) Received: from transit.jcd.se (transit.jcd.se [195.198.111.80]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id HAA29074 for ; Tue, 4 Mar 1997 07:21:08 -0800 (PST) Message-Id: <199703041521.HAA29074@miles.greatcircle.com> Received: by transit.jcd.se (1.38.193.4/16.2) id AA19682; Tue, 4 Mar 1997 16:14:58 +0100 From: John Cargill-Ek Subject: Re: virus checking To: peter@baileynm.com (Peter da Silva) (Peter da Silva) Date: Tue, 4 Mar 97 16:14:57 MET Cc: dufresne@parka.winternet.com, beck@obtuse.com, harley@icrf.icnet.uk, firewalls@GreatCircle.COM In-Reply-To: <9703031657.AA29885@sonic.nmti.com.nmti.com>; from "Peter da Silva" at Mar 3, 97 10:57 am Mailer: Elm [revision: 70.85] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk From firewalls-owner Tue Mar 4 08:47:48 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id HAA01057 for firewalls-outgoing; Tue, 4 Mar 1997 07:34:05 -0800 (PST) Received: from guru.unixpros.com (guru.unixpros.com [207.17.234.5]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id HAA01023 for ; Tue, 4 Mar 1997 07:33:50 -0800 (PST) Message-Id: <199703041533.HAA01023@miles.greatcircle.com> Received: by guru.unixpros.com (1.38.193.4/16.2) id AA05398; Tue, 4 Mar 1997 10:30:04 -0500 From: Stan Wnuck Subject: What's the difference? To: firewalls@GreatCircle.COM Date: Tue, 4 Mar 97 10:30:03 EST Mailer: Elm [revision: 70.85] Sender: firewalls-owner@GreatCircle.COM Precedence: bulk This might be a stupid question, but one that still perplexes me. I heard one time that the only difference between a Guard and a Firewall is that a Guard is just an expensive Firewall. Can anyone really give a real good explanation between the two? Stan Wnuck swnuck@unixpros.com Unixpros, Inc. 
10 Industrial Way East (908) 389-3295 x542 Eatontown, NJ 07724 (908) 389-5461 Fax PM-CHS Technology Insertion Office Ft. Monmouth Army Base, NJ (908) 427-2033 / 427-6963 From firewalls-owner Tue Mar 4 08:48:14 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id HAA01484 for firewalls-outgoing; Tue, 4 Mar 1997 07:37:01 -0800 (PST) Received: from newman (newman.unifiedtech.com [38.251.136.48]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id HAA01386 for ; Tue, 4 Mar 1997 07:36:19 -0800 (PST) Received: from bass.unifiedtech.com by newman (SMI-8.6/SMI-SVR4) id KAA20335; Tue, 4 Mar 1997 10:33:20 -0500 Received: by bass.unifiedtech.com (SMI-8.6/SMI-SVR4) id KAA00783; Tue, 4 Mar 1997 10:33:25 -0500 Date: Tue, 4 Mar 1997 10:33:25 -0500 From: jonesmd@unifiedtech.com (Mike Jones) Message-Id: <199703041533.KAA00783@bass.unifiedtech.com> To: firewalls@greatcircle.com, DarrenCr@Attachmate.com Subject: RE: virus checking Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Content-MD5: uTLFCUGNi0D+04PjxJ9Gvw== Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Darren Cromer writes... > Of course scanning at your firewall assumes that all viruses originate > on the internet and are not introduced internally. I'd > venture to guess that most viruses we have come in contact with > transmitted the old fashioned way through floppies. Not at all. Scanning at your firewall assumes that *some* viruses infiltrate from the Internet, which doesn't seem like a bad assumption at all these days. A lot of viruses probably do walk in in someone's pocket. A lot of passwords are stuck to monitors on Post-Its, too, but that doesn't seem to have caused anyone to think that setting up a firewall is a bad idea. 
When I say you should check for viruses at the firewall, I don't mean that you should check for viruses ONLY at the firewall, any more than setting up a firewall means you can ignore other types of security inside the network. -- Mike Jones Sr. Technical Advisor UNIFIED Technologies From firewalls-owner Tue Mar 4 09:34:02 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id HAA00732 for firewalls-outgoing; Tue, 4 Mar 1997 07:32:05 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id HAA00101 for ; Tue, 4 Mar 1997 07:29:55 -0800 (PST) Received: from landfield.com by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-961106) id GAA24854; Tue, 4 Mar 1997 06:28:00 -0800 (PST) Received: (from kent@localhost) by landfield.com (8.7.5/8.7.3) id IAA08457; Tue, 4 Mar 1997 08:29:34 -0600 (CST) From: Kent Landfield Message-Id: <199703041429.IAA08457@landfield.com> Subject: Re: Firewall software To: crumrig@us-state.gov Date: Tue, 4 Mar 1997 08:29:34 -0600 (CST) Cc: firewalls@GreatCircle.COM, mother@eagle.cc.ukans.edu In-Reply-To: from "crumrig@us-state.gov" at Mar 4, 97 07:58:50 am X-Mailer: ELM [version 2.4 PL25] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Please do this sort of thing via email to the requesting party and not to the list. Please be polite to the other thousands of individuals on this list that do not need to be told over and over what products are available... # # Nate look at V-ONES SMARTGATE product. You don't have to replace your firewall either. It will run on your internal hosts and can provide configurable access to different departments. 
# ---------------Original Message--------------- # Hello everyone- # I am an assistant to the system administrator for the University of # Kansas EECS department and was wondering if anyone had any recommendations # for firewall software. The way we currently have our systems configured, # ftp and telnet access are allowed from trusted hosts inside the # building, but outside traffic is logged and denied access by TCP # wrappers unless the telnet session attempting to connect is SSH. # Recently it has become apparent that the major threat is actually inside # the department. We would really like to beef up security between the # trusted hosts without sacrificing ftp, telnet, ping, or any other # useful application or slowing the system down much. # Any advice would be appreciated, # # Nate Oborny, # Oborny@eecs.ukans.edu # # # ----------End of Original Message---------- -- Kent Landfield Phone: 1-817-545-2502 The Landfield Group FAX: 1-817-545-7650 Email: kent@landfield.com http://www.landfield.com/ Please send comp.sources.misc related mail to kent@uunet.uu.net. Search the Usenet Hypertext FAQ Archive at http://www.landfield.com/faqs/ From firewalls-owner Tue Mar 4 09:48:56 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA06999 for firewalls-outgoing; Tue, 4 Mar 1997 08:14:07 -0800 (PST) Received: from dns.glo.be (dns.glo.be [206.48.177.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id IAA06980 for ; Tue, 4 Mar 1997 08:13:56 -0800 (PST) Received: from titan.glo.be (eloos@titan.glo.be [206.48.190.18]) by dns.glo.be (8.8.5/8.8.5) with ESMTP id RAA04302; Tue, 4 Mar 1997 17:09:39 +0100 Received: (from eloos@localhost) by titan.glo.be (8.8.5/8.8.5) id RAA19470; Tue, 4 Mar 1997 17:12:18 +0100 Date: Tue, 4 Mar 1997 17:12:18 +0100 (MET) From: Eric To: user@hacker.com cc: firewalls@GreatCircle.COM Subject: RE: How do I get off this list. 
In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Well, to tell you the truth, I came here also for learning the tricks to break through firewalls, I also read a lot of hackers' FAQs and they all said that you should start with subscribing to this kind of mailing lists. So what's the first thing wannabe hackers do? .... (guess) (Note: My purpose of becoming a hacker was to secure OUR systems, not to break into others) --Eric Junior Systems Engineer Globe internet nv (own!=company) opinion On Tue, 4 Mar 1997 user@hacker.com wrote: > > I can't believe it. > > a hacker can't get out of a mailing list ! > What kind of hacker is that. > > > >In message <970301132907_1115035466@emout10.mail.aol.com> writes: > >> Hi I am a teenager, who saw this mailing list in the alt.2600 faq, and so I > >> joined it, but it was not interesting to me, I accidentally deleted my letter > >> telling me how to get off the list. Could someone help me remove myself from > >> this list ? > > > > > > > >We should make him stay on the list. I can't think of better retribution for a > >hacker than to bore him to death. 
> > > >KM > > From firewalls-owner Tue Mar 4 10:02:41 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA08711 for firewalls-outgoing; Tue, 4 Mar 1997 08:22:51 -0800 (PST) Received: from unb.ca (hermes.csd.unb.ca [131.202.3.20]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id IAA08669 for ; Tue, 4 Mar 1997 08:22:32 -0800 (PST) Received: from fan1.fan.nb.ca (aa126@fan1.fan.nb.ca [207.216.99.163]) by unb.ca (8.8.5/970302-23:25) id MAA25998; Tue, 4 Mar 1997 12:20:52 -0400 (AST) Received: (from aa126@localhost) by fan1.fan.nb.ca (8.8.4/8.7.3) id MAA19333; Tue, 4 Mar 1997 12:20:47 -0400 (AST) Date: Tue, 4 Mar 1997 12:20:47 -0400 (AST) From: William Burrow To: Bernd Eckenfels cc: firewalls Subject: Re: Firewall OS In-Reply-To: <199703040712.XAA14606@notesgw2.sybase.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On 3 Mar 1997, Ryan Russell/SYBASE wrote: > Security is nice, but one should never leave ground.. some companies don't > have all that money they would need to pay for silly security. How fast do you expect your logs to be written? A serial line can only handle so much data. I would suspect numerous hosts could be hooked up to a cheap multiport board on a 386 running Linux or DOS for next to nothing. Compared to the other hardware costs and Internet connection fees, this is pretty minimal. With Linux's ext2compress filesystem patch, one could even get by on a relatively small drive if needs be. Furthermore, I think that a copy of the logs kept on the originating system might fool a silly hacker into not noticing the logs are going elsewhere (though obviously the hackers reading this list will be better advised :). 
-- William Burrow -- Fredericton Area Network, New Brunswick, Canada Copyright 1997 William Burrow From firewalls-owner Tue Mar 4 10:25:28 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA08126 for firewalls-outgoing; Tue, 4 Mar 1997 08:19:50 -0800 (PST) Received: from omsk.quadrix.com (omsk.quadrix.com [208.210.34.65]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id IAA07893 for ; Tue, 4 Mar 1997 08:18:41 -0800 (PST) Received: by omsk.quadrix.com (4.1/SMI-4.1) id AA25649; Tue, 4 Mar 97 11:15:50 EST Date: Tue, 4 Mar 97 11:15:50 EST From: bve@quadrix.com (BVE) Message-Id: <9703041615.AA25649@omsk.quadrix.com> To: randy law Subject: Re: How do I get off this list. Cc: firewalls@greatcircle.com Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Date: Mon, 03 Mar 1997 22:25:01 -0800 From: randy law well... you could see it that way, or, you can just read boring begging emails like his and mine asking how to remove ourselves from the list over and over and over again. how do i remove myself from the list? Since you, and one or two others, have asked nicely, I will provide you with a copy of the information THAT IS ATTACHED TO THE BOTTOM OF EVERY MESSAGE *I* GET FROM THE FIREWALLS MAILING LIST. If you lose the INFO message that got you *on* a list, try looking at the beginning AND THE END of a message you receive from the list. You might just find the cure to your pain! *That* is why people get so snotty with you for e-mailing the whole list to ask them how to unsubscribe! ------------------------------ End of Firewalls-Digest V6 #91 ****************************** To unsubscribe from Firewalls-Digest, send the following command in the body of a message to "Majordomo@GreatCircle.COM": unsubscribe firewalls-digest [remainder deleted...] -------------------------- If you are on "firewalls" and not "firewalls-digest", just say: unsubscribe firewalls -- Bill Van Emburg Phone: 908-235-2335 Quadrix Solutions, Inc. 
Fax: 908-235-2336 (bve@quadrix.com) Check out http://yourtown.com! (http://quadrix.com) "You do what you want, and if you didn't, you don't" From firewalls-owner Tue Mar 4 10:33:05 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA24059 for firewalls-outgoing; Tue, 4 Mar 1997 10:26:27 -0800 (PST) Received: from redback.quokkasports.com (redback.quokkasports.com [207.87.164.34]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id KAA24042 for ; Tue, 4 Mar 1997 10:26:14 -0800 (PST) Received: from fileserver.quokkasports.com by redback.quokkasports.com (SMI-8.6/SMI-SVR4) id KAA13566; Tue, 4 Mar 1997 10:24:27 -0800 Message-Id: <3.0.1.32.19970304102429.00800cb0@pop.quokkasports.com> X-Sender: phil@pop.quokkasports.com X-Mailer: Windows Eudora Pro Version 3.0.1 (32) Date: Tue, 04 Mar 1997 10:24:29 -0800 To: firewalls@greatcircle.com From: Phil Pierotti Cc: fw-1-mailinglist@us.checkpoint.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk In the near future I'll need to install a firewall (probably Checkpoint Firewall-1 on NT4.0) and I was wondering if anyone out there would like to comment (either positively or negatively) on any performance issues (or just "gotchas") they would foresee based on their experiences. We're going to have a 16Mbps pipe to the internet and I'd assume that'd require more than 10Base2 on the local LAN (probably 10BaseTX), but feel free to correct me if I'm wrong on this one. Anyway, rather than overload the list, please respond directly to me and I'll post a summary of what's said for the benefit of the list. Thanks Phil P ---------------------------------------------------------------------------- People who say it cannot be done should not interrupt those who are doing it ---------------------------------------------------------------------------- Quokka Sports, Inc. 
Phil Pierotti 525 Brannan Street, #203 o_o Senior Communications Engineer San Francisco CA 94107 / )o phil.pierotti@quokka.com United States of America (_/ Ph: +1 415 977 2390 http://www.whitbread.org/ Fx: +1 415 908 1841 From firewalls-owner Tue Mar 4 10:47:52 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA22433 for firewalls-outgoing; Tue, 4 Mar 1997 10:10:59 -0800 (PST) Received: from sl001.infi.net (sl001.infi.net [205.219.238.210]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id KAA22422 for ; Tue, 4 Mar 1997 10:10:47 -0800 (PST) Received: (from swright@localhost) by sl001.infi.net (8.7.4/8.7.3) id NAA07211; Tue, 4 Mar 1997 13:04:05 -0500 (EST) Date: Tue, 4 Mar 1997 13:04:05 -0500 (EST) From: Steve Wright To: pearses@businessgas.co.uk cc: firewalls@GreatCircle.COM Subject: Re: NT Firewalls In-Reply-To: <97Mar4.084403gmt.5939@firewall.businessgas.co.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk You might wanna try TIS Gauntlet. They have an excellent setup for NT. Hope this helps, Steve W. Security Consultant On Tue, 4 Mar 1997 pearses@businessgas.co.uk wrote: > > For those of us watching in black and white, > > what are the good firewalls for NT ? 
> > steve > From firewalls-owner Tue Mar 4 11:04:42 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA12786 for firewalls-outgoing; Tue, 4 Mar 1997 08:57:45 -0800 (PST) Received: from maelstrom.dial.pipex.net (maelstrom.dial.pipex.net [158.43.128.52]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id IAA12713 for ; Tue, 4 Mar 1997 08:57:08 -0800 (PST) Received: from typhoon.dial.pipex.net (158.43.128.27) by maelstrom.dial.pipex.net (8.8.3/) id QAA29653; Tue, 4 Mar 1997 16:55:39 GMT Received: from af058.du.pipex.com (193.130.245.58) by typhoon.dial.pipex.net (8.8.2/UUNET PIPEX simple 1.29) id QAA21291; Tue, 4 Mar 1997 16:53:02 GMT Message-ID: <331C53F3.E81@dial.pipex.com> Date: Tue, 04 Mar 1997 16:55:15 +0000 From: hf85 Organization: Royal Academy Of Engineering X-Mailer: Mozilla 2.02 (Win16; I) MIME-Version: 1.0 To: Firewalls@greatcircle.com Subject: Retail Shopping on the Internet Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Sirs, Does anyone out there have any experience in providing security solutions to retailers looking at setting up their own internet retail site? 
Please reply to: David Churchill-Saunders Eurocommerce From firewalls-owner Tue Mar 4 11:10:10 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id FAA09658 for firewalls-outgoing; Tue, 4 Mar 1997 05:30:45 -0800 (PST) Received: from dfw-ix16.ix.netcom.com (dfw-ix16.ix.netcom.com [206.214.98.16]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id FAA09639 for ; Tue, 4 Mar 1997 05:30:34 -0800 (PST) Received: (from smap@localhost) by dfw-ix16.ix.netcom.com (8.8.4/8.8.4) id HAA12258; Tue, 4 Mar 1997 07:28:44 -0600 (CST) Received: from hou-tx7-13.ix.netcom.com(204.32.167.45) by dfw-ix16.ix.netcom.com via smap (V1.3) id sma012251; Tue Mar 4 07:28:19 1997 Message-ID: <331C2291.4536@ix.netcom.com> Date: Tue, 04 Mar 1997 07:24:33 -0600 From: "John H. Gilley" Reply-To: jgilley@ix.netcom.com X-Mailer: Mozilla 3.01 (Win95; I) MIME-Version: 1.0 To: Gaddy Gumbao CC: gordonp.atc@gao.gov, firewalls@GreatCircle.COM Subject: Re: CISCO's 2500 References: <3.0.32.19970304014430.0093d100@pop.infocom.sequel.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Gaddy Gumbao wrote: > > Hi there all, > > We're evaluating this Cisco 2500. How can we configure this > to Banyan Vines? Does the 2500 series support Vines IP? Can we configure it > to bridge transparent? How? > > Hope you can help me.... > > Thanks a lot..... > > Gaddy gumbao > Servers Administrator If you bought the Vines IP option, then go to www.cisco.com and look at the online configuration docs. 
--jgilley-- From firewalls-owner Tue Mar 4 11:15:42 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id IAA12469 for firewalls-outgoing; Tue, 4 Mar 1997 08:55:15 -0800 (PST) Received: from cascade.pacificrim.net (cascade.pacificrim.net [204.96.68.30]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id IAA12387 for ; Tue, 4 Mar 1997 08:54:38 -0800 (PST) Received: from robinson-a (whatcom-ppp67.pacificrim.net [205.240.16.67]) by cascade.pacificrim.net (8.8.5/8.8.3) with SMTP id IAA23031 for ; Tue, 4 Mar 1997 08:52:35 -0800 Message-ID: <331C51AC.4AD4@tchocolate.com> Date: Tue, 04 Mar 1997 08:45:32 -0800 From: andrew robinson Reply-To: robinson@tchocolate.com Organization: totally chocolate X-Mailer: Mozilla 3.0 (WinNT; I) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: packet filtering Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk I oversee a small network of about 25 users (quickly growing): 10 Macs, 10 Win95 and 5 NT4.0 machines. Sometime during the next month, I will be installing a Cisco 1602 so that local users can gain access to the web and email. We have 3 servers on the network: 1 appleshare (apple talk), 1 novell 3.12 (ipx) and 1 nts4.0 (netBEUI). None of the servers are or will be running TCP/IP. During the next six months, we will be replacing the macs with NT and removing the Novell server. The network will then run entirely on ipx. All DNS, Web and email will be hosted by our ISP. Email will eventually move in-house. So, if I do basic packet filtering on the Cisco, and "unbind" TCP/IP from the server services on the NT machines, am I setting up a pretty secure/safe situation? If I block all UDP, will DNS revert to TCP and still function? Will this hurt performance? 
Thanks in advance, andrew robinson totally chocolate From firewalls-owner Tue Mar 4 11:20:57 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id KAA22664 for firewalls-outgoing; Tue, 4 Mar 1997 10:13:02 -0800 (PST) Received: from main.geminisecure.com (main.geminisecure.com [205.179.16.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id KAA22647 for ; Tue, 4 Mar 1997 10:12:50 -0800 (PST) Received: (from leonard@localhost) by main.geminisecure.com (8.6.9/8.6.9) id KAA05688; Tue, 4 Mar 1997 10:07:16 -0800 Date: Tue, 4 Mar 1997 10:07:16 -0800 (PST) From: Leonard Miyata To: Stan Wnuck cc: firewalls@GreatCircle.COM Subject: Re: What's the difference? In-Reply-To: <199703041533.HAA01023@miles.greatcircle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk There is considerable overlap between 'Firewalls' and 'Guards'. The purpose of a 'Guard' is to separate Domains and to transfer data (ip packets, email messages etc) according to the rules (write up, read down, MAC, DAC, I&A) deemed appropriate. 'Firewalls' are much more Generic, allowing Insiders to access Outside information, while restricting Outsiders' access to the Inside Network. The overall Goals are the same. However, 'Guards' must meet strict evaluation requirements ('Red Book', 'Orange Book', NCSC certification), Documentation requirements (SFUG), and strict functional requirements (MAC, DAC, I&A, Audit). Because of the expense and time constraints of Third Party Evaluation, and re-certification of modifications and upgrades, 'Guards' will usually be behind 'Firewalls' in features and performance. 'Firewalls' being market driven, will always have more advanced features and higher performance. But as for strict third party evaluation of the product, it's 'May the buyer Beware' as the lack of market demand for 'Verification' of a product does not justify the expense of doing so. 
Only if market demand changes will the 'Trust' requirements of 'Guards' be merged into 'Firewalls'. Personal Opinion Provided Leonard Miyata aka leonard@geminisecure.com Gemini Computers Inc. On Tue, 4 Mar 1997, Stan Wnuck wrote: > > This might be a stupid question, but one that still perplexes me. > > I heard one time that the only difference between a Guard and > a Firewall is that a Guard is just an expensive Firewall. > Can anyone really give a real good explanation between the two? > > > Stan Wnuck swnuck@unixpros.com > Unixpros, Inc. > 10 Industrial Way East (908) 389-3295 x542 > Eatontown, NJ 07724 (908) 389-5461 Fax > > PM-CHS Technology Insertion Office > Ft. Monmouth Army Base, NJ (908) 427-2033 / 427-6963 > From firewalls-owner Tue Mar 4 11:23:51 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA13667 for firewalls-outgoing; Tue, 4 Mar 1997 09:03:31 -0800 (PST) Received: from mycroft.GreatCircle.COM (mycroft.greatcircle.com [198.102.244.35]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id JAA13506 for ; Tue, 4 Mar 1997 09:02:33 -0800 (PST) Received: from news.acrux.net by mycroft.GreatCircle.COM (8.8.5/SMI-4.1/Brent-961106) id IAA25620; Tue, 4 Mar 1997 08:59:22 -0800 (PST) Received: from pluto (pluto [207.51.199.3]) by news.acrux.net (8.8.3/8.8.3) with SMTP id KAA10741; Tue, 4 Mar 1997 10:58:38 -0600 (CST) Date: Tue, 4 Mar 1997 10:58:38 -0600 (CST) From: Brian Tackett X-Sender: cym@pluto To: Bernd Eckenfels cc: firewalls@GreatCircle.COM Subject: Re: Firewall OS In-Reply-To: <19970304012226.25133@inka.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk On Tue, 4 Mar 1997, Bernd Eckenfels wrote: > Excuse my ignorance. But what on earth is that important to be secured that > way? My general impression is most ppl don't even READ the logs. 
And if you > fear a hacker could erase them the main damage (a break in) has already > happened. If people don't read the logs, they might as well not even bother buying or building that shiny new firewall. See below for the second point. > a) hacker destroys your site.. you don't need logs, you WILL notice > b) hacker stores warezes or uses your host for further breakins > (you will notice sooner or later) > c) hacker will steal all your vulnerable data (and continues to do so). In all of these cases, you seem to lack a grasp of the fundamental nature of electronic/information security. It is axiomatic that a determined and talented intruder can get in, if they have the time, resources, and will to do so. In all of the listed cases, there are two objectives of your information security policy (including firewalls and other security measures)... 1) To enforce security policy, including the protection of sensitive data. 2) To allow the intruder to be traced and, if possible, apprehended. To use an analogy, there is no way I can put enough security on my house to keep someone from breaking in. But I *CAN* do enough to ensure that, should someone break into my house, I will know about it, and have sufficient data points to find out who he is. > > c is the most problematic case in log-file tampering. But since the hacker > can copy your current databases in a few minutes he won't do all that > additional work to delete logs. Am I missing something? He will if he has any intelligence. If you're unaware of the intrusion, you're at even more of a disadvantage, because the intruder (assuming he has a serious objective) can disseminate your information to interested parties, and since you are unaware of it, you can't act to counter. Also, an undetected intruder has all the time in the world to completely mine your system and place plenty of alternate access routes for himself. > Security is nice, but one should never leave ground.. 
> some companies don't
> have all that money they would need to pay for silly security.

Your above stated viewpoint is exactly why so many companies discover to their amazement that their information resources are, or can be, VERY important. Security does need to be tempered by practicality, but I sincerely hope you aren't the person who decides security policies for your organization ;)

From firewalls-owner Tue Mar 4 11:29:33 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA16754 for firewalls-outgoing; Tue, 4 Mar 1997 09:23:25 -0800 (PST)
Received: from reflections.mindspring.com (reflections.eng.mindspring.net [207.69.183.9]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id JAA16701 for ; Tue, 4 Mar 1997 09:22:55 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.6/8.7.3) with SMTP id MAA26294; Tue, 4 Mar 1997 12:18:35 -0500
Date: Tue, 4 Mar 1997 12:18:35 -0500 (EST)
From: Todd Graham Lewis
To: "James W. Thornton"
cc: Firewalls@GreatCircle.COM
Subject: Re: SGI Guantlet Firewalls?
In-Reply-To: <2.2.32.19970301090833.009c0288@mail.gte.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I would be hesitant to run SGIs as firewalls, merely based on the history of major (silly) security bugs in IRIX. As long as you're willing to follow the patches, though, you should be marginally safe.
__
Todd Graham Lewis MindSpring Enterprises tlewis@mindspring.com

From firewalls-owner Tue Mar 4 11:33:05 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA16502 for firewalls-outgoing; Tue, 4 Mar 1997 09:21:34 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id JAA16177 for ; Tue, 4 Mar 1997 09:20:11 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id LAA04603; Tue, 4 Mar 1997 11:06:06 -0500
Date: Tue, 4 Mar 1997 11:06:03 -0500 (EST)
From: Rabid Wombat
To: Adam Shostack
cc: Firewalls mailing list
Subject: Re: Java as Web SERVER language
In-Reply-To: <199703031733.MAA24834@homeport.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

You might want to look into the W3 Jigsaw server effort - it is a Java server that employs java server-side applets. There may be info available on the security aspects at W3.org, haven't looked, though.

-r.w.

On Mon, 3 Mar 1997, Adam Shostack wrote:

> Are there known problems with using Java to write web server
> code? I like the idea of using a strongly typed language with garbage
> clean up, but worry that there may be calls in the library like
> sprintf or strcpy. Has anyone done any research on this?
>
> Failing that, I see the big problem as being one of parsing
> user input, with its usual host of attendant dangers. Are there other
> things I should be worrying about within the confines of thinking
> about what language to use?
>
> Adam
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume

From firewalls-owner Tue Mar 4 11:33:27 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id LAA00135 for firewalls-outgoing; Tue, 4 Mar 1997 11:12:51 -0800 (PST)
Received: from blkbox.com (blkbox.com [206.109.97.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id LAA29928 for ; Tue, 4 Mar 1997 11:12:04 -0800 (PST)
Received: from s64.max0.houston.box.net by blkbox.COM id aa16044; 4 Mar 97 12:44 CST
Message-Id: <3.0.32.19970304124641.0096e890@mail.blkbox.com>
X-Sender: renegade@mail.blkbox.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 04 Mar 1997 12:47:16 -0600
To: Firewalls@greatcircle.com, Jose Luis Delgado
MMDF-Warning: Unable to confirm address in preceding line at blkbox.COM
From: renegade
Subject: RE: sniffer!
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Be careful in using the network monitor from Microsoft; there is code to exploit and capture username/password out on the net now, that can be run from unix and nt systems. netmon.exe has a big security hole in it.

At 12:11 PM 3/4/97, you wrote:
>Hi,
>
>NT 4.0 server comes with its network monitoring utility which was in prev.
>versions called blood..
>you can also run most of the software sniffers that support NDIS 3.0 (the one
>using in WfW 3.11 and NT 3.5/3.51 since NT 4.0 runs NDIS 4.0 which is compatible
>with ndis 3.0)
>hope this helps
>/ZIv
>
>--- On Mon, 3 Mar 1997 17:59:57 -0600 (CST) Jose Luis Delgado
> wrote:
>
>>Hi guys!!
>>
>>If exist:
>>where can I find a sniffer for NT 4.0??
>>or a
>>tcp wrapper??
>>
>>Thanks in advance!
>
>-----------------End of Original Message-----------------
>
>
> /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
> | A B I R N E T Active Network Protection |
> \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
> / AbirNet provides the next generation in Internet and Intranet Protection\
> | AbirNet provides Windows 95 & NT-based software that lets you know |
> | how your network is being used while protecting it from intrusions |
> | and abuse using no-network overhead, see-it-all filtering, blocking, |
> | alerting, logging, and scanning technologies. |
> | |
> \========== Get a BETA version at ================/

==========================================================================
renegade@blkbox.com |Knowledge isn't power till it is used and exploited
281-894-4910 |Internet Security Consultant
==========================================================================

From firewalls-owner Tue Mar 4 14:01:22 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA15698 for firewalls-outgoing; Tue, 4 Mar 1997 09:17:35 -0800 (PST)
Received: from europa.lif.icnet.uk (europa.lif.icnet.uk [143.65.100.4]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id JAA15608 for ; Tue, 4 Mar 1997 09:17:12 -0800 (PST)
From: harley@icrf.icnet.uk
Message-Id: <199703041717.JAA15608@miles.greatcircle.com>
Received: by europa.lif.icnet.uk; Tue, 4 Mar 1997 17:15:33 GMT
Subject: Re: virus checking
To: crumrig@us-state.gov
Date: Tue, 4 Mar 1997 17:15:33 +0000 (GMT)
Cc: firewalls@greatcircle.com
In-Reply-To: from "crumrig@us-state.gov" at Mar 4, 97 07:14:46 am
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> I don't know where you are getting your info David,

Are you asking for credentials?
* Primary author and maintainer of alt.comp.virus FAQ
* Primary author of "Viruses and the Macintosh" FAQ
* Extensive contributions to Virus-L and other lists and digests
* Beta tester for a number of AV products
* Author of a number of specialist articles
* Virus management professional
* etc.

If you want the full c.v., you'll have to offer me a job. B-) In other words, I have a much higher profile in AV circles than I do in firewall circles.

> but the product I am familiar with (mimesweeper) uses the
> same desktop software you use to check at the desktop.
> So how can it be less useful?

Context. Consider the range of tasks a desktop antivirus software suite might perform, depending on which package and which components you use (this isn't an exhaustive list).

* validate its own integrity
* validate the integrity of other programs
* validate the integrity of the boot sector and master boot record
* check for known viruses in memory
* monitor code on execution for suspicious behaviour
    non-intervening monitoring
    behaviour blocking
* check for known viruses in system areas such as the master boot record
* scan the local hard disk on access for known viruses
* scan the local hard disk on demand
    scan for known viruses
    scan for complex polymorphics
    heuristic scan for unknown viruses
* scan floppies on access for known viruses
* scan program files on access for known viruses
* scan ftp/http downloads on receipt and/or diskwrite
* scan mail on receipt and/or disk-write
* etc......

All MIMEsweeper does is filter mail (AFAIK it still doesn't do FTP/HTTP, though that's promised). Not just for viruses, so you might find lots of uses for it. But the AV scanner is there to validate mail as regards viruses. You -might- have the software configured to do all the jobs mentioned above as well. But the software isn't on the desktop, it's on an NT workstation at or near the perimeter, so it's not going to validate your desktop.
MIMEsweeper doesn't know about client PCs, only about post offices. You could run desktop software from a file server to protect a client PC, but that's a different scenario. There's nothing wrong in principle with using MIMEsweeper. But don't fall into the trap of expecting it to do more than it was designed to do.

> Don't say it slows down things either,

I don't need to: you're just about to. B-)

> because it has been our experience that its effect on delivery
> time is negligible.

In other words, there is an effect, but for you it's acceptable. Fair enough. Other people report differently. Again, it's a matter of context. Mail is essentially store and forward anyway: it can hang around for days before it's delivered, so hanging around a bit longer while MIMEsweeper filters it may well be perfectly acceptable. How acceptable it is to others depends on hardware, configuration, volume of traffic, user expectations, and what other defences you have in place (and many other factors, no doubt).

--
David Harley \ | / alt.comp.virus FAQ
D.Harley@icrf.icnet.uk \ | / & Anti-Virus Web Page
Support & Security Analyst \ | / Folk London On-Line gig-list
Imperial Cancer Research Fund ____\|/____ http://webworlds.co.uk/dharley/

From firewalls-owner Tue Mar 4 14:02:12 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id MAA13775 for firewalls-outgoing; Tue, 4 Mar 1997 12:52:25 -0800 (PST)
Received: from reflections.mindspring.com (reflections.eng.mindspring.net [207.69.183.9]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id MAA13711 for ; Tue, 4 Mar 1997 12:51:53 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.6/8.7.3) with SMTP id PAA27459; Tue, 4 Mar 1997 15:49:41 -0500
Date: Tue, 4 Mar 1997 15:49:41 -0500 (EST)
From: Todd Graham Lewis
To: John Madincea <71333.2026@CompuServe.COM>
cc: majordomo
Subject: TIS Gauntlet !
In-Reply-To: <970302165426_71333.2026_DHB58-1@CompuServe.COM>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

From firewalls-owner Tue Mar 4 14:54:56 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id MAA13213 for firewalls-outgoing; Tue, 4 Mar 1997 12:48:20 -0800 (PST)
Received: from actcom.co.il (actcom.co.il [192.114.47.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id MAA13060 for ; Tue, 4 Mar 1997 12:47:30 -0800 (PST)
Received: from localhost by actcom.co.il with SMTP (8.8.4/actcom-0.1) id WAA19069; Tue, 4 Mar 1997 22:46:51 +0200 (EET) (rfc931-sender: hayam@localhost)
Date: Tue, 4 Mar 1997 22:46:50 +0200 (EET)
From: Avraham Hayam
Reply-To: Avraham Hayam
To: Steve Wright
cc: pearses@businessgas.co.uk, firewalls@GreatCircle.COM
Subject: Re: NT Firewalls
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Where can I find the data on TIS Gauntlet?

Thank you
Avraham Hayam

On Tue, 4 Mar 1997, Steve Wright wrote:

> You might wanna try TIS Gauntlet. They have an excellent setup for NT.
>
> Hope this helps,
>
> Steve W.
> Security Consultant
>
> On Tue, 4 Mar 1997 pearses@businessgas.co.uk wrote:
>
> > For those of us watching in black and white,
> >
> > what are the good firewalls for NT ?
> >
> > steve

From firewalls-owner Tue Mar 4 15:07:20 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id OAA00275 for firewalls-outgoing; Tue, 4 Mar 1997 14:35:02 -0800 (PST)
Received: from reflections.mindspring.com (reflections.eng.mindspring.net [207.69.183.9]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id OAA29975 for ; Tue, 4 Mar 1997 14:34:12 -0800 (PST)
Received: from localhost (lists@localhost) by reflections.mindspring.com (8.7.6/8.7.3) with SMTP id RAA27994; Tue, 4 Mar 1997 17:32:01 -0500
Date: Tue, 4 Mar 1997 17:32:01 -0500 (EST)
From: Todd Graham Lewis
To: Chris Brown
cc: firewalls@GreatCircle.COM
Subject: Re: Linux VS FreeBSD as firewall / route

From firewalls-owner Tue Mar 4 20:18:44 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id UAA15486 for firewalls-outgoing; Tue, 4 Mar 1997 20:08:05 -0800 (PST)
Received: from xyzzy.plugh.edmonton.ab.ca (xyzzy.plugh.edmonton.ab.ca [198.161.22.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id UAA15423 for ; Tue, 4 Mar 1997 20:07:47 -0800 (PST)
Received: (from uucp@localhost) by xyzzy.plugh.edmonton.ab.ca (8.6.12/8.6.9) id VAA12540; Tue, 4 Mar 1997 21:05:59 -0700
Received: from snouts-gw.obtuse.com(192.168.30.61), claiming to be "snouts.obtuse.com" via SMTP by mailhost.plugh.edmonton.ab.ca, id smtpd12538aaa; Tue Mar 4 21:05:51 1997
Received: (from beck@localhost) by snouts.obtuse.com (8.7.5/8.7.3) id VAA05514; Tue, 4 Mar 1997 21:05:41 -0700
From: Bob Beck
Message-Id: <199703050405.VAA05514@snouts.obtuse.com>
Subject: Re: Perl/Java on an External Web Server
To: GAUSER@schneider.com (Gause Robert)
Date: Tue, 4 Mar 1997 21:05:40 -0700 (MST)
Cc: Firewalls@GreatCircle.COM
In-Reply-To: from "Gause, Robert" at Mar 4, 97 02:05:00 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>
> We are having discussions inside my company on whether it is appropriate or
> not to run Perl or Java CGI programs on an external web server. My personal
> preference is not to run either at the server and I am aware that Chapman &
> Zwicky warn against it.
>
> What are your opinions and experiences.
>

There's no right answer. The easy answer is "don't do it, it's dangerous, and hard to do right". The same can be said for the net in general, so the easy answer doesn't always work. It really varies and depends on *why* and for what reason you need CGI scripts, and what resources you have to deal with them.

I've seen many different ways to skin this cat. Here are some I've seen from a variety of organizations:

1) We have no need for it for anything, so we don't allow it.

2) We need some limited CGI, but we don't have the resources to maintain it here. Our ISP, however, does allow us to do CGI and will host them on their web server, so we use our ISP's web server for CGI; they vet the scripts, their problem.

3) We need some CGI, but it's for our own stuff and we don't want to have it on another server. We have decided that CGI scripts may be written in C and must go through a code review process with our webmaster and a group of our geeks before they're allowed. We have an internal test server for people to develop them on.

4) Same as the above but C and perl.

5) We allow a certain set of people who we view as clued to write CGI's (possibly with some restrictions).

6) Our webmasters are security geeks and write all our CGI scripts. Nobody else is allowed to as they don't have a clue. We trust our guys not to make too many mistakes.

7) It's more valuable for us to be able to do CGI all over than the security risk the scripts entail. All our users can do un-script-aliased CGI.
We watch the other avenues of attack and log carefully, and we do plenty of user education about how to write good CGI code, but we realize we probably have users who have really dumb scripts out there; when we find them we make them fix them. (This is a teaching department at a university BTW. The purpose of the machines is for students to learn on; CGI is important to them. Increasing security at a large cost in learning is cutting off nose to spite face.)

I suppose the best thing to ask then is, well, what do you need it for? What value is it, and what resources do you have to devote to making sure it's done right? Most of the particular decisions above, in the context they were made (and given other factors, such as servers running chrooted, etc) I agreed with, as they were an acceptable decision made by an organization based on their needs at the time.

> Secondarily, any thoughts on serving Java apps (I am more open to this)?

Generally less risky, but usually for anything useful (as opposed to cute) it gets used in conjunction with CGI, and many people do not use it, for fear of problems. While you may be able to do it, it may not solve the problems you want to solve using CGI.
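The discipline behind "how to write good CGI code" above (and the parsing-user-input worry Adam Shostack raised earlier in this digest), as an added example that is not Bob Beck's code or any project's: every request value is rejected unless it matches an allowlist, and only the validated value reaches the filesystem or a child process. It is written in Python rather than the Perl or C the thread discusses; the `report` parameter and the `/var/www/reports` directory are assumptions made for the example.

```python
"""Added example (not from the thread): allowlist validation for a CGI
parameter before it touches the filesystem or a child process.

The 'report' parameter and the /var/www/reports directory are assumptions
made for this example.
"""
import os
import re
import subprocess
import sys
from urllib.parse import parse_qs

# Hypothetical directory of pre-generated text reports the script may serve.
REPORT_DIR = "/var/www/reports"

# Allowlist: a short run of safe characters. Slashes, dots, NUL bytes and
# shell metacharacters never match, so such input is rejected, not "cleaned".
REPORT_NAME = re.compile(r"\A[A-Za-z0-9_-]{1,32}\Z")


def report_name(query_string):
    """Return the validated 'report' value, or None if it is absent,
    repeated, empty, or fails the allowlist."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("report", [])
    if len(values) != 1:
        return None
    return values[0] if REPORT_NAME.match(values[0]) else None


def report_path(query_string, base_dir=REPORT_DIR):
    """Map a validated name onto a file under base_dir, and refuse anything
    that resolves outside it even after the regex has passed."""
    name = report_name(query_string)
    if name is None:
        return None
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name + ".txt"))
    if os.path.commonpath([base, path]) != base:
        return None
    return path


def word_count(query_string, base_dir=REPORT_DIR):
    """Count the words in the selected report with an external tool. The
    path is passed as one argv element, so no shell ever parses
    user-derived data (os.system("wc -w " + path) would hand it to one)."""
    path = report_path(query_string, base_dir)
    if path is None or not os.path.isfile(path):
        return None
    result = subprocess.run(["wc", "-w", path], capture_output=True,
                            text=True, check=False)
    if result.returncode != 0:
        return None
    return int(result.stdout.split()[0])


def respond(query_string, base_dir=REPORT_DIR):
    """Build the CGI response as (status, body). Rejected input gets a
    generic error rather than an echo of what was sent."""
    if report_name(query_string) is None:
        return ("400 Bad Request",
                "report must be 1-32 characters from [A-Za-z0-9_-]\n")
    count = word_count(query_string, base_dir)
    if count is None:
        return ("404 Not Found", "no such report\n")
    return ("200 OK", "%d words\n" % count)


if __name__ == "__main__":
    # Under a CGI-capable server the query arrives in QUERY_STRING.
    status, body = respond(os.environ.get("QUERY_STRING", ""))
    sys.stdout.write("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s"
                     % (status, body))
```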
From firewalls-owner Tue Mar 4 20:33:01 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id UAA14951 for firewalls-outgoing; Tue, 4 Mar 1997 20:02:51 -0800 (PST)
Received: from diablo.cisco.com (diablo.cisco.com [171.68.223.106]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id UAA14904 for ; Tue, 4 Mar 1997 20:02:37 -0800 (PST)
Received: from clonvick-pc.cisco.com (sj-dial-3-27.cisco.com [171.68.179.28]) by diablo.cisco.com (8.8.5/CISCO.SERVER.1.2) with SMTP id UAA07088; Tue, 4 Mar 1997 20:00:21 -0800 (PST)
Message-Id: <2.2.32.19970305035659.006df6b8@diablo.cisco.com>
X-Sender: clonvick@diablo.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 04 Mar 1997 21:56:59 -0600
To: Jim Serven , Phil Pierotti
From: Chris Lonvick
Subject: Re: your mail
Cc: firewalls@GreatCircle.COM
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi All,

With a _shared_ media you'll probably get 3Mbps over ethernet. I recall the "token ring study" where the proponents argued that token rings can sustain a whole bunch-o-workstations at near wire-speed while a shared Ethernet, with the same number of workstations, would result in lots of collisions and backoffs resulting in "reduced efficiency". The conclusion was that 3Mbps was about the best you could expect with lots of devices on a shared Ethernet. Err..., I guess the real conclusion was that everyone should buy token ring equipment.

On the other hand, with only 2 devices on an Ethernet (like a firewall and a router) you can get about 8Mbps throughput on a 10MHz media if both are really crankin' away. This was the thought behind the Ethernet Switch and then full-duplex Ethernet.

I'd agree with Jim, here: make sure that your back-end can load your pipe. I would really hate to go to upper-management to tell them that your link to the Internet (which you are paying $$$$ for) cannot be fully utilized.
Hope this helps,

Chris Lonvick
Cisco Systems Consulting Engineering
Houston, TX, USA
+1.713.778.5663

At 02:42 PM 3/4/97 -0500, Jim Serven wrote:
>
>> We're going to have a 16Mbps pipe to the internet and I'd assume that'd
>> require more than 10Base2 on the local LAN (Probably 10BaseTX), but feel
>> free to correct me if I'm wrong on this one.
>
>If you truly are getting a 16 Mb (frac DS3) pipe, then you should utilize
>-100-baseTX, and not -10-base. Reason I say this is 10bT only gives you
>approximately 3 Mb at its peak - so you won't see/meet your speed
>required or utilized.
>
>If, however, you only utilize 10bT on your local lan, then you have some
>options open to you, as well as a few ways to go about it. I will,
>however, spare these options, as they are somewhat obvious and not
>necessary to explicitly mention.
>
>Regards,
>
>-Jim
>
>[-------------------------------------------------------------]
>[ Jim Serven The GLIX Network ]
>[ President PO Box 13516 ]
>[ http://www.glix.net Flint, Mi 48501-3516 ]
>[ (v) 810.898.4483 (f) 810.695.8403 ]
>[-------------------------------------------------------------]
> The GLIX Network = Professional Internet Solutions | GLIX.Net

From firewalls-owner Tue Mar 4 21:37:57 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id VAA22065 for firewalls-outgoing; Tue, 4 Mar 1997 21:28:19 -0800 (PST)
Received: from gargoyle.clark.net (gargoyle.clark.net [168.143.0.250]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id VAA22058 for ; Tue, 4 Mar 1997 21:28:12 -0800 (PST)
Received: (qmail 18993 invoked by uid 500); 5 Mar 1997 05:29:09 -0000
Date: Wed, 5 Mar 1997 00:29:09 -0500 (EST)
From: "Paul D. Robertson"
X-Sender: proberts@gargoyle
To: Bob Beck
cc: Gause Robert , Firewalls@GreatCircle.COM
Subject: Re: Perl/Java on an External Web Server
In-Reply-To: <199703050405.VAA05514@snouts.obtuse.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 4 Mar 1997, Bob Beck wrote:

[snip good CGI stuff]

> >
> > Secondarily, any thoughts on serving Java apps (I am more open to this)?
> >
>
> Generally less risky, but usually for anything useful (as
> opposed to cute) it gets used in conjunction with CGI, and many people
> do not use it, for fear of problems. While you may be able to do it,
> it may not solve the problems you want to solve using CGI.

Don't forget that if you do Java on an external web server, you will _probably_ have to let the internal folks see and use it. You'll want to make sure that you want to allow Java into the organization before you take that step.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@clark.net which may have no basis whatsoever in fact."
PSB#9280

From firewalls-owner Tue Mar 4 21:48:20 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id VAA22940 for firewalls-outgoing; Tue, 4 Mar 1997 21:40:34 -0800 (PST)
Received: from mcfeely.bsfs.org (mcfeely.bsfs.org [204.91.13.34]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id VAA22857 for ; Tue, 4 Mar 1997 21:40:08 -0800 (PST)
Received: (from wombat@localhost) by mcfeely.bsfs.org (8.6.12/8.6.12) id XAA05687; Tue, 4 Mar 1997 23:26:14 -0500
Date: Tue, 4 Mar 1997 23:26:11 -0500 (EST)
From: Rabid Wombat
To: Chris Lonvick
cc: Jim Serven , Phil Pierotti , firewalls@GreatCircle.COM
Subject: Re: your mail
In-Reply-To: <2.2.32.19970305035659.006df6b8@diablo.cisco.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 4 Mar 1997, Chris Lonvick wrote:

> Hi All,
>
> With a _shared_ media you'll probably get 3Mbps over ethernet. I recall the
> "token ring study" where the proponents argued that token rings can sustain
> a whole bunch-o-workstations at near wire-speed while a shared Ethernet,
> with the same number of workstations would result in lots of collisions
> and backoffs resulting in "reduced efficiency". The conclusion was that
> 3Mbps was about the best you could expect with lots of devices on a shared
> Ethernet. Err..., I guess the real conclusion was that everyone should
> buy token ring equipment.
>
> On the other hand, with only 2 devices on an Ethernet (like a firewall
> and a router) you can get about 8Mbps throughput on a 10MHz media if
> both are really crankin' away. This was the thought behind the Ethernet
> Switch and then full-duplex Ethernet.
>
> I'd agree with Jim, here: make sure that your back-end can load your pipe.
> I would really hate to go to upper-management to tell them that your link
> to the Internet (which you are paying $$$$) cannot be fully utilized.
>

Just run fast ethernet interfaces on your outside router, firewall, and inside router (and use EISA or PCI NICs (not ISA) if you use an Intel based firewall). I have run fast ethernet on Cisco routers, and have had no problems with the performance. One of the sites I support has multiple Catalyst 5000 ethernet switches interconnected to a 7507 via multiple fast ethernet connections, with the 7507 then connected to a FW-1/Sun Sparc platform. Works fine. Can't comment on FW-1 on NT, though.

-r.w.

From firewalls-owner Tue Mar 4 22:02:57 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id VAA23589 for firewalls-outgoing; Tue, 4 Mar 1997 21:50:40 -0800 (PST)
Received: from usr09.primenet.com (usr09.primenet.com [206.165.5.109]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id VAA23554 for ; Tue, 4 Mar 1997 21:50:24 -0800 (PST)
Received: from primenet.com (root@mailhost01.primenet.com [206.165.5.52]) by usr09.primenet.com (8.8.5/8.8.5) with ESMTP id WAA01519; Tue, 4 Mar 1997 22:48:53 -0700 (MST)
Received: from Papa.mscomm.com (ip194.vcv.primenet.com [204.245.12.194]) by primenet.com (8.8.5/8.8.5) with SMTP id WAA09889; Tue, 4 Mar 1997 22:48:32 -0700 (MST)
Message-ID: <331D097A.321A@primenet.com>
Date: Tue, 04 Mar 1997 21:49:46 -0800
From: "Marc H. Ingle"
Reply-To: elgnim@primenet.com
Organization: Primenet
X-Mailer: Mozilla 3.01Gold (Win95; I)
MIME-Version: 1.0
To: rlcopperman@ccgate.hac.com, firewalls@GreatCircle.COM
Subject: Mail List
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Please REMOVE me from this list.
From firewalls-owner Tue Mar 4 22:48:48 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id WAA24645 for firewalls-outgoing; Tue, 4 Mar 1997 22:03:36 -0800 (PST)
Received: from hcsnet1.hcsaust.com.au (hcsnet1.hcsaust.com.au [150.173.243.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id WAA24567; Tue, 4 Mar 1997 22:03:09 -0800 (PST)
Received: (from mail@localhost) by hcsnet1.hcsaust.com.au (8.6.12/8.6.9) id PAA04247; Wed, 5 Mar 1997 15:59:42 +1100
Received: from admin.hcsaust.com.au(150.173.254.28) by hcsnet1.hcsaust.com.au via smap (V1.3) id sma004245; Wed Mar 5 15:59:42 1997
Received: from support.Hcsaust.com.au (support.hcsaust.com.au [150.173.253.61]) by admin.hcsaust.com.au (8.6.12/8.6.9) with SMTP id RAA19009; Wed, 5 Mar 1997 17:06:53 +1100
Posted-Date: Wed, 5 Mar 1997 17:06:53 +1100
Organization: HCS Australia
X-HCS-Address: 680 Blackburn Road, Clayton VIC 3168, Australia
X-HCS-Phone-Fax: Phone: + 61 3 9541-7500, Fax: + 61 3 9543-3396
Date: Wed, 5 Mar 1997 16:49:34 +1100 (EST)
From: Matthew Curtain
To: Firewalls@GreatCircle.COM
cc: firewalls-digest@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #91
In-Reply-To: <199703040900.BAA16020@miles.greatcircle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi All

I know this question is more a linux O/S related question, but does anyone use FWTK on a Linux box with 3 Network cards? Dual homed Bastion with separate network for WEB Servers and alike. Is this possible and what are the issues involved?
Thanks in advance

Matt

Matthew Curtain (Systems Engineer) matthewc@hcsaust.com.au
HCS Australia Ph: 61 3 95417500
680 Blackburn Rd Fax: 61 3 95442258
Clayton Victoria 3168 Australia

From firewalls-owner Tue Mar 4 23:02:49 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id WAA28515 for firewalls-outgoing; Tue, 4 Mar 1997 22:30:00 -0800 (PST)
Received: from halon.sybase.com (halon.sybase.com [192.138.151.33]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id WAA28210 for ; Tue, 4 Mar 1997 22:28:49 -0800 (PST)
Received: from smtp1.sybase.com (sybgate.sybase.com [130.214.220.35]) by halon.sybase.com (8.8.4/8.8.4) with SMTP id WAA05951 for ; Tue, 4 Mar 1997 22:29:55 -0800 (PST)
Received: from notesgw2.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA22722; Tue, 4 Mar 97 22:27:39 PST
Received: (from unixsvr1@localhost) by notesgw2.sybase.com (8.8.4/8.8.4) id WAA25510 for @sybgate.sybase.com:firewalls@GreatCircle.COM; Tue, 4 Mar 1997 22:26:46 -0800 (PST)
Message-Id: <199703050626.WAA25510@notesgw2.sybase.com>
Received: by SybaseNotes (Lotus Notes Mail Gateway for SMTP V1.1) id 74ED2F794C21A5E4882564510023C7EC; Tue, 4 Mar 97 22:26:41 EDT
To: andrew robinson
Cc: firewalls
From: Ryan Russell/SYBASE
Date: 4 Mar 97 22:32:20 EDT
Subject: Re: packet filtering
X-Lotus-Type: Reply All
Mime-Version: 1.0
Content-Type: Text/Plain
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

The clients would be running IP I assume, so they could surf. Attacker can simply connect to one of them as a jumping-off point. Not too difficult to get a Win95 machine to connect a share from your NT box and move the files in and out that way.
Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: robinson @ tchocolate.com (andrew robinson) @ smtp
Date: 03/04/97 08:45:32 AM
Subject: packet filtering

Content-Transfer-Encoding: 8bit

I oversee a small network of about 25 users (quickly growing): 10 Macs, 10 Win95 and 5 NT4.0 machines. Sometime during the next month, I will be installing a Cisco 1602 so that local users can gain access to the web and email. We have 3 servers on the network: 1 appleshare (apple talk), 1 novell 3.12 (ipx) and 1 nts4.0 (netBEUI). None of the servers are or will be running TCP/IP. During the next six months, we will be replacing the macs with NT and removing the Novell server. The network will then run entirely on ipx. All DNS, Web and email will be hosted by our ISP. Email will eventually move in-house.

So, if I do basic packet filtering on the Cisco, and "unbind" TCP/IP from the server services on the NT machines, am I setting up a pretty secure/safe situation? If I block all UDP, will DNS revert to TCP and still function? Will this hurt performance?
Thanks in advance,

andrew robinson
totally chocolate

From firewalls-owner Tue Mar 4 23:32:50 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id XAA07170 for firewalls-outgoing; Tue, 4 Mar 1997 23:27:41 -0800 (PST)
Received: from fw.matav.hu (firewall.matav.hu [145.236.225.161]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id XAA07151 for ; Tue, 4 Mar 1997 23:27:29 -0800 (PST)
Received: from tiivs7.tii.matav.hu ([145.236.48.148]) by hades.fw.matav.hu with SMTP id <55630-1>; Wed, 5 Mar 1997 08:24:40 +0100
Received: from piheno.tii.matav.hu by tiivs7.tii.matav.hu (MX V4.1 VAX) with SMTP; Wed, 05 Mar 1997 08:25:11 MET
Received: (from mag@localhost) by piheno.tii.matav.hu (8.6.12/8.6.9) id IAA01150; Wed, 5 Mar 1997 08:27:06 GMT
Date: Wed, 5 Mar 1997 09:27:05 +0100
From: "Magossa'nyi A'rpa'd"
To: "Gause, Robert"
CC: Firewalls@GreatCircle.COM
Subject: HTML filtering and Re: Perl/Java on an External Web Server
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 4 Mar 1997, Gause, Robert wrote:

> We are having discussions inside my company on whether it is appropriate or
> not to run Perl or Java CGI programs on an external web server. My personal
> preference is not to run either at the server and I am aware that Chapman &
> Zwicky warn against it.

Me too. My opinion is not to run anything on the firewall which is not absolutely necessary. The more services are running on the firewall, the more security holes are possible in it. You should put those thingies (anon ftp, www server, etc) in the demilitarized zone.

>
> What are your opinions and experiences.
>
> Secondarily, any thoughts on serving Java apps (I am more open to this)?

Java isn't running on the web server, it runs on the client.
In this scenario it seems to be equally safe as simple html. The problem with Java is the other direction: if you allow Java to get inside your firewall, you will risk downloading some applet which manages to get out from a badly-written Java virtual machine. We all have seen examples of vulnerabilities of this type. And ActiveX is far more dangerous than Java, though fortunately no one seems to use it outside the Microsoft domain :)

And if all that html filtering is OK, you still have to filter out .lnk and .url files, and God knows what else.

---
GNU GPL: only from a pure source

From firewalls-owner Tue Mar 4 23:51:46 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id XAA06234 for firewalls-outgoing; Tue, 4 Mar 1997 23:20:10 -0800 (PST)
Received: from wizard.abirnet.co.il (wizard.abirnet.co.il [194.90.211.10]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id XAA06218 for ; Tue, 4 Mar 1997 23:19:57 -0800 (PST)
Received: from ziv.abirnet.co.il (z1.abirnet.co.il [194.90.211.21]) by wizard.abirnet.co.il (8.7.6/8.7.3) with SMTP id JAA08606; Wed, 5 Mar 1997 09:18:23 +0200
Date: Wed, 5 Mar 97 09:12:30
From: Ziv Dascalu
Subject: RE: sniffer!
To: Firewalls@GreatCircle.COM, Jose Luis Delgado , renegade
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi,

Can you please tell me more about this? What do you mean "run from unix"?

Thanks
/Ziv

--- On Tue, 04 Mar 1997 12:47:16 -0600 renegade wrote:
>be careful in using the network monitor from Microsoft, there is code to
>exploit and capture
>username password out on the net now, that can be run from unix and nt
>systems.
>
>netmon.exe has big security hole in it.
>
>
>At 12:11 PM 3/4/97, you wrote:
>>Hi,
>>
>>NT 4.0 server comes with its network monitoring utility which was in prev.
>>versions called blood..
>>you can also run most of the software sniffers that support NDIS 3.0 (the one
>>using in WfW 3.11 and NT 3.5/3.51 since NT 4.0 runs NDIS 4.0 which is
>compatible
>>with ndis 3.0)
>>hope this helps
>>/ZIv
>>
>>--- On Mon, 3 Mar 1997 17:59:57 -0600 (CST) Jose Luis Delgado
>> wrote:
>>
>>>Hi guys!!
>>>
>>>If exist:
>>>where can I find a sniffer for NT 4.0??
>>>or a
>>>tcp wrapper??
>>>
>>>Thanks in advance!
>>
>>-----------------End of Original Message-----------------
>>
>>
>> A B I R N E T Active Network Protection
>> AbirNet provides the next generation in Internet and Intranet Protection
>> AbirNet provides Windows 95 & NT-based software that lets you know
>> how your network is being used while protecting it from intrusions
>> and abuse using no-network overhead, see-it-all filtering, blocking,
>> alerting, logging, and scanning technologies.
>> Get a BETA version at
>>
>>
>==========================================================================
>renegade@blkbox.com |Knowledge isn't power till it is used and exploited
>281-894-4910 |Internet Security Consultant
>==========================================================================

From firewalls-owner Wed Mar 5 00:03:01 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id XAA09993 for firewalls-outgoing; Tue, 4 Mar 1997 23:48:12 -0800 (PST) Received: from ns.calvacom.fr (ns.calvacom.fr [194.2.168.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id XAA09950 for ; Tue, 4 Mar 1997 23:47:57 -0800 (PST) Received: from LOCALNAME (par08.calvacom.fr [194.206.190.40]) by ns.calvacom.fr (8.7.3/8.6.9) with SMTP id IAA02523 for ; Wed, 5 Mar 1997 08:46:24 +0100 (MET) Message-ID: <331DA35D.294@calvacom.fr> Date: Wed, 05 Mar 1997 08:46:21 -0800 From: IHESI Organization: IHESI X-Mailer: Mozilla 2.01KIT (Win95; I; 16bit) MIME-Version: 1.0 To: firewalls@GreatCircle.COM Subject: Deconnected Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Please !!!
I would like to be disconnected from Firewalls@greatcircle.com and not receive the news.
Thanks

From firewalls-owner Wed Mar 5 00:21:02 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id XAA07527 for firewalls-outgoing; Tue, 4 Mar 1997 23:31:08 -0800 (PST) Received: from silence.secnet.com ([199.185.231.10]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id XAA07470 for ; Tue, 4 Mar 1997 23:30:46 -0800 (PST) Received: from localhost (oliver@localhost) by silence.secnet.com (8.8.5/secnet) with SMTP id AAA06246 for ; Wed, 5 Mar 1997 00:31:44 -0700 (MST) Date: Wed, 5 Mar 1997 00:31:44 -0700 (MST) From: Oliver Friedrichs To: firewalls@greatcircle.com Subject: FreeBSD lpd Security Vulnerability Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Secure Networks Inc.
Security Advisory
March 5, 1997

FreeBSD lpd Security Vulnerability

There is a serious security vulnerability in all FreeBSD lpd implementations. This vulnerability allows remote users to gain unauthorized root access to any system allowing connections to the line printer daemon (lpd). A user is not required to be in lpd's access list (/etc/hosts.lpd) to exploit this vulnerability, as the problem occurs while lpd is attempting to determine whether the host is permitted to connect.

Problem Description
~~~~~~~~~~~~~~~~~~~

The vulnerability is present in the source file lib/libc/net/rcmd.c, which contains the function __ivaliduser(). This function is used by the line printer daemon (lpd) to determine whether the user connecting to the daemon is in its access list (contained in /etc/hosts.lpd). When performing a domain name lookup on the connecting IP address, the resulting response is copied into a fixed size buffer of size MAXHOSTNAMELEN (256 bytes).
Since DNS responses containing a hostname and domain name are currently allowed to exceed 256 bytes, overflow can occur. The faulty code follows: if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL) return (-1); strcpy(hname, hp->h_name); The string copy is done without any bounds checking. Corrected code looks as follows: if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL) return (-1); strncpy(hname, hp->h_name, sizeof(hname)); hname[sizeof(hname)-1] = '\0'; Vulnerable Systems ~~~~~~~~~~~~~~~~~~ This security vulnerability only applies to the FreeBSD operating system. FreeBSD 2.1.5 is vulnerable FreeBSD 2.1.6 is vulnerable FreeBSD 2.1.7 is vulnerable FreeBSD 2.2 Gamma is vulnerable FreeBSD 2.2 is not vulnerable FreeBSD -current is vulnerable for dates prior to February 25, 1997 Corrected in -current, and -stable as of February 25, 1997. Workaround ~~~~~~~~~~ If the system in question does not require the use of printing services, lpd should be removed or commented out from the system startup file /etc/rc. If you require the use of printing services, this vulnerability can be fixed by applying the following patch to lib/libc/net/rcmd.c. This patch has been known to apply to all FreeBSD 2.x systems. --- CUT HERE --- *** libc/lib/net/rcmd.c.old Tue Feb 25 15:33:42 1997 --- libc/lib/net/rcmd.c Tue Feb 25 15:33:56 1997 *************** *** 377,383 **** if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL) return (-1); ! strcpy(hname, hp->h_name); while (fgets(buf, sizeof(buf), hostf)) { p = buf; --- 377,384 ---- if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long), AF_INET)) == NULL) return (-1); ! strncpy(hname, hp->h_name, sizeof(hname)); ! hname[sizeof(hname)-1] = '\0'; while (fgets(buf, sizeof(buf), hostf)) { p = buf; --- CUT HERE --- At this point, libc will have to be recompiled. lpd is shipped dynamically linked under FreeBSD, therefore the fix will take effect without recompiling lpd itself. 
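Review bot: the two `!` lines in the `--- 377,384 ----` half close the overflow, but `sizeof(hname)` is only the buffer size because hname is a local array (the text calls it a fixed-size MAXHOSTNAMELEN buffer); if that declaration ever became a pointer the copy would silently shrink to pointer size, so a comment at the copy site would help. The patch also truncates an answer of 256 bytes or more silently and then hands the shortened name to the `while (fgets(buf, sizeof(buf), hostf))` comparison loop; that is fail-closed (a cut-down name can only fail to match a full hosts.lpd entry), but returning -1 for an over-length name, as the `gethostbyaddr` failure path already does, would make the condition visible rather than hidden. Finally, the patch header names `libc/lib/net/rcmd.c` while the Problem Description names `lib/libc/net/rcmd.c`; the workaround should state from which directory, and with which `-p` level, the patch is meant to apply.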
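To make the advisory's point concrete, here is an added C example (not FreeBSD's or Secure Networks' code): the bounded copy the patch introduces, beside a stricter reject-on-overflow variant that the advisory does not itself propose, both exercised against a constructed over-long reverse-lookup answer and a constructed hosts.lpd; the hostname list, the 319-character name and the `host_permitted` stand-in are assumptions for illustration.

```c
/* Added example, not FreeBSD's or the advisory's code: the bounded copy
 * from the fix beside a stricter variant, exercised with a constructed
 * over-long reverse-lookup answer and a constructed hosts.lpd. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: hostnames compare case-insensitively */

#define MAXHOSTNAMELEN 256   /* the fixed buffer size the advisory names */

/* Behaviour of the advisory's patch: copy at most hsize bytes and force a
 * terminating NUL, so an answer longer than the buffer is truncated
 * instead of overflowing. Returns 1 when truncation happened, else 0. */
int copy_hostname_truncating(char *hname, size_t hsize, const char *h_name)
{
    size_t n = strlen(h_name);
    strncpy(hname, h_name, hsize);
    hname[hsize - 1] = '\0';
    return n >= hsize;
}

/* Assumed stricter policy (not in the advisory): a name that does not fit
 * can never equal a hosts.lpd entry, so report it as a lookup failure
 * (-1, the same value the code returns when gethostbyaddr fails). */
int copy_hostname_strict(char *hname, size_t hsize, const char *h_name)
{
    size_t n = strlen(h_name);
    if (n >= hsize) {
        hname[0] = '\0';
        return -1;
    }
    memcpy(hname, h_name, n + 1);
    return 0;
}

/* Constructed hosts.lpd contents, one permitted hostname per line. */
static const char HOSTS_LPD[] =
    "printclient.example.com\n"
    "spooler.example.com\n";

/* Constructed stand-in for an over-long DNS answer: 319 'a' characters,
 * comfortably past the 256-byte buffer. */
static char long_name[MAXHOSTNAMELEN + 64];
const char *make_long_name(void)
{
    memset(long_name, 'a', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    return long_name;
}

/* Stand-in for the access check: 1 if h_name is listed, 0 if not,
 * -1 if the name is unusable. The strict copy runs before any compare. */
int host_permitted(const char *hosts_lpd, const char *h_name)
{
    char hname[MAXHOSTNAMELEN];
    char buf[MAXHOSTNAMELEN];
    const char *p = hosts_lpd;

    if (copy_hostname_strict(hname, sizeof hname, h_name) < 0)
        return -1;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && len < sizeof buf) {
            memcpy(buf, p, len);
            buf[len] = '\0';
            if (strcasecmp(buf, hname) == 0)
                return 1;
        }
        p = nl ? nl + 1 : p + len;
    }
    return 0;
}

/* Length left in a MAXHOSTNAMELEN buffer after the patched copy of the
 * over-long name: the forced NUL caps it at MAXHOSTNAMELEN - 1. */
size_t demo_truncated_length(void)
{
    char hname[MAXHOSTNAMELEN];
    copy_hostname_truncating(hname, sizeof hname, make_long_name());
    return strlen(hname);
}

int main(void)
{
    printf("patched copy keeps %zu bytes of the over-long name\n",
           demo_truncated_length());
    printf("printclient permitted: %d\n",
           host_permitted(HOSTS_LPD, "PrintClient.example.com"));
    printf("over-long name: %d\n",
           host_permitted(HOSTS_LPD, make_long_name()));
    return 0;
}
```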
Attributions
~~~~~~~~~~~~

Information about FreeBSD can be found at http://www.freebsd.org

You can contact the author of this advisory at oliver@secnet.com

Type Bits/KeyID Date User ID
pub 1024/0E7BBA7D 1996/09/18 Oliver Friedrichs

Copyright Notice
~~~~~~~~~~~~~~~~

The contents of this advisory are Copyright (C) 1997 Secure Networks Inc, and may be distributed freely provided that no fee is charged for distribution, and that proper credit is given.
You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers and advisories at ftp://ftp.secnet.com/advisories
You can browse our web site at http://www.secnet.com
You can subscribe to our security advisory mailing list by sending mail to majordomo@secnet.com with the line "subscribe sni-advisories"

From firewalls-owner Wed Mar 5 01:56:25 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id BAA21480 for firewalls-outgoing; Wed, 5 Mar 1997 01:20:45 -0800 (PST) Received: from mailhost.fornet.net.tr ([195.174.114.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id BAA21413 for ; Wed, 5 Mar 1997 01:19:22 -0800 (PST) Received: from notesgw.fornet.net.tr by mailhost.fornet.net.tr (5.65v3.2/FORNET Konfigurasyon Version 1.2) id AA23113; Wed, 5 Mar 1997 11:18:19 +0300 Received: by notesgw.fornet.net.tr with Microsoft Mail id <01BC2956.E5B1EAE0@notesgw.fornet.net.tr>; Wed, 5 Mar 1997 11:18:05 +0200 Message-Id: <01BC2956.E5B1EAE0@notesgw.fornet.net.tr> From: Eren Girgin To: "'firewalls@greatcircle.com'" Subject: altavista FW compare with Firewall-1 checkpoint Date: Wed, 5 Mar 1997 11:18:04 +0200 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi,
I'm looking for a full comparison between altavista firewall and checkpoint fw-1. Which one is more secure? Why? And other questions like this; how can I find a doc for this info?
Thanks for any help.

Eren Girgin
Consultant, Internet Technologies Dept.
------------------------------------------------------------------
ForNet A.S.
, Internet Service Provider
Address: Yildiz Posta Cad. No:26/11 Gayrettepe-ISTANBUL/TURKEY Zip:80280
http://www.fornet.net.tr Tel :+90 212 2130045 Fax:+90 212 2662336
------------------------------------------------------------------

From firewalls-owner Wed Mar 5 03:04:54 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id BAA20482 for firewalls-outgoing; Wed, 5 Mar 1997 01:14:56 -0800 (PST) Received: from us0229.nomura.co.uk (us0229.nomura.co.uk [194.223.136.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id BAA20435 for ; Wed, 5 Mar 1997 01:14:39 -0800 (PST) From: steve.gailey@nomura.co.uk Received: by us0229.nomura.co.uk; id AA03141; Wed, 5 Mar 97 09:18:10 GMT Received: from mailhub by us0229.nomura.co.uk via smap (V3.1) id xma003135; Wed, 5 Mar 97 09:18:07 GMT Received: from by nomura.co.uk (5.x/SMI-SVR4) id AA13208; Wed, 5 Mar 1997 09:13:03 GMT X-Openmail-Hops: 2 Date: Wed, 5 Mar 97 09:12:23 +0000 Message-Id: In-Reply-To: <1518772F012E0F00@seitz.com> Subject: Re: Linux VS FreeBSD as firewall / router Mime-Version: 1.0 To: CBROWN@seitz.com Cc: firewalls@greatcircle.com Content-Type: text/plain; charset=US-ASCII; name="Linux" Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I have used FreeBSD for this and have found it stable. You will also need to look at some of the Firewall toolkits available on the net. I have spoken to others who have used Linux and are happy with it. Just make sure that you configure it to fail safe.

Use what you know and are most comfortable with, or failing that use what your friends and relations use so you can get tech-support. I wouldn't worry about performance as the limiting factor is going to be your Link, not your Firewall.

One thing I would say however is this: Before you start, look at what you have to lose, how attractive it may be to others and your own skills.
You may decide that using something like the TIS Gauntlet isn't so expensive after all.

Steve

______________________________ Reply Separator _________________________________
Subject: Linux VS FreeBSD as firewall / router
Author: firewalls-owner (firewalls-owner@GreatCircle.COM) at internet-mime
Date: 3/3/97 8:36 PM

I have been looking at setting up a greatly enhanced connection to the net. Currently we are using dial up from each work station and want to go to a dedicated 56K line. One of the prime concerns is for a firewall. I have been looking at Linux for a bit, primarily the Debian distribution. Either Debian or Redhat would be my linux route; however, one of the people here was talking to someone at Netcom and was pointed at FreeBSD. Is there an advantage to Linux or FreeBSD from any stand point? Performance, support or things like bug fixes are all prime reasons to go for one over the other. Any help would be appreciated.

From firewalls-owner Wed Mar 5 03:17:42 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id CAA29354 for firewalls-outgoing; Wed, 5 Mar 1997 02:59:30 -0800 (PST) Received: from mnl.sequel.net (mnl.sequel.net [204.255.104.30]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id CAA29329 for ; Wed, 5 Mar 1997 02:58:56 -0800 (PST) Received: from mind_ripper by mnl.sequel.net (SMI-8.6/SMI-SVR4) id SAA11437; Wed, 5 Mar 1997 18:58:50 +0800 Date: Wed, 5 Mar 1997 18:58:50 +0800 Message-Id: <3.0.32.19970305185827.0091c100@pop.infocom.sequel.net> X-Sender: succesor@pop.infocom.sequel.net X-Mailer: Windows Eudora Pro Version 3.0 Demo (32) To: jgilley@ix.netcom.com From: Gaddy Gumbao Subject: Re: CISCO's 2500 Cc: gordonp.atc@gao.gov, firewalls@GreatCircle.COM Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

Hi there,
There's no Vines IP on the CISCO 2500. So they are configuring it to Bridge transparent. Is that configuration gonna work?
Thanks..... From firewalls-owner Wed Mar 5 03:32:53 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id CAA26493 for firewalls-outgoing; Wed, 5 Mar 1997 02:29:23 -0800 (PST) Received: from www.iclsorbus.fr (www.iclsorbus.fr [195.6.13.13]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id CAA26269 for ; Wed, 5 Mar 1997 02:27:42 -0800 (PST) Received: from webmaster (195.6.13.14) by www.iclsorbus.fr (EMWAC SMTPRS 0.81) with SMTP id ; Wed, 05 Mar 1997 11:27:41 +0100 Message-ID: From: "Julien CLAUZEL" To: "Gary White" Cc: "FireWall -> GreatCircle" Subject: Re: Active-X at the firewall or proxy server Date: Wed, 5 Mar 1997 11:25:49 +0100 X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: firewalls-owner@GreatCircle.COM Precedence: bulk If you are using MS Proxy you can use some Add-on products like: InterScan WebProtect (Trend). Julien CLAUZEL ---------- > From: Gary White > To: firewalls@greatcircle.com > Subject: Active-X at the firewall or proxy server > Date: Saturday, March 01, 1997 5:46 PM > > Hi- > Just curious if anybody has comments on good ways to block Active-X > short of reading all the html that comes through. 
>
> thanks
> -Gary
>
> __________________________________________________________________
> Gary White ARCO Exploration & Production Technology
> gwhite@arco.com 2300 W Plano Parkway
> (214) 509-6554 Plano, Texas 75075

From firewalls-owner Wed Mar 5 04:38:06 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id CAA25914 for firewalls-outgoing; Wed, 5 Mar 1997 02:24:59 -0800 (PST) Received: from inet.uni-c.dk (inet.uni-c.dk [130.228.6.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id CAA25787 for ; Wed, 5 Mar 1997 02:23:44 -0800 (PST) Received: from lgb432.ppp.uni-c.dk (lgb432.ppp.uni-c.dk [130.228.7.177]) by inet.uni-c.dk (8.8.4/8.6.9) with SMTP id LAA18821 for ; Wed, 5 Mar 1997 11:22:02 +0100 (MET) Received: by lgb432.ppp.uni-c.dk with Microsoft Mail id <01BC2957.6F377410@lgb432.ppp.uni-c.dk>; Wed, 5 Mar 1997 11:21:56 +0100 Message-ID: <01BC2957.6F377410@lgb432.ppp.uni-c.dk> From: Chris Larsen To: "'Firewalls@GreatCircle.COM'" Subject: NT sniffers & NT Firewalls. Date: Wed, 5 Mar 1997 11:19:20 +0100 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BC2957.6F38FAB0" Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

To several people about sniffer on NT 4.0:

If you have the Windows NT 4.0 Server you can install network monitoring BUT only monitor packets to/from the host running it.
However if you have the BackOffice SMS package the network monitor there will allow you to set the NIC in promiscuous mode, ie. allow capturing all packets on the lan segment.

If you really need a professional tool you should go for NetXray from Cinco Networks ( http://www.cinco.com/ ), which is a very valuable tool for analysing network problems. (This tool will also allow remote probes to be installed and monitored).
It is IMHO the best packet analyzer I have seen so far.

Somebody noted that there were tools to remotely probe and capture packets from NICs set into promiscuous mode of operation. This is not only true for Windows NT, but also for other packet capturing tools ie. tcpdump (can we always be 100% sure that these tools are secure?). Never run these kind of utils unless
1) You really need it,
2) Your lan segment is secured,
3) You want your inside to be compromised totally.
Some utils are more secure than others, but generally speaking it is dangerous and should be used wisely and of course only by men with the white hats on.

Windows NT & Firewalls:

On another point is Windows NT based firewalls (and I will probably be flamed big time for this so please do it in private). I think NT firewalls can't (shouldn't) be declared as secure, until Microsoft releases full source code to the TCP/IP winsock and other network related protocols that one would want to firewall. Security in NT relies on trust that Microsoft guarantees that you have a secure winsock and other protocol, which of course has been proven in several points is not a thing you can trust Microsoft with at all.

Too many things regarding security regarding Windows NT (or other Microsoft products) are left to obscurity and undocumented features, so you can't rely (trust or believe) in this OS to run a firewall on.

Now I may be nit-picking, but if something needs to be secure, well then there should be a code review. And not only by US trusted organisations like NCSA or the like, but also from other companies who have expertise in this area.

Until Microsoft shapes up, I will advise against using NT as a firewall based OS _and_ relying on its security.
This view is not about how well things run on NT vs Unix, but about the belief of security in your networking OS. Because security relies on every component in your firewall, router, etc...
One should also be given the opportunity to review every detail (or at least be able to obtain information/reports about it) which is part of the security aspect of protecting your network from the outside.

Yes I use NT as server OS and not Unix, I also have several VMS installations and I only use Unix based firewalls because of the reasons stated above. NT (same with VMS) compared to unix has much better ACL and auditing facilities built in. (Yes I know you can do the same on unix, but I don't want to start a flame war on OS's, and if you feel offended please reply privately.)

Re.
Chris.

vader@inet.uni-c.dk | "We learn from history,
Chris Larsen | that we don't learn from history"
Struers A/S |
System Manager | All opinions expressed herein are solely
http://www.babel.dk/windowsnt/ | of my own, and _not_ of my employers.
From firewalls-owner Wed Mar 5 04:38:41 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id EAA05222 for firewalls-outgoing; Wed, 5 Mar 1997 04:07:01 -0800 (PST) Received: from cbisinet.cbis.com (cbisinet.cbis.com [206.230.22.18]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id EAA05114 for ; Wed, 5 Mar 1997 04:05:55 -0800 (PST) Received: from Notes.cbis.com by cbisinet.cbis.com (5.x/SMI-SVR4) id AA19343; Wed, 5 Mar 1997 07:04:24 -0500 Received: by
Notes.cbis.com (IBM OS/2 SENDMAIL VERSION 1.3.17/2.12um) id AA3561; Wed, 05 Mar 97 06:59:49 -0500 Message-Id: <9703051159.AA3561@Notes.cbis.com> Received: by CBIS (Lotus Notes Mail Gateway for SMTP V1.1) id 854DF9B3491B1328852564510041CDBA; Wed, 5 Mar 97 06:59:48 To: firewalls-digest From: Warren Moore Date: 5 Mar 97 7:03:53 Subject: SHTTP Proxy for fwtk? X-Importance: High Mime-Version: 1.0 Content-Type: Text/Plain Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Greetings... Can someone on the list point me toward a proxy for the TIS fwtk that will handle SHTTP? Like most, I'd prefer software that doesn't cost any more than the fwtk itself. 8>) If there's no proxy available that you're aware of, does anyone have any ideas on how to make SHTTP work with the fwtk? Any and all information would be deeply appreciated...even if it's "nope, won't work." --- Warren S. Moore, CISSP Information Security Specialist Cincinnati Bell Information Systems Inc. From firewalls-owner Wed Mar 5 05:19:29 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id EAA07690 for firewalls-outgoing; Wed, 5 Mar 1997 04:46:30 -0800 (PST) Received: from mn1.swip.net (mn1.swip.net [192.71.180.97]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id EAA07613 for ; Wed, 5 Mar 1997 04:44:23 -0800 (PST) From: mats.toren@apfund1-3.se Received: by mn1.swip.net (8.8.2/2.01) id MAA00398; Wed, 5 Mar 1997 12:42:18 GMT Message-ID: <199703051242.MAA00398@mn1.swip.net> Date: Wed, 5 Mar 1997 12:40:02 +0100 To: firewalls@greatcircle.com Subject: Routing TCP/IP to IPX as a firewall? MIME-version: 1.0 (Created by TFS) Content-Type: text/plain ; charset=ISO-8859-1 Content-transfer-encoding: quoted-printable X-Mailer: TFS Gateway V210U0581M Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi everybody, please excuse a novice question but i'm learning. 
This morning I went to a presentation by Cisco and they talked about Cisco 1600 IPX to IP Gateway and PIX among other things.
They said that there is no need for a firewall with this kind of product because you could not "touch" anything inside the gateway with IP. Since my idea of routing was to transport information (bad too) between protocols I asked if this was correct and they said it was.
My question is if this is correct (I think not). If it is please explain shortly. My other interest is if anyone had experiences with PIX, good or bad.
If this gateway solution is a good solution, would it be a good idea to let people connect to internet with IPX? I guess you would have to control the routing capabilities of client machines to make this solution safe.

Thanks in advance
Mats Torén
mats.toren@apfund1-3.se

From firewalls-owner Wed Mar 5 05:35:23 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id DAA04438 for firewalls-outgoing; Wed, 5 Mar 1997 03:57:59 -0800 (PST) Received: from castle.us-state.gov (castle.us-state.gov [198.76.102.19]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id DAA04355 for ; Wed, 5 Mar 1997 03:57:11 -0800 (PST) From: crumrig@us-state.gov Received: by castle.us-state.gov; id AA26036; Wed, 5 Mar 97 06:55:40 EST Received: from pubhost.us-state.gov(198.76.102.34) by castle.us-state.gov via smap (V1.3mjr) id sma026016; Wed Mar 5 06:54:46 1997 Received: by pubhost.us-state.gov; id AA18602; Wed, 5 Mar 97 06:54:40 EST Date: Wed, 5 Mar 97 06:49:58 PST Subject: RE: Retail Shopping on the Internet To: Firewalls@greatcircle.com, hf85 X-Mailer: Chameleon ENGP1, TCP/IP for Windows, NetManage Inc. Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=us-ascii Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

I assume you have had several replies by now, so I'd like to throw mine in as well.
I represent a company called Integrated Technologies or ITEQ for short. We are based out of Silver Spring, MD and could help in all phases. Let us know if we could be of service to you.

ITEQ
1300 Spring Street Suite 320
Silver Spring, MD 20910
crumrig@us-state.gov

---------------Original Message---------------
Sirs,
Does anyone out there have any experience in providing security solutions to retailers looking at setting up their own internet retail site?
Please reply to:
David Churchill-Saunders
Eurocommerce
----------End of Original Message----------

From firewalls-owner Wed Mar 5 06:02:52 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id EAA07505 for firewalls-outgoing; Wed, 5 Mar 1997 04:41:37 -0800 (PST) Received: from ns.asiaconnect.com.my (ns.asiaconnect.com.my [202.190.60.10]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id EAA07434 for ; Wed, 5 Mar 1997 04:40:52 -0800 (PST) Received: (from param@localhost) by ns.asiaconnect.com.my (8.6.12/8.6.12) id NAA22109; Wed, 5 Mar 1997 13:39:16 GMT Date: Wed, 5 Mar 1997 20:39:15 +0700 (KL ) From: Paramaguru To: firewalls-digest@GreatCircle.com Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: firewalls-owner@GreatCircle.COM Precedence: bulk

list

From firewalls-owner Wed Mar 5 06:03:14 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id EAA05107 for firewalls-outgoing; Wed, 5 Mar 1997 04:05:53 -0800 (PST) Received: from sghms.ac.uk (s1.sghms.ac.uk [192.153.12.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id EAA04878 for ; Wed, 5 Mar 1997 04:01:59 -0800 (PST) Received: from gillettpc.sghms.ac.uk by sghms.ac.uk (SGHMSV1.0) ID AA25223; Wed, 5 Mar 97 11:57:04 GMT Date: Wed, 5 Mar 1997 11:57:46 PST From: Mark Gillett Subject: cisco encryption problem To: hl@tekla.fi Cc: firewalls@greatcircle.com Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender:
firewalls-owner@GreatCircle.COM Precedence: bulk

It is alleged that Harald Lundberg wrote :
> This question is strictly speaking not firewall-related, but I guess quite
> a lot of cisco gurus read this... Neither my manual nor my dealer has been
> of great help....
> My problem: I have 2 routers running ciscos encryption engine (IOS 11.2).
> But the outgoing interfaces use non-official addresses (they only talk to
> the ISP's routers). All packets originating from the router use the
> outgoing interface's address. Is there any way to change this?

You can run ip unnumbered on the external interfaces if your ISP agrees. The cisco documentation on this is a little vague :-( as is normal for them (although it keeps some of us in work :-) ). Basically, this allows you to operate a W.A.N link between two ciscos without any IP addresses in use at all. This would save you the need for more class C's - although you do lose SNMP stats for those interfaces :-( .

Hope that helps - apologies for the off-topic post.

================================================================
Mark Gillett, Computer Unit, St. Georges Hospital Medical School
----------------------------------------------------------------
Contrary to popular belief, Unix is user friendly. It just happens to be very selective about who it decides to make friends with.
---------------------------------------------------------------- e-mail : mgillett@sghms.ac.uk web : http://www.sghms.ac.uk ================================================================ From firewalls-owner Wed Mar 5 07:04:13 1997 Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id GAA16176 for firewalls-outgoing; Wed, 5 Mar 1997 06:11:37 -0800 (PST) Received: from sic.se (mailbox.sic.se [194.236.7.200]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id GAA16144 for ; Wed, 5 Mar 1997 06:11:12 -0800 (PST) Received: from pamela.sic.se (pamela [194.236.7.44]) by sic.se (8.7.5/8.7.2) with SMTP id PAA15725; Wed, 5 Mar 1997 15:08:58 +0100 (MET) X-Mailer: InterCon tcpCONNECT4 4.0.2 (Macintosh) MIME-Version: 1.0 Message-Id: <9703051511.AA35750@pamela.sic.se> Date: Wed, 5 Mar 1997 15:11:35 +0100 From: "Stefan Berg" To: Warren Moore Cc: firewalls@GreatCircle.com Subject: Re: SHTTP Proxy for fwtk? Content-Type: Text/Plain; charset=US-ASCII Content-Disposition: Inline Sender: firewalls-owner@GreatCircle.COM Precedence: bulk Hi there, Warren, try the Squid proxy server (http://squid.nlanr.net). Works like a charm for me! /Stefan > Can someone on the list point me toward a proxy for the TIS fwtk that > will handle SHTTP? Like most, I'd prefer software that doesn't cost > any more than the fwtk itself. 8>) If there's no proxy available > that you're aware of, does anyone have any ideas on how to make SHTTP > work with the fwtk? Any and all information would be deeply > appreciated...even if it's "nope, won't work. -- _______________________________________________________ Stefan Berg Computing Science Student University of Uppsala, Sweden. s93sbe@csd.uu.se http://www.csd.uu.se/~s93sbe _______________________________________________________ Hmm.. What do batteries run on?? 
From firewalls-owner Wed Mar 5 07:18:51 1997
From: hf85
Organization: Eurocommerce
To: firewalls@greatcircle.com
Date: Wed, 05 Mar 1997 15:10:13 +0000
Message-ID: <331D8CD5.786F@dial.pipex.com>
Subject: Solutions for retailers on the net

Sirs,

Does anyone out there have any experience in providing security solutions
to retailers looking at setting up their own internet retail sites for
on-line home based shopping? We are also looking for companies that can
assist retailers in setting up their own web sites and corporate intranets?

Please reply to:

David Churchill-Saunders
Eurocommerce

From firewalls-owner Wed Mar 5 07:49:01 1997
From: "Fountain, Brett (REU)"
To: "'Mailist: Firewalls'"
Date: Wed, 5 Mar 1997 09:33:00 -0500
Subject: huge hole in MSIE3.01

fyi -

although this is not directly related to a firewall, i know that you may
also want to be aware of other security issues.

microsoft ie 3.x is vulnerable: remote hackers can get to your hard drives,
stealing and/or destroying your data, without using any activex or other
suspect code.

read more info here:
http://www.cybersnot.com/iebug.html

download the ms patch here:
http://www.microsoft.com/ie/security/update.htm

be safe.
:b

From firewalls-owner Wed Mar 5 08:03:37 1997
From: jonesmd@unifiedtech.com (Mike Jones)
To: firewalls@GreatCircle.COM
Date: Wed, 5 Mar 1997 10:46:58 -0500
Message-Id: <199703051546.KAA01394@bass.unifiedtech.com>
Subject: SQL*net and FireWall-1

Has anyone figured out how to run SQL*Net through FireWall-1? I would think
that it should be possible, but I wanted to see if anyone else had done it
before sitting down to a big "figure it out" session.

--
Mike Jones
Sr. Technical Advisor
UNIFIED Technologies

From firewalls-owner Wed Mar 5 08:25:52 1997
From: lshearer@netcom.ca (Laura Ann Shearer)
To: firewalls@greatcircle.com
Date: Wed, 5 Mar 1997 11:04:20 -0500 (EST)
Message-Id: <199703051604.LAA24209@tor-srs2.netcom.ca>
Subject: Internet Security

I am a student at a college in Toronto, Canada. I just joined this email
list a few days ago. I am wondering if any of you with some knowledge about
internet security would let me know what your opinion is about what the
best combination for internet security is. I am doing a research paper on
what Corporations can do about internet security. Any replies would be
greatly appreciated.
Laura

From firewalls-owner Wed Mar 5 08:48:50 1997
From: Brian Tackett
To: Todd Graham Lewis
Cc: firewalls@GreatCircle.COM
Date: Wed, 5 Mar 1997 10:20:31 -0600 (CST)
Subject: Re: Linux VS FreeBSD as firewall / router

On Tue, 4 Mar 1997, Todd Graham Lewis wrote:

> Both Linux and FreeBSD can easily outperform most commercial OS'es on
> equivalent hardware. I feel comfortable with my company protected by
> both, and would feel comfortable with us protected by either alone.
>
> Personally, I lean towards Debian Linux, but to each his own.

Indeed ;)

My experience has been that any given individual's opinion (and that's what
it is, generally) of a product, whether it be an OS, applications, whatever,
is comprised of a certain percentage of experience, pre-inclination, and
luck.

Pre-inclination, by which I mean that the "first impressions" usually stick.
Someone who gets started with UNIX is likely to have an affinity for that
OS; someone who starts with Windows NT, same thing. All this means is that
USUALLY, by the time one is experienced enough to work extensively on more
than one platform, (s)he has built up a lot of experience, which is where
point 1 comes in. I have a lot of years of experience working with UNIX, so
it's natural that I am going to be more productive working in that
environment. My colleagues, however, are big VMS and Windows NT
backgrounders, and THEY in turn are more effective in THAT environment.

The third thing is luck; two people with the same general level of
competency and knowledge can have wildly differing opinions about a single
product, and it's due to luck. Mr X may have had no bad experiences at all,
and naturally, he's going to sing the praises of Product A. Mr Y on the
other hand may have had an installation barf or a system bug bite him, and
he's not likely to sing any such thing.

I don't mind a little debate on topics of partisan interest, but generally,
I've come to the opinion that they're not of much use. When you're selecting
a product for your own use, get as much info as you can and make the
decision; give weight to the opinions of those whose technical judgements
you trust, but lacking that, go with the consensus (if you can find one).

From firewalls-owner Wed Mar 5 09:18:25 1997
From: Ryan Russell/SYBASE
To: Mike Jones
Cc: firewalls
Date: 5 Mar 97 9:10:09 EDT
Message-Id: <199703051705.JAA13143@notesgw2.sybase.com>
Subject: Re: SQL*net and FireWall-1

Somebody has done it before...

http://www.oracle.com/corporate/press/html/firewall.html

Ryan

---------- Previous Message ----------
To: firewalls
cc:
From: jonesmd @ unifiedtech.com (Mike Jones) @ smtp
Date: 03/05/97 10:46:58 AM
Subject: SQL*net and FireWall-1

Has anyone figured out how to run SQL*Net through FireWall-1? I would think
that it should be possible, but I wanted to see if anyone else had done it
before sitting down to a big "figure it out" session.

--
Mike Jones
Sr. Technical Advisor
UNIFIED Technologies

From firewalls-owner Wed Mar 5 10:01:56 1997
From: Ryan Russell/SYBASE
To: William Burrow
Cc: Bernd Eckenfels, firewalls
Date: 5 Mar 97 9:14:29 EDT
Message-Id: <199703051709.JAA13443@notesgw2.sybase.com>
Subject: Re: Firewall OS

I didn't write the part below that's quoted to me.

Ryan

---------- Previous Message ----------
To: lists
cc: firewalls
From: aa126 @ fan1.fan.nb.ca (William Burrow) @ smtp
Date: 03/04/97 12:20:47 PM
Subject: Re: Firewall OS

On 3 Mar 1997, Ryan Russell/SYBASE wrote:

> Security is nice, but one should never leave ground.. some companies don't
> have all that money they would need to pay for silly security.

How fast do you expect your logs to be written? A serial line can only
handle so much data. I would suspect numerous hosts could be hooked up to a
cheap multiport board on a 386 running Linux or DOS for next to nothing.
Compared to the other hardware costs and Internet connection fees, this is
pretty minimal. With Linux's ext2compress filesystem patch, one could even
get by on a relatively small drive if needs be.

Furthermore, I think that a copy of the logs kept on the originating system
might fool a silly hacker into not noticing the logs are going elsewhere
(though obviously the hackers reading this list will be better advised :).
--
William Burrow -- Fredericton Area Network, New Brunswick, Canada
Copyright 1997 William Burrow

From firewalls-owner Wed Mar 5 10:03:38 1997
From: Jorge Figueiredo
To: firewalls@GreatCircle.COM
Date: Wed, 05 Mar 1997 17:19:32 +0000
Message-Id: <1.5.4.32.19970305171932.008e6b00@porto.ucp.pt>
Subject: SOCKS5 Compilation troubles

Has anyone used SOCKS for firewalling?

I am trying to compile Socks5 on a Debian Linux box, kernel 2.0.24, but it
fails to succeed. It complains about the lack of the following files:

  sgtty.h
  sys/ttychars
  sys/mbuf.h
  sys/select.h
  sys/filio.h
  sys/sockio.h
  machine/endian.h

Should Linux have them? Do these files belong to the same package? Which
package? Where can I get it? Or did I miss any compilation option? Which?

Thanks.

Jorge

Please reply directly to me (jf@porto.ucp.pt), because I don't subscribe to
this list!

From firewalls-owner Wed Mar 5 10:39:10 1997
From: "Jerry Mckane"
To: "Fountain, Brett (REU)", "'Mailist: Firewalls'"
Date: Wed, 5 Mar 1997 12:11:51 -0600
Message-Id: <199703051811.MAA13237@mailhost.onramp.net>
Subject: Re: huge hole in MSIE3.01

Microsoft has posted a patch for it at their website

----------
> From: Fountain, Brett (REU)
> To: 'Mailist: Firewalls'
> Subject: huge hole in MSIE3.01
> Date: Wednesday, March 05, 1997 8:33 AM
>
> fyi -
>
> although this is not directly related to a firewall, i know that
> you may also want to be aware of other security issues.
>
> microsoft ie 3.x is vulnerable: remote hackers can get to
> your hard drives, stealing and/or destroying your data,
> without using any activex or other suspect code.
>
> read more info here:
> http://www.cybersnot.com/iebug.html
>
> download the ms patch here:
> http://www.microsoft.com/ie/security/update.htm
>
> be safe.
> :b

From firewalls-owner Wed Mar 5 11:27:55 1997
From: Todd Graham Lewis
To: Matthew Curtain
Cc: Firewalls Mailing List
Date: Wed, 5 Mar 1997 13:46:29 -0500 (EST)
Subject: Re: Firewalls-Digest V6 #91

On Wed, 5 Mar 1997, Matthew Curtain wrote:

> I know this question is more a linux O/S related question, but does
> anyone use FWTK on a Linux box with 3 Network cards. Dual homed Bastion
> with separate network for WEB Servers and alike. Is this poss and what
> are the issues involved.

We considered doing it in order to eschew a strange web cache problem, but
decided not to. I really don't see there being any problems with it, other
than an inability to offer different services via the FWTK to the different
interfaces. (e.g., if you offer pop via one method for one interface, you
have to offer them for all, modulo the netperm ACL.)

What problems were you anticipating?

__
Todd Graham Lewis
MindSpring Enterprises
tlewis@mindspring.com

From firewalls-owner Wed Mar 5 11:33:23 1997
From: "Shawn D. Tedder"
To: hf85
Cc: firewalls@GreatCircle.COM
Date: Wed, 05 Mar 1997 13:37:59 -0500
Message-Id: <1.5.4.32.19970305183759.006839a4@interlog.com>
Subject: Re: Solutions for retailers on the net

Please respond with exact market plan or objectives. Some considerations are
if "retailers" wish to accept credit card, snail mail money order/cheques or
faxed signature. Different solutions depend on security also; however there
are many sites doing commerce using no security. I can draw up a proposal
based on what the circumstances are. The hardware/software required has to
be custom to what the consensus of the retailers want or what you wish to
provide.

Thank you.

At 03:10 PM 3/5/97 +0000, hf85 wrote:
>Sirs,
>
>Does anyone out there have any experience in providing security solutions
>to retailers looking at setting up their own internet retail sites for
>on-line home based shopping?
> We are also looking for companies that can assist retailers in setting
>up their own web sites and corporate intranets?
>
>Please reply to:
>
>David Churchill-Saunders
>Eurocommerce
>

Shawn D. Tedder

From firewalls-owner Wed Mar 5 11:33:54 1997
From: Inno Eroraha
To: Warren Moore
Cc: firewalls-digest@greatcircle.com
Date: Wed, 05 Mar 1997 13:06:52 -0500
Message-Id: <2.2.32.19970305180652.007631d8@pop.hq.tis.com>
Subject: Re: SHTTP Proxy for fwtk?

At 07:03 AM 3/5/97, you wrote:
>Greetings...
>
>Can someone on the list point me toward a proxy for the TIS fwtk that will
>handle SHTTP? Like most, I'd prefer software that doesn't cost any more than
>the fwtk itself. 8>) If there's no proxy available that you're aware of, does
>anyone have any ideas on how to make SHTTP work with the fwtk? Any and all
>information would be deeply appreciated...even if it's "nope, won't work."
>---

Simply include this entry in your /usr/local/etc/netperm-table:

  # ssl-gw: port ssl {your trusted network} -port ssl
  # so if your trusted net is 111.222.111.* the syntax would be:
  # ssl-gw: port ssl 111.222.111.* -port ssl
  # if you don't have ssl defined in your /etc/services file as 443 then
  # simply replace "ssl" with "443" in the above rule.

Good luck!

-0-
inno

>Warren S. Moore, CISSP
>Information Security Specialist
>Cincinnati Bell Information Systems Inc.
>
>
>

From firewalls-owner Wed Mar 5 11:33:46 1997
From: "2LT Jeffery J. Lowder, 333-4615"
Date: Wed, 5 Mar 97 10:36:51 MST
Subject: Windows 95 / WINS

Anyone know what protocols and ports this uses? I need to be able to proxy
this through my firewall.
email: lowderjj.scb@usafa.af.mil

From firewalls-owner Wed Mar 5 12:33:03 1997
From: "Jan Klabacka"
Organization: Telenor CR
To: Warren Moore
Cc: firewalls-digest@greatcircle.com
Date: Wed, 5 Mar 1997 19:10:22 +0100
Message-Id: <199703051810.TAA24347@server.null>
In-Reply-To: <9703051159.AA3561@Notes.cbis.com>
Subject: Re: SHTTP Proxy for fwtk?

On 5 Mar 97 at 7:03, Warren Moore wrote:

> To: firewalls-digest
> From: Warren Moore
> Date: 5 Mar 97 7:03:53
> Subject: SHTTP Proxy for fwtk?
> Greetings...
>
> Can someone on the list point me toward a proxy for the TIS fwtk that will
> handle SHTTP? Like most, I'd prefer software that doesn't cost any more than

I am not quite sure, but maybe it is possible to program http-proxy to do
this (if it is ever necessary for clients using proxies the right way).

But, why not use other proxies (for instance squid - it also has protection
against all access from/to any of the firewall's interfaces, and - as an
addition - it is a very good cache proxy - if it makes sense for you of
course; and it is also for free)

Regards
Jan Klabacka

----------------------------
Jan Klabacka
Telenor Czech Republic
Phone: +420 2 311 97 71     (please note
       +420 2 311 97 73     (dial prefix
Fax:   +420 2 311 82 17     (change for CR
email: jkl@telenor.cz
http://www.telenor.cz/

From firewalls-owner Wed Mar 5 12:33:07 1997
From: Todd Truitt
To: mgillett@sghms.ac.uk (Mark Gillett)
Cc: hl@tekla.fi, firewalls@GreatCircle.COM
Date: Wed, 5 Mar 1997 12:46:19 -0700 (MST)
Message-Id: <199703051946.MAA24204@thepound.evolving.com>
In-Reply-To: from "Mark Gillett" at Mar 5, 97 11:57:46 am
Subject: Re: cisco encryption problem

-----BEGIN PGP SIGNED MESSAGE-----

'Mark Gillett once said:'
> It is alleged that Harald Lundberg wrote :
>>< snip...>
>
> > My problem: I have 2 routers running cisco's encryption engine (IOS
> > 11.2).
> > But the outgoing interfaces use non-official addresses (they only
> > talk to the ISP's routers). All packets originating from the router
> > use the outgoing interface's address. Is there any way to change this?
>
> You can run ip unnumbered on the external interfaces if your ISP
> agrees. The cisco documentation on this is a little vague :-( as is
> normal for them (although it keeps some of us in work :-) ).
> Basically, this allows you to operate a W.A.N link between two ciscos
> without any IP addresses in use at all. This would save you the need
> for more class C's - although you do lose SNMP stats for those
> interfaces :-( .

Would tunneling work in your situation? i.e., your gateway router, R1,
would be assigned a loopback interface of 111.111.111.2, as well as its
external interface addr, call it 199.10.20.2. Your ISP's router, R2, would
be assigned a loopback interface, 111.111.111.1, as well as its interface's
addr for your link, 199.10.20.1. Run your encryption between the loopback
interfaces via tunnelling through the connecting interfaces of R1 and R2.

> Hope that helps - apologies for the off-topic post.

Ditto.
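Mark Gillett's ip unnumbered suggestion and Todd Truitt's loopback-plus-tunnel layout, written out in IOS syntax as an added configuration example; it is not configuration from either post. The loopback addresses are the ones Truitt used; the interface names, the tunnel subnet 192.168.255.0/30 and the static host routes are assumptions, and the encryption commands themselves are left out because the thread does not show them:

```text
! Added example, not configuration from either post. Loopback addresses are
! the ones Todd Truitt used; interface names, the tunnel subnet
! 192.168.255.0/30 and the static routes are assumptions. The encryption
! commands are omitted (the thread does not show them).
!
! ===== R1: customer gateway =====
!
! An official address owned by the router itself, not by any link.
interface Loopback0
 ip address 111.111.111.2 255.255.255.255
!
! The link to the ISP carries no address of its own: it borrows Loopback0
! (Mark Gillett's suggestion). Packets the router originates out of Serial0
! are now sourced from 111.111.111.2 instead of a non-official link address.
! The ISP must configure its side the same way, and per-interface SNMP
! statistics for the link are lost.
interface Serial0
 description Link to ISP router R2
 ip unnumbered Loopback0
!
! Point-to-point tunnel between the two loopbacks (Todd Truitt's layout).
! The encryption peer is reached through Tunnel0, so both ends of the
! encrypted path are official loopback addresses, never the link.
interface Tunnel0
 ip address 192.168.255.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 111.111.111.1
!
! R2's loopback lives on the far side of the unnumbered link; without this
! host route the tunnel destination is unreachable and Tunnel0 stays down.
ip route 111.111.111.1 255.255.255.255 Serial0
!
! ===== R2: ISP router (mirror image) =====
interface Loopback0
 ip address 111.111.111.1 255.255.255.255
!
interface Serial0
 description Link to customer router R1
 ip unnumbered Loopback0
!
interface Tunnel0
 ip address 192.168.255.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 111.111.111.2
!
ip route 111.111.111.2 255.255.255.255 Serial0
```

Truitt's numbered variant (199.10.20.2/199.10.20.1 on the serial interfaces instead of ip unnumbered) works the same way, with the static route's next hop being the far link address rather than the interface name. Either way, check with show ip interface Serial0 and show interfaces Tunnel0 that the link is up and the tunnel's line protocol comes up once the far loopback is routable.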
- --Todd

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQB1AwUBMx3NiM9y1J+ua2vxAQEliQMAnSEsoNOy84FaLdK19z2ALof0CFiYaG2v
ASA9ORwkQubk+MwrEWrceZP/qTUQeT9oa8YTs5/317qerUg2qgFIGg9Bz8ajxBoS
UojYguzt9VMXVR6Zu6xscpakfxLXQcjW
=cAkw
-----END PGP SIGNATURE-----

From firewalls-owner Wed Mar 5 13:13:48 1997
From: Rick Murphy
To: Todd Graham Lewis
Cc: Juan Carlos Gomez, Firewalls@GreatCircle.COM
Date: Wed, 05 Mar 1997 15:27:42 -0500
Message-Id: <3.0.32.19970305151819.00725434@pop.rv.tis.com>
Subject: Re: plug-in

At 04:17 PM 3/4/97 -0500, Todd Graham Lewis wrote:
>We took plug-gw and daemonized it. My understanding, however, is that
>under the TIS license, we're not allowed to redistribute the result.
>Alas.
>
>Anyway, it shouldn't be too terribly difficult to daemonize it yourself.

Almost all the proxies in 2.0 have been daemonized.
I don't know why you'd bother doing it yourself :-)

-Rick

From firewalls-owner Wed Mar 5 14:08:59 1997
From: Larry Glaze
To: hf85, firewalls@greatcircle.com
Date: Wed, 05 Mar 1997 13:03:15 -0500
Message-Id: <3.0.32.19970305130312.00f877c8@mc2-csr.com>
Subject: Re: Solutions for retailers on the net

At 03:10 PM 3/5/97 +0000, hf85 wrote:
>Sirs,
>
>Does anyone out there have any experience in providing security solutions
>to retailers looking at setting up their own internet retail sites for
>on-line home based shopping? We are also looking for companies that can
>assist retailers in setting up their own web sites and corporate intranets?

The company I work for specializes in building corporate web sites. We have
set up many of our clients with online retailing. Some of them are Dirt
Devil (www.dirtdevil.com), Camelot Music (www.camelotmusic.com), Stanley
Steemer (www.stanleysteemer.com), and Magazines.com (www.magazines.com). We
also build intranets and will specify and install any and all hardware to
meet a company's needs, including firewalls, web serving software, database
packages, serving hardware, and anything else needed. Some of our other
clients include B.F. Goodrich (www.bfgoodrich.com), Parker Hannifin
(www.parker.com), American Electric Power (www.aep.com), and Ashland
Chemical (www.ashchem.com).

If you would like more information about our company and the services we
provide then you can either reply to me, or you can send email to the owner
of our company, Brock Poling (bpoling@mc2-csr.com). Our phone number is
614-890-9558 if you would like to call. You can ask for either myself or
Brock.

Regards,
Larry

--
---------------------------------------------------------------------------
| Larry Glaze                          |  "...Life's a bummer..."          |
| System/Network Administrator         |     --Smashing Pumpkins           |
| MC2 Cyberspace, Ltd                  |                                   |
| http://www.mc2-csr.com/~lglaze       |  lglaze@mc2-csr.com               |
---------------------------------------------------------------------------
| All opinions are my own, as they should be!                             |
---------------------------------------------------------------------------

From firewalls-owner Wed Mar 5 14:22:48 1997
From: "V. James Krammes"
To: Gaddy Gumbao
Cc: jgilley@ix.netcom.com, gordonp.atc@gao.gov, firewalls@GreatCircle.COM
Date: Wed, 5 Mar 1997 11:14:36 -0600 (CST)
In-Reply-To: <3.0.32.19970305185827.0091c100@pop.infocom.sequel.net>
Subject: Re: CISCO's 2500

Banyan Vines support is available in the enterprise level version of IOS
for the Cisco 2500-series routers, at least in versions since 10.2.

On Wed, 5 Mar 1997, Gaddy Gumbao wrote:

> Hi there,
>
> There's no Vines IP on the CISCO 2500. So they are configuring it to
> Bridge transparent. Is that configuration gonna work?
>
> Thanks.....
>

From firewalls-owner Wed Mar 5 14:49:17 1997
From: Richard Hoffbeck
To: "2LT Jeffery J. Lowder, 333-4615",
Date: Wed, 05 Mar 1997 16:32:58 -0600
Message-Id: <3.0.32.19970305163257.0098a1c0@fw2.mwcia.org>
Subject: Re: Windows 95 / WINS

At 10:36 AM 3/5/97 MST, 2LT Jeffery J. Lowder, 333-4615 wrote:
>Anyone know what protocols and ports this uses? I need to be able to
>proxy this through my firewall.

The quick list is

  UDP port 137 - name services
  UDP port 138 - datagram services
  TCP port 139 - session services

For more details, see NT Server Resource Kit, Networking Guide, Chapter 6
or RFC 1001 and RFC 1002.
Of course it is only responsible to ask if you're really sure that you want to proxy SMB services out to the internet :-)

--rick
Richard Hoffbeck                                   phone: 612.897.6442
Sr Systems Analyst
Minnesota Workers Comp Insurer's Association
Finger rwh@visi.com for PGP key : Fingerprint = 1C DD 13 FB 11 1D E7 73 2F A1 9B 52 86 0F A2 2B

From firewalls-owner Wed Mar 5 14:54:29 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id MAA01016 for firewalls-outgoing; Wed, 5 Mar 1997 12:46:00 -0800 (PST)
Received: from mail1.digital.com (mail1.digital.com [204.123.2.50]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id MAA00943 for ; Wed, 5 Mar 1997 12:45:36 -0800 (PST)
From: net_espinha@vaxrio.ENET.dec.com
Received: from us3rmc.pa.dec.com by mail1.digital.com (5.65 EXP 4/12/95 for V3.2/1.0/WV) id AA02594; Wed, 5 Mar 1997 12:38:55 -0800
Received: from vaxrio.enet by us3rmc.pa.dec.com (5.65/rmc-22feb94) id AA11612; Wed, 5 Mar 97 12:22:03 -0800
Message-Id: <9703052022.AA11612@us3rmc.pa.dec.com>
Received: from vaxrio.enet; by us3rmc.enet; Wed, 5 Mar 97 12:38:54 PST
Date: Wed, 5 Mar 97 12:38:54 PST
To: 56405::"lshearer@netcom.ca"@vaxrio.ENET.dec.com
Cc: firewalls@greatcircle.com
Apparently-To: firewalls@greatcircle.com
Subject: RE: Internet Security
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Hi Laura,

nternet Security.

1) an effective security policy
2) an effective environment auditing
3) adequate software and/or hardware to provide packet filtering and application level proxies.

This is a quite extensive subject to be written in a simple e-mail, so I suggest you to check some URL's out:

www.ncsa.com - here you'll find info about all certified firewalls
altavista.software.digital.com - here you'll find info about Altavista Firewall and Altavista Tunnel
www.geocities.com/CapeCanaveral/3849 - (I am not sure if it's the correct URL, I'll check it out for you) where you will find info about hackers and attacks.

But the most important thing is that you have to keep in mind that an effective protection level will only be reached if and only if you consider those 3 items described above.

I work for Digital Equipment Co. as a network consultant engineer business partner, in Rio de Janeiro - Brazil. Feel free to contact me if you have any special doubt about network security.

Hope it helps you. Good luck. 8-)

Best Regards,
Gustavo Queiroz
Network Consultant Engineer - DEC do Brasil / NetStart
Net_espinha@djo.mts.dec.com

From firewalls-owner Wed Mar 5 15:32:52 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id MAA29676 for firewalls-outgoing; Wed, 5 Mar 1997 12:41:27 -0800 (PST)
Received: from relay.rv.tis.com (relay.rv.tis.com [204.254.155.2]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id MAA29515 for ; Wed, 5 Mar 1997 12:40:51 -0800 (PST)
Received: by relay.rv.tis.com; id PAA26160; Wed, 5 Mar 1997 15:48:53 -0500 (EST)
Received: from dira.rv.tis.com(10.0.1.43) by relay.rv.tis.com via smap (3.2) id xma026153; Wed, 5 Mar 97 15:48:39 -0500
Received: from eroraha.trusted.com (inno-laptop.rv.tis.com [10.0.1.112]) by dira.rv.tis.com (8.7.4/8.7.3) with SMTP id PAA16132; Wed, 5 Mar 1997 15:30:50 -0500 (EST)
Message-Id: <2.2.32.19970305203405.0072f2cc@pop.hq.tis.com>
X-Sender: eroraha@pop.hq.tis.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 05 Mar 1997 15:34:05 -0500
To: Warren Moore
From: Inno Eroraha
Subject: Re: SHTTP Proxy for fwtk? -- Supplemental!
Cc: firewalls-digest@greatcircle.com
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 07:03 AM 3/5/97, you wrote:
>Greetings...
>
>Can someone on the list point me toward a proxy for the TIS fwtk that will
>handle SHTTP? Like most, I'd prefer software that doesn't cost any more than
>the fwtk itself. 8>) If there's no proxy available that you're aware of, does
>anyone have any ideas on how to make SHTTP work with the fwtk? Any and all
>information would be deeply appreciated...even if it's "nope, won't work."

Simply include this entry in your /usr/local/etc/netperm-table:

# ssl-gw: port ssl {your trusted network} -port ssl
#
# so if your trusted net is 111.222.111.* the syntax would be:
#
# ssl-gw: port ssl 111.222.111.* -port ssl
#
# if you don't have ssl defined in your /etc/services file as 443 then
# simply replace "ssl" with "443" in the above rule.

Then in your browser (Netscape), specify the name (or IP address) of the inside interface of the firewall for the "Security Proxy" and port 80 (or whatever) as the security port.

Good luck!

-0-
inno

>---
>Warren S. Moore, CISSP
>Information Security Specialist
>Cincinnati Bell Information Systems Inc.
>
>
>

From firewalls-owner Wed Mar 5 15:39:05 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id NAA08845 for firewalls-outgoing; Wed, 5 Mar 1997 13:16:33 -0800 (PST)
Received: from mafalda.univalle.edu.co (mafalda.univalle.edu.co [200.25.53.10]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id NAA08531 for ; Wed, 5 Mar 1997 13:15:08 -0800 (PST)
Received: from cusiana.univalle.edu.co(really [200.25.52.20]) by mafalda.univalle.edu.co via sendmail with smtp id for ; Wed, 5 Mar 1997 16:12:51 -0500 (GMT) (Smail-3.2 1996-Jul-4 #1 built 1997-Mar-3)
Received: by cusiana.univalle.edu.co (4.1/SMI-4.1) id AA03765; Wed, 5 Mar 97 16:14:43-050
Date: Wed, 5 Mar 1997 16:14:42 -0500 (GMT-0500)
From: "Jorge A. Mejia M."
To: firewalls@GreatCircle.COM
Subject: Re: Mail List
In-Reply-To: <331D097A.321A@primenet.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Tue, 4 Mar 1997, Marc H. Ingle wrote:
> Please
> REMOVE
> me from this list.
>

Same for me!!!! Please....! Please....! Please....! Please....!
Please....!

********************************
*                              *
*  Jorge A. Mejia M.           *
*  Observatorio Sismologico del*
*  Suroccidente - OSSO         *
*  Universidad del Valle       *
*  Ap. Aereo 25360             *
*  Cali - Colombia             *
*                              *
*  jmm@osso.univalle.edu.co    *
*                              *
********************************

From firewalls-owner Wed Mar 5 15:41:45 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA10734 for firewalls-outgoing; Wed, 5 Mar 1997 09:59:24 -0800 (PST)
Received: from grex.cyberspace.org (grex.cyberspace.org [152.160.30.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id JAA10711 for ; Wed, 5 Mar 1997 09:59:13 -0800 (PST)
Received: (from neha@localhost) by grex.cyberspace.org (8.6.13/8.6.12) id MAA14580 for Firewalls@GreatCircle.COM; Wed, 5 Mar 1997 12:56:10 -0500
Date: Wed, 5 Mar 1997 12:56:10 -0500
From: Neha Kaur
Message-Id: <199703051756.MAA14580@grex.cyberspace.org>
To: Firewalls@GreatCircle.COM
Subject: Re: Firewalls-Digest V6 #90
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

kj

From firewalls-owner Wed Mar 5 16:02:15 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA05866 for firewalls-outgoing; Wed, 5 Mar 1997 09:15:31 -0800 (PST)
Received: from fw2.mwcia.org (fw2.mwcia.org [206.9.85.5]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id JAA05829 for ; Wed, 5 Mar 1997 09:15:15 -0800 (PST)
Received: from rwh (rickh.mwcia.org [192.138.165.131]) by fw2.mwcia.org (8.8.5/8.8.5) with SMTP id LAA18654; Wed, 5 Mar 1997 11:17:35 -0600
Message-Id: <3.0.32.19970305111444.00974ec0@fw2.mwcia.org>
X-Sender: rwh@fw2.mwcia.org
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 05 Mar 1997 11:14:49 -0600
To: jonesmd@unifiedtech.com (Mike Jones), firewalls@GreatCircle.COM
From: Richard Hoffbeck
Subject: Re: SQL*net and FireWall-1
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 10:46 AM 3/5/97 -0500, Mike Jones wrote:
>Has anyone figured out how to run SQL*Net through FireWall-1? I would think
>that it should be possible, but I wanted to see if anyone else had done
>it before sitting down to a big "figure it out" session.

I've done it with straight through proxies like plug-gw from the TIS fwtk and with forwarding using ssh/sshd. I've been told that this works fine when the sql*net server is running under unix but will fail when it runs under NT because NT will try to negotiate a new connection port. I can verify that it works on unix but I can't say for sure that it won't work with NT.

I know that Oracle has released a toolkit to some of the firewall vendors that provides an encrypted link from sql*net client to sql*net server that can be passed through a firewall. TIS is the only one that I know of that actually has a finished product for sale, however.

--rick
Richard Hoffbeck                                   phone: 612.897.6442
Sr Systems Analyst
Minnesota Workers Comp Insurer's Association
Finger rwh@visi.com for PGP key : Fingerprint = 1C DD 13 FB 11 1D E7 73 2F A1 9B 52 86 0F A2 2B

From firewalls-owner Wed Mar 5 16:16:40 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id JAA06634 for firewalls-outgoing; Wed, 5 Mar 1997 09:21:47 -0800 (PST)
Received: from gate.int1.telenor.cz (int1.telenor.cz [193.219.192.254]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id JAA06599 for ; Wed, 5 Mar 1997 09:21:24 -0800 (PST)
Received: (from mail@localhost) by gate.int1.telenor.cz (8.8.2/8.8.2) id SAA01813 for ; Wed, 5 Mar 1997 18:19:18 +0100
X-Authentication-Warning: gate.int1.telenor.cz: mail set sender to using -f
Received: from server.int1.telenor.cz(134.47.201.10) by gate.int1.telenor.cz via smap (V2.0beta) id xma001811; Wed, 5 Mar 97 18:18:54 +0100
Received: from jkl.int1.telenor.cz (jkl.int1.telenor.cz [134.47.201.121]) by server.null (8.6.12/8.6.12) with SMTP id SAA24265 for ; Wed, 5 Mar 1997 18:18:48 +0100
Message-Id: <199703051718.SAA24265@server.null>
Comments:
  Authenticated sender is
From: "Jan Klabacka"
Organization: Telenor CR
To: firewalls-digest@GreatCircle.COM
Date: Wed, 5 Mar 1997 18:18:16 +0100
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re:
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v2.52)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On 5 Mar 97 at 20:39, Paramaguru wrote:

> Date: Wed, 5 Mar 1997 20:39:15 +0700 (KL )
> From: Paramaguru
> To: firewalls-digest@GreatCircle.COM
> list
>
> Really guru user.

Really I have not seen this behaviour on any other mailing list (at least not technical ones - but this one is probably supposed to be more or less technical).

----------------------------
Jan Klabacka                 Telenor Czech Republic
Phone: +420 2 311 97 71      (please note
       +420 2 311 97 73       dial prefix
Fax:   +420 2 311 82 17       change for CR)
email: jkl@telenor.cz        http://www.telenor.cz/

From firewalls-owner Wed Mar 5 17:21:35 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id PAA09971 for firewalls-outgoing; Wed, 5 Mar 1997 15:53:45 -0800 (PST)
Received: from mc2-csr.com (lestat.mc2-csr.com [204.107.238.150]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id PAA09889 for ; Wed, 5 Mar 1997 15:53:09 -0800 (PST)
Received: from merlin (merlin.mc2-csr.com [204.107.238.176]) by mc2-csr.com (8.7.3/8.7.3) with SMTP id SAA03931; Wed, 5 Mar 1997 18:45:06 -0500 (EST)
Message-Id: <3.0.32.19970305184505.00f86dc8@mc2-csr.com>
X-Sender: lglaze@mc2-csr.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Wed, 05 Mar 1997 18:45:06 -0500
To: hf85 , firewalls@GreatCircle.COM
From: Larry Glaze
Subject: Re: Solutions for retailers on the net
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

At 01:03 PM 3/5/97 -0500, Larry Glaze wrote: Something to the entire list accidentally.

Figured I would send the apology *before* the flames rolled in. Sorry, meant to only send the message to the original sender.

Doh! (slapping myself in the head)

Larry

From firewalls-owner Wed Mar 5 17:33:10 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id PAA09667 for firewalls-outgoing; Wed, 5 Mar 1997 15:51:46 -0800 (PST)
Received: from smartwall.v-one.com (smartwall.v-one.com [206.205.89.11]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id PAA09583 for ; Wed, 5 Mar 1997 15:51:09 -0800 (PST)
Received: by smartwall.v-one.com; id SAA05763; Wed, 5 Mar 1997 18:49:45 -0500 (EST)
Received: from nt_fs1.v-one.com(198.69.135.3) by smartwall.v-one.com via smap (V3.1.1) id xma005759; Wed, 5 Mar 97 18:49:43 -0500
Received: from smartwall.v-one.com by nt-fs1.V-ONE.COM with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1389.3) id GJR5MW6Q; Wed, 5 Mar 1997 18:53:53 -0500
Message-Id: <3.0.1.16.19970305184212.68471676@localhost>
X-Sender: pmcmahan@localhost
X-Mailer: Windows Eudora Light Version 3.0.1 beta 7 (16)
Date: Wed, 05 Mar 1997 18:42:12
To: "Gause, Robert" , Firewalls@GreatCircle.COM
From: "Margaret H. McMahan"
Subject: Re: Perl/Java on an External Web Server
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

>We are having discussions inside my company on whether it is appropriate or
>not to run Perl or Java CGI programs on an external web server. My personal
>preference is not to run either at the server and I am aware that Chapman &
>Zwicky warn against it.
>
>What are your opinions and experiences.

Be wary; a lot of people who program these apps don't realize what type of damage can be done from them. I hate to generalize, but having the faults in my own coding skills I know that the general concern when writing code is what it IS SUPPOSED TO DO, rather than WHAT IT *COULD* DO. Even the most security conscious coder can leave accidental oopsies in these things.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQCNAzLvUJ4AAAEEANaHt5lfE0dh5fxorFk4DlGvEDHRSHWoP29iMlchMt8JBgEM
0mItqC3hynJem+tRpcxLNL6mJVBkgRjtpOgzgWu1s0XX0YJe2FYMzVsY1UnBzGZv
eEA8cCmXttmipDu6izaKfekWOXYdRrqsWzv4x7NGUmqIL4GE7Ig6pXap4BTpAAUR
tCoiTWFyZ2FyZXQgSC4gTWNNYWhhbiIgPHBtY21haGFuQHYtb25lLmNvbT6JAJUD
BRAy71CfiDqldqngFOkBAUkSA/0ff5t7FD9pA5y5KiOob0HDgX54YVYkDysuaDvZ
812amc4EPb3Y+vhmKwwUyokK5WYuhnQWSZZGfAyJtAcELTUTaGCcI9ruovwgfvaW
g6cwVRj++p7BEFBon8n3Ojjz2gCMgztcXbpK78ZJ5Mk7xA0WKYSiTTDBz8DJV2hs
pJgTnw==
=TFt9
-----END PGP PUBLIC KEY BLOCK-----

From firewalls-owner Wed Mar 5 17:49:11 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id PAA08596 for firewalls-outgoing; Wed, 5 Mar 1997 15:44:38 -0800 (PST)
Received: from zeke.gov.yk.ca (ZEKE.GOV.YK.CA [199.247.128.34]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id PAA08531 for ; Wed, 5 Mar 1997 15:44:11 -0800 (PST)
Received: by zeke.gov.yk.ca; id PAA07245; Wed, 5 Mar 1997 15:48:05 -0800 (PST)
Received: from unknown(199.247.130.39) by zeke.gov.yk.ca via smap (V3.1) id xma007243; Wed, 5 Mar 97 15:48:04 -0800
Received: from [199.247.134.75] ([199.247.134.75]) by tempest.gov.yk.ca (8.7.5/8.7.3) with SMTP id PAA21758; Wed, 5 Mar 1997 15:39:29 -0800
From: Larry Kwiat
To: Laura Ann Shearer
cc: firewalls@greatcircle.com
Subject: Re: Internet Security
Message-ID:
Date: Wed, 5 Mar 1997 16:08:54 -0500 (EST)
X-Mailer: Simeon for Windows Version 4.0
X-Authentication: none
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

I'd strongly suggest that a corporation would take a business-driven approach to internet security, and risk-analyze the whole thing. Then do critical function analysis. Then plan information pathing and isolation. Develop audit procedures, and internal security operating procedures. This in conjunction with the application of security technology.

Knowing nothing more about a corporation than you have mentioned, it is difficult to talk about more than the order of events and something of structure. I do know that taking the wrong approach and not having one's priorities in mind can make the whole exercise horribly expensive and possibly ineffective.

But this goes much outside the subject of firewalls; at first glance, it remains to be seen whether or not a corporation would need a firewall. Internet connection and a large-scale internal network, yes, then a firewall is a likely good start.

Really this post should not go any further, and I whinge a little in responding this much. Sorry for the space, folks.

On Wed, 5 Mar 1997 11:04:20 -0500 (EST) Laura Ann Shearer wrote:
> I am a student at a college in Toronto, Canada.
>
> I just joined this email list a few days ago. I am wondering if any of
> you with some knowledge about internet security would let me know what
> your opinion is about what the best combination for internet security
> is. I am doing a research paper on what Corporations can do about
> internet security. Any replies would be greatly appreciated.
>
> Laura

Sincerely,

Larry Kwiat
Information Security Coordinator
Information Services Branch
Department of Government Services
Government of Yukon
Phone: (403) 667-8081
Fax: (403) 667-5304
Netmail: kwiat@gov.yk.ca

From firewalls-owner Wed Mar 5 18:04:23 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id RAA26373 for firewalls-outgoing; Wed, 5 Mar 1997 17:49:10 -0800 (PST)
Received: from lehman.Lehman.COM (lehman.Lehman.COM [192.147.66.1]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with SMTP id RAA26225 for ; Wed, 5 Mar 1997 17:48:26 -0800 (PST)
Received: (from smap@localhost) by lehman.Lehman.COM (8.6.12/8.6.12) id UAA01037; Wed, 5 Mar 1997 20:45:39 -0500
Received: from relay.messaging-svcs2.lehman.com(146.127.39.20) by lehman via smap (V1.3) id tmp001035; Wed Mar 5 20:45:36 1997
Received: from kublai.lehman.com by relay.lehman.com (4.1/LB-0.6) id AA02618; Wed, 5 Mar 97 20:45:35 EST
Received: from badger.lehman.com by kublai.lehman.com (4.1/Lehman Bros. V1.6) id AA22673; Wed, 5 Mar 97 20:45:33 EST
Received: by badger.lehman.com (SMI-8.6/Lehman Bros. V1.5) id UAA12264; Wed, 5 Mar 1997 20:45:18 -0500
Date: Wed, 5 Mar 1997 20:45:18 -0500
Message-Id: <199703060145.UAA12264@badger.lehman.com>
To: Firewalls@GreatCircle.COM
Cc: Warren Moore
Subject: Re: Firewalls-Digest V6 #92
In-Reply-To: <199703052336.PAA07281@miles.greatcircle.com>
References: <199703052336.PAA07281@miles.greatcircle.com>
From: "Richard Basch"
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

> Date: 5 Mar 97 7:03:53
> From: Warren Moore
> Subject: SHTTP Proxy for fwtk?
>
> Greetings...
>
> Can someone on the list point me toward a proxy for the TIS fwtk that will
> handle SHTTP? Like most, I'd prefer software that doesn't cost any more than
> the fwtk itself. 8>) If there's no proxy available that you're aware of, does
> anyone have any ideas on how to make SHTTP work with the fwtk? Any and all
> information would be deeply appreciated...even if it's "nope, won't work."

You might try to use Squid 1.1 and Socks5. That combination seems to work well. We have Socks5 running on our firewall (as well as TIS FWTK), and on our internal Web proxy server, we use Squid (the successor to Harvest). I have been able to connect to various sites with SSL without any problems.

--
Richard Basch                          Sr. Developer/Analyst, DSO
URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc.                  Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 38th Floor             Fax: +1-201-524-5828
Jersey City, NJ 07302-3988             Voice: +1-201-524-5049

From firewalls-owner Wed Mar 5 18:19:15 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id PAA08982 for firewalls-outgoing; Wed, 5 Mar 1997 15:47:27 -0800 (PST)
Received: from pha-web.chipnet.cz (pha-web.chipnet.cz [194.213.202.36]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id PAA03746 for ; Wed, 5 Mar 1997 15:18:26 -0800 (PST)
Received: from PR_PC124.chipnet.cz by pha-web.chipnet.cz with SMTP (Microsoft Exchange Internet Mail Service Version 5.0.1389.3) id GGQDVNAD; Thu, 6 Mar 1997 00:17:01 +0100
Message-ID: <331D3833.5054@chipnet.cz>
Date: Wed, 05 Mar 1997 10:09:07 +0100
From: Pavel Galynin
X-Sender: Pavel Galynin (Unverified)
X-Mailer: Mozilla 4.0b1 (Win95; I)
MIME-Version: 1.0
To: Bernd Eckenfels
CC: firewalls@GreatCircle.COM
Subject: Re: Firewall OS
X-Priority: Normal
References: <19970304012226.25133@inka.de>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Bernd Eckenfels wrote:
>
> Hi,
>
> > I think that generally it is _BAD_ idea to store the logfiles on the very
> > same machine you generated them on.
> > I would store that logs on at least two independent, well-protected hosts.
>
> Excuse my ignorance. But what on earth is that important to be secured that
> way? My general impression is most ppl don't even READ the logs.

People, yes, qualified Network admins, yes.

> And if you
> fear a hacker could erase them the main damage (a break in) has
> already
> happened.

But you may just want to know, that it happened..

>
> There are 3 things which may happen:
>
> a) hacker destroys your site.. you don't need logs, you WILL notice
> b) hacker stores warezes or uses your host for further breakins
> (you will notice sooner or later)
> c) hacker will steal all you vulnerable data (and continues to do so).

B and C are bad, and you would want to detect the break-in as soon as possible, so logs really help..

>
> c is the most problematic case in log-file tampering. But since the hacker
> can copy your current databases in a few minutes he won't do all those
> additional work to delete logs. Am I missing something?

Yep. A hacker may want to come back.. So he/she puts backdoors in and.. changes log files, surprise!

>
> So.. what do you need to protect with firewalls and have you ever really used
> two independent, dedicated log hosts? (And which protocol you use for that?)
>
> Security is nice, but one should never leave ground.. some companies don't
> have all that money they would need to pay for silly security.

If it were silly, then people wouldn't use it.. You just need some 386 with good network card and a big HD.

>
> Greetings
> Bernd
> --
>  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
> ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
>  o--o     *plush*  2048/93600EFD  eckes@irc  +4972573817  BE5-RIPE
> (O____O)       If privacy is outlawed only Outlaws have privacy

A lot of people before you did and a lot of people after you would use logs, and I think it's not that sharp to think that you're smarter than all of them. You might wanna think some things over, and guess, that if you're the only one who doesn't use logs, and everybody else does, then it might probably be a problem with you..

Paul.
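The thread above argues for keeping a second copy of the logs on an independent, well-protected host because an intruder who "comes back" will edit the local file. The following is an added example, not code from either poster, of the check that second copy makes possible: it hash-chains both copies and reports where they diverge and which lines vanished locally. The log lines are constructed for the example, and the chain is a plain SHA-256 over the previous digest and the current line, not any particular syslog product's format.

```python
"""Compare a host's local log with the copy kept on an independent log host.

Added example, not from the thread above. Because digest[i] depends on every
earlier line, any deleted or edited line changes all later digests, and the
first disagreement between the two chains locates the tampering.
"""
import hashlib
from collections import Counter
from typing import Dict, List

# Constructed sample: the lines exactly as the log host received them.
REMOTE_COPY = [
    "Mar  5 23:41:02 gw sshd[1211]: Accepted password for admin from 10.9.8.7",
    "Mar  5 23:41:30 gw su: admin to root on /dev/pts/2",
    "Mar  5 23:42:11 gw inetd[233]: telnet/tcp: service enabled",
    "Mar  5 23:44:59 gw sshd[1218]: Accepted password for admin from 10.9.8.7",
]
# Constructed sample: the same file read later from the host itself, after
# the su and inetd entries were removed.
LOCAL_COPY = [REMOTE_COPY[0], REMOTE_COPY[3]]


def chain_digests(lines: List[str]) -> List[str]:
    """digest[i] = SHA256(digest[i-1] || line[i]), starting from a zero digest."""
    prev = "0" * 64
    out: List[str] = []
    for line in lines:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        out.append(prev)
    return out


def first_divergence(local: List[str], remote: List[str]) -> int:
    """Index of the first position where the two chains disagree; -1 if the
    copies are identical. A copy that is merely shorter diverges at its end."""
    lc, rc = chain_digests(local), chain_digests(remote)
    for i, (a, b) in enumerate(zip(lc, rc)):
        if a != b:
            return i
    return -1 if len(lc) == len(rc) else min(len(lc), len(rc))


def missing_from_local(local: List[str], remote: List[str]) -> List[str]:
    """Lines the log host holds that the local file no longer contains,
    counting duplicates, in the order the log host received them."""
    have = Counter(local)
    gone: List[str] = []
    for line in remote:
        if have[line] > 0:
            have[line] -= 1
        else:
            gone.append(line)
    return gone


def audit(local: List[str], remote: List[str]) -> Dict[str, object]:
    """Summary a defender can alert on."""
    idx = first_divergence(local, remote)
    return {
        "tampered": idx != -1,
        "first_bad_index": idx,
        "missing": missing_from_local(local, remote),
    }


if __name__ == "__main__":
    report = audit(LOCAL_COPY, REMOTE_COPY)
    print("tampered:", report["tampered"], "first bad index:", report["first_bad_index"])
    for line in report["missing"]:
        print("  missing locally:", line)
```

The comparison only works if the log host receives each line as it is written and the intruder cannot reach that host with the same credentials that compromised the first; that is exactly why the post insists on independent, dedicated log hosts rather than a second file on the same machine.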
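Returning to Inno Eroraha's netperm-table entry earlier in this digest (ssl-gw: port ssl 111.222.111.* -port ssl), here is an added example, not fwtk's own code, that parses rules of that one-line form and reports which inside clients the proxy would accept and on which destination port it would connect out. It assumes that "*" is a per-octet wildcard, that the first matching rule for a gateway wins, and that service names resolve through the small SERVICES table below instead of the real /etc/services; the sample table is constructed and includes the numeric "443" variant the reply suggests.

```python
"""Evaluate fwtk-style netperm-table rules against inside client addresses.

Added example, not fwtk's code; the rule form and the wildcard, first-match
and service-lookup behaviour are assumptions described in the lead-in.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for /etc/services so the example runs offline.
SERVICES = {"ssl": 443, "http": 80}

# Constructed sample table (not a real installation's file). The second rule
# is the numeric form used when "ssl" is not defined in /etc/services.
SAMPLE_TABLE = """
# netperm-table (constructed sample)
ssl-gw: port ssl 111.222.111.* -port ssl
ssl-gw: port 443 10.1.2.* -port 443
"""

RULE_RE = re.compile(r"^(?P<gw>[\w-]+):\s+port\s+(?P<port>\S+)\s+(?P<pat>\S+)(?P<opts>.*)$")


@dataclass
class Rule:
    gateway: str                 # proxy the rule applies to, e.g. "ssl-gw"
    port: int                    # port the proxy listens on
    pattern: str                 # client address pattern, e.g. "111.222.111.*"
    options: Dict[str, str] = field(default_factory=dict)  # e.g. {"-port": "ssl"}


def resolve_port(name: str) -> int:
    """Numeric port, or a service name looked up in the constructed SERVICES table."""
    if name.isdigit():
        return int(name)
    if name not in SERVICES:
        raise ValueError(f"unknown service {name!r}; use the numeric port instead")
    return SERVICES[name]


def parse_table(text: str) -> List[Rule]:
    """Parse rule lines; '#' starts a comment and blank lines are ignored."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        opts: Dict[str, str] = {}
        toks = m.group("opts").split()
        i = 0
        while i < len(toks):
            if not toks[i].startswith("-"):
                raise ValueError(f"unexpected token {toks[i]!r} in {line!r}")
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            opts[toks[i]] = toks[i + 1] if has_val else ""
            i += 2 if has_val else 1
        rules.append(Rule(m.group("gw"), resolve_port(m.group("port")), m.group("pat"), opts))
    return rules


def addr_matches(pattern: str, addr: str) -> bool:
    """Per-octet wildcard match: '111.222.111.*' covers 111.222.111.0-255."""
    p, a = pattern.split("."), addr.split(".")
    return len(p) == 4 and len(a) == 4 and all(x == "*" or x == y for x, y in zip(p, a))


def client_allowed(rules: List[Rule], gateway: str, client_ip: str) -> Optional[Rule]:
    """First rule for this gateway that covers client_ip, or None (denied)."""
    for r in rules:
        if r.gateway == gateway and addr_matches(r.pattern, client_ip):
            return r
    return None


def outbound_port(rule: Rule) -> int:
    """Port the proxy connects to on the destination: the -port option if
    present, otherwise the port it listens on."""
    return resolve_port(rule.options["-port"]) if "-port" in rule.options else rule.port


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for ip in ("111.222.111.17", "10.1.2.9", "192.0.2.5"):
        r = client_allowed(table, "ssl-gw", ip)
        if r:
            print(f"{ip}: allowed via {r.pattern}, relays to port {outbound_port(r)}")
        else:
            print(f"{ip}: denied (no ssl-gw rule covers it)")
```

Running the table through this check before deploying it is a cheap way to confirm that the wildcard is no wider than the trusted network the rule was meant to cover.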
From firewalls-owner Wed Mar 5 18:33:27 1997
Received: (majordom@localhost) by miles.greatcircle.com (8.8.5/Lists-960417-1) id RAA24249 for firewalls-outgoing; Wed, 5 Mar 1997 17:23:58 -0800 (PST)
Received: from home.byelex.nl (home.byelex.nl [195.109.44.130]) by miles.greatcircle.com (8.8.5/Miles-960830-1) with ESMTP id RAA24203 for ; Wed, 5 Mar 1997 17:23:37 -0800 (PST)
Received: (from cowboy@localhost) by home.byelex.nl (8.8.5/8.8.5) id CAA03983; Thu, 6 Mar 1997 02:21:55 +0100
Date: Thu, 6 Mar 1997 02:21:55 +0100 (MET)
From: Kevin McPeake
To: crumrig@us-state.gov
cc: Firewalls@GreatCircle.COM
Subject: RE: Retail Shopping on the Internet
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

On Wed, 5 Mar 1997 crumrig@us-state.gov wrote:
> I assume you have had several replies by now, so I'd like to throw mine in
> as well. I represent a company called Integrated Technologies or ITEQ for
> short. We are based out of Silver Spring, MD and could help in all phases.
> Let us know if we could be of service to you.
>
> ITEQ
> 1300 Spring Street
> Suite 320
> Silver Spring, MD 20910
> crumrig@us-state.gov

Correct me if I'm wrong,.....but last I remembered, it was illegal to use US state or federal paid for services for your own personal business affairs (ie-government paid for telco calls or computer services or postal services). I'd be careful slinging that *us-state.gov email addy around for your business affairs, if I were you and that was the case. Then again, although I'm a US citizen, I have been out of the states for a few months now on business, so maybe things changed in the last few months (doubt it tho...in fact, I seem to recall a fine of 300 dollars per incident, now that I think about it).

just a random thought... :)

Kevin McPeake                                   cowboy@home.byelex.nl
Internet Consultant                             http://www.byelex.nl/

<< You know something's up when your Thought process is idle. >>
USER       PID %CPU %MEM   VSZ  RSS TTY   S    STARTED     TIME COMMAND
cowboy   28365  0.0  0.2 2.84M 264K ttyp1 S    12:57:12  0:00.02 Thought

Fro